Europe · CoE Framework Convention signatory
This content is for informational and educational purposes only and does not constitute legal advice.
On 16 January 2026, the Italian Competition Authority opened two investigations into Activision Blizzard, a subsidiary of the Microsoft group, concerning potential misleading and aggressive commercial practices in the video games Diablo Immortal and Call of Duty Mobile. The Authority is examining whether the company breached the Consumer Code through the use of user-interface design choices that may influence consumers, including minors, to increase playtime and make in-game purchases without clear awareness. The assessment covers, among other aspects, the use of push notifications for time-limited items and virtual currency bundles whose structure may make the actual monetary cost of transactions less transparent. The investigations also consider default parental control settings, the mechanisms used to obtain consent for personal data profiling, the adequacy of information provided on contractual rights, and whether account suspensions may lead to the loss of funds spent on digital content.
On 18 December 2025, the Guarantor for the Protection of Personal Data (GPDP) issued a warning to users of artificial intelligence services regarding the generation of content using third-party voices or images via artificial intelligence technologies (deepfakes). The GPDP noted that such content potentially qualifies as personal data under Article 4(1) of Regulation (EU) 2016/679 (GDPR) and may constitute biometric data where processed for unique identification. The GPDP found that such processing, when lacking a valid legal basis and transparent information, may infringe Articles 5(1)(a), 6 and 9 of the GDPR. Consequently, the GPDP issued a formal warning under Article 58(2)(a) of the GDPR that such processing activities can constitute infringements of data protection rules.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) enters into force. The Bill requires public procurement platforms to prioritise AI suppliers that process and store strategic data within national data centres, ensuring disaster recovery, business continuity, and high security and transparency standards. Collaborative research between businesses, research bodies, and technology transfer centres is also promoted to commercialise AI research outcomes. Furthermore, the Bill specifies that AI systems used in the public sector, except those deployed abroad during military operations, must operate on servers located within Italy to safeguard citizens' sensitive data. Personal data processing by intelligence agencies and cybersecurity bodies must comply with existing data protection frameworks, specifically the Personal Data Protection Code and relevant cybersecurity legislation. The application of these principles to AI activities conducted for national security purposes by intelligence, military, and police bodies, as well as other authorised public and private entities, will be detailed in specific regulations issued under established legislative procedures.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI), including consent rules for minors’ access to AI technologies enters into force. The Bill requires parental consent for users under fourteen and allows minors aged fourteen to eighteen to provide their own consent, provided the information is clear and accessible. The measure applies to AI service providers processing minors’ personal data and aligns with the General Data Protection Regulation and Italy’s Personal Data Protection Code.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) enters into force. The Bill amends Law No. 633 concerning the protection of copyright and related rights to state that copyright protection applies exclusively to works of human intellect. It explicitly recognises that works generated using AI tools are protected only if they represent the result of the author’s intellectual effort. Furthermore, the Bill adds a new provision allowing the reproduction and extraction of works or materials available online or in databases, provided there is legitimate access, for the purpose of text and data mining by AI models, including generative systems.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) enters into force. The Bill specifies the institutions empowered to oversee compliance. The Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as the National Authorities for AI to ensure the implementation of the European Union AI Act (Regulation (EU) 2024/1689). AgID is tasked with promoting AI innovation and overseeing the evaluation, accreditation, and monitoring of AI conformity bodies. ACN is responsible for supervising AI systems, particularly in relation to cybersecurity, including inspection and sanctioning activities. Both agencies will jointly manage AI testing spaces, in coordination with the Ministries of Defence and Justice where relevant. Additionally, AgID is appointed as the notifying authority and ACN as the market surveillance authority under the EU AI Act.
On 8 October 2025, the Resolution establishing technical and procedural standards for online age verification under the 2023 Caivano Decree, enters into force. The Caivano Decree introduced measures for online safety and the protection of minors. The measure requires websites and video-sharing platforms distributing pornographic material in Italy to deploy verification systems consistent with the General Data Protection Regulation's principles of data protection and proportionality. The measure clarifies the scope and aligns with the Digital Services Act.
On 7 October 2025, the Italian Data Protection Authority (DPA) appeared before the 8th Committee of the Senate on the updated text adopted for Senate Bill No. 1136 on the protection of minors in the digital environment. The revised text allows the activation of social media and video-sharing accounts only for persons over 15 years of age and assigns the DPA the responsibility for verifying and sanctioning infringements in accordance with Articles 56(2), 58(2), and 83 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR). The draft raises to 16 years the age for autonomous digital consent and restricts parental consent to minors aged 15 to 16. The DPA proposed being assigned monitoring functions under Article 3(4) and participation in the preparation of guidelines under Article 5. The hearing also addressed the development of privacy-preserving age-verification mechanisms, awareness campaigns under Article 6, and the possible attribution of powers to restrict or disable access to online services that breach data-protection provisions.
On 6 October 2025, the Italian Data Protection Authority issued a notice against ICF Technology, which manages the CamHub website. The authority stated that the website, currently blocked in Italy, streams sexually explicit videos, including private chat rooms. It also stated that collecting and sharing videos illegally recorded from cameras in private Italian homes violates European and national privacy laws. It warned that reactivating the site without the explicit consent of the data subjects could constitute unlawful processing of sensitive personal data and cause serious harm.
On 2 October 2025, the Italian Communications Authority (AGCOM) issued Presidential Order No. 21/25/PRES against Telegram Messenger Inc. following an investigation into alleged large-scale copyright infringement. The measure was adopted under the Regulation on the Protection of Copyright on Electronic Communication Networks (Resolution 680/13/CONS), based on a request received on 8 September 2025 from the Italian Publishers Association (AIE). The association reported the unauthorised distribution of more than 11'000 literary works, including titles from Giunti, Einaudi, HarperCollins, Newton Compton, and Mondadori, in violation of Copyright Law No. 633 of 1941. The Directorate for Digital Rights and Protection of Fundamental Rights opened an investigative proceeding on 11 September 2025 and confirmed the accessibility of a significant number of protected works, amounting to a serious and large-scale infringement. The investigation found no justification for access under copyright exceptions, and no counterarguments were submitted by the parties within the prescribed 3 working days. The President ordered Telegram to disable access to the infringing channel within 2 days of notification. Non-compliance may lead to sanctions under Article 1(31) of Law No. 249 of 31 July 1997 and referral to judicial police authorities under Article 182-ter of Law No. 633 of 1941. The order may be appealed before the Regional Administrative Court of Lazio within 60 days.
On 1 October 2025, the Italian Data Protection Authority (DPA) determined that the processing of personal data by AI/Robotics Venture Strategy 3 Ltd., operator of the ClothOff “deep nude” service, was unlawful under Articles 5(1)(a), 5(2), and 25 of the General Data Protection Regulation (GDPR). The DPA noted the company’s failure to provide requested information and its inadequate watermarking of manipulated images, which breached the principles of fairness, accountability, and data protection by design and by default. It imposed a temporary restriction on the processing of Italian users’ personal data under Article 58(2)(f), effective immediately and pending the outcome of the investigation. The measure also requires publication on the DPA’s website, entry in the internal register of measures, and makes reference to possible administrative sanctions under Article 83(5)(e) and criminal liability under Article 170 of the Personal Data Protection Code.
On 30 September 2025, the determination on compliance with the national competent authority under the Network and Information Security (NIS) Directive entered into force, except for the provision setting out the procedure and deadlines for continuous updating and confirmation of NIS entity and user information. The determination specifies the deadlines, methods, and procedures for the use and access to the Agency's digital platform, as well as additional information that entities must provide to the national NIS competent authority, and the deadlines, methods, and procedures for the designation of NIS representatives on national territory. The determination sets procedures for registration, annual and continuous updates, and user authentication through the Public Digital Identity System (SPID) or Italian Electronic Identity Card (CIE). It defines roles including contact points, substitutes, Computer Security Incident Response Team (CSIRT) representatives, and operators. Users must associate accounts with their Network and Information Systems (NIS) entity, confirm data accuracy, and report changes within 14 days. It was also highlighted that non-compliance may lead to penalties.
On 24 September 2025, the Italian Communications Authority (AGCOM) issued Presidential Order No. 20/25/PRES against Telegram Messenger Inc., following an investigation into large-scale copyright infringement. AGCOM's Directorate for Digital Rights launched the investigation on 11 September 2025 following a request received on 6 May 2025 from the Italian Publishers Association (AIE). The AIE reported that a Telegram channel and an associated website were distributing numerous literary works, including titles from Salani, Mondadori, Newton Compton, and Sperling & Kupfer, in violation of Copyright Law No. 633 of 1941. AGCOM’s checks confirmed the widespread unauthorised availability of protected works. The domain was registered via GoDaddy.com LLC using Domains By Proxy to maintain anonymity; the hosting services and servers were attributed to Telegram Messenger Inc., which is incorporated in the British Virgin Islands and has servers located in the United Kingdom. Under Articles 8 and 9 of the Regulation on the Protection of Copyright on Electronic Communication Networks (Resolution 680/13/CONS), AGCOM applied the abbreviated procedure and ordered Telegram to disable access to the infringing channel within 2 days of notification. Failure to comply may result in sanctions under Law No. 249 of 1997 and referral to law enforcement under Article 182-ter of Law No. 633 of 1941. This decision can be appealed to the Regional Administrative Court of Lazio within 60 days.
On 19 September 2025, the Italian National Cybersecurity Agency adopted the determination on compliance with the national competent authority under the Network and Information Security (NIS) Directive entered into force, except for the provision setting out the procedure and deadlines for continuous updating and confirmation of NIS entity and user information. The determination specifies the deadlines, methods, and procedures for the use and access to the Agency's digital platform, as well as additional information that entities must provide to the national NIS competent authority, and the deadlines, methods, and procedures for the designation of NIS representatives on national territory. The determination sets procedures for registration, annual and continuous updates, and user authentication through the Public Digital Identity System (SPID) or Italian Electronic Identity Card (CIE). It defines roles including contact points, substitutes, Computer Security Incident Response Team (CSIRT) representatives, and operators. Users must associate accounts with their Network and Information Systems (NIS) entity, confirm data accuracy, and report changes within 14 days. It was also highlighted that non-compliance may lead to penalties.
On 17 September 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) was adopted by the Italian Senate. The Bill requires public procurement platforms to prioritise AI suppliers that process and store strategic data within national data centres, ensuring disaster recovery, business continuity, and high security and transparency standards. Collaborative research between businesses, research bodies, and technology transfer centres is also promoted to commercialise AI research outcomes. Furthermore, the Bill specifies that AI systems used in the public sector, except those deployed abroad during military operations, must operate on servers located within Italy to safeguard citizens' sensitive data. Personal data processing by intelligence agencies and cybersecurity bodies must comply with existing data protection frameworks, specifically the Personal Data Protection Code and relevant cybersecurity legislation. The application of these principles to AI activities conducted for national security purposes by intelligence, military, and police bodies, as well as other authorised public and private entities, will be detailed in specific regulations issued under established legislative procedures.
On 17 September 2025, the Italian Senate adopted the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI), including consent rules for minors’ access to AI technologies. The Bill requires parental consent for users under fourteen and allowing minors aged fourteen to eighteen to provide their own consent, provided information is clear and accessible. The measure applies to AI service providers processing minors’ personal data and aligns with the General Data Protection Regulation and Italy’s Personal Data Protection Code.
On 17 September 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) was adopted by the Parliament. The Bill amends Law No. 633 concerning the protection of copyright and related rights to state that copyright protection applies exclusively to works of human intellect. It explicitly recognises that works generated using AI tools are protected only if they represent the result of the author’s intellectual effort. Furthermore, the Bill adds a new provision allowing the reproduction and extraction of works or materials available online or in databases, provided there is legitimate access, for the purpose of text and data mining by AI models, including generative systems.
On 17 September 2025, the Italian Senate adopted the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI). The Bill specifies the institutions empowered to oversee compliance. The Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as the National Authorities for AI to ensure the implementation of the European Union AI Act (Regulation (EU) 2024/1689). AgID is tasked with promoting AI innovation and overseeing the evaluation, accreditation, and monitoring of AI conformity bodies. ACN is responsible for supervising AI systems, particularly in relation to cybersecurity, including inspection and sanctioning activities. Both agencies will jointly manage AI testing spaces, in coordination with the Ministries of Defence and Justice where relevant. Additionally, AgID is appointed as the notifying authority and ACN as the market surveillance authority under the EU AI Act.
On 15 September 2025, the Communications Regulatory Authority’s (AGCOM) resolution amending the Online Copyright Regulations to expand the scope of dynamic injunctions available under the Piracy Shield platform enters into force. The resolution enables accredited reporters, including anti-piracy associations and federations, to request disabling access to illicitly distributed content during the first thirty minutes of live broadcasts and premieres, through DNS resolution blocking and network traffic routing restrictions targeting IP addresses primarily engaged in illegal activities. The measures apply to providers of mere conduit, hosting, and caching services, as well as VPN providers, publicly available DNS service operators, and search engines involved in the accessibility of infringing resources. Reporters are required to act with diligence and avoid high-risk overblocking, or face suspension of accreditation. The resolution also empowers AGCOM to order the unblocking of resources inactive for at least six months and permits unblocking requests from reporters for non-infringing services. The revised regulation integrates provisions from the Digital Services Act (DSA), the Omnibus Decree amending the Anti-Piracy Law, and updates to the Consolidated Law on Audiovisual Media Services, which now includes disciplinary proceedings for copyright infringements by audiovisual media service providers.
On 11 September 2025, the Italian Communications Authority (AGCOM) opened an investigation into Telegram Messenger Inc. for alleged copyright infringement. The proceeding was initiated under the Regulation on the Protection of Copyright on Electronic Communication Networks (Resolution 680/13/CONS) following a request received on 8 September 2025 from the Italian Publishers Association (AIE). The association reported the unauthorised reproduction and distribution of more than 11,000 literary works, including titles from publishers such as Giunti, Einaudi, HarperCollins, and Mondadori.
On 11 September 2025, the Italian Communications Authority (AGCOM) opened an investigation into Telegram Messenger Inc. for alleged large-scale copyright infringement. The case was initiated following a request from the Italian Publishers Association (AIE) concerning the unauthorised distribution of literary works through a Telegram channel and an associated website. AGCOM’s Directorate for Digital Rights reviewed the request, found it admissible, and initiated proceedings under abbreviated terms due to the serious and large-scale nature of the alleged violations.
On 2 September 2025, the Regional Administrative Tribunal for Lazio issued a ruling partially annulling the Competition Authority's sanction of EUR 1.13 billion against Amazon to an unspecified lower amount due to inadequate justification for the fine imposed. However, the Tribunal upheld the decision against Amazon for abusing its dominant position in the Italian online marketplace services market. The Tribunal confirmed Amazon engaged in self-preferencing between 2016-2021 by tying essential marketplace benefits exclusively to its Fulfilled by Amazon (FBA) logistics service, affecting third-party sellers on Amazon Italy and competing logistics providers. Amazon controlled approximately 53% of the Italian marketplace intermediation services market and used discriminatory performance metrics that favoured FBA users whilst restricting Prime eligibility and promotional event access for sellers using independent logistics. The Competition Authority imposed a EUR 1.13 billion fine, and behavioural remedies requiring Amazon to publish clear Prime eligibility criteria, apply uniform performance monitoring regardless of logistics provider, and provide equal treatment for Prime-eligible offers.
On 20 August 2025, the Italian Data Protection Authority issued Provision No. 479, imposing urgent measures under Article 58(2)(f) of the General Data Protection Regulation (GDPR) to address the unlawful dissemination of a private audio recording on the YouTube channel “Falsissimo” and its subsequent circulation on Instagram. The action followed a complaint under Article 77 GDPR seeking removal and de-indexing of the content across multiple platforms, including YouTube, TikTok, Instagram, Facebook, X, Google, and company channels. The Authority recalled its earlier warning of 4 August 2025 (Provision No. 467) and the 6 August press release, which noted that the disclosure likely violated Articles 1, 5, 6, 17, and 21 GDPR, as well as Articles 1 and 167 of the Italian Privacy Code. Given that the audio remained accessible, accumulating over 1.3 million views, and new content had appeared on Instagram, the Authority concluded that the violations persisted. The order requires immediate removal of the specific audio segment from the YouTube episode, deletion of the Instagram reel, and a prohibition on any further dissemination. Non-compliance may result in administrative fines under Article 83 GDPR, and the measure can be appealed within the statutory timeframe before the ordinary judicial authority.
On 6 August 2025, the Italian Data Protection Authority opened an investigation into AI/Robotics Venture Strategy 3 Ltd., operator of the ClothOff “deep nude” service, by issuing a formal request for information (ref. 109872) concerning the processing of personal data and the implications of generating manipulated content potentially harmful to the reputation of data subjects.
On 4 August 2025, the Italian Data Protection Authority issued Provision No. 467 in response to the non-consensual disclosure of a private audio file taken from a chat conversation involving a well-known actor. The Authority considered the audio to form part of private correspondence protected under Article 15 of the Constitution and recognised that its publication constituted processing of personal data within the scope of Regulation (EU) 2016/679 (General Data Protection Regulation) and the Italian Personal Data Protection Code (Legislative Decree No. 196/2003, as amended). The Authority found that, while journalistic freedom of expression does not always require consent, the disclosure lacked materiality in relation to the actor’s public role and instead concerned intimate and emotional matters unrelated to public interest. Pursuant to Article 58(2)(a) of the Regulation and Article 154(1)(f) of the Code, the Authority issued a warning to potential users of the data subject’s personal data, emphasising that any further dissemination of the audio or related extracts could constitute a violation leading to sanctions. Furthermore, under Article 154-bis(3) of the Code, the Authority ordered publication of the decision in the Official Journal of the Italian Republic to ensure wider awareness. The provision also noted the right of appeal under Article 78 of the Regulation, Article 152 of the Code, and Article 10 of Legislative Decree No. 150/2011, allowing challenges before the competent judicial authority within 30 days in Italy or 60 days if abroad.
On 30 July 2025, the Communications Regulatory Authority (AGCOM) adopted a resolution amending the Online Copyright Regulations to expand the scope of dynamic injunctions available under the Piracy Shield platform to include all rightsholders of live events, audiovisual and cinematographic works, entertainment programmes, and similar audio content. The amendments enable accredited reporters, including anti-piracy associations and federations, to request disabling access to illicitly distributed content during the first thirty minutes of live broadcasts and premieres, through DNS resolution blocking and network traffic routing restrictions targeting IP addresses primarily engaged in illegal activities. The measures apply to providers of mere conduit, hosting, and caching services, as well as VPN providers, publicly available DNS service operators, and search engines involved in the accessibility of infringing resources. Reporters are required to act with diligence and avoid high-risk overblocking, or face suspension of accreditation. The resolution also empowers AGCOM to order the unblocking of resources inactive for at least six months and permits unblocking requests from reporters for non-infringing services. The revised regulation integrates provisions from the Digital Services Act (DSA), the Omnibus Decree amending the Anti-Piracy Law, and updates to the Consolidated Law on Audiovisual Media Services, which now includes disciplinary proceedings for copyright infringements by audiovisual media service providers.
On 30 July 2025, the Competition Authority (AGCM) opened an investigation against Meta to assess potential infringements of Article 102 of the Treaty on the Functioning of the European Union (TFEU). The investigation concerns alleged abusive tying conduct related to the pre-installation and prominent integration of the generative artificial intelligence service “Meta AI” within the WhatsApp instant messaging application. The AGCM identified distinct relevant product markets for consumer communication services via applications and general-purpose chatbot or AI assistant services, noting Meta's dominant position in the former market at both European and national levels. The AGCM considered that the integration of Meta AI into WhatsApp is likely to distort competition by facilitating rapid user base expansion and potentially training AI models on user interactions, thereby generating exclusionary effects. The proceeding is scheduled to conclude by 31 December 2026, and the parties have a 60-day period from notification to exercise their right to be heard.
On 23 July 2025, the Communications Regulatory Authority (AGCOM) adopted Resolution no. 199/25/CONS, launching an inquiry into how audience consumption is measured on digital platforms. The inquiry aims to address the lack of standardised, transparent methods across streaming services, social media, and other online media providers. Under Decree no. 208/2021, measurement systems must adhere to principles of accuracy, transparency, verifiability, and independent certification. However, AGCOM notes that large platforms still rely on proprietary tools rather than submitting data to independent Joint Industry Committees, leading to inconsistent and possibly inflated metrics. AGCOM highlighted the urgency of the issue due to digital advertising accounting for over 60% of Italy’s ad revenues, exceeding television, arguing that the lack of certified data impedes fair competition and the ability to make informed investment decisions. AGCOM’s inquiry seeks to clarify obligations under the European Media Freedom Act and the Digital Markets Act, which require large platforms to ensure transparency, impartiality, non-discrimination, independent audits, advertiser access to verification tools, and annual methodology reviews. The AGCOM will review current measurement models, including those using Software Development Kits and server-to-server technologies, against European standards and its previous guidance to establish rules for measurement perimeters and requirements to guarantee transparent, comparable audience data.
On 23 July 2025, the Italian Communications Authority adopted the Guidelines to ensure that influencers comply with the provisions of the Consolidated Law on audio visual media services. The guidelines apply to influencers who create, select, or curate content that informs, entertains, or generates income through commercial agreements or platform monetisation. The guidelines establish two categories including professional influencers with at least one million followers and 2% average engagement rates face enhanced obligations, whilst smaller influencers must meet baseline requirements. The guideline imposes editorial responsibility upon influencers for content transparency, requiring clear identification of promotional material, implementation of minor protection safeguards including content classification and age verification, and adherence to anti-discrimination provisions.
On 23 July 2025, the Italian communications authority (AGCOM) adopted the final Code of Conduct, following a public consultation launched under Resolution No. 472/24/CONS containing Guidelines to ensure that influencers comply with the provisions of the Consolidated Law on audio visual media services. The Code applies to influencers operating in Italy with at least 500,000 followers on one platform or more than 1 million monthly views, treating them as audio-visual media service providers under national law. It imposes several obligations, including editorial responsibility for content, mandatory use of standard advertising labels, disclosure of filters and digital alterations, and safeguards for minors and fundamental rights. Enforcement measures include fines of up to EUR 600,000 and removal from AGCOM’s public influencer register.
On 20 March 2025, the Senate passed the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI). The Bill specifies the institutions empowered to oversee compliance. The Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as the National Authorities for AI to ensure the implementation of the European Union AI Act (Regulation (EU) 2024/1689). AgID is tasked with promoting AI innovation and overseeing the evaluation, accreditation, and monitoring of AI conformity bodies. ACN is responsible for supervising AI systems, particularly in relation to cybersecurity, including inspection and sanctioning activities. Both agencies will jointly manage AI testing spaces, in coordination with the Ministries of Defence and Justice where relevant. Additionally, AgID is appointed as the notifying authority and ACN as the market surveillance authority under the EU AI Act.
Last updated: 16/01/2026