Law 132/2025: AI and Corporate Responsibility

Law 132/2025, which came into force on October 10, 2025, represents a fundamental step for how Italian companies, public entities and professionals must integrate and manage artificial intelligence. This is not just about general ethical principles, but an organic set of rules that introduces concrete obligations, criminal and administrative responsibilities, and a rigorous internal management system. With this law, our country aligns with EU Regulation 2024/1689 (AI Act) by putting people at the center, so that technology remains a tool in service of humanity, respecting fundamental rights and supporting safe and responsible innovation.

What are the key principles of law 132/2025?

This law represents the first major comprehensive intervention on AI in Italy and is based on essential principles that guarantee a balance between technological innovation and social protection:

Human centrality: AI must support and assist human activity, never completely replacing human judgment or responsibility, especially in sensitive sectors such as healthcare, justice and employment. The protection of people’s dignity and rights is a priority.
Transparency: companies must explain clearly and comprehensibly how they use AI, especially towards workers involved in business processes. This fosters a climate of trust and prevents discrimination related to the use of algorithms.
Security and cybersecurity: protecting the IT system and data lifecycle is an essential condition. Companies must follow guidelines from the National Cybersecurity Agency to defend against attacks and vulnerabilities.
Personal data protection: the law integrates GDPR, imposing strict rules for processing, collecting and storing data used by AI, with particular regard to the lawful origin of such data and the right of choice of data subjects.
Inclusion and accessibility: beyond technical aspects, the text promotes digital training, guarantees accessibility for people with disabilities and supports gender equality and equal opportunities in the digital sphere.
Digital sovereignty: to defend national security and competitiveness, the legislator encourages the localization of data centers and cloud services on Italian territory.

These principles translate into stringent obligations that directly involve management and corporate responsibility. These principles become tangible obligations that directly involve the management and responsibilities of businesses and public administration.

Corporate governance and human oversight: a new strategic approach

Among the most important innovations, the law requires companies to build an internal governance dedicated to AI systems, much more than a mere formality:

Roles and responsibilities must be clearly defined for managing legal, technological and social risks related to AI, with specialized teams in compliance and monitoring.
Rigorous procedures for evaluation, testing and continuous updating of algorithms must be adopted to minimize operational, ethical and social risks.
It is mandatory to conduct periodic audits and maintain precise documentation that certifies every step of automated decision-making processes.
No less important is the continuous training of employees and managers, to develop updated digital skills and spread a culture of security.

Governance conceived in this way not only reduces potential risks and disputes, but improves the quality of decisions made with AI support and instills greater confidence in customers, investors and partners. At the same time, the principle of “Human-in-the-Loop” is established as essential: important decisions, especially in sensitive sectors, must always include supervision by a human operator. AI must be a support tool and not a total substitute. This ensures accountability, critical evaluations and maintains transparency.

Why is digital sovereignty important and how is data managed?

The law dedicates great attention to defending digital sovereignty, promoting the localization of data centers and cloud services in Italy to offer greater control over strategic infrastructures. In parallel, precise rules are established for managing the data supply chain:

Every piece of data used to train algorithms must come from lawful and documented sources.
Complete data traceability is necessary, with precise records of every phase of their use.
Data owners have the right to object to the use of their content in training algorithms, strengthening individual protection.

Failure to comply with these requirements can lead to heavy sanctions, in addition to seriously damaging reputation and competitiveness.

Criminal and administrative responsibility: new attention to security and ethics

A very relevant aspect concerns the criminal and administrative responsibilities associated with the use of AI. In particular:

The law introduces new crimes related to the failure to adopt or update security measures necessary to avoid risks when working with AI systems.
The illegal dissemination of content manipulated or generated through AI (for example deepfakes) is punished with prison sentences from 1 to 5 years.
Specific aggravating circumstances are provided for crimes committed using AI tools, extending the scope of responsibility also to market manipulation and political rights. These rules represent a strong incentive for companies to equip themselves with rigorous risk management tools and to promote an internal culture of responsibility and compliance.

Copyright and human creativity in the digital age

The legislation also addresses the delicate issue of intellectual property:

Works generated with AI support can only be protected if they present a real human creative contribution, not limited to automatic operations.
The use of content for training algorithms is regulated to ensure that authors can decide if and how to use their own data.

This allows protecting human creativity, protecting authors and maintaining a balance between automation and originality.

How does digital culture change and what are the opportunities?

The law is not limited to dictating technical rules, but aims for broad and participatory cultural change:

It provides training programs for workers, professionals, students and citizens, to spread digital skills and awareness of risks and opportunities.
It promotes accessibility of technologies for people with disabilities, while supporting gender equality and equal opportunities.
It encourages investments and public-private partnerships to create an innovative and responsible ecosystem, capable of combining technology and social sustainability.

Despite the commitment required for adaptation, the Law represents a strategic opportunity for companies that will be able to transform compliance into a competitive advantage:

They will be able to strengthen the trust of customers, partners and investors, distinguishing themselves for transparency and responsibility.
They will have access to public incentives and dedicated programs for startups and SMEs committed to digital innovation.
They will be able to better manage legal and reputational risks, avoiding sanctions and damage.

The return in terms of reputation and innovative capacity will be decisive in an increasingly competitive and regulated digital market.

A human, safe and inclusive digital future

Law 132/2025 marks the beginning of a new phase for AI in Italy, positioning the country among the European protagonists of regulation attentive to people and sustainable development. Companies and professionals must seize this challenge with speed and awareness, renewing organizational and cultural models. Only in this way will it be possible to build a safe digital ecosystem, transparent and ethical, in which technology accompanies people towards a future of inclusive and innovative growth.

Sources: