Share with your CISO
Italy’s government moved on June 10, 2026 to convert the EU AI Act into enforceable national law, granting preliminary approval to two draft legislative decrees that build out a real compliance architecture. The Agenzia per l’Italia Digitale and the Agenzia per la Cybersicurezza Nazionale will anchor oversight, with sector regulators keeping their turf in banking, finance, and insurance. Employment-related AI decisions get specific attention, requiring documented human review. The practical demand signal is clear: companies operating in Italy must be able to demonstrate AI system governance on paper, not just in policy.
What this means for your business
The companies most exposed here are multinationals running AI systems across EU markets who treated the AI Act as a 2025 planning exercise and haven’t converted that plan into auditable evidence. Italy’s move matters because it’s the first major member state to begin translating the regulation’s risk classification framework into domestic enforcement machinery with named authorities and liability rules. If you operate there and your AI inventory is a spreadsheet someone owns part-time, you’re not on the right side of where this is heading.
The employment angle is where organizations tend to underestimate their exposure. Automated hiring, termination, or discipline decisions are legally sensitive under multiple existing frameworks, and these decrees layer an additional documentation requirement on top. The critical phrase in the Jones Day analysis, written by lawyers whose practice is built on companies getting this wrong, is “meaningful human review.” That word “meaningful” is doing a lot of work. A human clicking approve on a flagged candidate because the system ranked them first is not what regulators will accept. The audit trail has to show that a person actually engaged with the parameters the model used to reach its output, which most HR tech deployments today are not built to produce.
The broader pattern here is compliance gravity: once one large member state operationalizes an EU regulation with specific agencies, sanctions, and documentation standards, the pressure on neighboring jurisdictions and on the regulators in sectors like banking and insurance to match that specificity accelerates. Organizations that wait for their home-country implementation to finalize before building governance infrastructure are betting that the Italian timeline won’t set the pace. That bet gets harder to defend every month Italy moves forward, and I’d only revisit it if the decrees stall in Italy’s parliamentary review process, which remains possible but looks less likely given how far the approval process has already progressed.
Concept deep-dive: AI risk classification
The EU AI Act sorts AI systems into tiers based on the severity of harm they could cause, much like how electrical equipment gets safety ratings before it can be sold. “High-risk” systems, including those used in hiring, credit scoring, and law enforcement, face the strictest documentation, testing, and human oversight requirements. Getting the classification wrong in either direction creates liability: under-classify a system and you’ve skipped mandatory controls; over-classify and you’ve accepted compliance costs that weren’t legally required.
Based on reporting from Italy’s AI Compliance Push Enters a New Phase, originally published 2026-06-10 03:00:00.

