Italy: A TMT: Information Technology Overview
From Innovation to Governance: The Next Phase of the Digital Economy
2026 is set to be a defining year for Europe’s technology sector. According to market forecasts, technology spending across Europe is expected to grow by 6.3%, surpassing EUR1.5 trillion for the first time, driven by investment in artificial intelligence (AI), cloud computing, cybersecurity and the growing strategic priority of technological sovereignty. Italy reflects the same trajectory. According to the Artificial Intelligence Observatory of the Politecnico di Milano, the Italian AI market reached EUR1.8 billion in 2025, representing a 50% increase compared with the previous year. However, the figure that best captures the current landscape is not the level of investment, but the widening gap between technological innovation and the ability of organisations – and legal systems – to govern it effectively.
The most significant developments extend well beyond artificial intelligence, even if AI continues to dominate the headlines. Cloud computing remains the backbone of the digital economy, but it is increasingly recognised as critical infrastructure – subject to regulation, strategic competition and growing geopolitical significance. In the AI landscape, the key shift is from generative AI, which produces content in response to prompts, to agentic AI: systems capable of pursuing defined objectives by breaking them down into individual tasks, interacting with external tools and acting with limited human intervention. Cybersecurity, meanwhile, is no longer viewed as a purely technical issue, but as a core element of corporate governance. Digital platforms, in turn, have entered a new era of heightened regulatory scrutiny, with enforcement increasingly reshaping competitive dynamics across digital markets. These developments reflect a broader transformation. Technology is becoming increasingly global and infrastructural, while regulation is evolving from a tool for mitigating risk into an instrument of strategic autonomy and industrial policy. This shift is now most clearly reflected in the progressive implementation of the European Union’s core digital regulatory framework, whose principal pillars are entering their operational phase simultaneously.
The AI Act provides for phased implementation of its provisions. However, under the Digital Omnibus package, the European Union has postponed the application of the requirements governing high-risk AI systems until 2 December 2027 for standalone high-risk AI systems and until 2 August 2028 for high-risk AI systems incorporated into products. At national level, Italy has taken a different approach. With Law No 132/2025 – the country’s first comprehensive framework legislation on artificial intelligence, which entered into force on 10 October 2025 – the Italian legislature has established the core principles, governance architecture and legislative delegations underpinning the national AI framework, with the implementing decrees expected by October 2026.
The liability landscape has also evolved significantly. While the European Union has withdrawn the proposed AI Liability Directive, the revised Product Liability Directive (Directive (EU) 2024/2853), which member states must transpose by the end of 2026, expressly brings software and AI systems within its scope and strengthens the procedural tools available to claimants. As a result, the quality of technical documentation, the traceability of development processes and the review of contractual risk allocation mechanisms are becoming increasingly important for manufacturers and AI developers alike.
At the European level, the simplification introduced through the Digital Omnibus package is complemented by an equally strong drive to accelerate AI adoption. The Apply AI Strategy seeks to promote the uptake of AI across European businesses, with dedicated measures for SMEs, while shaping the allocation of EU funding and public procurement policies. Compliance with the AI Act will therefore become more than a regulatory obligation: it will increasingly represent a prerequisite for accessing certain markets, public contracts and funding opportunities.
At the same time, the Data Act has applied since September 2025, reshaping the cloud services market and redefining the contractual relationship between cloud providers and their customers.
In the cybersecurity sphere, the NIS2 Directive – implemented in Italy through Legislative Decree No 138/2024 and complemented by Law No 90/2024 strengthening the national cybersecurity framework – requires organisations to complete the implementation of the prescribed security measures by October 2026. Meanwhile, the Digital Operational Resilience Act (DORA) is already fully applicable to the financial sector, while the Cyber Resilience Act, which has already entered into force, introduces security-by-design requirements for products with digital elements and their components, with its core obligations becoming fully applicable from December 2027.
For digital platforms, enforcement of the Digital Services Act (DSA) and the Digital Markets Act (DMA) has become a structural feature of the regulatory landscape. The first enforcement decisions are already influencing the design of digital services, business models, and competitive dynamics across digital markets.
Overlaying these legislative instruments are well-established horizontal regulatory frameworks, most notably the GDPR – further reinforced by Regulation (EU) 2025/2518 on cross-border GDPR enforcement – and copyright law. Together, they continue to operate across the entire digital ecosystem, adding further complexity to the regulatory landscape applicable to AI-enabled services.
Much of the European digital rulebook is already in force. The challenge is not only compliance with new legislation, but ensuring that regulatory instruments developed independently of one another operate coherently in relation to technologies – such as agentic AI – that none of them expressly envisaged. This regulatory convergence is already reshaping the legal market. The value added by legal advisers no longer lies in mastering individual areas of law, but in their ability to co-ordinate overlapping regulatory frameworks, manage their interaction and translate them into workable governance structures. Matters such as negotiating agreements for AI-enabled digital services, structuring data governance and data usage rights, allocating regulatory risk across increasingly complex supply chains, ensuring compliance with new cybersecurity obligations and designing effective AI governance frameworks have become among the fastest-growing areas of technology legal practice. More fundamentally, this is the area in which legal expertise alone is no longer sufficient. Real value lies in transforming an increasingly fragmented body of regulation into a coherent governance framework.
The stakes extend well beyond regulatory compliance. According to Eurostat’s 2025 survey, the principal obstacle preventing European businesses from adopting AI is the lack of relevant skills (70.9%), followed by uncertainty over the legal implications (52.5%). Regulatory uncertainty therefore constrains technological investment almost as much as the shortage of talent, making legal certainty an increasingly important economic asset. Competitive advantage will belong to those organisations that turn governance from a perceived constraint on digital transformation into a driver of innovation, competitiveness and trust.
For businesses, 2026 is therefore more than another year of regulatory milestones: it marks a strategic turning point. The next competitive advantage will not belong simply to those that deploy artificial intelligence, but to those that succeed in embedding it within a credible governance framework, while others continue to regard governance as little more than a compliance exercise.