Guest Post · Legal & Technical Analysis

AI Procurement in Italian PA: AgID's Public Consultation Closes

Reflections ahead of the opinion of the Italian Data Protection Authority

Avv. Massimo Caredda · MC Studio Legale, Cagliari

01 — AgID Guidelines on AI Procurement in Public Administration

On 19 March 2026, AgID opened the public consultation on the draft Guidelines for the procurement of Artificial Intelligence in the Italian Public Administration (Determination no. 43/2026), adopted under the D.P.C.M. of 12 January 2024 (Three-Year IT Plan 2024-2026). The 105-page document, version 1.0, addresses all public bodies under art. 2, par. 2 of the Digital Administration Code (CAD) and applies to any AI system used as an integrated component or in support of institutional functions.

The document proposes a governance framework covering the entire contractual lifecycle: programming, design, award, signature, execution.

The regulatory framework is broad: AI Act (Reg. EU 2024/1689), GDPR, Data Act (Reg. EU 2023/2854, applicable from 12 September 2025), Italian Public Contracts Code (Legislative Decree 36/2023), Law 132/2025 (Italian AI law), NIS2, Cyber Resilience Act.

The structure is built around three operational chapters:

  • Ch. 3 — How to acquire AI systems: technology families (statistical AI, ML, Deep Learning, GenAI), logical architecture (orchestrator / models / data / application tools), the role of data, cybersecurity, risk management.
  • Ch. 4 — Metrics, costs, monitoring (LCOAI): Levelized Cost of AI — CAPEX + OPEX + organizational costs + exit and transition costs. Comparability across API, cloud-hosted, self-hosted, hybrid solutions.
  • Ch. 5 — Tender tools and cooperation between PAs: outcome-oriented technical specifications, MEAT criteria, evolutionary clauses, data portability, framework agreements, purchasing aggregations, interoperability.

02 — Data as an Autonomous Legal Asset in AI Procurement

The Guidelines dedicate an entire paragraph (§ 3.4) to the role of data, qualifying it as an autonomous and defining component of the AI system, distinct from models and application tools. According to the Guidelines, data management cannot be implicitly delegated to the supplier: it must be the subject of explicit assessment from the programming phase onward.

The Guidelines distinguish four data macro-categories:

#  | Category                           | Description
01 | PA-owned data                      | Data collected/processed by the PA in the exercise of institutional functions
02 | Personal and special-category data | Under arts. 4 and 9 GDPR
03 | Third-party data                   | Commercial datasets, external open data
04 | Data generated by the AI system    | Outputs, operational logs, metadata, tracking data

On data reuse for training purposes, the Guidelines highlight that supplier SLAs should specifically govern the conditions under which the supplier may use data available to the contracting authority for further purposes — including training, improvement and reuse of models.

Without a dedicated contractual clause, the PA exposes itself not only to private monetization of public data potentially incompatible with the public interest, but also to non-compliance with GDPR principles of lawfulness (lacking a valid legal basis), data minimization and purpose limitation, with consequent liability and sanction risks — including under arts. 82 and 83 GDPR — for both the supplier and the contracting authority.

03 — Cybersecurity as a Procurement Obligation

The Guidelines incorporate the NIST taxonomy of AI-specific attacks (§ 3.6.2), framing them as risks to be translated into contractual obligations, tender criteria and acceptance conditions — not as ancillary technical requirements.

Category              | Description                                                                                                       | GDPR relevance
Evasion Attacks       | Input perturbations to alter the trained model's classification                                                   | Art. 32 — appropriate technical and organizational measures
Poisoning Attacks     | Corruption of training data — degrades performance or implants backdoors in the model                             | Art. 5.1.d — data accuracy principle
Privacy Attacks       | Data reconstruction, Membership Inference, Model Extraction: reconstructing personal data from the trained model  | Art. 4 no. 12 — Data Breach. Notification duties under arts. 33–34 GDPR
Abuse Attacks (GenAI) | Prompt injection, data exfiltration via AI agents, manipulation of generative system behavior                     | Art. 32 — risk assessment; organizational safeguards on AI agents

Security requirements to be translated into tender specifications (§ 3.6.3)

  • Risk management system documented and maintained by the supplier prior to system delivery.
  • Training datasets subject to governance policies appropriate to the use context and intended purposes.
  • Automatic logging throughout the entire AI system lifecycle.
  • Human oversight contractually guaranteed — adequate HMI interfaces designed in.
  • Exhaustive list of authorized operations for AI agents (explicit allowlist — no unforeseen action).
  • Emergency control and documented procedures for rapid recovery in case of anomalous behavior.
  • Periodic audits with mandatory full supplier cooperation.
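Three of the requirements above (the explicit allowlist of agent operations, automatic logging and emergency control) can be made concrete in a small gateway that sits between an AI agent and the tools it is permitted to call. The following is an added illustration and is not code from the AgID Guidelines or from any supplier; the tool names, the argument rules, the institutional mail domain (`example-pa.it`) and the agent requests it replays are all constructed for the example.

```python
"""Default-deny gateway for AI-agent tool calls (constructed example).

Enforces an explicit allowlist of operations, refuses arguments the policy
did not foresee, records every decision in an audit log and offers an
emergency halt that refuses all calls until an operator resumes the agent.
"""
from __future__ import annotations

import json
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# A validator inspects the arguments of one call and returns None when they
# are acceptable, or a refusal reason otherwise.
Validator = Callable[[dict], Optional[str]]


@dataclass
class ToolPolicy:
    """One allowlisted operation: the argument keys it accepts, plus an optional validator."""
    allowed_args: frozenset
    validator: Optional[Validator] = None


@dataclass
class AgentGateway:
    """Gate between the agent and its tools: anything not allowlisted is refused."""
    policies: dict
    audit_log: list = field(default_factory=list)
    halted: bool = False

    def emergency_halt(self, reason: str) -> None:
        """Emergency control: every subsequent call is refused until resume() is called."""
        self.halted = True
        self._record("*", {}, "halted", reason)

    def resume(self, reason: str) -> None:
        self.halted = False
        self._record("*", {}, "resumed", reason)

    def authorize(self, tool: str, args: dict) -> tuple:
        """Decide whether the agent may execute tool(args); the decision is always logged."""
        if self.halted:
            return self._deny(tool, args, "gateway halted by emergency control")
        policy = self.policies.get(tool)
        if policy is None:
            return self._deny(tool, args, f"operation '{tool}' is not in the allowlist")
        unexpected = set(args) - policy.allowed_args
        if unexpected:
            return self._deny(tool, args, f"unforeseen arguments: {sorted(unexpected)}")
        if policy.validator is not None:
            problem = policy.validator(args)
            if problem:
                return self._deny(tool, args, problem)
        self._record(tool, args, "allowed", "matches allowlist")
        return True, "allowed"

    def _deny(self, tool: str, args: dict, reason: str) -> tuple:
        self._record(tool, args, "denied", reason)
        return False, reason

    def _record(self, tool: str, args: dict, decision: str, reason: str) -> None:
        self.audit_log.append(
            {"ts": time.time(), "tool": tool, "args": args, "decision": decision, "reason": reason}
        )

    def export_log(self) -> str:
        """JSON Lines export of the audit trail, the artefact a periodic audit would review."""
        return "\n".join(json.dumps(entry, sort_keys=True) for entry in self.audit_log)


def internal_recipients_only(args: dict) -> Optional[str]:
    """Constructed rule: outbound mail may only go to the PA's own (hypothetical) domain."""
    if not str(args.get("to", "")).endswith("@example-pa.it"):
        return "recipient outside the institutional domain"
    return None


def build_demo_gateway() -> AgentGateway:
    """Constructed policy for a hypothetical document-triage agent."""
    return AgentGateway(policies={
        "search_protocol_registry": ToolPolicy(frozenset({"query", "year"})),
        "send_email": ToolPolicy(frozenset({"to", "subject", "body"}), internal_recipients_only),
    })


def run_demo() -> list:
    """Replays constructed agent requests and returns the decisions in order."""
    gw = build_demo_gateway()
    requests = [
        ("search_protocol_registry", {"query": "building permit", "year": 2025}),
        ("send_email", {"to": "ufficio.tecnico@example-pa.it", "subject": "Triage", "body": "..."}),
        ("send_email", {"to": "someone@external.example", "subject": "x", "body": "..."}),  # outside domain
        ("delete_records", {"table": "protocol"}),  # operation never allowlisted
        ("search_protocol_registry", {"query": "x", "raw_sql": "..."}),  # unforeseen argument
    ]
    results = [gw.authorize(tool, args)[0] for tool, args in requests]
    gw.emergency_halt("anomalous behaviour reported by the operator")
    results.append(gw.authorize("search_protocol_registry", {"query": "x"})[0])
    return ["allowed" if ok else "denied" for ok in results]


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is default deny: an operation or argument the policy author did not list is refused rather than passed through, which is what "no unforeseen action" requires, and the refusal itself becomes a log line the periodic audit can review.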

04 — Open Question: Is the Supplier Still a Recipient of Personal Data?

As seen above, the Guidelines call for contractual clauses and technical specifications that limit the supplier's reuse of data for further purposes. But a foundational question remains: in the presence of robust pseudonymization measures, does the supplier still qualify as a recipient of personal data under the GDPR?

The shift: CJEU C-413/23 P — «Deloitte ruling» (4 September 2025)

The Court introduces the principle of relativity in qualifying data as «personal»: such qualification is not an ontological property of the information, but a relational one — it depends on who processes the data and the means actually available to trace back the data subject's identity.

  • For the Controller (SRB): always personal data. It holds the re-identification key, and the art. 13 GDPR information duty persists regardless of the recipient's classification.
  • For the Third-party Recipient: potentially anonymous. If they neither possess nor can reasonably obtain the means to trace back identity, the data may not be personal for that specific entity.

The two cumulative conditions

  1. The recipient must not be able to revoke pseudonymization measures during any processing carried out under their control.
  2. The measures must concretely prevent attribution of data to the data subject — including via cross-checks with other identification means — so that for that recipient the data subject is not, or is no longer, identifiable.

That said, the CJEU confirmed that the entity receiving the data — even if pseudonymized with no reasonable possibility of re-identification — must still be considered a «recipient» under current legislation, with all the related consequences, including the information duties to data subjects under arts. 13 and 14 GDPR.

Digital Omnibus (COM(2025) 837) and the EDPB/EDPS Joint Opinion 2/2026

The proposed amendment to the GDPR, part of the «Digital Omnibus» reform project, attempts to codify this approach.

Digital Omnibus proposal
  • Amendment of art. 4.1 GDPR: data is non-personal where the controller cannot reasonably identify the data subject.
  • Art. 41-bis: Commission implementing acts to specify qualification criteria.
  • New art. 88c: legitimate interest as an explicit legal basis for AI training.

EDPB + EDPS — Joint Opinion 2/2026
  • Opposed to the art. 4.1 amendment: risk of architectures artificially built to escape the GDPR («points of irresponsibility»).
  • The controller might share «relatively non-personal» data, over-relying on security measures.
  • Suggested adoption of further EDPB guidelines instead of a structural legislative change to the notion of personal data.

05 — Conclusions Ahead of the Italian DPA's Opinion

The public consultation on the AgID Guidelines closed on 11 April. The themes addressed are highly sensitive and timely; nonetheless, on certain fronts there is a lack of «clear» guidance for operators facing the need to procure AI systems for institutional functions.

We will see whether the observations of stakeholders — PAs, AI market operators, DPOs, CISOs — have helped turn the document into a tool for awareness on the systematic integration of procurement, protection and data governance.

Equally interesting will be the observations of the Italian Data Protection Authority, called to issue its opinion on the draft Guidelines as updated based on the public consultation outcomes.

Avv. Massimo Caredda — MC Studio Legale, Cagliari · #PrivacyLaw #GDPR #AIAct #DPO #DigitalOmnibus

Does your PA or AI vendor need to prepare for the new framework?

Tomato Blue supports public bodies and AI market operators on tender specifications, DPIAs, data governance and cybersecurity for AI systems.
