How to Get AgID Approval for Digital Platforms in Italy (Step-by-Step, Italia Digitale 2024–2026)

By Global Law Experts
– posted 1 hour ago

Any technology vendor planning to supply a digital platform, whether SaaS, a data-management solution or an integrated service, to an Italian Public Administration (PA) must navigate the approval and registration requirements administered by the Agenzia per l’Italia Digitale (AgID). The process is grounded in Legislative Decree No. 82 of 7 March 2005, known as the Digital Administration Code (Codice dell’Amministrazione Digitale, or CAD), which sets the legal framework for how PAs procure and operate digital services.

Understanding how to get AgID approval for digital platforms in Italy has become more urgent under the Italia Digitale 2024–2026 Three-Year Plan, which introduces tighter accessibility enforcement, new AI procurement guidance and strengthened cybersecurity requirements that directly affect the documents vendors must prepare and the timeline they should expect. This guide walks IT vendors, product managers, CIOs and in-house counsel through every stage, from initial eligibility checks through dossier assembly, submission, review rounds and final listing, with the realistic timelines, cost estimates and 2026-specific changes needed to plan an efficient application.

Overview of the AgID Approval Process and Who It Applies To

AgID is the technical regulatory agency responsible for driving Italy’s digital transformation across the public sector. Under the CAD, PAs are required to procure and use digital platforms that meet AgID’s technical rules on interoperability, accessibility, security and data management. Vendors that wish to supply platforms to PAs, or participate in public administration digital procurement, must demonstrate compliance with these rules through a formal registration, qualification or approval process administered or referenced by AgID.

The obligation applies broadly. It covers SaaS applications used by PA staff or citizens, cloud-hosted data platforms that process or store PA data, integrated service platforms connecting multiple PA systems, and qualified trust services such as electronic signatures and digital preservation. Italy is also accelerating its digital identity infrastructure: platforms that interact with citizens on behalf of a PA must typically support SPID (Sistema Pubblico di Identità Digitale) or CIE (Carta d’Identità Elettronica) authentication, both of which fall under AgID’s oversight.

Certain narrow exceptions exist. Purely internal tools used only by private-sector organisations with no PA interface, and small microservices that neither process PA personal data nor connect to PA systems, generally fall outside the scope of AgID registration. However, if a platform touches PA data, serves PA users or is offered through a public procurement channel, vendors should assume that AgID certification requirements apply. Where a platform involves critical cybersecurity functions, the Agenzia per la Cybersicurezza Nazionale (ACN) may also be consulted during the review process, adding a parallel layer of assessment.

Eligibility and Prerequisites for AgID Approval

Before preparing a submission, vendors must confirm that they, and their platform, meet the baseline eligibility criteria. The core threshold is straightforward: the platform must be intended for use by, or on behalf of, one or more Italian Public Administrations, or it must be offered through a public procurement framework that references AgID compliance.

Vendors should verify the following prerequisites before initiating the process:

  • Company registration. The vendor must be a legally constituted entity with a valid registration (in Italy, this means a visura camerale from the Camera di Commercio; foreign entities need an equivalent extract).
  • Tax identification. An Italian Codice Fiscale and/or VAT number, or a fiscal representative appointment for non-resident vendors.
  • Legal representative. A named individual authorised to sign declarations and bind the company.
  • Primary and security contacts. A nominated compliance contact and a dedicated security contact reachable via PEC (certified email) or equivalent.
  • EU/Italian presence (non-EU vendors). Non-EU companies must typically appoint a legal representative or local agent within the EU, provide a PEC address and ensure all submission documents are translated into Italian.

There are limited scenarios where a private vendor may supply a platform to a PA without full AgID registration, for instance, where a PA accepts vendor self-declarations of compliance within a specific procurement procedure. However, industry observers expect these exceptions to narrow under Italia Digitale 2026 enforcement, and relying on self-declaration alone carries significant contract and reputational risk. Vendors are strongly advised to pursue formal platform compliance in Italy through the full AgID process.

Foreign Applicant Requirements

Non-Italian companies face additional documentary steps. These include appointing a fiscal representative registered with the Agenzia delle Entrate, providing sworn Italian translations of corporate documents and powers of attorney, obtaining a qualified electronic signature from an AgID-listed trust service provider, and establishing a PEC address for official communications. All foreign-issued documents must generally be recent (issued within the preceding six months) and, where required, apostilled or legalised.

Step-by-Step Procedure: How to Get AgID Approval for Digital Platforms in Italy

The AgID approval process follows a structured sequence. The table below summarises each step, the responsible party and typical duration before the detailed walkthrough that follows.

Step | Who Does It | Typical Duration
1. Scope & pre-audit (gap analysis) | Vendor (product, legal, InfoSec) | 1–3 weeks
2. Architecture alignment (SPID, interoperability, hosting) | Engineering + DevOps | 2–8 weeks
3. Prepare compliance dossier (docs, DPIA, test reports) | Legal + InfoSec + external auditor | 2–6 weeks
4. Submit to AgID / PA portal | Vendor legal / PA contracting officer | Intake: 2–6 weeks
5. AgID review & clarifications | AgID (+ ACN if cybersecurity involved) | 4–12 weeks
6. Approval and listing | AgID / Publication | 1–4 weeks
Typical end-to-end (simple platform) | Vendor + AgID | 8–16 weeks
Typical end-to-end (complex: cloud/CSP/AI) | Vendor + AgID + ACN | 4–6 months

Step 1: Conduct a Scope Assessment and Internal Pre-Audit

Begin by confirming the PA scope of the platform. Determine whether it will serve national, regional or municipal administrations, as different tiers may trigger different procurement rules and security expectations. Map every data flow: identify what personal data or public records the platform will process, where data will reside, and which third-party sub-processors are involved.

Run an internal pre-audit covering three areas: (1) accessibility, measured against WCAG 2.1/2.2 standards; (2) security posture, benchmarked against ACN guidance and ISO 27001 controls; and (3) interoperability, checking whether the platform supports the required authentication protocols (SPID, CIE) and API standards. Identify the hosting model (IaaS, PaaS or SaaS) and confirm whether the cloud service provider (CSP) already holds AgID-compliant status. This pre-audit is performed by a cross-functional team of product, security, legal and solution architecture staff, and typically takes 1–3 weeks.

Step 2: Align Platform Architecture to AgID Technical Requirements

With gap-analysis results in hand, engineering and DevOps teams remediate the platform to meet AgID technical rules. Key alignment tasks include:

  • Authentication and identity. Integrate SPID and/or CIE identity flows where the platform interfaces with citizens or PA personnel. AgID publishes technical specifications for SPID service providers on its digital identity intervention area pages.
  • Interoperability APIs. Ensure APIs conform to the interoperability guidelines set out under the CAD and the Italia Digitale plan, including use of open standards and documented endpoints (OpenAPI specifications are strongly recommended).
  • Data residency and encryption. Apply encryption at rest and in transit. Confirm that data residency arrangements comply with Italian and EU requirements, particularly relevant for non-EU hosted platforms.
  • Logging and record retention. Implement audit logging sufficient for PA accountability obligations under the CAD.

This remediation phase typically takes 2–8 weeks depending on the platform’s existing maturity and the extent of necessary changes.

Step 3: Prepare the Compliance Dossier and Supporting Documentation

Assemble the full compliance dossier. This is the single most document-intensive step and the one where incomplete preparation causes the majority of delays. The dossier must include the technical architecture documentation, data flow diagrams, DPIA (where applicable), security assessment reports, accessibility conformance evidence, SLA terms, privacy processing agreements and all corporate identification documents. Refer to the required documents table in the next section for the complete list.

All documents must be formatted as PDF or PDF/A files. Declarations and cover letters must bear a qualified electronic signature (QES) from a provider listed on AgID’s trusted list of qualified certification service providers. Where multiple team members contribute (legal drafting the DPIA, InfoSec producing penetration test reports, an external auditor certifying accessibility), designate a single compliance lead to consolidate, cross-reference and quality-check the package. Allow 2–6 weeks for dossier preparation, with additional time if external audits (penetration testing, ISO 27001 certification) have not yet been completed.

Step 4: Submit to AgID or Register on the Designated Portal

Submit the completed dossier through the appropriate AgID portal or, where the registration is embedded in a PA procurement process, through the contracting authority’s designated platform. Ensure all attachments follow AgID naming conventions: label each document clearly (e.g., “DPIA_[CompanyName]_v1.0_2026.pdf”), include a cover letter listing all enclosed files, and attach the legal representative’s QES to the cover letter and any formal declarations.

Provide a nominated contact person’s details (name, PEC address, telephone) for all correspondence during review. If the submission is made jointly with a PA contracting officer (common in framework agreements), coordinate submission timing to align with the PA’s procurement calendar. AgID typically acknowledges receipt within 2–6 weeks, depending on submission volume and platform complexity.

Step 5: Respond to AgID Review Rounds and Corrective Action Requests

AgID reviews the dossier and may issue one or more requests for clarification or supplementary documentation. Common areas of query include insufficient detail in security assessment reports, incomplete subprocessor disclosures in the DPIA, gaps in accessibility conformance evidence, and SLA terms that do not meet PA procurement standards.

Each clarification request is communicated via PEC. The vendor’s compliance lead and technical contact should be prepared to respond within the timeframe specified in the request, typically 15–30 days per round. For platforms involving critical cybersecurity functions, AgID may refer the dossier to the ACN for a parallel security assessment, which can add 4–12 weeks to the review cycle. Maintain an internal tracker of all queries raised and responses submitted, as this log becomes valuable evidence of good-faith compliance and accelerates any subsequent renewal or variation process. The overall AgID application timeline for this review phase ranges from 4 to 12 weeks for straightforward submissions.

Step 6: Receive Final Approval, Listing and Begin Procurement Use

Once AgID is satisfied that all requirements are met, the platform receives formal approval or is added to the relevant qualified provider list. Publication of the listing typically occurs within 1–4 weeks of final acceptance. Post-approval, the vendor must comply with ongoing obligations: periodic compliance reporting (usually annual), notification of material changes to the platform’s architecture or data processing arrangements, and cooperation with any subsequent AgID or ACN audit. The platform may now be referenced in PA procurement procedures, and vendors should ensure their contractual terms (SLAs, data processing agreements, incident response commitments) are aligned with the conditions of approval.

Required Documents and Information for AgID Approval

The documents needed for an AgID submission vary by platform type, but the following table covers the standard dossier that vendors should expect to prepare. Each document must be formatted as specified and, where indicated, bear a qualified electronic signature.

Document | Notes (Who Issues It, Format, Validity)
Cover letter / application form | Signed by legal representative; PDF/A; include contact person and PEC address; attach QES where required.
Company registration extract (visura camerale) | Issued by Registro Imprese / Camera di Commercio; PDF; must be recent (≤6 months); translated to Italian if issued abroad.
Tax ID / VAT registration details | Issued by Agenzia delle Entrate; include Italian VAT if applicable or fiscal representative details for non-resident vendors.
Legal representative ID and power of attorney | Scanned ID plus signed PoA if submission is by a third party; QES recommended.
Technical architecture documentation | System architecture diagrams, hosting model (IaaS/PaaS/SaaS), network zones, data residency; PDF plus diagrams; include version number and date.
Data flow diagrams and data classification | Show who accesses what data; include processing purposes, retention periods, encryption at rest and in transit.
DPIA (Data Protection Impact Assessment) | Required if processing PA personal data or high-risk processing; signed by DPO where applicable.
Security assessment / penetration test report | Latest penetration test or vulnerability assessment; performed by an accredited tester; include remediation plan with dates.
Cybersecurity compliance evidence | Alignment with ACN guidance; ISO 27001 certificate if available; SOC reports if requested.
Accessibility statement & conformance evidence | WCAG 2.1/2.2 conformance test results, accessibility audit report, remediation plan; required under 2026 Italian enforcement updates.
SLA and contractual standard terms | Service levels, uptime guarantees, incident response times, data breach notification clauses; must be compatible with PA procurement rules.
Privacy notices and processing agreements | DPA template, subprocessors list, cross-border transfer safeguards (SCCs/adequacy decisions) if data leaves the EEA.
Qualified electronic signature / trust service evidence | Qualified certificates from providers on the AgID trusted list of qualified certification service providers.
Third-party supplier / CSP manifest | If using a CSP: CSP compliance statement per AgID circulars, contracts with CSP, evidence of data segregation.
Sample UI / API documentation | API documentation, OpenAPI specification, authentication flows (SPID/OAuth integration details).
Test environment access & instructions | Temporary credentials, test case descriptions, proof of data anonymisation if real data is used in testing.
AgID-specific forms / circular response tables | Reference specific AgID circular numbers; include a compliance matrix mapping each requirement to the supporting evidence provided.

Document Submission Format and Naming Conventions

Label every file using a consistent naming convention: [DocumentType]_[CompanyName]_[Version]_[Date].pdf. All formal declarations, cover letters and powers of attorney must carry a qualified electronic signature. Where a document is issued by a third party (e.g., a penetration test report from an external auditor), include the issuer’s name, accreditation details and report date. Foreign-language documents require a sworn Italian translation. Compile a master index listing every enclosed document, its file name, page count and version; this accelerates AgID’s intake review and reduces the likelihood of requests for clarification based on missing items.

AgID Application Timeline and Key Deadlines

No single statutory deadline governs every AgID approval uniformly. Timelines vary by platform type, submission completeness and whether cybersecurity consultation with the ACN is triggered. The table below sets out realistic milestone durations based on the structure of the process and practical experience.

Milestone | Typical Duration from Prior Milestone
Internal gap analysis complete | 1–3 weeks from project start
Architecture remediation completed | 2–8 weeks from start of remediation
Dossier assembled and quality-checked | 1–2 weeks after remediation complete
Submit to AgID / PA portal | Day 0, submission date
AgID initial intake response | 2–6 weeks from submission
Clarification round(s), if any | 2–8 weeks per round
Security/ACN consultation, if triggered | Additional 4–12 weeks
Final approval / listing publication | 1–4 weeks after acceptance
Renewal / periodic reporting | As specified in AgID conditions (usually annual or on material change)

For a straightforward SaaS platform with complete documentation and no cybersecurity referral, the likely practical effect is an end-to-end timeline of 8–16 weeks. Complex submissions (cloud-hosted platforms, CSP qualification applications, or AI-enabled services requiring transparency assessments) should allow 4–6 months. Under the Italia Digitale 2026 plan, early indications suggest that enhanced accessibility and cybersecurity review steps may add several weeks to the typical timeline, making early preparation essential. If the platform is being submitted in connection with a specific procurement deadline, coordinate submission timing with the PA contracting officer to avoid misalignment between AgID review cycles and tender closing dates.

Costs, Fees and Tax Considerations

AgID does not typically charge a flat application or registration fee for standard platform submissions. However, the indirect costs of achieving and maintaining compliance are significant. The table below provides estimated ranges for the principal cost items that vendors should budget for.

Item | Typical Amount (Estimate) | Notes
External penetration test / security audit | €3,000 – €25,000 | Depends on platform size and scope; required for many PA contracts.
Accessibility audit & remediation | €2,000 – €20,000 | Depends on number of pages/functionalities; 2026 enforcement increases importance.
ISO 27001 certification (if needed) | €10,000 – €50,000+ | Initial certification and implementation; ongoing surveillance audit costs additional.
Legal & DPA / contract drafting | €2,000 – €15,000 | Depends on counsel rates and negotiation complexity.
Translation / notarisation (foreign docs) | €200 – €2,000 | Sworn translations and apostilles for non-Italian documents and PoAs.
CSP compliance evidence / third-party attestation | €1,000 – €10,000 | For CSP audit reports (SOC 2), contractual reviews.
Ongoing compliance monitoring & reporting | €500 – €5,000/month | Managed security, accessibility monitoring and periodic AgID reporting.

Non-resident vendors should note that Italian VAT and withholding tax rules apply to supplies made to PAs. A fiscal representative may be required for invoicing purposes. Tax counsel should be consulted early in the process to ensure that pricing models and contractual payment terms are structured correctly for the Italian public-sector context.

What Changes in 2026: Italia Digitale and New AgID Approval Requirements

The Italia Digitale 2024–2026 Three-Year Plan introduces several changes that directly affect how vendors prepare their AgID submissions. Vendors assembling dossiers in 2026 should account for the following developments:

  • Strengthened accessibility enforcement. AgID has expanded its enforcement powers over digital accessibility. Providers must now supply explicit accessibility conformance reports tested against WCAG 2.1/2.2 standards, together with documented remediation timelines for any outstanding non-conformances. AgID can investigate non-compliance and impose sanctions, making a thorough accessibility audit a practical prerequisite rather than an optional enhancement. The new document commonly requested is a detailed accessibility test report with remediation plan.
  • AI procurement guidance. The Three-Year Plan includes new requirements for transparency in AI-enabled platforms procured by PAs. Industry observers expect that platforms incorporating machine learning or automated decision-making will need to provide an algorithmic impact assessment and evidence of dataset provenance and bias testing. While detailed binding rules continue to develop, vendors should prepare these documents proactively.
  • Updated CSP and cloud rules. AgID circulars governing cloud service providers have been tightened. Platforms hosted on third-party cloud infrastructure must now demonstrate stronger data segregation, provide updated CSP compliance statements referencing the latest AgID circular requirements, and include contractual clauses that explicitly address data localisation and incident notification obligations. The new document commonly required is a CSP compliance statement referencing current AgID circulars.
  • Greater ACN involvement. The Agenzia per la Cybersicurezza Nazionale (ACN) now plays a more active role in reviewing high-impact platforms. Where a submission involves critical infrastructure, large-scale personal data processing or cross-border data flows, AgID may refer the dossier to ACN for a parallel cybersecurity assessment, adding 4–12 weeks to the review timeline and requiring vendors to supply additional cybersecurity requirements documentation aligned with Italy’s national cybersecurity strategy.

The cumulative effect of these 2026 changes is a longer preparation phase and a broader dossier. Vendors are well advised to begin accessibility audits and security assessments early, and to engage qualified counsel familiar with the current state of AgID circulars and ACN guidance before assembling the final submission.

Common Pitfalls in the AgID Approval Process and How to Avoid Them

  • Incomplete DPIA or missing subprocessors list. One of the most frequent causes of clarification requests. Prepare the DPIA early, list every subprocessor with their role and location, and update the register whenever a subprocessor changes. An incomplete DPIA can delay approval by an entire review cycle.
  • Using real production data in the test environment. Submitting a test environment that contains live personal data raises immediate data-protection concerns. Use anonymised or fully synthetic datasets, and document the anonymisation method in the test environment instructions.
  • Missing qualified electronic signatures on declarations. Unsigned or improperly signed cover letters and declarations are rejected at intake. Obtain a QES from a provider listed on AgID’s trusted list of qualified certification service providers before preparing any formal documents.
  • Ignoring accessibility remediation under 2026 enforcement rules. The expanded enforcement regime means accessibility gaps that might previously have been accepted with a future remediation commitment now require concrete evidence of current conformance. Run an accessibility audit at the start of the process, not as an afterthought, and schedule remediation sprints before dossier assembly.
  • Failing to include contractual commitments to PAs. AgID expects vendors to demonstrate that their SLAs, incident response procedures and data breach notification timescales are compatible with PA procurement standards. Include clear contract annexes, a sample escalation path and specific uptime commitments rather than vague service descriptions.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Enrico Morello at Lexant SBtA a r.l., a member of the Global Law Experts network.

FAQs

How do I apply for AgID approval or certification for a digital platform in Italy?
The application follows six main steps: conduct an internal gap analysis, align your platform architecture to AgID technical requirements (including SPID integration and interoperability APIs), assemble a compliance dossier with all required documents, submit through the AgID portal or the relevant PA procurement platform using PDF/A files with qualified electronic signatures, respond to any clarification requests during the review period, and receive final approval and listing. The full step-by-step procedure is set out in the process section above.
The standard dossier includes a cover letter with QES, company registration extract, tax identification, technical architecture documentation, data flow diagrams, a DPIA (where applicable), penetration test reports, cybersecurity compliance evidence, an accessibility conformance report, SLA terms, privacy processing agreements, CSP compliance statements (for cloud-hosted platforms), API documentation and test environment access. The full documents table above lists each item with format and validity requirements.
A straightforward submission with complete documentation typically takes 8–16 weeks from submission to listing. Complex platforms (those involving cloud qualification, AI components or critical cybersecurity functions requiring ACN consultation) should allow 4–6 months. The 2026 changes to accessibility enforcement and ACN involvement may add several weeks to either estimate.
In limited circumstances, a PA may accept a vendor’s self-declaration of compliance within a specific procurement procedure without requiring full AgID registration. However, this approach carries significant legal and reputational risk, and the trend under Italia Digitale 2026 is toward stricter enforcement. Vendors relying on self-declaration should still prepare a DPIA, security evidence and contractual warranties that mirror AgID standards, and should treat formal registration as the preferred pathway.
Yes. Non-Italian companies may apply but must appoint a legal or fiscal representative in the EU, provide a PEC (certified email) address for official communications, obtain a qualified electronic signature from an AgID-listed trust service provider, and submit sworn Italian translations of all foreign-language corporate documents and powers of attorney. Foreign company registration documents must typically be recent (issued within the preceding six months) and may require apostille or legalisation.
AgID will typically issue a formal request for clarification via PEC, specifying the missing or insufficient items and a deadline for response (usually 15–30 days). Failure to respond within the deadline may result in the application being suspended or, in persistent cases, refused. If a deadline is missed, contact AgID promptly to request an extension and engage legal counsel to prepare the corrective documentation. Maintaining an internal tracker of all queries and responses helps demonstrate good-faith compliance and can facilitate faster resolution.