AI Regulations in Europe: What Every Business Must Do Before August 2026

The EU AI Act is already in force. Italian Law 132/2025 is live. GDPR now explicitly covers automated decisions. If you deploy AI in your business and haven't reviewed your compliance posture, the clock is running.

Let's be direct: if your company uses AI — for customer service, HR decisions, operations, marketing, or anything else — you are already subject to a growing stack of European regulations. Some are already enforceable. Others kick in fully in August 2026. And the fines are not symbolic: we're talking up to 7% of your global annual turnover for the worst violations.

This post gives you a clear, practical map of the regulatory landscape — what applies to you, when, and what you need to do about it. No legalese. Just signal.

 

The Big Picture: A Multi-Layer Regulatory Stack

European AI regulation is not one law. It's a layered system where several regulations interact and overlap. Here's the quick map:

🔵 EU AI Act — Reg. (EU) 2024/1689

Who it affects: Any company that develops, deploys, or uses AI systems in the EU market

The first comprehensive EU law specifically for AI. In force since August 2024, fully applicable from August 2, 2026.

Max fine: 7% global turnover or €35M

🇮🇹 Italian AI Law — L. 132/2025

Who it affects: All companies and public bodies operating in Italy that develop or use AI

Italy's first national AI law. In force since October 10, 2025. Introduces obligations for employers, professionals, and public bodies — with criminal penalties for some violations.

Penalties: criminal + GDPR-level admin fines via decree

🔒 GDPR — Reg. (EU) 2016/679

Who it affects: Any company processing personal data of EU residents

Already applies to your AI systems if they touch personal data — which most do. Automated decision-making, profiling, and AI training on personal data all trigger GDPR obligations.

Max fine: 4% global turnover or €20M

📱 Digital Services Act — Reg. (EU) 2022/2065

Who it affects: Platforms, marketplaces, and social networks operating in the EU

Governs algorithmic recommendation systems, content moderation, and ad targeting. Applies to platforms since February 2024. Very large platforms (45M+ EU users) face stricter obligations.

Max fine: 6% global turnover

📦 Data Governance Act + Data Act

Who it affects: Companies handling public data, IoT manufacturers, cloud providers

The DGA (applicable since September 2023) governs data sharing intermediaries and public data reuse. The Data Act (applicable from September 2025) gives users rights over IoT-generated data and removes cloud lock-in.

Max fine: up to 6% global turnover (Italy, DGA)

🛡️ NIS2 — Dir. (EU) 2022/2555

Who it affects: Medium/large companies in 18 critical sectors — energy, health, finance, manufacturing, logistics, cloud

Mandatory cybersecurity measures, incident reporting within 24–72 hours, and board-level accountability. Should have been transposed by all EU states by October 2024.

Max fine: 2% global turnover or €10M (essential entities)
 

Deep Dive: The EU AI Act — What It Actually Means for Your Business

The AI Act uses a risk-based approach. The higher the risk of the AI application, the stricter the rules.

❌ Prohibited Practices — banned from February 2025

Some AI uses are simply illegal, full stop:

  • Subliminal manipulation of human behavior
  • Social scoring systems by governments or companies
  • Real-time biometric surveillance in public spaces (with narrow exceptions)
  • AI systems that exploit vulnerability — such as age or disability — to influence decisions

⚠️ High-Risk AI — heavy obligations from August 2026

If your AI touches any of the following areas, expect the full compliance burden:

  • Recruitment, CV screening, employee monitoring, or performance evaluation
  • Credit scoring and insurance risk assessment
  • Access to education or vocational training
  • Administration of essential public services
  • Safety components in machinery, vehicles, or critical infrastructure
  • Biometric identification systems

For high-risk AI, you must implement risk management systems, technical documentation, human oversight mechanisms, registration in the EU AI database, and post-market monitoring. This is not checkbox compliance — it requires real engineering and governance investment.

ℹ️ Limited Risk — transparency obligations, active now

If you deploy chatbots, AI-generated content, or deepfake-capable systems, you must clearly disclose to users that they are interacting with or seeing AI-generated output. This is already in effect.

The general-purpose model question

If you are building on top of foundation models such as OpenAI, Anthropic, Mistral, or Gemini, the model provider has their own obligations — but you, as the deployer, still carry responsibility for how the model is used in your specific application. You cannot hide behind the vendor.

 

Italian Law 132/2025: The National Layer That's Already Live

Italy's Law 132/2025 entered into force on October 10, 2025. It is not just a transposition of the AI Act — it adds Italian-specific obligations across several sectors. If you operate in Italy, these apply now.

For Employers

If you use AI systems that affect employees — scheduling, performance monitoring, task assignment, or hiring — you must inform workers in advance, update your GDPR privacy notices, and review your Data Protection Impact Assessment. This is not optional.

For Professionals

Article 13 requires lawyers, accountants, consultants, and other professionals to disclose to clients when AI systems are used in their work. AI is a tool, not a substitute for professional judgment — and if something goes wrong, the professional remains legally responsible regardless of what the AI said.

For Healthcare

AI can be used to support diagnosis and treatment, but the clinical decision always stays with the doctor. AI-generated outputs must be validated; the physician carries full liability.

Criminal Penalties

The law introduces criminal aggravation for crimes committed using AI — for example, fraud via deepfakes or algorithmic manipulation of victims. Creating and distributing deceptive deepfakes is now a standalone criminal offense in Italy.

⚠️ Many obligations in L. 132/2025 are still being detailed via implementing decrees

The regulatory picture will keep evolving through 2026. Businesses should map their AI systems now and build governance processes that can adapt — rather than waiting for the final text.

 

GDPR + AI: The Overlap You're Probably Ignoring

GDPR has been enforceable since 2018, but many businesses have not updated their compliance to reflect AI use. Here is where the friction is:

  • Article 22 — Automated decisions: If your AI makes or heavily influences decisions about individuals (loan approval, job rejection, insurance pricing), people have the right to human review. This must be operationally implemented, not just written in a policy document.
  • DPIA requirement: Any AI system processing personal data at scale, using biometric data, or profiling individuals likely triggers a mandatory Data Protection Impact Assessment before deployment.
  • Training data: Using personal data to train AI models requires a valid legal basis. "It was publicly available" is not sufficient justification.
  • Explainability: Individuals have the right to understand the logic behind automated decisions that affect them. Black-box models may not satisfy this requirement.

The Italian data protection authority has already issued significant fines in this space, including temporary suspensions of AI services. Don't assume GDPR is a solved problem just because you have a privacy notice.

 

Key Dates: Your Compliance Timeline

 

February 2, 2025 — Already passed

AI Act prohibitions on unacceptable-risk practices are enforceable. Subliminal manipulation, social scoring, and certain biometric uses are banned.

 

August 2, 2025 — Already active

AI Act governance bodies are operational. General-purpose model obligations begin.

 

September 12, 2025 — Already active

EU Data Act applicable. IoT manufacturers must enable data access for users; cloud providers must remove switching fees.

 

October 10, 2025 — Already in force

Italian Law 132/2025. Employer information obligations, professional disclosure duties, and new criminal provisions are active.

 

August 2, 2026 — Five months away

Full AI Act applicability. High-risk AI system obligations, registration requirements, and technical documentation requirements become enforceable. This is the hard deadline.

 

January 20, 2027

New EU Machinery Regulation becomes applicable. AI-controlled machinery must meet updated safety and cybersecurity requirements.

 

What You Need to Do Now: A Practical Business Checklist

These are the questions every business deploying AI should be able to answer today:

  • AI inventory: Do you have a list of every AI system you use or deploy, including third-party tools integrated into your workflows?
  • Risk classification: For each system, do you know whether it falls under prohibited, high-risk, limited-risk, or minimal-risk under the AI Act?
  • Personal data audit: For every AI system that processes personal data, do you have a valid legal basis, an updated privacy notice, and a DPIA if required?
  • Human oversight: For AI systems that influence decisions about people, is there a documented human review mechanism?
  • Transparency: Are users informed when they interact with AI? Are AI-generated outputs labeled as such?
  • Employer obligations (Italy): Have you updated information notices to employees about AI systems used in HR processes?
  • Cybersecurity: If you're in a NIS2-covered sector, have you identified whether you qualify as an essential or important entity and started your risk management program?
  • Supply chain: Do your contracts with AI vendors include appropriate data processing agreements and compliance representations?

A note on SMEs

Many regulatory thresholds are calibrated for large companies, but the obligations themselves — transparency, documentation, human oversight — apply regardless of size. SMEs may get proportionate treatment on fines, but not on the substance of what is required. Starting now, even with a basic AI register and updated privacy notices, puts you ahead of most.

 

One More Thing: The AI Liability Directive Was Withdrawn

In February 2025, the European Commission withdrew its proposed AI Liability Directive. This means:

  • There is currently no unified EU framework for civil liability from AI damage
  • Liability cases fall back to national laws, which vary significantly across EU member states
  • Italy has not yet introduced specific national legislation on this point

For businesses, this creates a short-term grey area — but not safety. The AI Act creates obligations whose violation can be used as evidence of negligence in civil proceedings. Companies that cannot explain their systems will be exposed. Document your systems and your governance decisions. The paper trail matters.

 

The Bottom Line

The European regulatory stack for AI is not a future problem. It is a current one. Multiple regulations are already in force, enforcement bodies are active, and the August 2026 deadline for the AI Act's high-risk provisions is closer than it feels.

Compliance is not just about avoiding fines. The AI Act requirements — risk management, documentation, human oversight, data quality — are essentially good engineering and governance practices. Companies that treat this as an engineering challenge, not just a legal one, will come out ahead.

At RAAS Impact, we help map your current systems against the regulatory landscape, design governance processes that don't slow you down, and build AI solutions that are production-ready and compliant from day one. If you're unsure where you stand, the right time to find out is before August 2026 — not after.

Sources: Regulation (EU) 2024/1689 (AI Act) · Italian Law 132/2025 · Regulation (EU) 2016/679 (GDPR) · Regulation (EU) 2022/2065 (DSA) · Regulation (EU) 2022/868 (DGA) · Regulation (EU) 2023/2854 (Data Act) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2023/1230 (Machinery Regulation) · COM(2022) 496 final (withdrawn AI Liability Directive). This post is informational and does not constitute legal advice.

RAAS Impact

We’re not just another AI agency — we’re operators who’ve been in your shoes. With over 25 years (each) of hands-on experience leading digital transformation in global organizations, we understand what it really takes to drive change. We’ve built startups from zero, led enterprise platforms end-to-end, and solved problems from finance to logistics, from marketing performance to operational complexity.