The EU AI Act is already in force. Italian Law 132/2025 is live. GDPR now explicitly covers automated decisions. If you deploy AI in your business and haven't reviewed your compliance posture, the clock is running.
Let's be direct: if your company uses AI (for customer service, HR decisions, operations, marketing, or anything else), you are already subject to a growing stack of European regulations. Some are already enforceable. Others kick in fully in August 2026. And the fines are not symbolic: we're talking up to 7% of your global annual turnover for the worst violations.
This post gives you a clear, practical map of the regulatory landscape: what applies to you, when, and what you need to do about it. No legalese. Just signal.
European AI regulation is not one law. It's a layered system where several regulations interact and overlap. Here's the quick map:
EU AI Act - Reg. (EU) 2024/1689
Who it affects: Any company that develops, deploys, or uses AI systems in the EU market
The first comprehensive EU law specifically for AI. In force since August 2024, fully applicable from August 2, 2026.
Max fine: 7% global turnover or €35M
Italian AI Law - L. 132/2025
Who it affects: All companies and public bodies operating in Italy that develop or use AI
Italy's first national AI law. In force since October 10, 2025. Introduces obligations for employers, professionals, and public bodies, with criminal penalties for some violations.
Penalties: criminal + GDPR-level admin fines via decree
GDPR - Reg. (EU) 2016/679
Who it affects: Any company processing personal data of EU residents
Already applies to your AI systems if they touch personal data, which most do. Automated decision-making, profiling, and AI training on personal data all trigger GDPR obligations.
Max fine: 4% global turnover or €20M
Digital Services Act - Reg. (EU) 2022/2065
Who it affects: Platforms, marketplaces, and social networks operating in the EU
Governs algorithmic recommendation systems, content moderation, and ad targeting. Applies to platforms since February 2024. Very large platforms (45M+ EU users) face stricter obligations.
Max fine: 6% global turnover
Data Governance Act + Data Act
Who it affects: Companies handling public data, IoT manufacturers, cloud providers
The DGA (applicable since September 2023) governs data sharing intermediaries and public data reuse. The Data Act (applicable from September 2025) gives users rights over IoT-generated data and removes cloud lock-in.
Max fine: up to 6% global turnover (Italy, DGA)
NIS2 - Dir. (EU) 2022/2555
Who it affects: Medium/large companies in 18 critical sectors (energy, health, finance, manufacturing, logistics, cloud)
Mandatory cybersecurity measures, incident reporting within 24–72 hours, and board-level accountability. Should have been transposed by all EU states by October 2024.
Max fine: 2% global turnover or €10M (essential entities)
The AI Act uses a risk-based approach. The higher the risk of the AI application, the stricter the rules.
Some AI uses are simply illegal, full stop:
If your AI touches any of the following areas, expect the full compliance burden:
For high-risk AI, you must implement risk management systems, technical documentation, human oversight mechanisms, registration in the EU AI database, and post-market monitoring. This is not checkbox compliance; it requires real engineering and governance investment.
If you deploy chatbots, AI-generated content, or deepfake-capable systems, you must clearly disclose to users that they are interacting with or seeing AI-generated output. This is already in effect.
The general-purpose model question
If you are building on top of foundation models such as OpenAI, Anthropic, Mistral, or Gemini, the model provider has their own obligations, but you, as the deployer, still carry responsibility for how the model is used in your specific application. You cannot hide behind the vendor.
Italy's Law 132/2025 entered into force on October 10, 2025. It is not just a transposition of the AI Act; it adds Italian-specific obligations across several sectors. If you operate in Italy, these apply now.
If you use AI systems that affect employees (scheduling, performance monitoring, task assignment, or hiring), you must inform workers in advance, update your GDPR privacy notices, and review your Data Protection Impact Assessment. This is not optional.
Article 13 requires lawyers, accountants, consultants, and other professionals to disclose to clients when AI systems are used in their work. AI is a tool, not a substitute for professional judgment, and if something goes wrong, the professional remains legally responsible regardless of what the AI said.
AI can be used to support diagnosis and treatment, but the clinical decision always stays with the doctor. AI-generated outputs must be validated; the physician carries full liability.
The law introduces criminal aggravation for crimes committed using AI, for example fraud via deepfakes or algorithmic manipulation of victims. Creating and distributing deceptive deepfakes is now a standalone criminal offense in Italy.
Many obligations in L. 132/2025 are still being detailed via implementing decrees
The regulatory picture will keep evolving through 2026. Businesses should map their AI systems now and build governance processes that can adapt, rather than waiting for the final text.
GDPR has been enforceable since 2018, but many businesses have not updated their compliance to reflect AI use. Here is where the friction is:
The Italian data protection authority has already issued significant fines in this space, including temporary suspensions of AI services. Don't assume GDPR is a solved problem just because you have a privacy notice.
February 2, 2025 - Already passed
AI Act prohibitions on unacceptable-risk practices are enforceable. Subliminal manipulation, social scoring, and certain biometric uses are banned.
August 2, 2025 - Already active
AI Act governance bodies are operational. General-purpose model obligations begin.
September 12, 2025 - Already active
EU Data Act applicable. IoT manufacturers must enable data access for users; cloud providers must remove switching fees.
October 10, 2025 - Already in force
Italian Law 132/2025. Employer information obligations, professional disclosure duties, and new criminal provisions are active.
August 2, 2026 - Five months away
Full AI Act applicability. High-risk AI system obligations, registration requirements, and technical documentation requirements become enforceable. This is the hard deadline.
January 20, 2027
New EU Machinery Regulation becomes applicable. AI-controlled machinery must meet updated safety and cybersecurity requirements.
These are the questions every business deploying AI should be able to answer today:
A note on SMEs
Many regulatory thresholds are calibrated for large companies, but the obligations themselves (transparency, documentation, human oversight) apply regardless of size. SMEs may get proportionate treatment on fines, but not on the substance of what is required. Starting now, even with a basic AI register and updated privacy notices, puts you ahead of most.
In February 2025, the European Commission withdrew its proposed AI Liability Directive. This means:
For businesses, this creates a short-term grey area, but not safety. The AI Act creates obligations whose violation can be used as evidence of negligence in civil proceedings. Companies that cannot explain their systems will be exposed. Document your systems and your governance decisions. The paper trail matters.
The European regulatory stack for AI is not a future problem. It is a current one. Multiple regulations are already in force, enforcement bodies are active, and the August 2026 deadline for the AI Act's high-risk provisions is closer than it feels.
Compliance is not just about avoiding fines. The AI Act requirements (risk management, documentation, human oversight, data quality) are essentially good engineering and governance practices. Companies that treat this as an engineering challenge, not just a legal one, will come out ahead.
At RAAS Impact, we help map your current systems against the regulatory landscape, design governance processes that don't slow you down, and build AI solutions that are production-ready and compliant from day one. If you're unsure where you stand, the right time to find out is before August 2026, not after.
Sources: Regulation (EU) 2024/1689 (AI Act) · Italian Law 132/2025 · Regulation (EU) 2016/679 (GDPR) · Regulation (EU) 2022/2065 (DSA) · Regulation (EU) 2022/868 (DGA) · Regulation (EU) 2023/2854 (Data Act) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2023/1230 (Machinery Regulation) · COM(2022) 496 final (withdrawn AI Liability Directive). This post is informational and does not constitute legal advice.