Deterministic validation systems upstream and downstream of LLM calls, to drastically reduce the risk of agents hallucinating data, deviating from policies or producing non-compliant output.
EU AI Act: why compliance is a code problem, not a paperwork problem
Most of the European obligations will apply from August 2, 2026, and Italy - with Law 132/2025 already in force and implementing decrees on the way - is building a regime of criminal and corporate liability for those releasing AI systems without oversight.
The August 2, 2026 deadline and the Italian path to compliance
The AI Act is already partially in effect. EU Regulation 2024/1689.
The prohibitions apply from February 2025, and August 2, 2026 brings the application of most remaining provisions, including obligations for high-risk systems.
A common misconception is that the regulation only affects those who create the base models (OpenAI, Anthropic). The reality is different: the Regulation directly affects deployers - that is, those who use an AI system under their own responsibility in business processes (Art. 3(4)). They are required to ensure human oversight, logging, and compliant use (Art. 26).
How to apply it in our case
In Italy, the framework should be read on two levels.
Already in force.
Law 132/2025 (in force since October 10, 2025) has directly introduced new criminal offenses related to AI, including the crime of unlawful dissemination of content generated or altered with AI (art. 612-quater c.p., deepfake) and a common aggravating factor for crimes committed through Artificial Intelligence systems (art. 61 no. 11-decies c.p.).
On the way.
On June 10, 2026, the Council of Ministers approved in preliminary review (Press Release no. 177) two draft implementing decrees. They are not law yet but define the direction, and the deadline for adoption is October 2026. The drafts assign oversight to two authorities: AgID as the notification authority, ACN as the market supervision and data security authority.
What the draft decrees are about to put on the table
1
A new crime (proposed art. 437-bis c.p.)
Failure to implement security measures in high-risk AI systems, where the omission of technical barriers or human oversight leads to a concrete danger for people or public safety. Criminal liability is not "automatic for top management": it falls on those who actually failed to put in place the required measures, with intent or gross negligence.
2
Extension of D.Lgs. 231/2001 (proposed art. 25-vicies)
The offense could become a predicate crime for corporate administrative liability, with financial and prohibitive sanctions: this is where the risk affects the company as an entity.
3
Automated workplace decisions
The drafts prohibit entrusting solely to an algorithm the decisions on hiring, dismissal, and disciplinary measures, reserving the final decision to a human being; for dismissals made in violation, nullity is expressly provided.
⚠️ Status of the process (updated June 2026)
The points come from decrees in preliminary review, not yet in force. The information reflects the regulatory status at the indicated date, does not replace legal advice and we will try to update them once the final texts are published in the Official Gazette.
The "easy" compliance bluff
Our position is clear
True AI Act compliance is not about filling in a PDF or purchasing a compliance dashboard license. The list of theoretical obligations must be transformed into practical actions which the IT team must translate and implement to avoid penalties.
And the AI Act's penalties are progressive: up to 3% of global turnover or €15M for obligations on providers and deployers, up to 7% or €35M for those adopting prohibited practices. Every non-architectural shortcut is a debt that comes due at an ACN inspection.
Compliance with the AI Act is not an after-the-fact administrative activity. It is a non-functional requirement of the architecture. It must be anticipated and written into the code, otherwise — without architecture — it’s technical-regulatory debt.
We'll help you implement the law.
Compliance by Design
1
Guardrail Engineering (Art. 15 - accuracy, robustness, cybersecurity.)
2
LLM Observability & immutable tracking (Art. 12 - record-keeping).
3
Human-in-the-Loop Architectures (Art. 14 - human oversight.)
4
Data sovereignty and proprietary code (No vendor lock-in.)
Do you want to know where you're really exposed?
With a free analysis, we map your AI systems to the 4 pillars - Guardrails, Observability, Human-in-the-Loop, Data Sovereignty - and deliver your top priority gaps with respect to AI Act obligations. No strings attached.
We've already done it
Our AI Auditing use case
Not theory. In our portfolio is the Advanced Auditing Agentic AI Platform: a multi-tenant system designed to conduct complex audits, manage the knowledge base in a controlled way and mitigate hallucinations. In practice, all knowledge remains federated and the AI cannot leave the boundaries of the designed domain. The harness is not just good engineering practice: it's a fundamental requirement.
Some clarifications to help you understand what’s happening
Questions about the EU AI Act
Who is a "deployer" under the AI Act?
What changes on August 2, 2026?
What penalties does a company face?
Is the Italian regulation already in force?
Which official documents and institutional sources do you refer to?
Disclaimer
Informational and engineering-focused content. The information reflects the regulatory status at the date of update (see the sources listed in the FAQ on this page for more details) and does not represent legal advice. The content of this page, however thoroughly checked, may contain errors or incorrect interpretations. For actual evaluations and/or specific cases talk to a qualified professional, or call us and we’ll involve one together.
Last update: June 2026.
Want to discover the real impact of our solutions?
Don’t leave your AI compliance up to chance or a typical 80-page PDF. The adoption of AI must not be slowed down by bureaucracy, turned into an additional cost, or become a legal gamble: we build agentic systems that are stable, secure, and compliant from the first line of code. Clear ideas, clear business.
