Italy has adopted a landmark AI law complementing the EU AI Act, providing safety provisions for specific sectors and promoting AI innovation through investments and a National AI Strategy

Yesterday, February 2, 2025, the first provisions of the EU AI Act went into effect, including those relating to AI literacy and prohibited systems. Prohibited systems include those that pose an unacceptable level of risk to fundamental rights, health, or safety, and penalties for their use can be up to €35 million or 7% of annual worldwide turnover. Providers and deployers of AI systems must ensure sufficient AI literacy for staff and agents. Compliance requires creating an inventory of AI systems, classifying them, and ensuring ongoing AI literacy training. Holistic AI offers a solution to simplify compliance with the EU AI Act.

The EU AI Act addresses the use of biometric technologies and their implications for privacy, security, and fundamental rights. Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person. The Act prohibits certain biometrics-related AI practices, such as real-time remote biometric identification systems in public spaces and biometric categorization systems inferring sensitive characteristics. Biometric verification is not prohibited but is still subject to GDPR and other applicable laws. High-risk biometrics-related AI systems, such as emotion recognition and remote biometric identification, must undergo a stricter conformity assessment involving a notified body. Organizations must evaluate their use cases against the Act's provisions to ensure lawful and ethical operation within the EU.

The European AI Office has initiated the drafting process for the first-ever Code of Practice for general-purpose AI (GPAI) models under the EU AI Act. The Code of Practice will serve as a guiding framework to align with the stringent requirements of the Act and ensure compliance. Over 1,000 stakeholders are involved in the drafting process, which will span four rounds of reviews and consultations, with the final version expected to be published in April 2025. The Code of Practice provides guidelines for GPAI model providers to demonstrate compliance with legal obligations, including identifying and addressing systemic risks. If the Code of Practice is not ready or deemed inadequate by 2 August 2025, the European Commission may introduce common rules to ensure compliance with the AI Act.

The EU AI Act focuses on data governance and management in AI development, with strict requirements for high-risk AI systems and general-purpose AI models to comply with. The Act also addresses the interplay between AI governance and personal data protection law, particularly the GDPR. The Act introduces new legal grounds for personal data processing and also mandates impact assessments to address risks to fundamental human rights and freedoms. However, AI technologies present unique challenges for privacy and personal data protection, and enterprises may need to navigate compliance with multiple regulatory frameworks. Proper preparation is vital to avoid the harsh consequences of non-compliance.