AIPIA — Italian AI Professionals Association
EU AI Act

EU AI Act: practical guidance for international AI practice

Regulation (EU) 2024/1689 is the world's first comprehensive AI law. It applies to any organisation deploying AI in the European market — regardless of where the organisation is established. AIPIA distils the regulation into practitioner-level guidance through working groups, member briefings, training, and an open-access AI Act guide.

Why it matters

The first horizontal AI law with global reach

The AI Act creates a single legal framework for artificial intelligence across the 27 EU member states. Like the GDPR before it, the regulation applies extraterritorially: if your AI system serves users in the EU, the regulation applies — even if your organisation is in Boston, Dubai, London, or São Paulo.

The regulation takes a risk-based approach. Practices deemed incompatible with EU values are prohibited outright. High-risk uses face strict obligations on documentation, oversight, and conformity assessment. Limited-risk uses require transparency. Minimal-risk uses are encouraged to adopt voluntary codes.

For international organisations, the AI Act is rapidly becoming a de facto global standard. The UK is developing its own framework around shared principles; the UAE has issued an AI Charter aligned with international norms; countries in Latin America and Asia are following the European model. Compliance built for the AI Act now will satisfy most emerging frameworks elsewhere.

What AIPIA provides

  • An open-access AI Act guide maintained by the AIPIA CTS
  • Working groups on risk classification, GPAI obligations, and sectoral application
  • Member briefings when the European Commission, Italian authorities, or EDPB publish guidance
  • Training programmes that conclude with the European Digital Credential in AI Act compliance
  • Code of Ethics aligned with the regulation's spirit and obligations
  • AI-specific professional liability insurance for members exposed to AI Act risks

Risk tiers

Four tiers, four sets of obligations

The AI Act classifies every AI system by its level of risk to health, safety, and fundamental rights. Each tier triggers a distinct compliance pathway.

Unacceptable risk · prohibited
  • Social scoring by public authorities
  • Real-time biometric identification in public spaces (with narrow law-enforcement exceptions)
  • Manipulative or deceptive AI causing harm
  • Exploitation of vulnerabilities of specific groups
  • Untargeted scraping of facial images for recognition databases
  • Emotion recognition in workplace and education (with limited medical/safety exceptions)

High risk · strict obligations
  • AI in critical infrastructure (transport, energy, water)
  • Education and vocational training (admissions, evaluation)
  • Employment, workforce management, access to self-employment
  • Essential services (credit scoring, benefits, emergency dispatch)
  • Law enforcement, migration, asylum, border control
  • Administration of justice and democratic processes
  • Biometric identification, categorisation, and emotion recognition (where not prohibited)
  • Safety components of regulated products (machinery, medical devices, vehicles)

Limited risk · transparency
  • Chatbots and AI-generated content disclosure
  • Deepfake labelling
  • Emotion recognition outside high-risk contexts

Minimal risk · voluntary codes
  • AI-powered video games
  • Spam filters
  • Most consumer AI applications

Roles

Who carries which obligations

The same organisation can hold multiple roles for different systems. A company that builds an AI tool and deploys it internally is both provider and deployer for that system.

Providers

Organisations that develop AI systems and place them on the market. They carry the most demanding obligations: risk management, data governance, technical documentation, transparency, human oversight, accuracy and robustness, conformity assessment, and post-market monitoring.

Deployers

Organisations that use AI systems under their own authority. Obligations vary by risk tier: human oversight, log retention, fundamental-rights impact assessment for public bodies and select sectors, transparency toward affected individuals.

Importers and distributors

EU-established intermediaries placing third-country AI on the market. They must verify CE marking, technical documentation, and conformity, and withdraw non-compliant systems.

GPAI model providers

Foundation-model developers must publish training-data summaries, respect EU copyright opt-outs, comply with technical documentation requirements, and — for "systemic risk" models — undertake evaluations, adversarial testing, and incident reporting.

Timeline

Phased application from 2024 to 2027

  1. 1 August 2024

    Regulation entered into force

  2. 2 February 2025

    Prohibited practices and AI literacy obligations applicable

  3. 2 August 2025

    General-purpose AI (GPAI) rules and governance bodies operational

  4. 2 August 2026

    Most provisions apply, including high-risk AI obligations

  5. 2 August 2027

    High-risk AI embedded in regulated products fully enforceable

FAQ

Common questions from international practitioners

Does the AI Act apply to companies outside the EU?

Yes. The regulation has extraterritorial scope. It applies to providers placing AI systems on the EU market and to providers and deployers established outside the EU whose AI output is used in the EU. US, UK, Gulf, and Asian organisations serving European customers are within scope.

What is the relationship between the AI Act and the GDPR?

They coexist and reinforce each other. GDPR governs personal-data processing; the AI Act regulates AI systems and models. High-risk AI systems handling personal data must comply with both. Where conflict arises, GDPR continues to apply to data-protection aspects, with the AI Act adding system-level requirements.

What are the penalties for non-compliance?

Up to €35 million or 7% of worldwide annual turnover for prohibited-practice violations. Up to €15 million or 3% for breaches of high-risk obligations. Up to €7.5 million or 1% for supplying incorrect, incomplete, or misleading information to authorities. Penalties scale with severity, intent, and company size.

How should a company outside the EU prepare?

Start with three steps. First, map all AI systems used or sold in the EU and classify their risk tier. Second, identify whether your organisation acts as provider, deployer, importer, or distributor. Third, build technical documentation, conformity-assessment evidence, and monitoring processes for high-risk systems before applicable enforcement dates.

Need practical AI Act support?

Training, working groups, member briefings, and AI-specific professional liability insurance — built for international practitioners operating in or selling into the European market.