News · Compliance · 24 June 2026

A guide to using AI tools: avoid fines of up to 7% of your turnover.

By Dario Carta, Lawyer and Chartered Accountant · Reading time: 12 minutes

Key points

  • AI is already operational inside companies — generative AI, HR software, client scoring — often with no legal framing: with the AI Act and Italian Law 132/2025, this approach is no longer sustainable.
  • Fines are comparable to GDPR and antitrust: up to 35 million euros or 7% of worldwide turnover for prohibited practices.
  • The AI Act takes a risk-based approach: four risk levels with increasing obligations.
  • A CV-screening or client-scoring tool can qualify as a high-risk system: misclassification is the first mistake that opens the door to sanctions.
  • Italian Law 132/2025 designated AGID as the national competent authority and provides for a national register of high-risk AI systems.
  • Compliance is not just a cost: it can become a strategic lever for tax credits and for reducing indirect tax risks.

Are you using artificial intelligence correctly? Tools such as Claude, ChatGPT and Gemini are already in your teams' hands, often without a company policy and without the governing body being fully aware of the legal implications. With the European AI Act and Italian Law no. 132/2025, ungoverned use of AI has become a concrete risk: fines reach 35 million euros or 7% of annual worldwide turnover.

This guide offers companies and professionals an operational framework: how to classify the AI systems in use, which obligations apply, and how to turn compliance into a competitive and tax advantage.

1. AI in the company: already present, often ungoverned

Most companies already use artificial intelligence, even without knowing it. It is not just ChatGPT for drafting texts: AI systems include CV-screening software, credit or commercial scoring algorithms, predictive analytics, customer-service chatbots and employee-monitoring systems.

The problem is not use in itself: it is the absence of governance. When an employee uses Claude or Gemini to produce company documents, or when a management system automatically scores clients, legal responsibilities arise that the governing body must know and oversee.

Warning: informal use is not risk-free use. Unstructured use of AI tools by staff — without policy, training or traceability — does not exclude the company's liability. Without documented governance, the company's position in the event of an inspection is structurally weaker.

2. The regulatory framework: the AI Act and Law 132/2025

Regulation (EU) 2024/1689, known as the AI Act, entered into force on 1 August 2024 with progressive application. The rules on unacceptable-risk systems have applied since February 2025; those on high-risk systems come fully into force between 2026 and 2027.

In Italy, Law 132/2025 implemented and supplemented the European framework, designating AGID as the national authority competent for supervision and sanctions. The law establishes a national register of high-risk AI systems and introduces specific obligations for companies that develop or use AI in sensitive contexts.

3. Risk classification: four levels

The AI Act takes a risk-based approach: obligations depend on the system's risk level, not on the technology used.

⚠️ The system you think is harmless. A tool that filters CVs or scores clients is not a technical detail: if it affects rights or significant decisions, it is a high-risk system. Misclassification is the mistake that, on its own, opens the door to the highest sanctions.

4. The sanctions regime: three levels

The sanctions regime is built on three levels, with proportionality and deterrence criteria similar to the GDPR:

Proportional reductions apply to SMEs and start-ups, but the percentage threshold on turnover remains: for a company with 10 million euros in revenues, 3% means 300,000 euros.

5. The indirect tax risk of non-compliant AI

Non-compliance with the AI Act generates not only sanction risks but also tax risks. Administrative fines are not deductible under Article 99 of the Italian Income Tax Code (TUIR). Late compliance costs are less plannable and higher than preventive ones. Sanction proceedings can also damage commercial reputation and reduce the future tax base.

Companies that address AI compliance in a structured way can classify costs correctly (deductible as general expenses or capitalised as intangible assets) and access the tax credits for technological innovation provided by current legislation.

6. Compliance as a strategic lever

An advanced approach turns regulatory adaptation into a planning lever. Correct classification of compliance costs, access to tax incentives for technological innovation, reduction of indirect tax risks and integration with internal control systems all make AI compliance an investment, not a burden.

A company that properly documents its AI governance model is also stronger in due diligence, bank financing or extraordinary transactions.

7. How to structure effective AI compliance: the five phases

Frequently asked questions

We are an SME: does the AI Act apply to us too?

Yes. The AI Act applies to any operator using AI systems in a professional context in the EU, regardless of size. SMEs benefit from some sanction reductions, but are not exempt from the obligations.

We only use ChatGPT to write emails: are we at risk?

For internal texts or generic communications, the risk is minimal. But if the system is used to generate opinions, analyses or third-party communications presented as your own, transparency obligations apply.

Our HR software screens CVs automatically: what should we do?

Check whether the system falls into the high-risk category (almost certainly yes, if it determines or influences hiring decisions). If so: map the vendor, verify the technical documentation, implement human oversight of final decisions and update internal policies.

When do the obligations for high-risk systems come into force?

High-risk systems in HR, credit and education must be compliant by August 2026. Systems already on the market have a transitional period ending in 2027.

BoezioAI at your company's side

The AI Act cuts across compliance, directors' liability and corporate governance. Our team — lawyers, chartered accountants and engineers — supports companies and firms in classifying AI systems, structuring compliance and adopting compliant tools.

For an assessment of your case: info@boezioai.com · +39 329 7413254

Article by Dario Carta (Lawyer and Chartered Accountant), originally published in Italian on cartaepartners.it. Reproduced and translated with the author's consent.

← All news