Within European regulation of artificial intelligence, the AI Act represents one of the fundamental pillars for the protection of digital rights. Its aim is to strike a balance between technological innovation and the protection of citizens’ privacy, non-discrimination and security. From my perspective as a lawyer specialising in digital rights, with a focus on the GDPR, the AI Act and cybersecurity, it is now essential to guide companies towards a proactive compliance approach, capable of mitigating not only legal risks but also, and above all, the reputational risks to which they may be exposed.
The phased entry into force of the AI Act – with prohibitions coming into effect from February 2025 and obligations for high-risk systems from 2 August 2026 – requires organisations to take action immediately. This is also because the penalties provided for can amount to up to 6 per cent of global turnover. The regulation adopts a risk-proportionate approach, prohibiting practices deemed unacceptable, such as real-time biometric recognition in public spaces or subliminal manipulation, which directly affect privacy and human autonomy (Articles 5–6).
Particular attention is paid to systems classified as high-risk, a category which also includes various artificial intelligence applications in the field of cybersecurity, for example in surveillance systems, the management of critical infrastructure or credit scoring.
In these cases, the AI Act imposes stringent requirements regarding transparency, robustness and human oversight. In practical terms, this means designing secure systems right from the development stage, capable of withstanding adversarial attacks, data poisoning and model inversion techniques. All of this takes place within the framework of the rights guaranteed by the former Charter of Fundamental Rights of the European Union (Articles 8 and 21) and in constant coordination with the GDPR, particularly to reduce the risk of discriminatory bias and high-impact data processing.
The AI Act, however, cannot be interpreted in isolation. Its regulatory framework is necessarily intertwined with the NIS2 Directive, which covers essential sectors such as energy, healthcare and finance, and with the DORA Regulation for the financial sector. These instruments introduce obligations regarding ICT risk management and incident reporting, with different timeframes: 24 hours in the case of NIS2 and up to 15 days for the AI Act. This means that organisations must harmonise their compliance processes, avoiding overlaps or, worse still, gaps in accountability.
In the case of artificial intelligence systems applied to cybersecurity, the responsibility of senior management – already set out in Article 5 of NIS2 – is also of particular importance. This responsibility now extends to accountability for any breaches of digital rights. A faulty or inadequately supervised AI model, for example in threat detection systems, can generate false positives with tangible impacts on the rights of defence or the privacy of data subjects.
In this sense, robust compliance also helps to strengthen the organisation’s legal resilience, reducing exposure to class actions under the Directive on Representative Actions and to investigations by supervisory authorities, such as the Data Protection Authority.
From an operational perspective, the AI Act introduces very specific requirements. System robustness must include the ability to withstand evasion attacks, in line with the requirements of Article 32 of the GDPR. Transparency, on the other hand, entails the need to maintain auditable logs and traceability throughout the entire lifecycle of the systems, whilst also guaranteeing the right to an explanation of automated decisions. Added to this is the obligation to report serious incidents within 15 days and the option to adhere to sector-specific codes of conduct, which provide a presumption of compliance. Taken together, these elements outline a structured and clear framework, which is particularly relevant for senior management.
In such a context, it is important to consider what concrete actions can be taken. For CEOs and COOs, a first step is to establish a Data Protection Board with oversight responsibilities for artificial intelligence systems, alongside the definition of ethical policies consistent with the guidelines of the EDPB (European Data Protection Board). It is also essential to carefully assess risk profiles, including those of a criminal nature, particularly when dealing with health or financial data.
From a technical perspective, CTOs and IT managers are required to correctly classify the AI systems used internally, identifying those posing a high risk, particularly when artificial intelligence is integrated into security tools. The adoption of techniques such as federated learning or differential privacy can contribute significantly to reducing data exposure and improving the overall level of compliance.
The role of the CISO also becomes central. They are required to act proactively, carrying out AI-specific DPIAs, testing for vulnerabilities in accordance with the frameworks defined by ENISA, and drawing up incident response plans suited to attack scenarios amplified by artificial intelligence.
To complete this picture, it is essential to provide mandatory training on digital rights for all those involved in the use of intelligent systems, accompanied by periodic audits and gap analyses. Simulations of AI cyber scenarios and voluntary certifications can also become a tangible competitive advantage.
TheAI Act should not be viewed merely as yet another regulatory requirement. If approached methodically and with a strategic vision, it can become a genuine opportunity to establish ethical leadership in the field of digital rights and to strengthen the trust of customers, partners and stakeholders.
By Barbara Sabellico – Lawyer & DPO, Legal Tech expert