3 July 2025 | 24 minute read

Innovation Law Insights

Podcast

Ransomware and crime – A proposal to tackle cyber extortion in Italy

In this episode of Diritto al Digitale, we explore Italy’s bold move to criminalise ransom payments in response to the growing threat of ransomware attacks. With Italy ranking among the top ransomware targets globally, a new legislative proposal aims to disrupt cybercriminals’ business model by banning ransom payments for critical infrastructure operators, mandating rapid breach notifications, and recognising ransomware as a national security threat. Listen to the episode here.

 

Data Protection and Cybersecurity  

Double opt-in and privacy consent for marketing purposes: Italy’s evolving position

With Decision No. 330 of 4 June 2025 (the Decision), the Italian data protection authority (the Garante) provided important clarifications regarding the requirements for collecting valid privacy consent to process personal data for marketing purposes, focusing on the double opt-in mechanism.

Although this mechanism isn’t expressly mandated by Regulation (EU) 2016/679 (GDPR) and Legislative Decree No. 196/2003 (Italian Privacy Code) as a prerequisite for valid consent, the Garante adopts particularly rigorous criteria in its assessment. It identified the double opt-in – and in particular the set of guarantees it provides – as a minimum measure to ensure the lawful collection and proper documentation of consent for promotional data processing activities.

The opt-in mechanism and the double opt-in

Opt-in refers to the positive action through which users explicitly express their intention to provide consent. In digital environments, this typically consists of voluntarily selecting an unchecked box in an online form, actively submitting a completed form, or clicking a dedicated confirmation button.

Double opt-in represents a reinforced version of this model. Once the initial opt-in is completed (eg submitting a form), the user receives a verification message at the email address or phone number provided, containing a unique link or code. Only upon completing this second step – by clicking the link or entering the code – can consent be deemed fully confirmed.

Double opt-in as a minimum standard according to the Italian data protection authority

Through the Decision, the Italian data protection authority further enhanced the role of the double opt-in mechanism as the best practice for collecting and documenting privacy consent in connection with marketing-related data processing.

The mechanism’s suitability for satisfying consent requirements had already been recognised in previous decisions. But with this Decision the Garante went one step further by qualifying the double opt-in as a minimum requirement to comply with the obligations set forth by the GDPR and the Italian Privacy Code in this context.

The Italian data protection authority specifies that the notion of “minimum requirement” should be interpreted as referring not to the double opt-in mechanism itself, but to the set of technical and evidentiary safeguards it provides, namely:

  • the data subject verifying the actual availability of the email address;
  • unambiguous attribution of the confirmation action to the intended individual;
  • accurate documentation of the technical and chronological steps of the consent process;
  • demonstrating the clear link between the expression of consent and the prior access to the privacy notice.

Accordingly, the Garante acknowledges that alternative mechanisms can be used; but these alternatives must ensure equivalent levels of technical and documentary reliability, particularly in terms of attribution certainty, data subject identifiability, technical verifiability, and demonstrable linkage with the privacy notice.

The Decision doesn’t explicitly list valid alternatives to the double opt-in mechanism; but it may be argued that mechanisms like those set out in the Code of Conduct on Telemarketing and Teleselling (ie retaining the IP address and timestamp associated with the user’s online action (eg checking a consent box), or sending a notification message (eg SMS) to the same user confirming that consent has been registered) may still be sufficient, depending on the specific context, to obtain consent. In this case, the measures adopted by the company – limited to basic log files showing only an IP address, date, and time – were deemed insufficient to prove valid consent.
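As an added illustration (not part of the Decision or of the original article), the Python example below shows one way a double opt-in flow could record the four safeguards listed above, in contrast to a log holding only IP address, date and time. The class name ConsentLedger, the field names, the 48-hour token lifetime and the hash-chained log are assumptions made for the example, not requirements stated by the Garante.

```python
import hashlib
import json
import secrets


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _norm(email: str) -> str:
    return email.strip().lower()


class ConsentLedger:
    """Hypothetical double opt-in store with an append-only evidence log."""

    def __init__(self, token_ttl_seconds: int = 48 * 3600):
        self.token_ttl = token_ttl_seconds
        self._pending = {}    # sha256(token) -> pending request
        self._confirmed = {}  # email -> sequence number of the confirmation
        self.events = []      # chronological log, each entry chained to the last

    def _log(self, kind, now, **fields):
        # Each event embeds the hash of the previous one, so editing or
        # deleting an earlier entry is detectable by verify_chain().
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        body = {"seq": len(self.events), "kind": kind, "at": now,
                "prev": prev, **fields}
        body["hash"] = _sha256(json.dumps(body, sort_keys=True))
        self.events.append(body)
        return body

    def request(self, email, notice_text, ip, now):
        """First opt-in: form submitted. Returns the token to send by email."""
        email = _norm(email)
        token = secrets.token_urlsafe(32)   # unguessable, single use
        token_id = _sha256(token)           # only the hash is stored
        notice_hash = _sha256(notice_text)  # which notice the user was shown
        self._pending[token_id] = {"email": email, "requested_at": now,
                                   "notice_sha256": notice_hash}
        self._log("opt_in_submitted", now, email=email, ip=ip,
                  token_id=token_id, notice_sha256=notice_hash)
        return token

    def confirm(self, token, ip, now):
        """Second opt-in: the link or code from the mailbox is presented."""
        token_id = _sha256(token)
        pending = self._pending.pop(token_id, None)  # pop makes it single use
        if pending is None:
            self._log("confirm_rejected", now, ip=ip, token_id=token_id,
                      reason="unknown_or_used")
            return False
        if now - pending["requested_at"] > self.token_ttl:
            self._log("confirm_rejected", now, ip=ip, token_id=token_id,
                      reason="expired")
            return False
        event = self._log("consent_confirmed", now, email=pending["email"],
                          ip=ip, token_id=token_id,
                          notice_sha256=pending["notice_sha256"])
        self._confirmed[pending["email"]] = event["seq"]
        return True

    def has_consent(self, email):
        return _norm(email) in self._confirmed

    def evidence(self, email):
        """Events attributable to one address, in chronological order."""
        return [e for e in self.events if e.get("email") == _norm(email)]

    def verify_chain(self):
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _sha256(json.dumps(body, sort_keys=True)) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    # Constructed sample values: address, notice text, IP and timestamps.
    ledger = ConsentLedger()
    t0 = 1_751_500_800
    token = ledger.request("User@example.com", "Privacy notice v3 (sample)",
                           "203.0.113.7", t0)
    before = ledger.has_consent("user@example.com")       # not yet confirmed
    ok = ledger.confirm(token, "203.0.113.7", t0 + 120)   # link clicked
    replay = ledger.confirm(token, "203.0.113.7", t0 + 180)
    return before, ok, replay, ledger


if __name__ == "__main__":
    before, ok, replay, ledger = demo()
    print(before, ok, replay, ledger.verify_chain())
    for e in ledger.evidence("user@example.com"):
        print(e["seq"], e["kind"], e["at"], e["notice_sha256"][:12])
```

Marketing processing would be gated on has_consent(), and the entries returned by evidence() are what would be produced to document when and against which notice the consent was given.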

While alternative solutions that offer equivalent safeguards remain admissible, this Decision reinforces the view that double opt-in represents the most effective solution currently available for ensuring compliant consent collection for marketing purposes. As such, its adoption by companies processing personal data may significantly enhance compliance with data protection regulations.

Conclusion

The Decision underlines the importance of implementing mechanisms capable of effectively documenting the collection of consent when processing personal data for marketing purposes. Despite the lack of an explicit legislative requirement, the Italian data protection authority recognises the double opt-in mechanism as a best practice for ensuring the lawful collection of consent for marketing activities. This recognition could progressively lead to establishing double opt-in as the standard practice in the Italian market, while awaiting further clarifications on alternative methods capable of ensuring equivalent guarantees.

It’s essential for organisations processing personal data for marketing purposes to carefully review their consent collection procedures and ensure that the consent mechanisms offer guarantees equivalent to those provided by the double opt-in model.

Author: Federico Toscani

 

Blockchain and Cryptocurrency

Italy extends VASP regime for crypto operators – implicit tensions in implementing MiCAR

The Italian government has significantly extended the transitional regime for crypto operators that qualify as Virtual Asset Service Providers (VASPs) registered in the national register, a move that affects the implementation of MiCAR.

The amendments significantly affect Legislative Decree No. 129 of 5 September 2024 (MiCAR Implementing Decree), which implemented Regulation (EU) 2023/1114 on Markets for Crypto-Assets (MiCAR).

The extension concerns:

  • the deadline for submitting applications for authorisation pursuant to Article 62 MiCAR;
  • the duration of the transitional period; and
  • a conditional exemption in favour of entities belonging to corporate groups, with applications also submitted in another member state.

This article analyses the current regulations, the changes provided for in the decree-law and the possible systemic implications for future crypto-asset service providers (CASPs).

The regulatory architecture of the transitional regime for crypto providers

Article 45 of the MiCAR Implementing Decree sets out the transitional regime applicable to entities already registered, as of 27 December 2024, in the special section of the VASP register established at the OAM. The provision acts as a bridge between the previous national rules and the harmonised framework introduced by MiCAR, setting out the conditions and terms under which entities that are already operating can continue to provide services until the authorisation procedure is completed.

According to the original wording, legal entities that submit an application for authorisation by 30 June 2025, pursuant to Article 62 MiCAR, can continue to carry out regulated activities until 30 December 2025, or until the authorisation is granted or refused pursuant to Article 63 MiCAR; whichever is earlier. Operational continuity is subject to a series of formal requirements, including notification to the OAM of the submission of the application, both in Italy and in another member state, as well as the outcome of the relevant procedure.

If the application for authorisation is rejected, the operator has to cease its activities with Italian customers within 60 days.

Failure to meet the deadline for submitting the application will result, on 30 June 2025, in the automatic cessation of operations and the consequent cancellation from the register by the OAM. There are also information obligations towards customers, to be fulfilled by 31 May 2025, and ten-year document retention requirements for transactions carried out between 1 April 2025 and the date of removal from the register.

An extension redefining the scope of the transitional regime

The changes announced by the OAM aren’t limited to a mere postponement of deadlines; together they affect structural elements of Article 45 of the MiCAR Implementing Decree.

The first variation regards the deadline for submitting applications for authorisation pursuant to Article 62 MiCAR, which has been postponed by six months from 30 June to 30 December 2025. As a result, the automatic termination of operations for non-compliant entities will also be postponed, delaying the triggering of the cancellation mechanism referred to in Article 45, paragraph 4, of the MiCAR Implementing Decree.

Even more significant is the extension of the final deadline for the transitional regime: the possibility of operating without authorisation, which would previously have expired on 30 December 2025, is now extended until 30 June 2026. The measure allows the time frame for provisional operations to be realigned with the new deadline for submitting applications, avoiding any interruption between the two phases.

Entities belonging to the same group can continue to operate in Italy even without having submitted an application, if another entity in the group has done so, even in a different member state.

Finally, the extension of the obligation to transmit data electronically to the OAM, which would no longer expire with the submission of the first quarter of 2025 but would continue until the third quarter, completes a framework of progressive adaptation.

The system outlined seems to reflect structural difficulties in operational adaptation by operators in the decentralised industry, who already have to meet particularly stringent authorisation and governance requirements. At the same time, the complexity of the new framework's application could justify a margin of flexibility for the competent authorities, in particular Consob and the Bank of Italy, which are called upon to absorb new supervisory, investigative and oversight powers in a very short timeframe.

A transition strategically extended but not halted

The extension of the transitional regime for Italian VASPs shouldn’t be seen as a simple technical delay or as a derogation without a framework. It represents a regulatory engineering decision aimed at modulating over time the impact of a profound structural change on an economic and institutional fabric that’s still in the process of adjustment.

The extension is a delicate balancing act.

  • On the one hand, it responds to a practical need: to give operators already registered in the OAM register, which are often small in size and have limited internal structures, the time necessary to complete a particularly burdensome authorisation process, which involves significant adjustments to governance, compliance, internal control, operational continuity and IT security.
  • On the other hand, it reflects an institutional awareness: the full and consistent implementation of MiCAR requires investment not only from the supervised entities but also from the competent authorities, which are called upon to manage new authorisation and supervisory functions in a sector that’s still emerging and undergoing reconfiguration.

Added to this is the only apparently technical significance of the derogation in favour of transnational groups, which allows them to operate in Italy even in the absence of a local application, provided that one is submitted by a subsidiary in another member state. This provision, consistent with the principle of the European passport, raises questions about the effective harmonisation of the criteria for authorisation and the ability of national systems to avoid regulatory arbitrage in the EU.

What’s at stake, therefore, is not only compliance with the deadlines, but the quality of the transition process: a move from a national registration-only regime to a structured European authorisation regime, which aims to standardise the treatment of crypto-assets on a continental scale, while leaving member states some leeway in the implementation phase.

The extension doesn’t undermine MiCAR consistency but highlights its controlled flexibility: the postponement doesn’t suspend the European framework, nor does it alter it in substance, but merely extends its application for reasons of balance. However, this flexibility calls for rigorous enforcement. To ensure that it doesn’t become a permanent grey area, it will be necessary to ensure that this new timeline is used to consolidate compliance practices, foster a shared regulatory culture and, above all, prevent the emergence of a patchwork of conditions between national operators and international groups.

Ultimately, the postponement doesn’t represent a break, but a functional pause for integration. It’s a window that allows the market to breathe, the authorities to structure themselves, and the legislator to verify, as work progresses, the real capacity of the system to adopt a model that’s not only regulatory but also cultural.

The real challenge is no longer whether, but how.

Watch this episode for more on this topic: Web3, Blockchain and Their New Legal Challenges.

Author: Giulio Napolitano

 

Intellectual Property

EUIPO publishes study on generative AI and copyright

In May 2025, the European Union Intellectual Property Office (EUIPO) released a comprehensive study dedicated to analysing generative AI (GenAI) from a copyright perspective. Commissioned to the EUIPO Observatory, the document systematically addresses the main legal and economic issues surrounding the development and use of GenAI models in the copyright domain, proposing operational hypotheses to strike a balance between protecting human creativity and fostering technological innovation.

The study focuses on two key stages of the GenAI “value chain”: on one hand, the use of existing creative works to train the models (input); on the other, the nature and management of the content generated by the systems (output). The first phase raises fundamental questions regarding the legitimacy of using datasets containing copyrighted works, particularly in light of the EU rules on text and data mining (TDM).

Model training, text and data mining, and copyright

Directive (EU) 2019/790 on copyright in the Digital Single Market (CDSM) introduced two specific exceptions allowing the use of protected works for TDM activities under certain conditions. In commercial contexts – which are typical of GenAI applications – the exception under Article 4 is particularly relevant. It permits TDM by private entities for profit-making purposes unless rights holders have explicitly opted out.

This opt-out clause is identified by the EUIPO as one of the most problematic aspects of the current framework. The study highlights that while the right of exclusion exists in theory, there are still no fully effective technical or legal mechanisms to enforce it. Rights holders should be able to exercise opt-out “appropriately,” but there is currently no agreed definition of what “appropriate” means: some rely on online terms of use, others on metadata insertion, robots.txt files, or HTTP headers. But there’s no consolidated practice that ensures actual exclusion.

The highlighted risk is that opt-out becomes a merely formal safeguard, hard to apply in practice – especially given the automated, dispersed and opaque nature of large-scale data collection. The study also notes that once content is uploaded online, it’s often copied, altered or aggregated by third parties, often stripping away any exclusion metadata in the process. As a result, even rights holders who validly opt out have little assurance their works are excluded from training datasets.

Working towards an effective opt-out mechanism?

To address these challenges, the EUIPO suggests adopting and promoting interoperable technical standards that would allow rights holders to clearly, machine-readably, and universally express their refusal to authorise TDM. Proposed solutions include digital work identification systems, standardised metadata, watermarking tools, and content tracking technologies such as those developed within the Coalition for Content Provenance and Authenticity (C2PA) initiative.

At the same time, the study offers a broader reflection: while essential, opt-out should be just one step toward creating a structured licensing market for TDM. If legal and technical conditions allowed, authors and rights holders could not only exclude the use of their works but also license them transparently and with fair compensation. To reach this goal, reliable systems for rights management, measuring the contribution of individual works to training, and fairly distributing revenues must be developed.

Challenges related to AI-generated outputs

The output phase presents its own set of issues. On the one hand, the AI Act introduces new transparency obligations to flag artificially generated content. On the other, the boundaries between original works, derivative creations, or works merely “in the style of” are becoming increasingly blurred. The EUIPO reviews several technical tools to mark, monitor, or identify AI-generated content, such as watermarking, standardised metadata, C2PA technologies, and prompt-rewriting techniques. But it’s clear that technology alone is not enough: a legal and contractual framework is needed to enforce rights downstream and trace sources used during training.

Licensing datasets

One of the most innovative parts of the document is its reflection on the potential emergence of a structured market for licensing content to be used in training datasets. Some players – such as publishers, authors, or digital archives – are beginning to consider granting training rights as a potential revenue source. But for this market to be viable, it requires clear rules, transparent pricing, reliable metrics, and adequate technical infrastructure. Otherwise, the system risks remaining skewed in favour of model developers, leaving creators without the tools to negotiate fair remuneration.

The role of public authorities

Public authorities – particularly the EUIPO – are highlighted as key actors in the study's conclusions. The office proposes to act as a catalyst in defining technical standards, operational guidelines, informative tools, and collaborative platforms. Among the most concrete proposals is the creation of a European “Copyright Knowledge Centre” to foster convergence among stakeholders – developers, authors, publishers, collective management organisations, tech platforms – and to support the adoption of common practices, both legally and technologically.

The document ends by identifying six priority areas for the sector's balanced development: the need to harmonise opt-out mechanisms for training, the need to clearly distinguish artificial from human content, the development of an efficient licensing market, the strengthening of public-private coordination, the promotion of innovation in respect of creativity, and the ability to enforce rights effectively.

The study doesn’t offer definitive answers but rather a conceptual and practical roadmap for navigating this still uncertain and fast-evolving landscape.

Author: Lara Mastrangelo

 

Technology Media and Telecommunication

AGCom 2025 Annual Report on Open Internet activities

On 16 June, AGCom published its Annual Report on the activities carried out in the field of Open Internet for the period between 1 May 2024 and 30 April 2025.

The Annual Report is adopted in accordance with Regulation (EU) 2015/2120, which introduced a set of net neutrality rules into the EU legal framework. This Regulation assigns national regulatory authorities specific responsibilities in terms of regulation, monitoring and enforcement to ensure the effective and proper application of provisions aimed at safeguarding the open nature of the internet.

The report provides a general overview of the actions undertaken by AGCom to implement Open Internet measures, including in-depth analyses and verifications carried out through the collection and assessment of data from major Internet Service Providers (ISPs), soft enforcement initiatives (moral suasion), and participation in expert working groups coordinated by BEREC (notably, the Open Internet working group). In particular, AGCom contributed a draft to the monitoring activities related to implementing the Open Internet Regulation, preparing the “BEREC Report on the implementation of the Open Internet Regulation 2024.”

The Report sets out the outcomes of AGCom’s regulatory and supervisory activities in the following areas:

  • Freedom to use terminal equipment: the report outlines AGCom’s initiatives, particularly monitoring and inspection activities, aimed at ensuring users' right to choose their own devices to access the internet (as provided under Resolution No. 348/18/CONS, as amended by Resolution No. 34/20/CONS). The report recalls that in February 2025 AGCom launched a procedure and a public consultation for the definition of the Network Termination Point for fixed internet access services (Resolution No. 31/25/CONS).
  • Commercial and technical practices relating to internet access services: the report focuses on:
    • the types of traffic management measures implemented;
    • the compatibility of such measures with the exceptions provided under Regulation (EU) 2015/2120, specifically those relating to legal obligations, the integrity and security of the network, and the prevention or mitigation of exceptional or temporary network congestion;
    • the compatibility of traffic management measures with the provision of specialised services and their impact on the quality of standard Internet access;
    • transparency measures, both at the pre-contractual stage and during contract performance.
  • Traffic management measures and provision of specialised services. AGCom reports having monitored these practices through direct review of ISP websites, analysis of user complaints, and targeted requests for information addressed to ISPs.
  • Transparency measures, in line with the Authority’s stated commitment to ensuring clear information and high quality in Internet connectivity services.

The Authority also recalls that Article 5(1) of the Regulation empowers national authorities to adopt enforcement measures by setting technical requirements or other appropriate and necessary measures “where this is necessary to ensure the continued availability of non-discriminatory internet access services at levels of quality that reflect advances in technology.”

Lastly, the report refers to AGCom’s sanctioning powers under the Electronic Communications Code, pursuant to Article 6 of Regulation (EU) 2015/2120, in case of violations of the relevant provisions. In the reporting period, the Authority initiated a formal investigation against one operator for failing to allow users subscribed to offers with a nominal speed of 2.5 Gbps to achieve the same performance when using their own router. The proceeding was suspended following the Authority’s approval of a set of commitments to be implemented within 12 months.

Authors: Massimo D'Andrea, Flaminia Perna, Matilde Losa

 

Space law

Proposal for the new EU Space Act and the approval of the Italian Space Law: Innovation or potential conflict?

On 25 June 2025, the European Commission presented a draft regulation aimed at establishing a common framework for space activities in the EU. This marks the first attempt to create an internal market for space services and infrastructure, addressing the current regulatory fragmentation caused by a patchwork of national laws. Provisionally titled the EU Space Act, the initiative seeks to set uniform rules to ensure operational safety, infrastructure robustness, and environmental sustainability, with the overarching goal of consolidating Europe’s role in the global space economy.

The proposal is driven by the need to provide defined and coherent legal conditions for a rapidly growing sector, marked by an increasing number of actors and significant economic, technological, and geopolitical implications. The new regulatory framework will apply to both operators based in the EU and non-EU operators, with requirements scaled according to company size and risk profile. The choice of a regulation, which is directly and uniformly applicable across member states, marks a shift from the preference of some member states for a more flexible, directive-based approach.

Three areas of intervention: Safety, resilience, environmental impact

The proposal is structured around three main pillars. In terms of safety, it introduces a harmonised authorisation system for launching and operating space objects, alongside specific obligations for debris prevention and orbital asset tracking. Resilience is addressed by introducing dedicated cybersecurity measures and risk management across the entire lifecycle of space infrastructure. As for sustainability, the regulation foresees the adoption of common technical standards to assess and mitigate the environmental impact of space activities, also leveraging enabling technologies such as in-orbit servicing and debris removal.

A gradual transition towards a European space governance

The initiative is one of the Commission's priorities, as it seeks to mitigate the effects of the current regulatory fragmentation that hinders the competitiveness of cross-border value chains in the EU by preventing joint projects and exacerbating the environmental impact of space activities. The aim is to promote common governance that will enable the EU to address the challenges of growing orbital congestion, protecting strategic assets, and industrial sustainability in a coordinated manner.

The draft includes a two-year transitional period before the regulation becomes applicable, allowing operators and member states time to adapt to the new provisions. The Commission has announced its intention to support this phase through targeted measures, particularly for small and medium-sized enterprises, including tools for administrative simplification, access to testing facilities, and assistance with authorisation applications. The regulation will now enter formal negotiations between the European Parliament and the Council under the ordinary legislative procedure.

National updates: Italian Space Law published in the Official Journal

In Italy, the legislative process for the proposed law on national regulations for space activities wrapped up on 24 June with the publication of Law No. 89 of 2025 (Italian Space Law) in the Italian Official Journal.

The Italian Space Law primarily regulates the authorisation regime for space activities carried out by Italian companies, but also by foreign companies operating in Italian space. To engage in space activities, private companies must obtain authorisation certifying compliance with specific objective requirements relating to the safety, resilience, and environmental sustainability of the specific operation, as well as subjective requirements concerning the operator's conduct, technical expertise, financial soundness, and the existence of adequate insurance coverage. The Italian Space Law also introduces, alongside the responsibility of states as defined by international treaties, strict liability for individual space operators for damage caused to persons and property on Earth, as well as to aircraft in flight. The liability regime is also closely linked to the introduction of compulsory insurance covering up to EUR100 million per claim, with reductions for innovative startups and research projects.

The Italian Space Law also provides for the creation of a EUR35 million Space Economy Fund for 2025, to promote the development of the market for space-based products and services, including by startups and SMEs.

EU Space Act and Italian Space Law: A potential conflict?

The parallel occurrence of the final approval of the Italian Space Law and the start of the legislative process on the EU Space Act raises doubts about the potential conflict between national legislation and future EU law. In both cases, the rules on space activities follow the principle of territoriality, with the consequent application to foreign operators carrying out their activities in areas subject to the sovereignty of the Italian state or the EU. This will create an additional obstacle not only for Italian companies but also for foreign companies entering the Italian market, which, once the EU Space Act enters into force, will have to navigate between supranational provisions and local regulations. The current role of the Italian Space Agency as a supervisory and regulatory authority could clash with a more centralised European regulatory framework.

But it’s worth noting that several European countries already have laws regulating space activities, which makes the approval of the Italian Space Law a necessary step to ensure Italy's greater competitiveness in a rapidly growing sector such as the new space economy. At the same time, it’s likely to be a while before the EU Space Act is approved. There’s broad consensus on the importance of the space sector for the EU's competitiveness and strategic autonomy, but member states have different views on the most appropriate legal basis and regulatory model for EU legislative intervention.

Pending clarification of the extent of coordination that may be necessary to align the Italian Space Law with the future EU Space Act, the newly approved national legislation can already provide clear and up-to-date rules, which are essential for dealing with a rapidly developing sector like the new space economy.

Authors: Marianna Riedo, Gabriele Cattaneo


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra, Enila Elezi.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.
