
3 June 2026 | 17 minute read

Innovation Law Insights

3 June 2026
Legal Break

AI Act changes explained: What the EU Digital Omnibus means for businesses

The EU is already revising the AI Act – and most companies are still catching up with the original version.

In this episode of Legal Break, Giulio Coraggio of DLA Piper joins Antonio Ravenna to break down the Digital Omnibus package: what’s changing for high-risk AI systems, what it means for developers and businesses, and why waiting is no longer an option. Watch the video here.

 

Technology

Quantum computing meets compliance: ESMA publishes report on quantum computing and the new regulatory frontier in financial markets

With its Risk Analysis of 13 May 2026, titled Quantum Computing in Financial Markets: Applications, Investments, and Prospects, the European Securities and Markets Authority (ESMA) has put quantum computing under the magnifying glass of its oversight of securities markets. While the document isn’t prescriptive, its significance is difficult to overstate.

The report doesn’t merely survey the applications of quantum computing (QC) in financial markets but subtly maps out the regulatory levers already available to the European legislator to govern the transition. These are seemingly disparate tools, but the Commission and the European Supervisory Authorities (ESAs) are progressively integrating them into a unified framework, in which quantum computing is no longer merely “technology of the future,” but an operational risk already regulated today.

The landscape: Between market opportunities and cybersecurity threats

The ESMA Report is structured on two levels.

In the first, descriptive section, the Authority outlines the current landscape of QC applications in financial markets: from portfolio optimisation to transaction settlement, from stochastic modelling (Monte Carlo) to quantum machine learning (QML) applications, and on to quantum-enabled infrastructures for distributed ledger technologies. The applications are still in the proof-of-concept phase – current hardware, in the “noisy intermediate-scale quantum phase,” doesn’t yet allow for a true quantum advantage for commercially relevant problems – but the report notes a significant acceleration in investment, with venture capital investments in European QC startups set to grow fivefold by 2025.

Secondly, and this is the most relevant point from a regulatory perspective, ESMA devotes specific attention to the threat that quantum computing poses to cybersecurity. A sufficiently powerful quantum computer, applying Shor’s algorithm, would be capable of breaking the main public-key cryptography schemes currently used to protect communications, digital signatures, transaction integrity, and data confidentiality in the financial sector – namely, Rivest–Shamir–Adleman (RSA) and Elliptic-Curve Cryptography (ECC). Hence the “harvest now, decrypt later” (HNDL) paradigm: data encrypted today using vulnerable techniques could be intercepted and stored, awaiting decryption tomorrow when quantum hardware becomes sufficiently powerful. The problem isn’t theoretical, and its retroactive nature requires accelerating migration before the threat materialises.

The technical solution is Post-Quantum Cryptography (PQC), a new generation of cryptographic algorithms designed to withstand quantum attacks, for which the US National Institute of Standards and Technology published the first standards in 2024.

The European regulatory response is more complex.

DORA as the ‘gateway’ for the quantum threat into EU law

The starting point is Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), applicable as of 17 January 2025 to financial entities operating in the EU. ESMA is clear on this point: DORA “requires financial entities falling within its scope to implement cybersecurity risk management measures covering cryptographic vulnerabilities arising from technological developments, including quantum computing.”

The legal basis lies not so much in an explicit provision on quantum computing – which is absent from the text of the Regulation – as in the “technology-neutral” structure of DORA. Articles 6 and 7, in conjunction with Commission Delegated Regulation (EU) 2024/1774, require financial entities to establish an ICT risk management framework capable of addressing “all ICT risks,” including those arising from emerging threats. Financial entities have to implement up-to-date cryptographic policies and procedures, manage the key lifecycle, and ensure that the controls adopted are “state-of-the-art” with respect to the risk.

The operational implications are significant. A financial institution that, in 2026, continues to rely exclusively on RSA or ECC algorithms to protect sensitive data with a long lifecycle – such as know-your-customer information, trade books, or long-term derivative contracts – exposes itself to a “harvestable” risk, the assessment of which falls squarely within the risk management obligations set forth by DORA. Nor is this merely a programmatic forecast: DORA’s penalty regime (Articles 50 et seq.) provides for administrative monetary penalties and direct liability of the management body for the proper implementation of the framework – a framework that, in banking and financial governance, now has a well-established history.

Quantum technologies in the NIS2 regulatory text

The second pillar is Directive (EU) 2022/2555 (NIS2), which has significantly strengthened the cybersecurity obligations imposed on “essential” and “important” entities; categories that include many actors, directly or indirectly linked to the financial system, from cloud service providers to operators of critical digital infrastructure.

Article 21 of NIS2 requires the adoption of risk management measures, including “policies and procedures regarding the use of cryptography and, where appropriate, encryption.” The wording is, like that of DORA, technologically neutral but essentially risk-oriented: once the quantum risk has been classified by European authorities as an “evolving cryptographic threat” – and this has most recently occurred with the Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography (PQC Roadmap) published by the Commission in 2025 – the obligation to adopt “state-of-the-art” cryptographic measures translates, by interpretation, into a requirement to plan for PQC migration.

It’s also worth noting a very recent and particularly significant development. On 20 January 2026, the Commission published Proposal COM (2026) 13 final, as part of a broader package to simplify EU cybersecurity, which for the first time introduces an explicit PQC requirement into the text of NIS2.

QC ceases to be a risk “inferred by interpretation” from the general provisions and becomes a specific regulatory requirement, with all that this entails in terms of enforceability, enforcement, and the liability of management bodies.

PQC migration: A phased roadmap with operational deadlines

The third regulatory level is that of operational planning. The ESMA report explicitly refers to the PQC Roadmap, which sets out a sequence of deadlines spanning ten years:

  • By 2026: launch of transition planning and the first PQC pilot projects.
  • By 2030: completion of the PQC transition for high-risk use cases.
  • By 2035: completion of the transition for medium-risk use cases.

In parallel, the Quantum Safe Financial Forum, a multi-stakeholder initiative promoted by Europol, published a methodology in 2026 for assessing PQC migration priorities in the financial sector, based on a combination of the risk of the asset to be protected and the time required for migration.

For European financial entities, the combined provisions of DORA, NIS2 (including its upcoming version), and the PQC Roadmap outline an obligation that, while structured across different regulatory instruments, converges clearly.

PQC migration is no longer a matter of technological foresight, but a structural component of compliance regarding digital operational resilience. An entity that, in 2027, is unable to document a PQC transition plan could find itself exposed to regulatory challenges and significant reputational risks.

The intersection with the AI Act

The relationship between PQC and Regulation (EU) 2024/1689 (the AI Act) warrants a side note. The ESMA report devotes an entire section to Quantum Machine Learning (QML), emphasising that systems combining quantum algorithms and machine learning (ML) could find application in finance in areas such as fraud detection, credit scoring, and pattern recognition.

These are applications that, if developed, could fall within the “high-risk” scope of the AI Act and, specifically, under Annex III, point 5(b), concerning systems for assessing the creditworthiness of natural persons. The heightened quantum risk in these contexts is twofold. On the one hand, in terms of model explainability and governance (quantum systems are, by definition, more difficult to interpret). On the other hand, in terms of cybersecurity, given that high-risk AI systems are subject to robustness and accuracy requirements under Article 15 of the AI Act, which include resilience to attacks.

The combined provisions of the AI Act and DORA, as applied to QML systems, constitute a complex regulatory framework that financial entities will need to manage in an integrated manner.

Conclusions

The ESMA report confirms a trend that’s becoming increasingly established: quantum computing is no longer a cutting-edge technology to be viewed with academic curiosity, but an operational risk that’s already regulated – albeit through technologically neutral regulatory instruments. There are three key takeaways that European financial institutions should draw from the report:

  • Quantum risk is already an integral part of ICT risk management obligations under DORA, and failure to manage it exposes the management body to direct liability.
  • NIS2, even in its upcoming amended version, is progressively establishing PQC as an explicit regulatory requirement.
  • PQC migration has concrete operational deadlines – 2030 for high-risk use cases – which require planning to begin immediately, also in light of the retroactive HNDL risk.

PQC hasn’t waited to become law but is already incorporated into cybersecurity and digital operational resilience frameworks, requiring financial entities to undertake a sophisticated compliance exercise; one in which the technological and regulatory dimensions are inextricably intertwined. It is, in other words, a new form of compliance for digital markets, for which ESMA has just outlined the first interpretive framework.

Authors: Andrea Pantaleo and Giulio Napolitano

 

Technology, Media and Telecommunications

AGCom approves update to the National Numbering Plan and the CLI framework

With Resolution No. 21/26/CIR, published on 29 April 2026, AGCom approved the update of the National Numbering Plan (NNP) set out in Resolution No. 8/15/CIR, following the public consultation launched through Resolution No. 60/25/CIR.

The measure forms part of the broader set of initiatives adopted by AGCom to strengthen transparency in electronic communications regarding the identification of the origin of communications (Calling Line Identity, CLI) and to combat CLI spoofing, aggressive telemarketing and fraudulent teleselling practices.

The resolution introduces an amendment to Article 6 of the NNP, expressly providing that the provider of the electronic communications service is responsible for the accuracy of the CLI and must verify the correspondence between the CLI used and the numbering resources assigned to the line and to the end-user originating the communication.

Providers also have to block calls or messages in the event of a mismatch. AGCom further expands the categories of numbering resources that can be used as CLI, including, in addition to geographic and mobile numbers, emergency numbers, public utility service numbers, harmonised European social value services, customer care service numbers, reverse charging service numbers, numbering resources reserved for SMS/MMS and data transmission services.

The resolution also amends Article 15 of the NNP concerning numbering resources for customer care services. It confirms the possibility for providers of electronic communications services to obtain dedicated short numbering resources, including three-digit numbers starting with “1” and numbering ranges with prefixes 192 and 194.

AGCom also introduces a significant innovation by allowing entities that don’t hold a general authorisation for the provision of electronic communications services to use specific numbering resources dedicated to customer care services free of charge for callers. According to the Authority, this measure should enhance the recognisability of customer care services for end-users and improve the transparency of commercial communications.

With reference to teleselling and telemarketing activities, AGCom further confirmed its intention to continue assessing dedicated numbering resources for commercial calls, recalling a previous intervention concerning numbering resources with the 084 prefix, which have so far seen limited uptake. In this context, the Authority will assess the introduction of additional dedicated numbering resources, and specific operational and monitoring measures for services generating high volumes of traffic.

Finally, the Resolution establishes a Technical Working Group within the Directorate for Electronic Communications Networks and Services, tasked with examining the technical, operational and economic issues that emerged during the public consultation. These include mechanisms for verifying the authenticity of the CLI, rules on the sub-assignment of numbering resources, procedures for identifying end-users and possible further developments of the NNP.

Authors: Massimo D'Andrea, Matilde Losa, Arianna Porretti

 

Intellectual Property

UPC: Court of Appeal clarifies the notion of ‘applicant’ for the purpose of ordering security for costs

In its decision of 7 April 2026, the Court of Appeal ruled on the mechanism of security for costs pursuant to Article 69(4) UPCA and Rule 158 RoP, providing clarification both as to the parties entitled to request such a measure in appellate proceedings and as to the relationship between this measure and an application to stay the proceedings.

The decision relates to litigation between a well-known Finnish company active in the licensing of AI-based mobile technologies and a major US technology operator. The dispute originated from an infringement action brought by the Finnish company in which the defendant filed a counterclaim for invalidity of the asserted patent.

In those proceedings, the court of first instance ordered the claimant to provide security, which was not paid, resulting in the dismissal of the infringement action.

The claimant also failed to comply with its obligation to pay the legal costs. At the same time, the counterclaim for invalidity was upheld, leading to an additional order for costs against the right holder.

The losing party appealed the decision, and the respondent requested that security be provided and that the proceedings be stayed until payment of the amounts already awarded at first instance and until the security in the appeal proceedings had been effectively provided.

With regard to the first issue, the judges in Luxembourg reiterated a principle previously established (Hefei v Grundfos – UPC_CoA_622/2025 and UPC_CoA_623/2025; Oerlikon v Bhagat – UPC_CoA_8/2025), according to which security can only be ordered against the party that initiated the proceedings by lodging the originating application (the “applicant”). In appellate proceedings, the status of applicant lies with the appellant, meaning that only the respondent can request the provision of security for costs. This applies even where the respondent formally acted as defendant at first instance but substantively as claimant, as was the case here in relation to the counterclaim. This interpretation of the notion of “applicant” is consistent with the rationale of the security for costs mechanism, which is to protect the defendant from the risk that a costs order against the claimant may remain unenforced.

In this case, the Court of Appeal found that there was a concrete risk of insolvency on the part of the appellant, further exacerbated by the fact that the appellant had not yet paid the amounts awarded to the opposing party at the end of the first instance proceedings.

In light of these circumstances, the court ordered the provision of a security of a significant amount within three weeks of notification of the decision.

The panel rejected the respondent’s request to stay the proceedings, clarifying that the appellant’s financial situation does not, as a rule, constitute sufficient grounds to stay proceedings under Rule 295(m) RoP. The court emphasised the exceptional nature of such a measure, which must be assessed in light of the guiding principles of the Rules of Procedure, including proportionality, fairness and, above all, the need for expeditious proceedings, which would have been undermined by a stay.

Author: Laura Gastaldi

 

The resale right and the SIAE list of authors who did not claim it

With its publication in the Official Gazette No. 99 of 30 April 2026, the Italian Society of Authors and Publishers (SIAE) made public its semi-annual list of authors – or collective works – for whom the resale right has not yet been claimed, or whose administrative positions have not yet been completed with the institution. This is a periodic obligation that SIAE must fulfil pursuant to Article 47 of the Implementing Regulation of the Copyright Law.

What is the resale right?

The resale right – also known by the French term droit de suite – is an economic prerogative granted by law to authors of visual artworks or manuscripts, and to their heirs or successors. It entitles them to receive a share – calculated as a percentage of the sale price – each time a work is resold on the secondary market through the involvement of a professional operator, such as an auction house, an art gallery, or any other party acting professionally as seller, buyer, or intermediary.

The rationale behind this institution lies in a principle of fairness: artworks often appreciate in value over time, sometimes significantly compared to their original sale price, and it would be unjust for such an increase to benefit only the market without the author who created that value receiving any share. The resale right corrects this imbalance, ensuring that the artist or their successors participate economically in subsequent commercial transactions of the work.

Why some authors appear on the list

The publication of the list serves a specific purpose of transparency and protection. It includes authors – or their successors – who, despite having accrued the right to receive royalties from the resale of their works, have not yet come forward to formally claim them with SIAE, or whose files remain incomplete or lack the documentation necessary to finalise the process.

The reasons may vary widely: from simple unawareness of the existence of this right, to difficulties faced by heirs in reconstructing legal succession relationships, to situations of untraceability or failure to update personal data with the institution. In all such cases, publication in the Official Gazette serves as a prompt, encouraging those concerned – or anyone entitled to act on their behalf – to take action before any deadlines expire or funds remain undistributed.

The list published on 30 April 2026 includes hundreds of names, both Italian and foreign, confirming the international scope of the art market and the potentially wide range of individuals involved.

How to act if you are among the interested parties

Authors whose names appear on the list – or their heirs and successors – have to contact the relevant SIAE offices, specifically the Literature & Visual Arts division, located at Viale della Letteratura 30, 00144 Rome. The necessary forms to submit a claim are available directly on the institution’s website, at www.siae.it, and allow users to initiate the process of completing their administrative position.

It's advisable to act without delay: any amounts due remain with SIAE pending claim, but prompt action facilitates the handling of the case and reduces the risk of bureaucratic complications related to the statute of limitations or the difficulty of retrieving documentation over time.

Author: Noemi Canova

 


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Josaphat Manzoni, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
