Innovation Law Insights
15 May 2025
Podcast
How the EU's New Model Clauses for AI can help your business
The European Commission has just released an updated version of the Model Contractual Clauses for AI Procurement – but what do they actually mean for your business? In this episode of Diritto al Digitale, Giulio Coraggio explores how the clauses aim to simplify compliance with the AI Act, reduce legal uncertainty, and reshape the way public and private players negotiate AI contracts. Whether you’re an AI buyer, supplier, or legal counsel, this is your essential guide to turning regulation into opportunity. Listen to the episode on Apple Podcasts, Google Podcasts, Spotify, Audible.
Data Protection and Cybersecurity
EDPB and EDPS issue preliminary feedback on proposed GDPR record-keeping simplification
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint letter responding to the European Commission’s draft proposal aimed at simplifying record-keeping obligations under Article 30 of the GDPR.
This proposal, part of the upcoming Fourth Omnibus legislative package, seeks to ease compliance burdens on certain categories of organizations, while retaining core privacy safeguards.
The Commission's draft proposes extending the existing derogation under Article 30(5) GDPR. Currently, the derogation exempts organizations with fewer than 250 employees from maintaining records of processing activities unless specific risk-related conditions apply. The proposed changes would extend this exemption to “small mid-cap companies” (SMCs) and nonprofits with fewer than 500 employees. Additionally, the proposed revision would modify Article 30(5) GDPR to provide that the derogation wouldn't apply if the processing is “likely to result in a high risk” instead of “likely to result in a risk,” raising the risk threshold.
The proposal also removes some current limitations, such as the exception for “occasional processing.” Finally, a recital of the proposal would clarify that processing special categories of personal data to comply with a legal obligation in the field of employment, social security or social protection law (in accordance with Article 9(2)(b) GDPR) wouldn't be subject to the obligation to maintain a record of these processing activities.
The EDPB and EDPS expressed preliminary support for targeted simplification, acknowledging its potential to reduce compliance burdens without undermining core privacy protections. But they stressed the importance of empirical analysis to assess its real-world impact. Specifically, they urged the Commission to provide data on the number of organizations that would benefit from the reform and to evaluate how these changes might affect overall data protection.
Importantly, the supervisory bodies welcomed the retention of mandatory record-keeping for high-risk processing activities, noting that even small organizations can carry out such operations. They highlighted existing guidance, particularly the Article 29 Working Party's guidelines on Data Protection Impact Assessments (DPIAs), which clarify when processing is likely to be considered high-risk.
Despite their preliminary support, the EDPB and EDPS emphasized that simplification must not compromise the fundamental rights of data subjects. They reaffirmed the necessity of maintaining a risk-based approach and indicated that a formal consultation process will follow the publication of the final legislative text.
We will need to wait for the official legislative text to confirm the simplification of record-keeping obligations. But it's evident that the proposed changes could significantly ease compliance burdens for many small companies currently affected by the complex requirements of Article 30 of the GDPR.
Author: Roxana Smeria
Data Protection: Record fine for violations in extra-EU data transfers
On May 2, 2025, the Irish Data Protection Commission (DPC) announced a EUR530 million fine against a major global digital platform for serious violations of the General Data Protection Regulation (GDPR). The case concerns the unlawful transfer of personal data of European users to China and significant deficiencies in transparency in the company’s privacy notices.
Key violations
The investigation, launched in September 2021, revealed two main infringements:
- Transfers of personal data to China without adequate safeguards ensuring a level of protection equivalent to that guaranteed within the EU, in breach of Article 46(1) GDPR.
- Insufficient information provided to users regarding the countries to which their data was being transferred and the nature of the processing, in breach of Article 13(1)(f) GDPR.
These violations resulted in sanctions amounting to:
- EUR485 million for unlawful data transfers
- EUR45 million for lack of transparency in the privacy policy
for a total of EUR530 million.
Context and reasoning behind the decision
The company initially stated that it didn't store European users’ data on servers located in China. But in April 2025, it acknowledged that some information had indeed been stored on Chinese servers, contradicting previous statements made to the supervisory authority.
According to the DPC, the company failed to conduct an adequate assessment of the level of protection provided by Chinese law and practices regarding personal data processed in China. Nor did it implement sufficient supplementary measures to ensure a level of protection equivalent to that required by the GDPR.
During the inquiry, the documentation submitted by the company itself highlighted how certain provisions of the Chinese legal framework, in particular laws on counterespionage, anti-terrorism, cybersecurity and intelligence, diverge significantly from EU standards, making it impossible to ensure an essentially equivalent level of protection.
Corrective measures and deadlines
The DPC has ordered the company to:
- comply with the GDPR within six months, under penalty of suspension of data transfers to China; and
- immediately cease all non-compliant data transfers.
This decision comes in an already complex context for the company, which has previously been fined by European regulators for violations of data protection rules.
Reactions and outlook
The company has announced its intention to appeal the decision, warning of potential repercussions for companies and sectors operating globally and expressing concern about possible negative effects on Europe’s competitiveness.
In the meantime, to rebuild trust with European institutions, the company has launched a major infrastructure investment plan aimed at localizing data processing in Europe. Data protection authorities maintain that critical issues regarding transparency and compliance remain unresolved.
Conclusion
This fine is the third largest ever imposed under the GDPR. The case confirms the increasingly strict stance of European authorities in addressing data transfers to third countries lacking adequate protection. And it highlights the need for internationally active organizations to adopt strong and compliant governance in data transfer practices.
Author: Gabriele Cattaneo
Intellectual Property
Horizontal stripe on aircraft fuselage: General Court confirms refusal for lack of distinctiveness
In a recent judgment, the General Court of the European Union (GC) upheld the Board of Appeal’s (BoA) decision to refuse the registration of a position mark consisting of a horizontal red stripe placed on the silver fuselage of an aircraft, deeming it devoid of distinctive character under Article 7(1)(b) EUTMR, in relation to air transport services by private aircraft and related services in Class 39.
A position mark is a trademark that depends on the specific manner in which it is placed or affixed to products. The criteria for examination are the same as those applied to figurative and three-dimensional marks. At the same time, the GC pointed out that since consumers don't typically associate a product’s appearance with its commercial origin, “their distinctiveness may be more difficult to establish.”
The court further noted that a sign that's overly simple or lacks characteristics that are easily and instantly memorable is, by itself, not capable of conveying a message that consumers can recall. In this case, a red line on a silver fuselage lacks distinctive character and cannot function as an indicator of commercial origin for the relevant services. The color red is commonly used for decorative purposes or to attract attention, while silver is too similar to white, which is traditionally used in the aviation sector.
Taken as a whole, the sign lacks inherent distinctiveness.
The judgment is also significant because the GC reaffirmed that, although the relevant specialized public may demonstrate a higher level of attention, the criteria for assessing distinctiveness remain unchanged and focus on whether the sign enables consumers to distinguish the commercial origin of the services.
Finally, contrary to the applicant’s arguments, the GC noted that “the EUIPO is required to examine absolute grounds for refusal of its own motion, and it is the applicant’s responsibility to provide sufficient evidence if it is going to challenge a refusal of registration.”
On the basis of these considerations, the GC upheld the refusal.
Author: Tamara D’Angeli
Gaming and Gambling
NIS2 gambling obligations – What changes for operators and suppliers
Gambling operators and their suppliers must address the NIS2 obligations, which impose stringent cybersecurity requirements across the EU.
The NIS2 Directive (Directive (EU) 2022/2555) aims to enhance the cybersecurity resilience of several sectors, including gambling, by establishing a high common level of cybersecurity across the EU.
How the NIS2 applies to the gambling sector
The NIS2 Directive applies to entities categorized as “essential” or “important” based on their sector, size, and impact on societal and economic activities. While gambling isn't explicitly listed among the critical sectors, gambling operators and their suppliers may fall under the scope of NIS2 if they meet certain criteria:
- Digital Service Providers: Online gambling platforms offering services like online marketplaces or social networking features.
- Managed Service Providers: Suppliers providing IT services, including cloud computing, data centers, or cybersecurity solutions to gambling operators.
It’s imperative for gambling operators and their associated suppliers to assess their operations against NIS2 criteria to determine applicability and understand their NIS2 obligations.
Italy’s implementation: Legislative Decree No. 138/2024
Italy transposed the NIS2 Directive into national law through Legislative Decree No. 138, effective from October 18, 2024. The decree expands the scope of cybersecurity obligations and introduces specific deadlines for compliance.
Key deadlines:
- January 1 – February 28, 2025: Entities identified under Article 3 had to register on the designated Italian portal, providing specified data.
- March 31, 2025: The National Cybersecurity Agency (ACN) compiled a list of affected entities.
- April 15, 2025: ACN communicated inclusion, permanence, or removal from the list to the entities.
Entities becoming affected by December 31, 2025, have additional transition periods:
- Within 9 months: Comply with incident reporting obligations.
- Within 18 months: Comply with provisions for cybersecurity training, governance, and risk management.
This article provides a detailed outline of deadlines and obligations in Italy: NIS2 in Italy – Deadlines and Obligations.
Malta’s approach to NIS 2 – Legal Notice 71 of 2025
Several gambling operators are established in Malta. Malta transposed the NIS2 Directive into national law through Legal Notice 71 of 2025, known as the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025,” published on March 8, 2025. This framework replaces the previous NIS1 regime and introduces stricter cybersecurity obligations, reporting requirements and enforcement mechanisms for entities deemed to be “essential” or “important.”
Key aspects:
- Self-Registration Mechanism: Entities must register through a national self-registration mechanism established by the Critical Infrastructure Protection Department (CIPD).
- Competent Authorities: The CIPD acts as the primary regulatory authority for cybersecurity, overseeing compliance, conducting security audits, and enforcing penalties for non-compliance. Malta’s Computer Security Incident Response Team (CSIRT) plays a central role in coordinating cybersecurity responses and facilitating coordinated vulnerability disclosure processes.
- Coordinated Vulnerability Disclosure (CVD): A dedicated framework encourages reporting potential vulnerabilities in ICT products, processes, or services to relevant entities, with CSIRT acting as the national coordinator for such disclosures.
Read more about the topic in this article: “Gambling operators shall deal with the implementation of NIS 2 in Malta.”
Core obligations under NIS2
Entities falling under NIS2 have to adhere to comprehensive cybersecurity obligations:
- Cybersecurity risk management: Implement appropriate technical and organizational measures to manage cybersecurity risks, including risk analysis, incident handling, business continuity, and supply chain security.
- Incident reporting: Report significant incidents to the competent national authority or Computer Security Incident Response Team (CSIRT) within 24 hours of becoming aware of them, followed by a detailed report within 72 hours, and a final report within one month.
- Governance and accountability: Management bodies are responsible for approving and overseeing cybersecurity measures. They must undergo regular training and can be held liable for non-compliance.
- Supply chain security: Assess and manage risks associated with suppliers and service providers, ensuring they also meet cybersecurity standards.
- Registration and information provision: Provide necessary information to national authorities, including details about services, contact information, and designated representatives.
- Penalties for non-compliance: Failure to comply can result in administrative fines of up to EUR10 million or 2% of the total annual worldwide turnover, whichever is higher. Additional penalties vary depending on the country of implementation. Read more on the topic in this article: NIS2 – Personal Liability of Directors For Lack of Compliance is a Warning Message.
DLA Piper’s role in facilitating compliance
At DLA Piper, we offer comprehensive support to gambling operators and their suppliers in addressing NIS2 compliance:
- Scoping and applicability assessment: We assist in determining whether your organization falls within the scope of NIS2, considering factors like size, sector, and services provided.
- Registration assistance: Our team guides you through the registration process with the appropriate national authorities, ensuring timely and accurate submissions.
- Cybersecurity framework development: We help design and implement robust cybersecurity measures tailored to your organization’s needs, aligning with NIS2 requirements.
- Incident response planning: We assist in developing effective incident response plans, ensuring rapid and compliant reactions to cybersecurity incidents.
- Training and awareness: We provide training programs for management and staff to foster a culture of cybersecurity awareness and compliance.
- Legal and regulatory guidance: We offer ongoing legal advice to navigate the evolving regulatory landscape, ensuring continuous compliance.
The implementation of the NIS2 Directive marks a significant shift in the cybersecurity landscape for gambling operators and their suppliers. With stringent obligations and tight deadlines, understanding and adhering to NIS2 obligations is crucial. DLA Piper can help in addressing this complex regulatory landscape, ensuring your organization remains compliant and secure.
Feel free to contact us if you want to know more. You can also check DLA Piper’s Gambling Laws of the World Guide.
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra, Enila Elezi.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.
You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.
If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.