
18 September 2025 • 24 minute read
Innovation Law Insights
Podcast
How AI Governance, Privacy, and Innovation Intersect: A Conversation with Emerald De Leeuw-Goggin
In the latest episode of the podcast Diritto al Digitale, Giulio Coraggio talks with Emerald De Leeuw-Goggin, Global Head of AI Governance & Privacy at Logitech, about how companies can balance innovation with compliance in one of the fastest-evolving areas of law and technology.
From her entrepreneurial beginnings as the founder of Eurocomply to her current leadership role at Logitech, Emerald’s career illustrates what it means to drive change at the intersection of AI governance, privacy, and intellectual property. You can watch the podcast and listen to it.
Artificial Intelligence
How to Set Up an AI Committee in Your Company’s Governance Framework
Creating an AI committee within a company's governance framework for the use of artificial intelligence is no longer a luxury; it is a necessity.
With the rapid development of artificial intelligence, the pressure of regulations such as the EU AI Act and the GDPR, and the risk of disputes over intellectual property and privacy breaches, companies cannot delay setting up an AI governance framework. The backbone of such a framework is the AI committee, which ensures that innovation goes hand in hand with accountability, that risks are managed effectively, and that legal and ethical standards are embedded at every stage of an AI project.
In this article, I will answer the most pressing questions about how to structure such a body: who should be members, whether a Chief AI Officer is necessary, how the committee should operate and communicate with the rest of the company, how it should interact with GDPR compliance processes, and how its role should be reflected in the company’s AI compliance policy.
Who should be members of the AI committee?
This is the question we receive most often. An AI committee must be cross-functional by design. Artificial intelligence projects affect technology, data protection, business strategy, and ethics simultaneously. To cover this complexity, the following roles should normally be represented:
- Senior technology leaders such as the CTO, the head of IT or lead data scientists to bring technical knowledge on models, data, and deployment;
- Legal and compliance officers who can interpret regulations like the AI Act, GDPR, consumer protection, and sector-specific rules;
- The Data Protection Officer, whose role is central in ensuring that the handling of personal data in AI projects complies with privacy requirements;
- Cybersecurity or IT security managers, since AI systems add new attack surfaces (adversarial inputs, poisoned training data, manipulation of models and prompts) and require robust, monitored infrastructure; and
- Risk management specialists, able to frame AI within the broader enterprise risk map, including reputational, financial, and operational risks.
Other functions, such as the head of marketing or the head of HR, should be available "on demand" depending on the topic under discussion in the AI committee.
The mix of members should be adapted to the company’s size, AI maturity and the sector in which the company operates, but the principle remains: an AI committee must combine multiple perspectives to be effective.
Should there be a Chief AI Officer?
The question of whether to appoint a Chief AI Officer (CAIO) is becoming increasingly relevant. For companies where AI is central to the business model (banks deploying automated credit scoring, health-tech companies relying on diagnostic algorithms, or data-driven businesses), the answer is usually yes.
A CAIO can:
- Set a unified AI strategy across the company.
- Act as the permanent chair of the AI committee.
- Ensure alignment between governance, risk, compliance, and business.
- Serve as the key point of contact for regulators, auditors, and external stakeholders.
Where AI is less central, responsibilities can remain spread across existing C-suite functions such as the CTO, CIO, or CDO. However, even in such cases, the AI committee must have clear leadership and accountability to avoid becoming a “talk shop” without enforcement power.
In any case, the AI committee should have a person who is accountable for its operation and responsible for ensuring that it is involved in all of the company's AI-related projects, which should not proceed without the committee's approval.
How should the AI committee operate and communicate internally?
An AI committee without clear procedures will fail quickly. To work, it needs both authority and communication channels which should be set out in the company's AI policy. Good practice includes:
- Charter and mandate: the AI committee must have a written scope and defined responsibilities in relation to artificial intelligence systems adopted by the company. This includes reviewing new AI initiatives, setting internal standards, and escalating issues to senior leadership.
- Review, approval, and monitoring of AI systems: the AI committee should be empowered to review, approve, and continuously monitor all AI systems developed or adopted by the company. This oversight must follow an “AI by design” approach, ensuring that compliance with the AI Act, the GDPR, intellectual property law, and sector-specific legislation is embedded from the earliest design phase through deployment and monitoring.
- Regular meetings: typically, monthly or bi-monthly, with the ability to call extraordinary meetings for high-risk or urgent projects.
- Decision-making: clear rules indicating that the approval of the AI committee is necessary before the adoption of any artificial intelligence system by the company.
- Departmental liaisons: each department—product, legal, IT, HR, operations—should nominate a contact person to interact with the AI committee to ease its operation.
- Guidelines and training: the AI committee should not only supervise but also provide practical tools, templates, and awareness sessions to embed responsible AI across the organization. If employees do not understand the risks to which the company might be exposed and the procedure to be followed, they will try to bypass the AI committee.
- Reporting lines: the AI committee should provide periodic reports to the board or a relevant executive committee, summarizing decisions, risks identified, and lessons learned.
This operating model ensures that the AI committee is not isolated but works as a connective tissue between AI projects and company governance.
How should the AI committee's operation connect with the GDPR compliance framework?
The intersection between the AI committee and corporate governance is especially visible in the area of data protection. Since most AI systems rely on personal data, GDPR compliance cannot be an afterthought. The AI committee should:
- Ensure that Data Protection Impact Assessments (DPIAs) are performed for high-risk AI systems early in the design phase and perform the Fundamental Rights Impact Assessment (FRIA) when needed under the AI Act.
- Review whether the chosen legal basis for data processing (consent, legitimate interest, contractual necessity) is appropriate.
- Promote privacy by design, including data minimization, anonymization, or pseudonymization when feasible.
- Guarantee that transparency obligations are met: users must know when AI is making decisions about them and must have access to meaningful explanations.
- Oversee integration of data subject rights (access, rectification, erasure, objection) into AI processes.
- Monitor security controls and incident response processes for AI-related data breaches.
These activities should be coordinated with the DPO to avoid duplication. By embedding GDPR into its agenda, the AI committee avoids silos and ensures that data protection requirements are integrated into the broader governance strategy.
How should the AI committee be reflected in the compliance policy?
The last step is formalizing the committee’s role in the company’s AI compliance policy. A policy that does not mention the committee will fail to give it legitimacy and visibility. At a minimum, the policy should:
- Identify the existence of the AI committee, its composition, and its authority.
- Assign responsibilities clearly to members, including the chair or CAIO if appointed.
- Require that certain categories of AI systems - particularly high-risk ones - cannot be deployed without prior review and approval.
- Specify the documentation that must be produced, such as risk assessments, bias audits, and DPIAs.
- Clarify how the committee integrates with GDPR compliance processes.
- Define metrics, monitoring, and reporting obligations.
- Include a clause on periodic review and continuous improvement of both the policy and the committee’s functioning.
This approach ensures that governance is not just aspirational but enforceable, visible, and binding across the company.
Conclusion
An AI committee is the cornerstone of effective corporate governance in the age of artificial intelligence. It brings together diverse expertise, creates a forum for risk management, and provides the oversight necessary to comply with laws like the GDPR, intellectual property law, sector-specific rules, and of course the EU AI Act. By reviewing, approving, and monitoring AI systems with an “AI by design” approach, the committee ensures that compliance is built into innovation, not bolted on afterwards.
In a world where trust in AI is as valuable as performance, setting up an AI committee is not only about compliance, it is about building a sustainable competitive advantage.
Author: Giulio Coraggio
Data Protection and Cybersecurity
Non-Material Damage under the GDPR: The CJEU in Case C-655/23 (IP v. Quirin Privatbank)
On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered an important judgment in Case C-655/23, IP v. Quirin Privatbank AG on the compensability of non-material damage under Regulation (EU) 2016/679 (“GDPR”). The ruling provides crucial guidance on the criteria and prerequisites for compensation under Article 82 GDPR, clarifying what may constitute compensable non-material harm, as well as the conditions for obtaining the compensation of such damage.
The Facts
The applicant had applied for a position with a bank through a professional networking platform. During the recruitment process, an employee of the bank mistakenly sent a message intended solely for the applicant to a third party not involved in the hiring process. The third party, who knew the applicant from past professional experiences, forwarded the message back to him.
As a result of this violation, the applicant brought proceedings before the German courts, seeking an injunction to prevent further unlawful disclosures of his personal data and compensation for the non-material harm suffered.
The German courts acknowledged the GDPR violation and granted the injunction but dismissed the damages claim, holding that the applicant had not sufficiently proved the existence of non-material harm. On appeal, the Bundesgerichtshof (Federal Court of Justice) referred several questions to the CJEU for a preliminary ruling on the interpretation of Article 82 GDPR.
Reasoning of the Court
Importantly, non-material damage does not need to result in tangible adverse consequences, provided the claimant demonstrates that it actually occurred and was caused by the unlawful disclosure.
The Court further clarified that:
- There is no minimum threshold of seriousness required for non-material damage; even minor but proven harm is compensable.
- The seriousness or intentionality of the controller’s conduct cannot be relied upon to reduce the compensation; compensation must be “full and effective.”
- The granting of an injunction to prevent future unlawful disclosures cannot reduce or replace compensation for non-material harm already suffered; the two remedies are distinct and cumulative.
Accordingly, and in line with the GDPR’s provisions, the Court adopts a broad interpretation of non-material damage.
However, national rules on the burden of proof continue to apply, meaning that in practice it remains challenging for claimants to substantiate such claims and obtain compensation. Although non-material harm is in principle compensable, the claimant must still prove: (i) the actual existence of the alleged damage; (ii) the GDPR violation; and (iii) the causal link between the violation and the damage. Given the inherent difficulty of proving subjective states such as emotional distress, the evidentiary burden on claimants remains heavy.
Conclusion
This judgment confirms the CJEU’s broad approach to the compensability of non-material harm. While data subjects must still prove both the existence of harm and a direct causal link with the GDPR infringement, the decision underscores that companies are exposed not only to regulatory sanctions but also to damages claims from individuals as a direct consequence of unlawful data processing.
Author: Federico Toscani
Blockchain and Cryptocurrency
Dual crypto licensing or partnership: the crossroads outlined by the Bank of Italy for CASPs regarding EMTs
On September 4, 2025, the Bank of Italy published a communication on the interconnection (hereinafter, the “Communication”) between Regulation (EU) 2023/1114 on markets in crypto-asset (hereinafter, “MiCAR”) and Directive (EU) 2015/2366 on payment services (hereinafter, “PSD2”) in order to crystallize the manner in which services relating to electronic money tokens (hereinafter, “EMTs”) should be legally configured. The Communication follows in the footsteps of the No Action Letter issued by the European Banking Authority (hereinafter, “EBA”) on June 10, 2025, and establishes, for Italy, an interpretative framework that has an immediate impact on the authorization and organizational strategies of crypto-asset service providers (hereinafter, “CASPs”).
The central assumption is clear: EMTs, by their very nature, are halfway between the world of crypto-assets and the universe of payments. While MiCAR qualifies them as a specific category of crypto-assets, they must also be considered as “funds” within the meaning of PSD2 given their equivalence with traditional electronic money, with the consequence that some CASP activities overlap with regulated payment services. This overlap gives rise to a decisive principle: when a CASP offers EMT transfer services, or EMT custody and administration services through a custodial wallet that allows credits and debits to and from third parties, these activities must be considered payment services for all intents and purposes.
The regulatory message is unequivocal. From March 2, 2026, CASPs intending to provide such services will have to be doubly authorized: on the one hand, as crypto-asset service providers under MiCAR, and on the other, as payment institutions (hereinafter “PIs”) or electronic money institutions (hereinafter “EMIs”) under PSD2. Alternatively, it will be possible to operate through a partnership with an already authorized payment service provider (PSP), provided that the partnership is clearly formalized, with a precise division of responsibilities, information exchange procedures, monitoring tools, and the appointment of an internal contact person.
For operators already active, the Communication sets a strict timetable: the MiCAR application must be submitted by December 30, 2025, in accordance with the recently extended transitional regime, while the PSD2 application must be filed sufficiently in advance to complete the process by March 1, 2026. Failing this, operations on EMT services must be suspended until authorization is obtained or the partnership is formalized.
The Communication therefore does not merely transpose a European guideline but defines an operational path for Italian CASPs.
1. Services concerned and scope of application
The Communication precisely identifies which EMT services fall within the scope of payments. These are, in particular, the transfer of EMT and the custody and administration of EMT, when the custodial wallet allows transfers to and from third parties to be received and disposed of. In this configuration, the wallet is treated as a payment account, and the services offered by the CASP are, to all intents and purposes, transformed into payment transaction execution services. The logic is simple: if the operator moves EMT on behalf of the customer in an open circuit to third parties, it is subject to the same obligations and guarantees as those who move traditional funds.
No less important is the delimitation of what remains outside the perimeter. Intermediation in the purchase of crypto-assets with EMT does not constitute a payment service, nor do crypto-fiat exchange services. Furthermore, qualification as payment services does not automatically imply assimilation to the payment instruments typified by the Consolidated Banking Law: the overlap concerns the function performed, not the nature of the instrument used.
Starting March 2, 2026, CASPs that intend to offer EMT transfer and custody services with these characteristics must therefore also be authorized under PSD2 as payment institutions or electronic money institutions. Alternatively, they may operate through partnerships with an already authorized PSP, provided that the agreement is clearly structured and guarantees an adequate level of oversight.
For entities already in operation, the timelines are strict: the MiCAR application must be submitted by December 30, 2025, and the PSD2 authorization process must be completed by March 1, 2026. Failing this, operations must be suspended until authorizations are obtained or the partnership is activated.
2. Authorizations and operating models
The Communication identifies two alternative paths for CASPs wishing to provide EMT transfer or custody services that qualify as payment services: dual licensing or partnership with an already authorized PSP.
The first option requires the operator to obtain, in addition to MiCAR authorization as a CASP, PSD2 authorization, choosing between PI and EMI status based on its business model. This is not a purely formal choice: the type of license must consistently reflect the services actually provided, the operating methods adopted, and the associated risks. In this scenario, the Communication reiterates the need to establish dedicated capital to protect both CASP activities and the provision of payment services, ensuring separate and dedicated oversight for the issuance of electronic money and the movement of EMTs. Even if the operator limits its operations to EMT payments only, dedicated capital in line with the standards set for PIs and EMIs is still required.
The second option is to build a partnership with an authorized PSP. This route does not reduce transparency obligations or mitigate the overall responsibility of the CASP, but it does allow the authorization activity to be concentrated solely on the MiCAR perimeter. However, the Communication specifies that the partnership must be solid and documented at the time of application, with a minimum set of elements: a contractual agreement that clearly establishes the areas of responsibility; procedures for exchanging information on transactions carried out; mechanisms for monitoring the partner's activities; and the indication of an internal contact person within the CASP responsible for overseeing the relationship. In the absence of these safeguards, the partnership is not considered suitable to replace the dual license.
The Bank of Italy's approach is therefore pragmatic but rigorous: it allows freedom of choice between two operating models, but in both cases requires that the level of control and accountability be equivalent. Whether it is a dual license or a partnership, CASPs must demonstrate that they have structured authorization and organizational arrangements capable of guaranteeing customers the same level of reliability and protection as that recognized for traditional payment market operators.
3. Prudential requirements, ownership structures, and representatives
One of the most significant aspects of the Communication concerns the harmonization of prudential requirements, which is not limited to imposing compliance with MiCAR rules, but also requires CASPs authorized as payment service providers to cumulatively satisfy the requirements of both regulations. The objective is clear: to ensure that the intermediary always has sufficient capital to cover the entire spectrum of risks arising from mixed operations.
In concrete terms, this means that CASPs must comply with the minimum requirements set out in MiCAR (which vary depending on the services provided and are supplemented by the obligation to hold own funds or insurance coverage) and, at the same time, with the requirements established for PIs and EMIs by national supervisory provisions. For payment institutions, the initial capital is set at €125,000 for EMT transfer and custody services; for electronic money institutions, the threshold rises to €350,000. The approach is therefore cumulative: it is not a question of choosing which regulation to apply, but of adding up the required safeguards, as confirmed by the numerical example attached to the Communication.
In addition to the capital profile, particular attention is paid to ownership structures. MiCAR and PSD2 do not have identical rules on qualifying holdings: the European regulation requires qualifying shareholders to meet requirements of integrity, absence of significant sanctions, and financial soundness, identifying holdings on the basis of control and multiplier criteria. PSD2, on the other hand, places even greater emphasis on transparency: qualifying participants must comply with integrity, fairness, and competence requirements in accordance with the provisions of the Consolidated Banking Law and related implementing decrees, considering all criminal offenses and not only those listed in MiCAR. The operational consequence is that when CASPs also apply for authorization under PSD2, they must submit documentation proving compliance with the broader requirements for PSPs, without exception.
Finally, the Communication equates CASPs that intend to offer payment services in EMT with ‘relevant’ payment institutions and electronic money institutions, for which the requirements for company representatives are particularly stringent. It is not enough to demonstrate the absence of a criminal record or sanctions: directors and managers must have adequate knowledge, skills, and experience, guarantee independence of judgment, and devote sufficient time to the performance of their duties. Here too, the more extensive requirements set out in banking regulations apply, including the assessment of all types of criminal offenses, professional conduct, and a track record consistent with the position to be filled.
The overall result is a prudential and governance framework that significantly raises the bar: not only capital and financial resources, but also transparency in the structure and personal reliability of representatives become essential conditions for accessing the EMT payments market.
4. Customer protection and application profiles
If the classification of EMT services as payments moves CASPs into the territory of PSD2, the next step is logical: the application of customer protections. The Communication establishes that, in general, CASPs offering EMT transfer or custody must comply with the provisions on transparency, disclosure, and liability already in place for traditional payment service providers.
However, there are some specific exceptions due to the technical characteristics of blockchain transactions and, more generally, of distributed ledger technologies (hereinafter, "DLTs"). This is the case, for example, with network fees: in on-chain transfers, costs can vary in real time and are not always known in advance. In such cases, the obligation to indicate the exact amount of the fees ex ante does not apply, but the operator must still provide the user with the available information before the user authorizes the transaction. Similarly, the provisions requiring the maximum execution times to be indicated in advance do not apply: here too, at least a reliable estimate is required, communicated before the transaction.
In addition to information safeguards, the Communication reiterates the importance of strong customer authentication (hereinafter, "SCA"). From March 2, 2026, CASPs will have to ensure that access to EMT custodial wallets and the initiation of transfers are protected by strong authentication procedures, in line with Articles 97 and 98 of PSD2. In practice, this means authentication based on at least two independent elements (knowledge, possession, inherence), designed so that the compromise of one element does not compromise the others and, for remote transfers, dynamically linked to the amount and the payee of the transaction. Failure to apply SCA will result in direct liability for the provider, except in cases of proven customer fraud, with the consequence that CASPs will have to describe their authentication mechanisms at the time of authorization, demonstrating compliance with the rules in force.
Equally important is the introduction of fraud reporting obligations. From March 2, 2026, CASPs offering payment services in EMT will have to submit statistics on payment fraud, according to the six-monthly schedule already in place for other operators, and in accordance with the guidelines issued by the EBA. This step marks a further convergence between the world of crypto-assets and that of traditional payments, not only in terms of authorization but also in terms of supervisory controls.
Finally, the Communication confirms the exclusion of open banking rules. The provisions on payment initiation and account information services do not apply to EMT transfers and custody, for the simple reason that the logic of DLTs does not lend itself to integration into the account access circuits governed by PSD2. This exclusion avoids forcing the technical architecture of EMTs into schemes designed for traditional bank money.
The picture that emerges is one of full assimilation: the same transparency obligations, the same customer protection, and the same responsibilities for payment service providers.
However, there is a common thread of targeted adaptation that attempts to recognize the technological peculiarities of EMTs and shapes their application without derogating from the underlying principle: to guarantee users the same level of protection as those who use conventional payment instruments.
Conclusions
The Bank of Italy's Communication marks a decisive step: electronic money tokens are no longer a gray area of crypto-asset law but are now firmly within the scope of regulated payments under specific circumstances. For CASPs, this means adopting a clear strategy, dual licensing or partnership, and preparing for capital, governance, and customer protection requirements that leave no room for improvisation. March 2, 2026, is a watershed date: those who are not ready risk finding themselves out of the European crypto-asset market.
On the same topic, you may be interested in the article “Italian VASP extension and tensions in the implementation of MiCAR.”
Authors: Andrea Pantaleo & Giulio Napolitano
Intellectual Property
Patent Box and Software: the Italian Revenue Agency on Deductibility and SIAE Registration
With Ruling No. 223/2025, the Italian Revenue Agency has revisited an issue of significant operational impact for companies investing in software: the correct application of the "Patent Box" regime to in-house research and development costs relating to software protected by copyright, particularly where there is no SIAE registration.
The Case Submitted
A company active in the analysis and management of legal and financial data (ALFA S.p.A.) asked for confirmation that the Patent Box regime can also apply to costs for the creation of internally developed software not registered with SIAE, provided that ownership is certified by a self-declaration. A second question concerned the possibility of recovering (“recapture”) costs incurred in prior years in the event of subsequent SIAE registration.
The Agency’s Position
The Revenue Agency’s response is clear:
- SIAE registration is not required to benefit from the ordinary Patent Box regime. It is sufficient for the company to certify, through a self-declaration pursuant to Presidential Decree 445/2000, the ownership and existence of the software, its originality and creativity, and its link to “relevant” research and development activities under the legislation. This documentation must be provided in case of audits and must be complete, detailed, and verifiable, in line with the criteria already outlined in Circular 5/E/2023 and related implementing provisions.
- All costs not directly attributable to software development activities - such as administrative or general expenses - are excluded from the benefit, and objective cost-allocation criteria, not merely flat rates, must be applied.
And What About “Recapture” in Case of Subsequent Registration?
The so-called “reward mechanism,” which allows companies to recover costs incurred in the eight prior fiscal years if the software is registered with SIAE (or another body with equivalent effects), remains tied to the moment of registration. Only from that fiscal year does the possibility of applying recapture for expenses not already eligible under the ordinary regime arise. However, the Agency recalled that this matter had already been addressed and resolved in earlier guidance (Circular 5/E/2023); therefore, it deemed the second question inadmissible due to the absence of “objective uncertainty”.
Operational Implications
Ruling 223/2025 provides an important clarification:
- The ordinary Patent Box regime also applies to software not registered with SIAE, provided that ownership is duly declared and rigorously documented.
- SIAE registration remains necessary only for the reward mechanism (recapture) and produces effects solely from the year of registration.
- Documentation and traceability remain central: only actual costs, objectively attributable to development and allocated using transparent criteria, may benefit from the uplift.
Conclusion
The Agency’s response enables innovative companies to fully benefit from the enhanced deductibility also for “in-house” software without formal registration, while at the same time imposing strict requirements on documentation and cost allocation.
Author: Federico Maria Di Vizio
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.
You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.
If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.