
5 February 2026
Innovation Law Insights
Legal Break
Legal Tech: The key trends shaping 2025
In this episode of Legal Break, Tommaso Ricci from DLA Piper explores the most significant technological developments in the legal sector, offering insights into the trends that have defined the past year and those shaping the future of the profession. Watch the episode here.
Privacy and cybersecurity
Significant incidents under NIS2: Italian NIS2 Authority issues new guidelines
Last December the National Cybersecurity Agency (ACN) published the NIS Guidelines on the definition of the cybersecurity incident management process. The document is intended to support entities falling within the scope of Legislative Decree No. 138 of 4 September 2024 (the NIS Decree) in implementing their obligations relating to incident management. It complements the previous document on the basic specifications (reading guide).
The document is addressed to essential and important NIS entities and aims to provide a reference model for defining and structuring the cybersecurity incident management process, illustrating its phases, sub-phases, and its relationship with the basic security measures required under the NIS framework.
The Guidelines don’t introduce new obligations but describe a possible organisational and operational setup for the process, linking regulatory requirements with the concrete activities required for prevention, detection, response, and continuous improvement in incident management.
The model proposed by ACN structures the incident management process into five main phases:
- Preparation, which includes governance, identification and protection activities.
- Detection, aimed at the timely identification of events relevant to cybersecurity.
- Response, which includes the sub-phases of reporting, investigation, containment and eradication.
- Recovery, aimed at returning to the operational state before the incident.
- Improvement, understood as a cross-cutting phase driven by lessons learned.
Security measures and organisational setup
A significant part of the document is devoted to the preparation phase. It highlights:
- the definition and approval, by the management and governing bodies, of the incident management plan, as required by measure RS.MA 01;
- the adoption of cybersecurity policies consistent with measures GV.PO 01 and GV.PO 02, including those relating to event monitoring, incident response and recovery;
- the formal assignment of roles and responsibilities, including the designation of the Point of Contact and the CSIRT Liaison, and the integration of any third parties involved in the process.
The Guidelines clarify that the designation of the CSIRT Liaison constitutes an operational delegation and doesn’t transfer responsibility from the management and governing bodies, as provided for by Article 23 of the NIS Decree.
Detection, evidence and significant incidents
With regard to the detection phase, the Guidelines state that events relevant to cybersecurity are subject to analysis (triage) to verify their nature; only where the analysis confirms that the event relates to an incident is the incident formally declared and the response phase initiated.
Particular attention is given to the concept of incident evidence, a key notion for notification obligations. What matters isn’t the complete reconstruction of the root cause, but the availability of objective elements attesting to the occurrence of one of the types of significant incidents provided for in the basic specifications. The acquisition of such evidence marks the point from which the 24-hour deadline for pre-notification and the 72-hour deadline for notification to CSIRT Italia begin to run.
The document also recalls the distinction between the types of significant incidents applicable to important entities and the additional ones provided for essential entities, including cases of unauthorised access or access with abuse of granted privileges.
Recovery and continuous improvement
The recovery and improvement phases are addressed as essential elements for ensuring organisational resilience. The Guidelines emphasise the need to:
- adopt and document procedures for the recovery of information systems and networks, consistent with the incident management plan;
- track the activities carried out and assess their effectiveness;
- integrate lessons learned into business continuity, disaster recovery, and crisis management plans, as required by the improvement measures under the NIS framework.
Conclusions
As clarified by ACN, the Guidelines neither amend nor supplement the provisions of the NIS Decree or the implementing measures, but provide a reference model and interpretative support for entities required to translate regulatory requirements into operational processes and procedures.
The document appears particularly useful during the design of the incident management process. It verifies alignment between adopted measures and regulatory requirements, and it prepares for the monitoring and review activities required under the NIS framework, contributing to a systematic reading of incident management obligations within the NIS2 framework.
Author: Gabriele Cattaneo
Intellectual Property
Khaby Lame and the transformation of digital identity into an intellectual property asset
Recent reports regarding the alleged sale of the company managing the economic and commercial rights associated with Khaby Lame’s image and brand – at a valuation approaching USD1 billion – offer a valuable opportunity to reflect on the evolution of intellectual property law in the digital economy era. They also highlight the emergence of personal identity as a new legal and economic asset.
Khaby Lame, the most-followed creator on TikTok and globally recognised for his non-verbal, and therefore universal, communication style, exemplifies how online fame can be transformed into a complex framework of economically exploitable rights, extending far beyond individual audiovisual content. Today, the role of the content creator can no longer be confined to the mere production of social media posts; rather, it increasingly takes the form of a personal brand, endowed with autonomous economic value. As such, it can be structured, licensed and transferred.
According to initial reports, the transaction would go well beyond the traditional management of commercial partnerships. It would also encompass the development of a “digital twin” based on AI technologies, capable of replicating the creator’s distinctive image, gestures and expressive traits.
From a legal standpoint, the case raises significant questions regarding the interplay between the right to one’s image and other personality rights, intellectual property rights, and the economic exploitation of digital identity.
Under Italian law, the right to one’s image is traditionally classified as a personality right – non-transferable and unavailable in its core essence. It’s well established that economic exploitation of one’s image can be contractually authorised or licensed, subject to clearly defined limits.
The prospect of developing a digital twin of Khaby Lame opens new scenarios from an intellectual property perspective. A digital twin isn’t merely a static representation; it’s a dynamic system capable of autonomously generating content, adapting to different linguistic and cultural contexts, and operating simultaneously across multiple markets and platforms. This development raises critical issues concerning the ownership of rights in AI-generated works, the scope and limits of the authorisation granted by the individual whose image is used, liability for content produced by the digital twin, and the duration and revocability of consent to the exploitation of one’s digital identity.
Khaby’s case serves as an advanced testing ground for what may soon become widespread practice. Increasingly, creators, artists, and public figures may structure their professional activities through assignments or licences of economic rights, alongside the use of avatars and virtual identities.
At the same time, this evolution calls for deeper reflection on the legal boundaries of exploiting human identity, the protection of personal dignity, and the need to strike an appropriate balance between technological innovation and fundamental rights.
In this sense, Khaby Lame isn’t merely a media phenomenon, but a clear and emblematic example of how intellectual property is evolving – shifting its focus from the work to the individual and from the creative act to the creator’s identity itself.
Author: Noemi Canova
Legal Design
Legal Design Tricks: Little tips to use legal design in your daily activities
Trick #13: Human-in-the-loop: Why the Legal Designer is essential for AI (and not the other way around)
Everyone is talking about AI.
Few remember that without skilled humans, even the most advanced algorithm can make poor decisions.
AI accelerates document production, but speed without oversight means regulatory chaos.
Legal documents aren’t just texts: they are experiences that influence decisions, risks, costs and trust.
This is where the Legal Designer comes in.
What is the role of the Legal Designer?
The Legal Designer:
- structures legal processes;
- organises and simplifies information; and
- translates complexity into actionable, understandable choices.
The goal? To produce documents that are clear, coherent and usable.
This is exactly the spirit of human-in-the-loop: the human remains in the AI decision cycle, intervening at different stages of design, development and deployment to improve performance and reduce risks.
What does ‘human-in-the-loop’ mean?
Human-in-the-loop means a person intervenes:
- in AI design;
- in data preparation;
- in output review; and
- in risk governance.
Because only someone who understands the law can recognise when AI makes legal mistakes.
Let’s explore the key contributions of the Legal Designer in enabling human-in-the-loop.
Curating Data for AI
AI “learns” from the data we provide.
If documents are ambiguous, redundant, inconsistent or full of jargon, the output will be equally flawed!
The Legal Designer:
- simplifies and clarifies legal texts during pre-processing;
- ensures legal meaning is clear;
- removes ambiguity, errors and unnecessary jargon; and
- creates clear and consistent information structures.
The goal? To provide clean, AI-ready legal data.
Example: standardizing contract templates improves AI responses to commercial team requests.
Building a smart knowledge base
Without structure, even the best AI becomes a chaotic search engine.
The Legal Designer:
- organises laws, policies and clauses in a navigable way;
- defines taxonomies and information pathways; and
- links information across legal, compliance and business teams.
The goal? To create a shared, coherent and up-to-date knowledge base.
Example: a corporate repository of clauses with pre-defined selection criteria allows AI to suggest pre-approved texts, reducing risk and increasing speed.
Monitoring risks and output quality
Technology moves fast. Law reflects.
The Legal Designer:
- sets limits and controls;
- identifies ethical and legal risks; and
- reviews and corrects outputs (preventing hallucinations).
The goal? To avoid “legal hallucinations” and ensure compliance.
Example: a clear review workflow for AI-generated contracts prevents “fantasy legal outputs”.
Putting people at the centre
A tool nobody uses is a wasted investment.
The Legal Designer:
- designs the legal user experience;
- makes AI interactions clear and intuitive; and
- communicates when, how and why to use the tool.
The goal? To adopt sustainable AI that puts people first and technology at their service.
Example: simplified guides for employees using AI systems entail fewer requests to legal, more autonomy for everyone.
In summary
AI doesn’t replace human expertise. It amplifies the value of those who know how to guide it.
In this context, the Legal Designer is:
- curator of quality;
- knowledge architect;
- risk guardian; and
- translator between law, technology and people.
The Legal Designer isn’t a bystander in the technological transformation. They’re a protagonist: bridging, guiding and acting as the critical conscience of intelligent systems.
Without human-in-the-loop, AI isn’t intelligent: it’s just automatic.
Did you know?
Internal studies and Big Tech experiments show removing 20% of unnecessary text from contracts increases AI accuracy by up to 30% in suggested clause modifications.
Want to design an AI-ready ecosystem?
Start with data. Start with people.
And start with someone who can speak to both: the Legal Designer.
Author: Deborah Paracchini
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.