6 August 2025 | 18 minute read

Innovation Law Insights

7 August 2025
Data Protection and Cybersecurity

Updated Categories of Cyber Incident Notifications for Entities in the National Cybersecurity Perimeter

On August 1, 2025, DPCM No. 111 of 4 June 2025 (hereinafter, the “DPCM”), updating the list of cyber incidents that entities within the National Cybersecurity Perimeter must notify, was published in the Italian Official Gazette. The DPCM constitutes a central reference point for entities designated as part of the National Cybersecurity Perimeter, as it identifies the types of incidents that give rise to a mandatory notification obligation.

Regulatory Framework

The National Cybersecurity Perimeter (hereinafter, the “Perimeter”), established under Decree-Law No. 105/2019 (converted into Law No. 133/2019), imposes strict obligations on selected public and private entities deemed of strategic importance due to their role in the exercise of essential functions or the provision of essential services, whose malfunctioning, disruption (even partial), or misuse could jeopardize national security. These entities operate in critical sectors such as energy, finance, transport, communications, defense, and health.

The obligations set forth by the Perimeter include the identification and protection of critical ICT assets, as well as the prompt notification to CSIRT Italia of any incidents that may compromise the confidentiality, integrity, or availability of digital infrastructures.

Notifiable Incidents

The newly issued DPCM updates the classification of cyber incidents contained in Annex A of the previous DPCM No. 81/2021. In particular, the DPCM defines the following macro-categories of incidents that must be reported:

  1. Initial Exploitation: Includes events such as the delivery and execution of malware via phishing emails, exploitation of known software vulnerabilities in exposed services, or unauthorized remote code execution (i.e. ICP-A-1). These are often the initial stages of a broader attack.
  2. Faults and Service Disruptions (Guasto): Encompasses degradation or loss of expected service levels in terms of computing resources, bandwidth, or backups, as well as the loss or compromise of user credentials and cryptographic keys.
  3. Installation and Persistence: Involves activities related to the installation of malicious code or methods for maintaining unauthorized access, for instance unauthorized privilege escalation within internal systems or the deployment of persistence techniques (e.g., ICP-A-11, ICP-A-12).
  4. Lateral Movement and Discovery: Includes activities aimed at navigating the internal network or gathering information, such as credential harvesting or the use of techniques to access or execute code on different internal systems (e.g., ICP-A-15, ICP-A-17).
  5. Actions on Objectives: Covers the use of techniques intended to collect or exfiltrate data from the affected systems (e.g., ICP-A-18, ICP-A-19), typically after a persistent presence has already been established.

A significant addition introduced by the DPCM is the explicit inclusion - under category ICP-A-20 - of incidents involving unauthorized access or abuse of legitimately granted privileges, regardless of the actor’s intent or the objective pursued.

This includes all cases, identified through qualitative or quantitative indicators, where access to digital resources occurs either:

  • without any legitimate authorization; or
  • through misuse of authorized credentials, such as in cases of lateral movement by internal personnel, use of excessive privileges, or access beyond assigned operational tasks.

Qualitative indicators may include, for instance, access occurring at unusual times, access to data or systems unrelated to the user’s role, or anomalous patterns such as the use of hidden command-line interfaces or persistence techniques. Quantitative indicators could involve an unusually high volume of data queries, unexpected authentication attempts, or disproportionate use of administrative functions.

Interestingly, an event may be classified as notifiable even if the access was performed by an employee or otherwise authorized individual, provided that it still results in a loss of confidentiality, or deviates from expected operational behaviors, as identified through qualitative or quantitative indicators. The purpose pursued or the identity of the actor is not relevant; any access outside of existing authorizations is sufficient to trigger the notification obligation.

The introduction of this category responds to the increasing operational relevance of insider threats and credential-based intrusions, both of which are commonly used as preliminary stages in complex cyber-attack campaigns. The regulation therefore establishes the obligation to notify both confirmed and suspected incidents of unauthorized or abusive access to ICT assets, ensuring that early signs of compromise are promptly brought to the attention of national cybersecurity authorities.

Conclusion

This DPCM reinforces the centrality of notification obligations and expands the scope of the Perimeter’s protections, aiming to anticipate emerging cyber threats through broader and more precise reporting requirements.

Author: Federico Toscani

 

Technology

From Lab to Law: the quantum infrastructure as a new sovereignty frontier

Quantum technologies are no longer just a distant promise; they have become a battleground of geopolitical, industrial and regulatory competition.

The turning point came with the European Declaration on Quantum Technologies (hereinafter, the “Quantum Declaration”), which set out a shared political vision for building a secure and interoperable European quantum infrastructure.

Building on this commitment, the European Commission announced a European Strategy for Quantum Technologies (hereinafter, the “European Quantum Strategy”), formalized in COM(2025) 363 from the Commission to the Parliament and the Council, anticipating the adoption of a Quantum Act to harmonize programs, investments, and standards among Member States.

Italy has actively joined this process with the official presentation of the National Strategy for Quantum Technologies (hereinafter, the “Italian Quantum Strategy”) on July 31, 2025, the result of joint work by the National Cybersecurity Agency (ACN), the Ministry of University and Research (MUR), Ministry of Enterprise and Made in Italy (MIMIT), Ministry of Defense, and Department for Digital Transformation.

The strategy outlines a clear set of objectives structured around several key pillars, from scientific research to accelerating industrial transition, from training post-quantum skills to national security.

  1. From quantum mechanics to Qubit

Quantum technologies (QT) refer to a suite of hardware and software solutions grounded in the principles of quantum mechanics, a branch of physics that explores the behavior of subatomic particles. Unlike classical digital systems, which process information in binary bits, quantum technologies use qubits: units of information that can exist simultaneously in multiple states, thanks to physical phenomena such as superposition and quantum entanglement.

This intrinsic feature enables QT to process data volumes and physical simulations that are inaccessible even to traditional supercomputers. Rather than being a singular invention, quantum technologies form a multifaceted ecosystem, structured along five core application areas, as recognised by the Italian Quantum Strategy:

  1. Quantum computing: devices that leverage qubits to solve computationally intensive problems (e.g. molecular modelling, logistics optimization, cryptanalysis) at exponentially higher speeds than classical systems.
  2. Quantum simulation: specialized devices that reproduce the behavior of physical, chemical, or biological systems that are too complex for conventional methods.
  3. Quantum communication: data transmission technologies based on mechanisms such as quantum key distribution (QKD), capable of guaranteeing a theoretically unbreakable level of security.
  4. Quantum metrology: ultra-precise instruments for measuring time, gravity, or fundamental physical constants, with applications across science, aerospace, and finance.
  5. Quantum sensing: advanced sensors capable of detecting imperceptible changes in magnetic fields, rotation, position, or temperature, useful in medicine, defense, and geophysics.

Since 2018, the European Union has massively invested in these areas through initiatives such as the Quantum Manifesto, the Quantum Technologies Flagship, the EuroHPC-JU program for supercomputing, and the EuroQCI project for European quantum communication infrastructure.

However, with increasing global geopolitical competition — particularly with the United States, China, the United Kingdom, and Israel — the stakes have shifted from technological development alone to building European quantum sovereignty based on its own infrastructure, interoperable standards, and common rules.

In this context, both the European Quantum Strategy and the Italian Quantum Strategy aim to turn quantum technologies into a secure, strategic, and sustainable competitive advantage for Europe.

  2. The European strategy: towards a sovereign quantum infrastructure

The European Commission has recently formalized the first European Strategy for Quantum Technologies, marking a decisive step change in EU technology governance. The stated goal is to transform Europe into a global leader in the quantum sector, equipping it with an integrated, interoperable, and sovereign industrial ecosystem.

At the core of the strategy lies a fundamental principle: there can be no technological leadership without the autonomous ability to design, develop, and deploy quantum technologies in strategic sectors such as cybersecurity, defense, energy, healthcare, finance, and space.

Hence the vision to build a distributed pan-European quantum infrastructure — for computing, communication, and sensing — that is fully interoperable between Member States and resilient to extra-EU dependencies.

The document identifies several operational guidelines, including, by way of example:

  • Development of pan-European quantum infrastructure, through the extension of the EuroHPC initiative and the integration of EuroQCI networks, to create a unified environment for supercomputing, sensing, and secure quantum communication.
  • Regulatory alignment and harmonization of national programs, to be achieved through the future Quantum Act, a legislative instrument that will define common rules for investment, interoperability, and certification.
  • Targeted support for industrial transition, with a focus on deep-tech SMEs, European manufacturing of quantum components, and the creation of an internal market for applications with high strategic value.
  • Training and attracting talent by promoting specialized curricula, industrial doctorates, and intra-EU mobility schemes, also to stem the brain drain to non-European ecosystems.
  • Development of a technological trust framework based on European standards, security certification, and post-quantum cryptographic approaches in line with the recommendations of ENISA and Regulation (EU) 2019/881 (Cybersecurity Act).

Ultimately, the strategy emphasizes the urgent need to define a European technical standardization instrument to avoid fragmentation among Member States and prevent forms of quantum dependence on third parties.

  3. The Italian strategy: building an ecosystem between excellence and fragility

Italy formalized its National Strategy for Quantum Technologies on July 31, 2025, aligning itself with the broader European trajectory and recognizing the systemic importance of quantum technologies for national security, competitiveness, and digital sovereignty. The document offers a snapshot of a dynamic yet still fragile landscape, proposing a multi-layered roadmap to strengthen the domestic ecosystem.

  • From a scientific point of view, Italy boasts internationally recognized excellence and an active presence in all pillars of quantum technologies. However, strategic analysis highlights significant disparities in technological maturity between different areas: while sensor technology and communication are at advanced stages of development, the quantum computing and simulation sector has an urgent need for access to adequate infrastructure.
  • Looking at the financial picture, public funds allocated between 2021 and 2024 amount to approximately €227.4 million, a significant figure but still lower than the investments planned by the main European and international competitors. The limited number of deep-tech startups operating in the sector, compared to countries such as the United States, France, Germany, or the United Kingdom, also points to a structural shortfall in the mobilization of private capital and technology transfer.
  • On the regulatory and programmatic side, the Italian Quantum Strategy identifies areas for action in line with the guidelines identified at EU level, but pays particular attention to the need to build a clear, transparent, and multi-level governance model capable of coordinating the various stakeholders.
  • Finally, the strategy recognizes that standardization and certification are essential enablers for ensuring the interoperability and security of the solutions developed.

In this perspective, Italy aims to actively contribute to the definition of common European standards, strengthening dialogue with European technical standardization bodies and positioning itself as a proactive player in the construction of the European quantum infrastructure.

  4. Strategic convergences in systemic gaps: Italy and Europe towards an integrated quantum governance?

Although the Italian Quantum Strategy is moving along the path outlined in the European Quantum Strategy and inspired by the political framework of the Quantum Declaration, it still reflects a predominantly adaptive approach, rather than one truly convergent with the European regulator's integrative ambition.

In both strategies, quantum technologies are identified as strategic levers for digital sovereignty, industrial autonomy, and national security. The common multidimensional approach calls for a commitment to infrastructure, research, training, industrial development, and cybersecurity, with a clear reference to the need to invest in the four fundamental pillars: quantum computing, communication, metrology, and sensing.

However, alignment between the two documents is largely confined to high-level principles and diverges significantly in operational and structural terms.

  • First, the European Quantum Strategy proposes a multi-layer governance model, in which the Commission takes a leading role in harmonizing national investments, standards, and programs. The aim is to build an internal market for quantum technologies, based on an interoperable infrastructure and a unified regulatory framework, to be consolidated through the Quantum Act. While the national strategy evokes the need for public-private synergies and coordination with European programs, it remains anchored to a ministerial logic and an aggregation of existing projects. The absence of a single, permanent governance structure with strategic autonomy and cross-cutting implementation capacity risks weakening the coherence and impact of national action.
  • Secondly, divergence is manifest in the ability to mobilize resources. While the European document envisages a strengthening of public-private partnerships and an increase in investment on a continental scale (including through dedicated instruments such as EuroHPC-JU), the Italian strategy starts from a modest base and does not provide for dedicated fiscal or regulatory instruments to attract private capital, nor does it provide for de-risking measures for deep-tech startups active in the sector.
  • A further gap concerns the regulatory and standardization profile. The Commission explicitly envisages the development of a unified regulatory framework capable of ensuring the security, interoperability, and certifiability of quantum systems. The national strategy, on the contrary, does not systematically address the regulatory dimension, nor does it propose a regulatory agenda for the adoption of shared standards, leaving crucial issues such as technological risk management, security in critical sectors, and the governance of sensitive data unresolved.

In conclusion, Italy has outlined a strategy that is solid in its assumptions and consistent in its objectives. Nonetheless, effective alignment with the European trajectory will require a qualitative leap in terms of both the capacity to govern the system and legal and institutional ambition.

Without more organic integration into European structures and instruments, there is a tangible risk that the national strategy will remain peripheral to the design of genuine European quantum sovereignty.

On a related topic, you might find our podcast episode ‘Quantum Computing: Infinite Potential and Legal Risks’ of interest.

Author: Giulio Napolitano

 

Intellectual Property

Selective Distribution and Brand Integrity: Milan Court Affirms Limits of Trademark Exhaustion

With its order of June 9, 2025 (R.G. No. 10346/2025), the Milan Court addressed the delicate balance between the free movement of goods and the protection of a trademark’s reputational function, reaffirming - consistent with EU case law - that the aura of luxury associated with a brand constitutes a legally protectable interest in its own right.

The case arose from a precautionary application under Article 700 of the Italian Code of Civil Procedure, jointly filed by two companies - the trademark owner and its exclusive distributor in Italy - seeking an injunction against the marketing of trademarked products through unauthorized distribution channels.

According to the claimants, the resale methods adopted by certain third-party operators - outside the selective distribution network - were likely to severely undermine the brand's distinctive character and reputational positioning, which were the result of a carefully controlled and selective distribution strategy.

As is well known, the principle of trademark exhaustion is enshrined in Article 5 of the Italian Industrial Property Code and Article 15 of Regulation (EU) 2017/1001. According to these provisions, once a product has been lawfully placed on the EU market by the trademark holder (or with their consent), the holder may not oppose its further commercialization - unless there are “legitimate reasons” to do so.

As clarified by the Court of Justice of the European Union (see, inter alia, Cases C-337/95 Dior, C-59/08 Copad), such legitimate reasons may include commercial practices that compromise the perceived quality of the product or damage the brand image, particularly in cases involving luxury or high-end trademarks.

In the case at hand, the defendants engaged in resale practices that failed to meet the standards imposed by the brand’s selective distribution system, including:

  • indiscriminate display of cosmetics alongside household cleaning products and food items;
  • lack of trained or qualified sales personnel;
  • sale of products in disorganized settings lacking specialized departments (e.g., no dedicated fragrance or beauty section);
  • “under-the-counter” distribution;
  • deterioration of the original packaging.

These conditions were deemed likely to negatively affect the perceived quality of the brand, undermining not only its distinctive function but also its advertising and investment functions, as recognized by both EU case law and academic commentary.

In rejecting the defendants’ appeal, the Milan Court invoked the established CJEU case law on the protection of prestigious trademarks, holding that the documented resale methods constituted a “concrete and actual detriment” to the identity of the trademark, thereby justifying the opposition to resale under Article 5(2) of the Industrial Property Code.

Significantly, the Court clarified that the protection granted to the trademark goes beyond the mere guarantee of origin - it also extends to the ability of the mark to communicate a selective image, which is shaped by deliberate distribution, marketing, and positioning choices.

In luxury markets in particular, the immaterial value of a brand is inextricably linked to the consistency of the purchasing experience. Its degradation - even indirectly - may constitute a legally relevant interest sufficient to oppose unauthorized resale.

The defendants raised several objections, including:

  • the alleged invalidity of the contractual clause prohibiting out-of-network resale (Articles 1341-1342 of the Italian Civil Code);
  • the alleged unlawfulness of the selective distribution system in light of the “Metro” criteria;
  • the absence of actual and concrete harm to the brand;
  • the lack of standing of the exclusive distributor.

The Court rejected each argument, stressing that:

  • the existence of a legitimate reason under Article 5 IPC does not depend on the validity of the contractual clause, but rather on an objective prejudice to the trademark’s reputation;
  • standing may also be recognized in favor of the exclusive distributor, insofar as it is an active part of the authorized network;
  • the evidentiary findings in the interim proceedings were sufficient to establish actual - not merely potential - harm to the brand.

The Milan Court’s decision reaffirms a fundamental principle in trademark law: the principle of exhaustion is not absolute and must yield when the integrity of the trademark’s commercial and reputational identity is jeopardized by inconsistent distribution practices.

In the luxury goods sector, selective distribution is not merely a marketing strategy but a functional element in preserving the brand’s intangible value. The alignment between brand and distribution context - far from being a superficial concern - assumes legal relevance under Article 5(2) IPC.

This ruling fits squarely within the broader framework of EU case law, which, while promoting the free movement of goods, acknowledges the decisive role of a trademark’s advertising and investment functions in assessing the legitimacy of its post-sale protection.

Author: Maria Vittoria Pessina

 


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
