
Innovation Law Insights

4 September 2025
Data Protection and Cybersecurity 

What is a significant incident under the NIS 2?

From January 2026, the obligation to notify significant incidents under Italian Legislative Decree No. 138 of 2024 (NIS 2 Decree) will come into effect. This obligation, which applies to all entities falling within the scope of the NIS 2 Decree, constitutes one of the main pillars of the new regulatory framework, introducing strict notification requirements for so-called significant incidents.

The definition of “significant incident” under the NIS 2

Under the NIS 2 Decree, an incident is considered significant if:

  1. it has caused, or is capable of causing, serious operational disruption of services or financial losses for the affected entity;
  2. it has had, or is capable of having, repercussions on other natural or legal entities, resulting in considerable material or immaterial losses.

The definition of a significant incident is therefore different from that of a data breach under the GDPR. While the latter encompasses cases involving the loss of confidentiality, integrity or availability of personal data, the definition in the NIS 2 Decree goes beyond such exfiltration, identifying as significant those incidents where – regardless of data leakage – there has been an event causing or capable of causing an operational disruption of services, financial losses or significant damages to natural or legal persons. However, the definition remains quite broad, leaving room for interpretation as to the scope of the incident that would trigger the notification obligation.

In this regard, to better understand what should be considered a significant incident, it is essential to refer to the implementing acts adopted by the European Commission and by national authorities. In particular, a critical role is played by:

  • the Implementing Regulation on cybersecurity measures and significant cyber incidents under the NIS 2 Directive adopted by the European Commission, which applies only to certain categories (Cloud Service Providers, IT & Security Managed Service Providers, online marketplace operators, online search engine providers, social networking platforms, and trust service providers);
  • at the national level, Determination No. 164179 of 14 April 2025 issued by the Italian National Cybersecurity Agency (ACN), laying down the basic specifications of the measures to be adopted to ensure compliance with the NIS 2 Decree, including those defining which significant incidents must be notified.

The European Commission’s Implementing Regulation provides detailed indications on the definition of a significant incident for some critical entities (as listed above). Specifically, under Article 3, an incident is deemed significant if:

  • it has caused or is capable of causing a financial loss exceeding EUR 500,000 or 5% of the total annual turnover of the previous financial year;
  • it has caused or is capable of causing the exfiltration of trade secrets;
  • it has caused or is capable of causing death or serious harm to a person’s health;
  • it involved unauthorized access to network and information systems, suspected to be malicious and capable of causing severe operational disruptions;
  • it consists of recurring incidents (i.e., an incident that is not significant in itself has occurred at least twice within six months, shares the same apparent root cause, or collectively meets the turnover impact criteria).

In addition, further specifications are provided for certain categories of entities. For instance, an incident is considered significant for a cloud computing service if the service is completely unavailable for more than 30 minutes; for a data center if it is unavailable for more than one hour; and for an online marketplace if it is completely unavailable for more than 5% of its users in the EU or for more than 1 million such users, whichever is lower.

As for the ACN Determination, the following incidents are considered significant:

  • the NIS entity has evidence of the loss of confidentiality, to the outside, of digital data it owns or controls, even partially (for both important and essential entities);
  • the NIS entity has evidence of the loss of integrity, with external impact, of digital data it owns or controls, even partially (for both important and essential entities);
  • the NIS entity has evidence of a breach of the expected service levels of its services and/or activities, based on the established service levels (SL) (for both important and essential entities);
  • the NIS entity has evidence – also based on the qualitative and quantitative parameters defined under measure DE.CM-01 – of unauthorized access, or access obtained through abuse of granted privileges, to digital data it owns or controls, even partially (only for essential entities).

Expansive interpretations by the European Commission and ACN

In both cases, the interpretations adopted by the European Commission and by ACN reflect an expansive approach. The Commission explicitly includes unauthorized access within the scope of significant incidents, provided that such access is suspected to be malicious and capable of causing severe operational disruption. Similarly, ACN identifies as significant any incident involving a confirmed loss of confidentiality or integrity of data, regardless of the actual or measurable impact.

As a result, the definition of “significant incident” becomes considerably broad. If the “capable of causing” requirement set out in the NIS 2 Decree is read expansively, the scope is not confined to events that produce tangible and quantifiable harm but also encompasses situations where there is evidence of unauthorized access or data loss carrying only a potential for adverse effects. In practice, under this strict interpretation, entities would be expected, as a precautionary measure, to notify almost any incident involving unauthorized access or compromise of data confidentiality or integrity, unless it can be reasonably demonstrated that the event is clearly non-malicious in nature and that the potential adverse effect would be minimal and not significant. The first of these is a difficult argument, given that unauthorized access and data breaches are generally presumed to originate from hostile actors. This applies in particular under the ACN Determination, which makes no reference to potential impact.

However, it remains crucial to monitor future guidance and the practical application of the NIS 2 framework. The wording of the NIS 2 Decree still allows for a more restrictive interpretation, limiting notification to cases where the risk of significant harm is concrete rather than merely potential or abstract. The key will be to see whether authorities – including ACN itself – will follow this expansive approach, which treats even potential risks as notifiable, or adopt a narrower interpretation requiring evidence of an actual likelihood of harm and thus excluding minimal events from the scope of notification.

Measures to be adopted

To meet the strict time requirements set by the legislation (which, for essential entities, imposes an initial notification within 24 hours), it is crucial to have an effective cybersecurity framework in place to prevent significant incidents, promptly detect them and adopt the necessary countermeasures. Specifically, it is necessary to implement measures and procedures relating to:

  • continuous monitoring of networks and services to detect potentially adverse events through technical tools designed to promptly identify significant incidents;
  • usage of endpoint protection systems which must be updated, properly maintained, and configured to detect malicious code;
  • definition and documentation of the expected service levels of services;
  • monitoring of hardware, processing software, runtime environments, and related data to identify potentially adverse events;
  • identification of individuals with specific roles and responsibilities relating to monitoring, detection, and management of specific incidents.

Conclusion

The notification obligation is expected to have a significant impact on companies subject to the NIS 2 Decree. To meet the strict timeframes and governance requirements set by the regulation, organizations must act now to build effective monitoring and incident detection capabilities, ensuring they are fully prepared to comply by January 2026.

Author: Federico Toscani

 

Intellectual Property

Use of the Trademark and Revocation: The Decision of the Court of the European Union

On 25 June, the Sixth Chamber of the Court of the European Union issued an interesting decision about trademarks. The proceedings originated from a revocation application filed in 2019 with the EUIPO – the defendant in the proceedings – by a private citizen, who had challenged the use of a trademark registered as early as 2006.

The trademark at issue, figurative and composed of parallel vertical stripes of different widths arranged in the color sequence navy blue, orange, yellow, orange, and navy blue, had been registered for products in classes 18 (leather goods, luggage, bags) and 25 (clothing, footwear, headgear).

The EUIPO had partially upheld the application, declaring the revocation of the trademark for several products, with the exception of outerwear and footwear.

The Board of Appeal, in 2024, subsequently recognized genuine use also for suitcases, backpacks, wallets, headgear, and various clothing items, limiting the revocation to other products such as handbags, vanity cases, and shopping bags.

The company then brought the case before the EU Court, arguing that the evidence submitted – invoices, catalogs, press coverage, trade fair documentation, and single-brand store records – demonstrated genuine use also for the excluded products.

The Court, while largely confirming the assessments of the Board of Appeal, partially overturned the EUIPO decision, recognizing that shopping bags had indeed been marketed under the contested trademark, based on the link between the models reproduced in the catalogs and those listed in the invoices.

Otherwise, the European judges reaffirmed the established principles regarding genuine use:

  • Use cannot be merely symbolic but must serve to maintain or gain market share;
  • Evidence must be concrete, objective, and refer to the relevant period (in this case, 2014-2019);
  • The mere presence of the sign on single-brand store signage is not sufficient to prove that each product was marked with the trademark;
  • Invoices lacking a clear connection to the products depicted in catalogs or publications are insufficient to demonstrate use.

In conclusion, the ruling confirms the EU Court’s strict approach regarding trademark use evidence: it is necessary to properly demonstrate the link between the products sold and the registered sign, without relying on assumptions.

At the same time, the decision provides a significant opening, recognizing genuine use where the connection between commercial documentation and invoices is reliable, as in the case of shopping bags.

The message to rights holders is clear: keeping detailed, systematic evidence of trademark use is essential to defend against revocation and protect distinctive marks.

Author: Noemi Canova

 

Legal Tech

LegalTech: the global market between explosive growth and implementation challenges

Analysis of data for 2024-2025 reveals a rapidly expanding sector, but with clear critical issues in terms of ROI measurement and the geographical distribution of investments

For several years now, I have been analyzing the evolution of the LegalTech market, documenting the transformations of a sector that has experienced alternating phases of enthusiasm, a flood of investments (in the post-pandemic period), disillusionment, and then consolidation. During the first half of 2025, there has been no shortage of strategic M&A activity at a global level and market coups with last-minute acquisitions. In fact, we have witnessed major transactions involving significant capital, attracted in part by the hype generated by the AI sector.

Looking at the numbers, there is a trend towards consolidation in the Legal Tech sector in general in Europe and, in particular, for the first time, in Italy. Italy has been the scene of a busy spring and summer season of international LegalTech events: from Future Lawyer Europe in Milan to Legal Tech Island in Palermo, to the AI Salon, the traveling event dedicated to artificial intelligence bringing together founders, builders, investors, and partners of the AI ecosystem, where vertical themes on technology applied to the legal sector also emerged. A particularly significant sign of the growing maturity of the Italian ecosystem was the first ILTA (International Legal Technology Association) conference organized in Italy, together with various events promoted by the Global Legal Tech Hub. The fall will also bring us the Legal Tech Forum in Bologna, completing a calendar that testifies to how Italy is increasingly becoming a reference point for European legal innovation, benefiting somewhat from the freshness and novelty effect after years of events focused on London or Berlin.

Participating in these meetings and interacting with other speakers, LegalTech company exhibitors, and various participants has given me a privileged perspective on the evolution of the market and allowed me to compare Italian dynamics with international ones. The data emerging from the 2024-2025 global market analysis reveals a scenario that is as fascinating as it is complex, characterized by explosive growth but also by structural critical issues that deserve in-depth analysis, which we will summarize below.

The numbers of an expanding market

The global legal services market reached a value of $1.05 trillion in 2024, maintaining steady growth with a compound annual growth rate (CAGR) of 4.5-4.6%. At the same time, the LegalTech sector showed a decidedly more aggressive dynamic, reaching $26.7 billion with an estimated CAGR of 12.8%.

The difference between these growth rates is particularly significant: while the traditional legal market is growing at a moderate and stable pace, the legal technology sector is expanding at almost three times that speed. This gap in CAGR not only indicates the acceleration of technology adoption in the legal sector, but also suggests that in the coming years we will see a progressive redistribution of value within the legal ecosystem, with a growing share going to innovative solutions.

However, these seemingly encouraging figures hide a more complex reality. The LegalTech market represents just 2.54% of the total legal market value, highlighting enormous untapped growth potential. This relatively modest percentage suggests that technology penetration in the legal sector remains limited, with good opportunities for market entry (for those who can find the right product-market fit in the relevant niches).

The geographical gap in investments

One particularly significant aspect that emerged from the analysis is the geographical concentration of investments. Approximately 70% of LegalTech funding is concentrated in the United States, while Anglo-centric markets (United States, Canada, United Kingdom) collectively capture 80% of total funding.

This uneven distribution creates significant opportunities in underserved markets, where specific cultural expectations and different legal regimes require local, tailor-made LegalTech solutions. For the Italian market, this scenario represents both a challenge and an opportunity: the need to develop solutions specific to the national regulatory context, but also the possibility of creating value in a market that is less saturated than the UK one. The major challenge to take into account, however, is access to data, first and foremost judgments and regulations, which are still not fully accessible in a smart way. Incumbents are pushing to protect their knowledge monopolies, but are clearly questioning the future of their business models and the potential of making their knowledge base liquid and accessible.

The General Counsel’s point of view

During my conversations at various conferences and meetings with clients, I am receiving more and more specific questions about the best tools to use for certain legal activities. This growing demand for technological guidance is symptomatic of a rapidly expanding market demand and a greater awareness of the transformative potential of technology.

Speaking directly with General Counsel, it is clear that organizations are beginning to internalize tools to automate repetitive tasks, but at the same time, there is a growing appreciation for external consultants who not only know how to use these tools effectively, but are also able to guide clients in the implementation and strategic use of technologies to create tangible added value.

This trend is confirmed by data from a recent study, which involved 60 Italian General Counsel and Chief Legal Officers. The study reveals that enabling the business through generative artificial intelligence is a priority for 65% of legal departments, while 47% consider it a priority to refine their technology strategy and integrate legal and business technology.

However, despite growing interest, 62% of respondents are still in the ideation and experimentation stages of GenAI, suggesting that there is still a significant gap between strategic intentions and operational implementation. Currently, the main uses of GenAI are in legal document drafting (38%), knowledge management (35%), and regulatory compliance (32%).

Among the main obstacles to technological acceleration are budget constraints (52%) and disorganization in data management (43%), highlighting that the challenges are not only technological but also organizational and structural. This scenario confirms the importance of a consultative approach that addresses not only technical aspects but also strategic and implementation issues.

The adoption of AI: between enthusiasm and measurement

Data on the adoption of artificial intelligence in the legal sector shows significant growth but also some critical issues in the strategic approach. According to the Thomson Reuters Generative AI in Professional Services Report 2025, 41% of legal professionals now use public AI tools, with an additional 17% employing industry-specific AI solutions.

Organizational use of AI has nearly doubled, from 12% in 2024 to 22% in 2025. Even more impressive is the future perception: 95% of legal professionals believe that AI will be central to their organizations’ workflows within five years, despite only 13% considering it central today.

However, a critical gap emerges in the measurement of results: only 20% of organizations currently measure the ROI of their AI investments, while 59% do not measure at all. This suggests widespread but unsystematic experimentation, which can lead to wasted time and budget and, ultimately, a loss of confidence among decision makers.

The challenges of strategic implementation

During the panels I participated in this year, it became clear that, although enthusiasm for AI remains high and most organizations have experimented with or integrated AI solutions, the key to success lies in focusing on process pain points rather than technological features.

The main challenge is not identifying promising AI tools, but understanding where the organization’s operational bottlenecks actually exist and determining which specific technologies can effectively address them. Many legal teams approach technology adoption backwards, selecting seemingly useful and sophisticated solutions before clearly mapping their operational challenges.

Several critical issues emerged from market analysis and feedback gathered from operators:

  • Complexity in vendor selection: With nearly 9,500 LegalTech companies globally, legal teams face decision paralysis when selecting solutions. The abundance of options often obscures fundamental questions about process compatibility and genuine value creation.
  • Cultural integration: Over 95% of legal professionals believe that AI will be central within 5 years, according to the Thomson Reuters Generative AI in Professional Services Report 2025, while over 41% use public AI tools. However, the human element – training, change management, and workflow integration – remains the main implementation challenge.
  • ROI measurement: The lack of methodologies and KPIs for systematically measuring ROI in the industry suggests that many organizations are investing in technology without establishing clear metrics for success or adequate evaluation frameworks.

Future prospects and process-first methodologies

To address these challenges, it is advisable to implement process mapping methodologies to identify actual operational pain points and analyze opportunities for intervention in a strategic manner, taking into account both the available budget and priorities (the famous Pareto principle whereby automating 20% of activities can yield 80% of the overall benefits). This approach involves a strategy based on four macro pillars:

  1. Discovery of pain points: systematic documentation of current workflows to identify time-consuming, error-prone, or frustrating activities.
  2. Bottleneck analysis: quantifying the impact of each identified pain point on productivity, quality, and customer satisfaction.
  3. Technological alignment: matching specific technological capabilities to the mapped process challenges.
  4. Implementation prioritization: ranking of opportunities for intervention based on potential impact and implementation complexity.

Each of the four pillars is usually explored in depth through a series of cascading analyses, which allow the process to be approached in a structured and scientific manner. But the overall picture is clear: innovation – especially in the legal field – requires an approach that is as creative and bold as it is rigorous and predictable, capable of combining strategic vision and analytical methods.

Conclusions: strategic intelligence beyond technological enthusiasm

The LegalTech market is at a critical turning point (yet again). While the potential for growth remains enormous, success (real, impactful, not just million-dollar exits) will increasingly depend on strategic, process-focused implementations rather than technology-first approaches.

In a market crowded with solutions, the competitive advantage belongs to those who can identify what they actually need.

As we move into 2025, the question is no longer whether to adopt Legal Tech, but how to do so in an intelligent, measurable, and sustainable way. The maturity of the sector will be measured not so much by enthusiasm for new technologies, but by the ability to implement them strategically to create real and lasting value.

Author: Tommaso Ricci

 

Legal Design

From the stage of the Legal Design Summit: working together to redesign law with AI

Our Italian team, consisting of Deborah Paracchini, Enila Elezi, and Francesca Oprandi, will participate in the BrainFactory at the Legal Design Summit 2025 in Helsinki.

On September 10, DLA, with the support of Newcode.ai, will host the workshop “Designing the Future of Law: AI-Powered Legal Design Sprint” at its offices in Helsinki.

In an intense 4-hour session, lawyers, designers, engineers, and other industry experts will work side by side to create innovative solutions on high-impact issues: access to justice, transparency, user experience, contract simplification, and training. All this to understand how we can leverage AI to accelerate the adoption of Legal Design in the legal profession.

Guided by the BrainFactory and DLA methodology and inspired by lightning talks from Legal Design pioneers and AI solution providers, participants will brainstorm, prototype, and present concrete ideas for making legal systems, processes, and documents more human, efficient, and accessible.

Don’t miss this opportunity to see how the future of law can become clearer, faster, and more people-centered!

 


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.
