16 April 2025 • 30 minute read

Innovation Law Insights

16 April 2025

Podcast

What happens when AI hallucinates case law?

What happens when an AI tool like ChatGPT invents a legal ruling and that ruling ends up in a courtroom filing? In this episode of Diritto al Digitale, Giulio Coraggio explores two real cases, one in Italy and one in Canada, where lawyers unknowingly relied on hallucinated case law generated by AI.

Listen to the episode here.

Legal Leaders Insights | Jole Bertone, Director of Legal Affairs at Iliad Italy on future of the telecom sector

Explore the intersection of law, technology, and innovation in this insightful episode of Diritto al Digitale, featuring an exclusive interview with Jole Bertone, Director of Legal Affairs and Compliance at Iliad Italy. Gain a deeper understanding of integrated compliance strategies that bridge privacy (GDPR), cybersecurity (NIS2), and AI regulations, and learn how these legal frameworks support rather than hinder innovation in today’s digital economy. Listen to the episode here.

Data Protection and Cybersecurity

Digital Accessibility Act: New digital accessibility obligations coming into effect in Italy

From June 28, 2025, the new digital accessibility obligations introduced in Italy by Legislative Decree No. 82 of May 27, 2022 (the Accessibility Decree) will apply. The Accessibility Decree implements EU Directive 2019/882 (the European Accessibility Act) into Italian law.

The measure introduces a comprehensive set of accessibility obligations on economic operators to ensure that certain digital products and services are accessible to people with disabilities. These new rules will apply to a wide range of products and services that will be placed on the market from the specified date and will involve various stakeholders, regardless – except for some specific cases – of the size of the company.

Products and services affected in Italy

The Accessibility Decree introduces accessibility obligations for a broad range of products and services that will be placed on the market from June 28, 2025.

In terms of products, the decree applies to physical devices with digital interfaces or that otherwise allow interaction with the end user, including:

computer hardware and operating systems
self-service terminals (eg ATMs, ticket machines)
terminal equipment with interactive IT functionality used for electronic communication services (eg smartphones)

Regarding services, the decree applies to several essential services with significant social impact, including:

electronic communication services
services providing access to audiovisual content
passenger transport services (air, rail, road, or water transport), including related digital elements such as websites, apps, e-tickets, and travel information
banking services for consumers
e-commerce services

Obligated parties in the production chain

The Accessibility Decree allocates accessibility obligations throughout the entire chain of parties involved in developing and distributing the product or service.

Specifically, for products, the following parties are involved:

Manufacturers: They must ensure and certify that products are designed and manufactured in compliance with accessibility requirements. They have to prepare technical documentation, perform a conformity assessment, issue the EU Declaration of Conformity, and affix the CE marking. Upon request from the competent authorities, manufacturers must also provide the necessary information and documentation to demonstrate the product’s compliance with legal requirements. Manufacturers can appoint an authorized representative to perform certain tasks, such as storing technical documentation and providing information to the competent authorities.
Importers: They can only place products on the market that comply with the accessibility requirements and must verify that the manufacturer complies with its obligations under the Accessibility Decree (including conformity assessment and related documentation). If the manufacturer hasn't complied with its obligations, importers must inform the competent authorities and refrain from marketing the product.
Distributors: They must verify that the products carry the CE marking and are accompanied by the required documentation before making them available on the market. In other words, distributors have to ensure that both manufacturers and importers have complied with their obligations under the Accessibility Decree. Similarly, they also have to refrain from marketing the product in case of non-compliance.

Regarding services, the Accessibility Decree identifies the service providers as the final responsible parties for designing and providing services that comply with accessibility requirements, preparing and publishing necessary information, and ensuring ongoing compliance over time.

It's important to note that, based on a systematic interpretation of the Accessibility Decree in conjunction with the Italian Law No. 4/2004 (Stanca Law), which governs accessibility in Italy, parties that have contributed to developing services (such as software and website developers) may also be indirectly involved in accessibility obligations. The Stanca Law provides for the nullity of contracts for developing non-accessible websites.

There will be a growing need for economic operators – even those not formally subject to the Stanca Law, which has a more limited scope based on the economic operator’s turnover – to include specific clauses in contracts requiring developers to comply with accessibility requirements. But the final responsibility for any violations of the Decree rests with the service provider.

Accessibility obligations: Principles, content, and limits

The accessibility obligations set out by the Accessibility Decree are based on the principles outlined in the Web Content Accessibility Guidelines 2.1 (WCAG 2.1), internationally recognized as the reference for the inclusive design of digital content. WCAG 2.1 is structured around four fundamental principles:

Perceivable: Information and user interface components must be presented in ways that allow users to perceive them, even through alternative channels.
Operable: User interfaces must be fully navigable and functional for all individuals, regardless of the type of disability.
Understandable: Content and interaction methods must be clear, consistent, and easy to understand.
Robust: Content must be sufficiently robust to be reliably interpreted by a wide range of technologies, including assistive technologies.

Based on these principles, the Accessibility Decree defines a series of specific obligations for economic operators. The specific requirements are outlined in the annexes to the Accessibility Decree and in the WCAG 2.1. The key obligations include:

Providing accessible information: All information related to products and services must be made available in accessible formats, adopting:

simple and clear language
use of multiple sensory channels (visual, auditory, tactile)
text formats compatible with assistive technologies
equivalent alternatives for non-text content (eg images, audio, video)

Accessible design of interfaces and features: The user interface and functionality of products and services must be designed to ensure that everyone, including those with disabilities, can access and interact with them effectively.
Accessibility of packaging and instructions: Even product accessories such as packaging, labeling, and user manuals must be designed to be accessible. Overall, the entire product or service must be accessible as a whole.

The EU Declaration of Conformity serves as the official certification of compliance with the obligations set forth by the manufacturer or service provider.

Exemptions and applicability limits

In certain cases, the Accessibility Decree allows exemptions from accessibility obligations. Specifically, Article 13 provides that:

compliance isn't required if it would substantially modify the nature of the product or service, altering its essential characteristics;
obligations can be waived if they would impose a disproportionate burden on the economic operator, based on an objective assessment considering costs, benefits, and the size of the business.

Sanctions and competent Italian authorities

The Accessibility Decree provides for sanctions for not complying with its provisions, with penalties varying based on the severity of non-compliance and the number of non-compliant products or services, and the extent of impact on end users.

The competent authorities for monitoring compliance with the regulation are:

The Ministry of Enterprises and Made in Italy (Mimit) for products
The Agency for Digital Italy (AgID) for services

The control actions by the competent authorities mainly involve two scenarios:

Request for corrective measures: If non-compliance with a product or service is found, the competent authority orders the economic operator to adopt the necessary corrective measures to make the product or service compliant with the Accessibility Decree within a reasonable time. If the operator fails to comply, the Ministry can order the withdrawal of the product from the market.
Financial penalties: In addition to corrective measures, financial penalties are imposed, which can reach up to EUR40,000 depending on the severity of the violation.

Since the regulations provide specific channels for consumers to report potential violations, companies could face a significant risk of complaints.

Final considerations

Companies should conduct a thorough evaluation of their compliance with accessibility requirements.

Specifically, companies providing in-scope products or services should conduct a detailed Gap Analysis to:

assess the current level of compliance of products and services against the requirements of the Accessibility Decree;
identify areas requiring corrective interventions;
plan and implement necessary actions to ensure all products and services comply fully with the regulation by the set deadline.

Companies should also prepare and make accessible clear accessibility policies for consumers. They should outline how accessibility requirements for products and services are guaranteed, and how compliance will be ensured for new products or services to be released after June 28, 2025. The policies should highlight accessibility considerations from the stages of design, development, and release of new products.

By extending its scope to include economic operators not covered by the Stanca Law, the Accessibility Decree is expected to have a significant impact. While awaiting the guidelines and circulars implementing the provisions of the Decree after it enters into force, companies have to adopt robust accessibility practices to meet the technical and organizational requirements introduced by the new regulatory framework.

Author: Federico Toscani

Data Act: EU Data Regulation coming into force

With the aim of ensuring a uniform and harmonized approach to technological innovation, the European legislator has, over the last few years, adopted various laws aimed at regulating the impact of new technologies in different sectors.

Just think of the AI Act, the DORA Regulation or the NIS 2 Directive, to name but a few. These are complex and highly innovative pieces of legislation that impose new obligations and outline specific regulatory frameworks. Regulation (EU) 2023/2854 (known as the Data Act) is no exception. It's the first European regulatory framework for managing data generated by connected products or related services.

The Regulation was published on December 22, 2023, and entered into force on January 11, 2024, with its provisions set to apply gradually starting from September 12, 2025. Its significance is further amplified by its interaction with the AI Act, which came into force on August 1, 2024.

Legal framework and key obligations under the Data Act

The Data Act is designed to ensure fair access to data for users – both consumers and businesses – generated through the use of what the Regulation refers to as connected products. These include any products that obtain, generate, or collect data in relation to their use and can transmit the data via electronic communications services. Essentially, this definition encompasses all Internet of Things (IoT) devices.

The Regulation introduces key obligations for parties that interact with connected products or are involved in related services (defined as services enabling one or more functionalities of the connected product).

Providers of connected products and/or related services have to provide users with detailed information, including several specific elements listed directly in the Regulation.
Manufacturers of connected products have to design and build devices that allow users to access the data generated during use in a direct and user-friendly way. They also have to disclose information regarding the nature of the data, access methods, data volume, and expected format.
Businesses involved in handling and processing data have to implement technical and contractual measures throughout the supply chain to ensure that end-user rights are effectively upheld.

In addition to regulating relationships with end users, the Data Act also introduces several rules governing business-to-business data sharing. It provides safeguards against unfair contractual terms by defining certain clauses as abusive and therefore unenforceable.

Another notable aspect is the framework for public sector access to privately held data under exceptional circumstances, which outlines the specific conditions under which public authorities can request such access.

The Regulation also places strong emphasis on interoperability and data portability in cloud and edge computing services. Specific provisions are included to facilitate switching between service providers and to prevent vendor lock-in scenarios. Cloud service providers have to ensure that data migration can be carried out in a structured, efficient, and cost-free manner, within defined timeframes.

Finally, Chapter VIII addresses data access by EU bodies and public authorities for purposes of public interest. Chapter IX promotes the development of European standards for interoperability – both technical and contractual. Adhering to these standards is strongly encouraged to ease compliance and reduce legal uncertainty.

Data Act and AI Act

The rules governing access to and use of data are particularly relevant in the context of AI systems, which typically comprise complex datasets, models, software, and hardware components.

Where AI systems are embedded in connected products or related services – for instance, smart voice assistants, machine learning-based industrial automation systems, or other IoT-integrated applications – companies will need to assess how the two frameworks interact and ensure that both technical and contractual safeguards are in place to meet all applicable obligations.

One example is the Data Act’s requirement that connected products must enable users to easily and securely access, use, and share the data they generate. This obligation dovetails with the AI Act’s focus on transparency and accessibility, making it essential for organizations to implement measures that fulfill the requirements of both regulations.

Compliance readiness

The new regulatory landscape introduces several areas that organizations will need to focus on in the coming months to ensure they comply effectively on time.

Risk assessment and gap analysis: Organizations should conduct thorough assessments to understand how the Regulation impacts their business and what steps are needed to achieve full compliance.
Defining contractual responsibilities: Contracts between all relevant parties – manufacturers, service providers, distributors, resellers, and end users – should clearly set out the measures in place to ensure data access and sharing, allocate responsibilities for implementing and monitoring these measures, and establish each party’s rights and obligations.
Technical interoperability and standardization: Companies must evaluate whether their existing infrastructure supports compliance with the Regulation’s requirements. For example, they should determine whether users can effectively access all the data generated by the device, or whether new measures need to be introduced to enable this.

The European Commission is expected to develop model contractual clauses to support businesses in drafting fair and balanced data-sharing agreements.

Implementation timeline

In line with the EU’s recent regulatory practice, the Data Act adopts a phased implementation approach:

From September 12, 2025: General application of the main provisions on data access obligations for manufacturers of connected products and providers of related services.
From September 12, 2026: Entry into force of specific obligations on the design and manufacture of connected products that must ensure user-friendly access to generated data.
From March 12, 2027: Application of the rules governing data portability and switching between data processing service providers.

In the coming months, businesses need to develop a clear understanding of the regulatory framework and its intersections with existing laws, particularly the AI Act.

The first step must be to identify the concrete actions required to achieve full and effective compliance, along with a realistic implementation timeline that accounts for both technical measures and the necessary contractual and informational adjustments.

Author: Edoardo Bardelli

Securitization SPV must appoint a DPO, says Italian Data Protection Authority

In a recent and thought-provoking decision, the Italian Data Protection Authority (Garante) sanctioned a securitization Special Purpose Vehicle (SPV) for failing to comply with several GDPR requirements – most notably, for not appointing a Data Protection Officer (DPO).

At first glance, this may seem like a straightforward enforcement action. But the decision reveals a deeper tension between the GDPR and the regulatory framework governing securitizations – a framework that explicitly allows SPVs to operate without employees or an internal organizational structure.

The Garante’s position: Formal responsibility prevails

Despite the clear legislative framework that defines the SPV as a legally passive entity operating entirely through outsourced services, the Garante held that the SPV – as a data controller – is fully responsible for GDPR compliance and can't prove compliance through its service providers. This includes obligations that are typically tied to entities with operational capacity, such as:

appointing a Data Protection Officer;
keeping a record of processing activities; or
implementing internal audit procedures on processors and sub-processors.

The Authority’s position implies that even in the total absence of staff, an SPV must still establish these structures – in effect, treating legal accountability as divorced from the operational realities permitted by financial regulation.

When legal frameworks collide

This raises a critical regulatory question: can GDPR obligations be applied in a vacuum, ignoring the specific legal regime that governs the entity in question?

Securitization laws are designed to allow SPVs to function without employees. Operational activities are lawfully and deliberately outsourced to regulated third parties – such as servicers and sub-servicers – under a regime that ensures financial and operational transparency.

But the Garante’s interpretation appears to disregard this context, applying the GDPR as if the SPV were a traditional, staffed business. The result is a potential conflict between two compliant legal models: one under financial law, one under data protection law.

Proportionality at risk?

The GDPR is built on principles of accountability and proportionality, requiring data controllers to implement measures appropriate to the risk and context of processing. But when an SPV with no internal resources must appoint a DPO – whose only function would be to oversee third parties already governed by securitization law – does it truly enhance protection for data subjects, or merely introduce duplicative and formalistic compliance burdens?

The takeaway for the market

This decision is a wake-up call for the structured finance sector. Legal and compliance teams should reassess the GDPR implications of securitization structures and consider DPO appointments, even for “empty” SPVs. In the case of businesses that perform several securitizations through several SPVs, the obligation to appoint a DPO will become an additional cost.

Author: Giulio Coraggio

Intellectual Property

The flyPersia case and the GC's interpretation of English terms in trademark law

Introduction

In case T-30/23, the General Court (GC) examined two figurative marks; the sign “flyPersia” – applied for air, land, sea and rail transport services in Class 39 – and the earlier mark “flydubai,” registered for air transport services also in Class 39.

The dispute concerns the assessment of the likelihood of confusion arising from the presence, in both signs, of the lexical element “fly” and the ability of the non-English speaking public to understand its meaning, in connection with the distinctive graphic elements that complement each figurative mark.

Previous jurisdictional positions and differences in interpretation

The orientation of the Board of Appeal

The Board of Appeal (BoA) found a likelihood of confusion between the two figurative signs, basing its assessment on the assumption that the non-English-speaking public – in particular users in Slovakia, Slovenia, Hungary and the Czech Republic – were unable to correctly interpret the English word “fly” in the context of air services.

According to the BoA, that lexical element had significant distinctiveness, as it contributed substantially to forming the identity of the mark, justifying the recognition of a similarity likely to lead to confusion as to the commercial origin of the services.

The General Court’s orientation

Contrary to the BoA's assessment, the GC annulled the contested decision, concluding that there was no likelihood of confusion between the two figurative marks. The GC stated that:

Frequent use of the English word “fly” and its comprehensibility:

In the air service industry, the English word “fly” is used very frequently – both in advertising and in corporate design – so even the non-English-speaking public, including Slovak, Slovenian, Hungarian and Czech consumers, can grasp its meaning immediately. Only a negligible part of the audience wouldn’t be able to interpret the English term “fly” in this context, constituting a predominantly descriptive element without a high distinctive value.

Dominance of graphic elements in the terms “Persia” and “dubai”:

Although recognizable as not inherently distinctive elements, “Persia” and “dubai” are dominant in forming the overall impression of the figurative signs. Their graphic representation: greater length, the darker color tone and, in particular for the sign “flyPersia,” the presence of the iconography (an airplane) increases their visual and phonetic impact, contributing decisively to their differentiation from the element “fly.”

Proportionality of overall similarity:

Considering that the earlier mark “flydubai” shows weak distinctiveness, a high degree of global similarity would be required to establish a likelihood of confusion. But the GC’s overall analysis – with reference to both visual and phonetic aspects – shows a low degree of similarity between the two figurative signs, such that a perceptible likelihood of confusion between them is excluded.

Analysis and legal considerations

The GC's pronouncement is based on an integrated assessment of the lexical and graphic aspects of figurative signs.

The element “fly” is, in a sectoral context in which English constitutes a lingua franca, also perceived in a unified manner by non-English speaking persons, by virtue of the wide media and commercial exposure which has consolidated its meaning. That element assumes a descriptive function and doesn’t contribute significantly to conferring a distinctive value on the mark.
The elements “Persia” and “dubai,” although not possessing a mark identifying capacity in themselves, prevail in forming the overall impression of the sign. The peculiar graphic characteristics – length, color intensity and iconography – determine that these elements assume an essential role in differentiating the figurative sign as a whole, neutralizing any similarity triggered by the presence of the “fly” element.
The structure of the figurative sign, consisting of the English word “fly” followed by a geographical reference (real or in a broader sense), isn’t sufficient to give rise to a likelihood of confusion if not accompanied by a congruous overall similarity, which, in the present case, appears to be of a low degree.

Conclusions

The GC's ruling fully discharges the protection of the identification of the commercial origin of the services, avoiding excessive protection for signs characterized by essentially descriptive elements. The widespread use of the English word “fly” in the aviation sector, confirmed by the constant visual and phonetic exposure, guarantees the public – including the non-English-speaking public – will interpret it correctly. At the same time, the graphical and stylistic differences, expressed through the elements “Persia” and “dubai,” reinforce the uniqueness and the identifying capacity of the figurative marks, allowing for the exclusion of the wrongful attribution of commercial confusion.

Ultimately, the GC correctly held that, given the weak distinctiveness of the earlier mark, a significantly high degree of overall similarity would be required to establish a likelihood of confusion – a condition that wasn’t met in this case. This guidance is an important reference for future trademark disputes, helping to define more precisely the boundaries between what’s functionally descriptive and what can be considered distinctive in European judicial practice.

Author: Maria Rita Cormaci

Gambling

New Italian online gambling technical guidelines – What’s new in the certification requirements?

The Italian Gambling Authority (ADM) has issued new draft guidelines for certifying online gaming platforms (Guidelines). They outline the technical rules and procedures relevant to gaming platforms under the new Italian online gambling license.

Intended as a reference for both certification bodies and license holders, the Guidelines cover critical areas including IT infrastructure, software architecture, data governance, and access management. Below is a summary of the most notable changes.

The guidelines grant considerable new obligations to certification bodies that will be responsible not only for technical verifications but also to assess the compliance of Italian licensed gambling platforms with the applicable requirements. This means that certifications might have to be substantially more detailed and time-consuming. Below is a summary of the most relevant changes:

Introducing the concept of Italian gambling operator’s system and checking legal compliance

The operator’s system is defined in the unified nomenclature of definitions as the “IT environment that includes one or more gaming systems and the operator’s gaming account system.” Among the components of the operator’s system, the following must be clearly identified:

each gaming system
each gaming platform
each gaming application
each game acceptance system
the game presentation system (website and/or app)
the operator’s gaming account system

In addition to the components listed above, the system for automated software integrity verification and the various hardware and software groups involved in each functionality concerning must also be clearly identified. Each component of the operator’s system must be pre-verified and validated through visual inspections, functionality tests, and source code inspection, possibly with the assistance of documentation provided by the manufacturer.

The technical compliance verification must ensure both the correct and compliant use of the operator’s system components and the continuous adherence – including from a pure legal perspective – to the technical regulations in the interactions between them. It should also consider all possible configurations during the exchange of information between the operator’s system components and ADM’s centralized control system.

These checks also include verifying the location of the technical infrastructure. In the past the operator could self declare.

Enhanced disaster recovery requirements and malfunctioning requirements

The Guidelines place stronger emphasis on business continuity. Operators must have a comprehensive disaster recovery plan, ensuring real-time backup and mirroring at a secondary site. They also have to demonstrate that data replicated at the secondary site are functional and capable of ensuring uninterrupted gameplay.

As for malfunctions, the procedures differ based on the specific type of game:

Virtual games:

Open events during a malfunction must be canceled with full refunds. In multiple bets, canceled odds are excluded from winnings.
Closed events must continue post-recovery, even without display. Results must still be reported.
Multi-events and tournaments with canceled virtual events are fully canceled and refunded. No new events can be added to affected tournaments.
The system must resume only upcoming events after recovery, and protocols must allow data recovery and proper reporting.

Skill games, casino and card games and bingo:

If play continues, the operator must fix issues promptly.
If play is blocked, integrity checks must be performed, ADM and players notified, and full refunds issued.

Integrity verification:

Ensure data is saved properly, interrupted games are resumed or restored, and if not, refunds are provided.

Limitations in case of usage of cloud infrastructure by Italian licensed online gambling operators

Cloud computing solutions can only be used if:

all resources are hosted within the European Economic Area(EEA);
the cloud provider is qualified according to the requirements of the Italian digital authority (AGID) and the Italian cybersecurity authority (ACN), making it eligible for use by public administrations under the Italian regime for providing cloud computing services to public administrations.

This means that Italian licensed online gambling operators can only use cloud providers that are enrolled in the dedicated registry of ACN and whose compliance with AGID and ACN’s requirements has been verified.

Stricter player self-limitation measures and in-session alerts

Self-limitation remains mandatory but becomes more stringent. When activating their account, players must set limits that they can’t initially exceed:

3 hours of gameplay per day
EUR100 daily spending limit
EUR200 daily top-up limit

Operators must implement real-time alerts that notify users once they reach:

1 hour of gameplay; or
EUR100 in spending.

Italian gambling site’s domain name ownership and mobile apps

The domain name used for the gaming site – which has to have the Italian extension “.it” – must be registered directly under the license-holder’s name. Licensing or third-party registration, even within corporate groups, isn’t permitted. License-holders are fully responsible for managing any mobile apps related to their games. The apps must function properly, be aligned with the central system and comply with the same standards as the web platform. This requirement is a considerable problem for large groups where IP rights are held in a single entity to the benefit of the whole group.

Platform sharing

When a license-holder hosts gaming systems for other operators, the license-holder will acquire the position of “service provider license-holder.” Acting as service provider license-holder means guaranteeing that the gaming systems must be logically or physically separated. It must always be possible to isolate data related to each individual operator.

RNG validation

Random Number Generators (RNGs) are now subject to stricter requirements:

confidence level raised from 95% to 99%;
new statistical tests to assess causality, statistical independence, equal probability, non-reproducibility, and unpredictability.

Data storage and real-time reporting

Operators must implement robust data governance protocols, ensuring:

real-time access to all gameplay and operational data from the last six months;
on-demand availability of all accounting and transaction data for at least two years;
five-year archival of all data, ensuring integrity, readability, and secure accessibility throughout the retention period;
capability to execute custom queries across stored datasets, with exportable results delivered within 48 hours of the request.

Further, operators have to generate and deliver, within 48 hours:

a complete list of all player accounts as of a specific date, including account status (active, suspended, closed, etc.) and associated player details;
a report highlighting accounts that exceed predefined thresholds for deposits, withdrawals, or winnings in a selected timeframe, based on customizable parameters set by the operator.

Automated systems and AI in gameplay

In games where outcomes can be influenced – fully or partially – by automated decision-making systems, algorithms, or external computing tools (eg AI in chess or virtual betting advisors), operators have to explicitly disclose the presence and function of such systems in the game rules before game participation, to provide players with the necessary context to make an informed choice about whether to engage in the game. This is something totally new, but the use of AI in the gambling sector is expanding exponentially, including for responsible gaming verifications.

Multi-Factor authentication (MFA)

User sessions must only be opened after multi-factor authentication (MFA), involving:

credential input;
a second layer of verification, chosen by the operator (eg OTP, biometric, push notification).

Jackpot certifications

The guidelines mention that for gaming systems used in “gaming network” mode – where multiple operators share a platform – no logical or physical separation is required. This allows wagers from different operators on the same platform. But the guidelines don’t specifically address network jackpots or network games, which could imply restrictions or future updates.

Additionally, there’s uncertainty regarding the certification process for shared platforms in the systems of multiple operators. It’s likely that ADM will introduce new rules for certification procedures, updating previous guidelines that currently allow platform cross-referencing and certifications through the network leader.

Transition to the new system

License applicants awarded new licenses can reuse components previously certified or approved by ADM under the old regime, provided they have already passed conformity checks. Only the integration of these components must be verified, simplifying the transition. This option is valid until the term for activating the platform complying with the Guidelines.

The new Italian online gambling guidelines mark a decisive shift toward higher operational standards, aimed at improving system integrity, regulatory alignment, and player protection, creating considerable new obligations for operators.

A large number of the guidelines’ provisions are still unclear and it’s possible to submit comments to the draft Italian online gambling guidelines until April 15, 2025. Read more in this article: New Tender for Italian online gaming licenses Launched – Here are the updated FAQs!

Authors: Vincenzo Giuffrè and Federico Toscani

Legal Design Tricks

Trick #8: Write Clearly – Words Matter!

You’ve tested your solution. Great. Now it’s time to simplify the language and make your documents crystal clear!

Why clarity really matters

Legal documents often speak a language few understand. Legal jargon is frequently perceived as obscure, overly technical, and reserved for insiders.

But an incomprehensible document is also an ineffective one.

Remember: Clarity makes the law accessible, builds trust, and simplifies your work.

Legal Design = clarity + accessibility

Legal Design promotes clarity and accessibility. A text is truly clear when the reader can find the information, understand it, and use it with ease.

Clarity = no more useless legalese
Accessibility = content that’s understandable for everyone, not just lawyers

What is plain language?

According to the ISO plain language standard, a text is truly understandable when:

it gives users what they need (relevance)
it's easy to navigate (findability)
it’s immediately understandable (comprehensibility)
it’s easy to use (usability)

How to simplify legal language?

Use simple, familiar words – avoid unnecessary technicalities.
Remove outdated or archaic terms (“herein,” “aforementioned,” “shall”).
Avoid unnecessary foreign terms or jargon.
Keep sentences short – one idea per sentence.
Explain difficult legal terms clearly – include definitions when needed.
Prefer the active voice (“The company sends the invoice”) over passive (“The invoice is sent by the company”).
Replace negatives with positives where possible (“not permitted” → “prohibited”).
Speak directly to your reader with a friendly tone.

Is your language truly readable? Run a readability test!

There are online tools that help you measure how easy your text is to read.

In Italian, the most widely used tool is the Gulpease Index, which considers sentence and word length.

In English, try the Flesch Reading Ease or Flesch-Kincaid Grade Level: they show how readable your text is, and for what education level.

Remember: If the score is low… it’s time to rewrite!

Let’s take a look at an example!

Our usual client has tested their contract but… users still ask too many questions. So, the legal team decides to:

rewrite it using shorter sentences and active verbs;
simplify definitions and clauses;
eliminate legalese and clarify unclear parts.

The result? More clarity, fewer emails, faster signature!

Did you know?

The ISO standard on plain language is the first ever to certify when a text is truly clear.

It was developed by experts from around the world to simplify legal, technical, and informational content.

Its motto?Say what you mean. Mean what you say.

What’s next?

You’ve simplified the language but how do you really design an effective legal document? In the next episode of Legal Design Tricks, we’ll talk about information architecture – because layout and structure matter, especially when it comes to contracts!

Author: Deborah Paracchini

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.