Innovation Law Insights

Legal Break

Italy’s new online gambling licenses are now in force – Here’s what changed

As part of our “Legal Break” video series we cover the impact of the new Italian gambling licensing regime that became applicable from 13 November 2025, what that means for the market and the obligations for operators and suppliers. Watch the episode here.

 

Artificial Intelligence 

AI Risk Management: 7 key data protection lessons from the EDPS guidelines

As companies rapidly adopt AI, the need to manage the significant data protection risks has become a critical boardroom issue. On 11 November 2025, the European Data Protection Supervisor (EDPS) published its “Guidance for Risk Management of Artificial Intelligence systems”, to provide EU Institutions, Bodies, Offices and Agencies (EUIs) with some practical advice on how to ensure compliance when developing or using AI systems.

While this guidance is officially directed at EUIs, its principles and frameworks (which are built on the ISO 31000:2018 risk management methodology), are highly relevant for the private sector. The guidance serves as a best-practice blueprint for any company looking to build a robust and legally compliant AI governance strategy.

Takeaway 1: Making interpretability and explainability the AI system’s foundation

The EDPS considers interpretability and explainability not as interchangeable buzzwords, but as distinct, crucial concepts for understanding and trusting AI. As defined in the guidance, interpretability is the degree to which a human can comprehend how a model works and grasp the connections between its inputs and outputs. Explainability, on the other hand, is the ability to clarify why a model made a specific decision in a way that’s accessible to an end-user.

A system that’s interpretable and explainable allows AI providers to build confidence with customers, demonstrate compliance to regulators, enable effective audits, and more easily correct errors. This means that AI systems require a built-in solution to query why a decision was made, not just generate a clear  and straightforward output.

Takeaway 2: Tackling bias from every angle: data, algorithms, and interpretation

The EDPS clarifies that the principle of fairness requires that personal data not be processed in a way that is “unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject”. It makes clear that bias isn’t a monolithic problem but a multi-faceted risk that can emerge at different stages of the AI lifecycle. The document identifies five distinct root causes of bias:

• Lack of data quality: AI systems operate on a “garbage in, garbage out” principle. Inaccurate, incomplete, or poorly labelled training data can lead to flawed and biased outputs.
• Bias in training data: This can arise from historical biases reflected in the data or sampling errors that result in datasets that aren’t representative of the real-world population.
• Overfitting: This technical risk occurs when a model learns the training data, including its noise and outliers, so perfectly that it cannot generalize to new data, leading to poor and often biased real-world performance.
• Algorithmic bias: The very design of the AI system, including the choice of mathematical functions or algorithms, can be inherently biased and produce unfair results, regardless of the data quality.
• Interpretation bias: Even with a perfect model, human analysts can introduce bias by drawing skewed or incorrect conclusions from the AI’s outputs, often influenced by their own preconceptions.

Operationally, this requires a cross-functional “responsible AI” working group that includes data scientists, legal counsel, and business line owners, with the mandate to challenge assumptions at each stage of the AI lifecycle.

Takeaway 3: Understanding the two faces of accuracy

The EDPS guidance highlights a critical distinction that’s often lost in translation between legal and technical teams: the difference between legal accuracy and statistical accuracy. Under data protection law, accuracy means personal data must be factually correct, while statistical accuracy is a performance metric measuring how often a model’s predictions are correct. This distinction is vital. An AI model can have very high statistical accuracy but still produce legally inaccurate personal data, creating a serious compliance gap. This is especially true for generative AI tools. Businesses must implement verification measures, such as human oversight, to ensure the factual accuracy of AI outputs that constitute personal data.

Takeaway 4: Navigating the tension between data minimization and AI’s data hunger

There’s an inherent conflict between the core data protection principle of data minimization and the fact that most AI systems require vast datasets to learn effectively. To address this, the EDPS suggests several technical mitigation measures, including data sampling (using a representative subset of data), anonymization, pseudonymization or synthetic data to reduce the amount of identifiable personal data processed.

Takeaway 5: Updating security frameworks for AI-specific threats

The guidance correctly notes that AI systems introduce unique security vulnerabilities that go beyond traditional IT security threats, including:

• Training data disclosure: Attackers can use techniques like model inversion and membership inference to query a model’s output and reverse-engineer it to reveal sensitive personal data that was part of the original training set.
• Data and model poisoning: A malicious actor could intentionally manipulate the training data or the model itself to introduce hidden biases, backdoors or critical errors.
• API vulnerabilities: Poorly secured Application Programming Interfaces (APIs) that provide access to the AI model can become a major vector for personal data leakage.

Corporate cybersecurity playbooks must be expanded to account for these new attack vectors, as securing the AI model, its training data and its APIs is now just as critical as protecting traditional databases and networks.

Takeaway 6: Operationalizing data subject rights for the AI Era

AI systems pose significant technical challenges to fulfilling fundamental data subject rights. The core difficulty, as the guidance points out, is how to identify and then erase or correct specific personal data once it’s been absorbed in the parameters of the model. The EDPS introduces “machine un-learning” as a potential technical solution, to develop methods that selectively make a model “forget” specific data points it was trained on without having to retrain the entire model from scratch. When machine un-learning isn’t viable, output filtering can be used, to detect and block personal information before reaching users though real-time scanning. This means that an erasure request may now trigger a complex and potentially costly model retraining or filtering process, creating a significant governance gap if not planned for in advance.

Takeaway 7: Demanding transparency when procuring AI systems

For the many companies that procure third-party AI systems rather than building them in-house, the EDPS guidance serves as a powerful checklist for due diligence. Simply trusting a vendor’s claims isn’t enough. Rather, the AI vendor should have to provide:

• General documentation on what the AI system does and how its underlying algorithms work.
• Specific information on how the system addresses transparency and explainability.
• Documentation on cybersecurity measures related to model integrity.
• Details on the provider’s data governance practices, including how the training data was sourced and processed.
• The results from validation and testing procedures, including performance metrics on fairness and bias across different demographic groups.

Conclusion: From risk management to responsible innovation

The central message from the EDPS is clear: deploying AI requires a shift from a defensive, compliance-focused posture to a proactive and systematic risk management culture. This isn’t about stifling innovation with red tape; it’s about enabling sustainable and trustworthy innovation by managing its inherent risks from a position of strategic foresight.

Author: Marianna Riedo

 

Intellectual Property

The ‘best-case scenario’ principle in Puma/CMS Italy

The judgment of the General Court of the European Union of October 22, 2025, in Case T-491/24, CMS Italy (fig.) v PUMA SE marks a significant development in the interpretation of Article 8(5) of Regulation (EC) No 207/2009 on the EU trademark (now Article 8(5) of Regulation 2017/1001).

The court not only further clarified the substantive boundaries of the concept of “reputation” under EU trademark law but also introduced a principle of systemic procedural importance: the obligation for the EUIPO to assess the case under the most favorable hypothesis (best-case scenario) for the party whose arguments are rejected.

Facts and the dispute

The dispute originated from an opposition filed by Puma SE against the application for registration of the figurative mark CMS Italy, lodged by the Italian company CMS Costruzione Macchine Speciali S.p.A. The opposition, dated 21 November 2013, was based on Article 8(5) of Regulation No 207/2009, relying on Puma’s earlier international marks depicting the well-known leaping feline, widely recognized in the field of sportswear and footwear.

With its decision of 28 November 2014, the Opposition Division dismissed the opposition on the ground that the reputation of the earlier marks had not been proven.

On 26 January 2015, Puma filed an appeal before the EUIPO, submitting additional evidence intended to establish the reputation of its marks. The Second Board of Appeal, however, dismissed the appeal on 29 January 2016 (first decision).

By order of 22 May 2019 (Puma/EUIPO – CMS, T-161/16, EU:T:2019:350), the General Court annulled that decision, holding that the Board of Appeal had wrongly excluded both earlier EUIPO decisions submitted to prove the reputation of Puma’s marks and the additional evidence filed during the appeal proceedings.

A new decision was subsequently adopted by the Fourth Board of Appeal on 24 September 2020 (second decision), which was again appealed.

In its judgment of 5 October 2022 (Puma/EUIPO – CMS, T-711/20, EU:T:2022:604), the General Court annulled the decision once more, finding that the Board of Appeal had failed to carry out a global assessment of the reputation of the earlier marks, limiting its analysis to a partial comparison of the signs and unjustifiably excluding one of the earlier marks invoked.

Following that annulment, the Fifth Board of Appeal of the EUIPO adopted a new decision, again dismissing Puma’s appeal. While recognizing that the earlier marks enjoyed “at least a medium degree of reputation” in several member states (Germany, Italy, Spain, the UK and the Czech Republic), it concluded that there was no link between the marks at issue and no detriment to the reputation of the PUMA mark.

The General Court’s ruling

Seized once again by Puma, the General Court annulled the decision of the Fifth Board of Appeal, finding that the EUIPO had committed an error of law.

Although the EUIPO acknowledged a certain degree of reputation, it had failed to assess explicitly the most favorable hypothesis for the opponent, namely that the reputation of the earlier marks was “high” or even “very high”.

As stated at paragraph 31 of the judgment: “In that regard, it must be held that, where, as in the present case, EUIPO examines the application of Article 8(5) of Regulation No 207/2009, it is not sufficient for it to find that the earlier mark has ‘at least an average’ degree of reputation, but it is required either to determine precisely the degree of strength of that reputation (average, high or even very high), which is a relevant factor for the overall assessment of the link, or, at the very least, expressly to take into account the best-case scenario for the losing party before it, in this case the applicant. It must be pointed out that the concept of ‘losing party,’ in this context, refers to the party whose arguments concerning the strength of the reputation are rejected by EUIPO”.

The court further clarified that where the EUIPO uses approximate expressions such as “at least” or “at most”, it must nevertheless reason explicitly based on the most favorable scenario for the unsuccessful party (paragraphs 33-36).

Failure to do so vitiates the global assessment of the existence of a link or of detriment to the reputation of the earlier mark (paragraph 34).

Accordingly: “It must be concluded that the Board of Appeal, by not expressly taking into account the best-case scenario for the applicant (which, moreover, was relied on by the applicant), namely that of a ‘very high’ degree of reputation, in the overall assessment of the link between the marks at issue, infringed the obligation set out in paragraphs 31 to 37 above and thereby erred in law” (paragraph 54).

This omission, the court noted, constitutes a defect in reasoning and undermines the analytical soundness of the overall assessment of whether a “link” exists between the marks and whether there is a potential detriment to the reputation of the earlier mark.

The “best-case scenario” principle and the EUIPO’s procedural diligence

Through this judgment, the General Court codifies a general methodological principle: the EUIPO must, in its assessment, consider the most favorable hypothesis for the proprietor of the earlier mark whenever its findings are indeterminate or based on elastic expressions.

This obligation reflects a specific application of the duty of administrative diligence, which requires the institution to examine “carefully and impartially all the relevant factual and legal elements of the case” (paragraph 37).

It follows that a decision based on a finding of “at least a medium degree of reputation” without examining whether a higher degree could be established is incomplete and legally flawed, as it fails to consider the full range of factual possibilities advanced by the parties.

The court also made clear that an implicit or inferential reasoning cannot remedy this deficiency: the assessment of the “best-case scenario” must appear expressly in the reasoning of the decision.

Consequently, the contested decision was annulled in its entirety, and the case was remitted to the Board of Appeal for a fresh examination consistent with the principles laid down by the court.

Conclusions

The significance of the ruling extends well beyond the dispute between Puma and CMS Italy. The “best-case scenario” principle marks a further step towards greater transparency and predictability in EUIPO decision-making.

It requires the Office to justify its assessments comprehensively, considering not only the most probable evaluation but also the most favorable hypothesis for the unsuccessful party.

By doing so, the General Court reinforces the standard of procedural diligence and analytical rigor in the protection of trademarks with a reputation – an approach that enhances both the fairness and the credibility of decision-making in the EU trademark system.

Author: Rebecca Rossi

Early TM screening: A new AI ally for professionals and enterprises

EUIPO has recently introduced a new tool that could become a major boost for those working in the field of trademarks. Early TM Screening, launched as part of the SP2030 strategic plan, is designed to make the EU trademark registration process simpler, more transparent and reduce the possibility of mistakes. The platform relies on AI to carry out a preliminary diagnosis of the main issues that a trademark may encounter during the examination phase.

Accessing the screening is easy: you simply enter the sign and select the relevant classes of goods or services. The system then performs an automatic assessment that includes both the research for potential conflicts with earlier rights (EU trademarks, national trademarks, domain names, company names) and an evaluation of possible absolute grounds for refusal, such as descriptiveness, lack of distinctiveness, deceptiveness, or conflict with public policy or accepted principles of morality. It also checks for any interference with specific rights such as geographical indications. The user can download a summary report and seamlessly proceed to the actual filing form.

Compared to the checks already available in online filing modules, Early TM Screening stands out for its ability to bring together in a single dedicated space a series of verifications that, until now, were scattered across different sections or required external tools. In particular, the plug-in based on the TMview tool allows for a quick and up-to-date comparative assessment, while other AI modules help identify conceptual similarities and automatically compare the sign with previous EUIPO’s decisions in similar cases. The result is a richer and more predictive solution that offers users more landmarks than in the past.

The platform doesn’t aim to replace the interpretative and strategic work of experts: the results are purely informative and not exhaustive, and the absence of reported issues doesn’t equate to a guarantee of registrability. Algorithmic analysis, although sophisticated, cannot capture every subtlety of potential conflicts, finer conceptual similarities or peculiarities of the relevant markets. The technology is designed to be used as a preliminary phase, useful for refining initial choices and anticipating possible obstacles, but not sufficient to replace a full clearance search or an in-depth legal assessment.

Equally noteworthy is the new landing page dedicated to the innovative screening system. It gives users educational support. In addition to tutorials and illustrated infographics, it features concrete examples of cases in which a trademark may be considered descriptive or non-distinctive, suggestions on possible solutions, and a structured list of the most frequent absolute grounds for refusal. This initiative clearly reflects the EUIPO’s intention to guide users and professionals towards a more informed and structured approach, reducing the number of applications requiring subsequent corrections or clarifications.

Early TM Screening is not just a new digital tool, but a significant step in the modernization of trademark protection in Europe. The automated pre-evaluation helps identify potential issues early on, facilitating a more solid and informed preparation phase. At the same time, it’s a support that must be combined with legal expertise, not replace it. Only the combination of algorithmic analysis and professional judgment can ensure a truly effective filing strategy.

For law firms, the tool presents a valuable opportunity: it allows them to offer clients immediate and accessible first screening and it enables them to establish from the outset a clearer and more transparent dialogue on risks, opportunities and operational choices. A synergy between technology and consultancy which, if properly harnessed, can contribute to making the entire EU trademark ecosystem more efficient, more predictable and more responsive to the concrete needs of the market.

Author: Noemi Canova

 

Technology, Media and Telecommunications

AGCom publishes Platform to Business Report for 2025

On 4 November the Italian Communications Authority (AGCom) published its annual report on the application of Regulation (EU) 2019/1150 on platform-to-business relations (the P2B Report).

The P2B Report, approved on 28 October 2025, reports the results of AGCom’s annual monitoring of the state of application of Regulation 2019/1150 (P2B Regulation) by online intermediation service providers and online search engines offering services in Italy, aimed at assessing their degree of compliance with European standards and the level of satisfaction of user companies.

The report has five sections:

• the regulatory framework applicable to “positioning” and related regulatory developments
• AGCom’s enforcement activities
• monitoring of the application of Regulation 2019/1150 by online platforms and search engines
• best practiceson “positioning”
• concluding remarks

The first and fourth sections of the P2B Report are dedicated to “positioning,” which Regulation 2019/1150 defines “the relative prominence given to the goods or services offered through online intermediation services, or the relevance given to search results by online search engines, as presented, organised or communicated by the providers of online intermediation services or by providers of online search engines, respectively, irrespective of the technological means used for such presentation, organisation or communication” (Article 2(8)).

“Positioning” refers to how online intermediation service providers and search engines present, organize or communicate information about goods or services to consumers, ie search results, and thus positionthe results based on certain parameters defined unilaterally. The use of these parameters over others must be supported by specific reasons that online intermediation service providers and search engines have to disclose through specific notices, pursuant to Article 5 of the P2B Regulation.

Section 2 examines the relationship between these information obligations, referred to in the P2B Regulation, and the transparency obligations provided for in Regulation 2022/2065 (Digital Services Act or DSA) with regard, in particular, to the recommendation systems of online platforms (Article 27). AGCom notes that both regulations aim to ensure greater awareness for users and that they’re complementary to each other, insofar as the P2B Regulation is aimed exclusively at commercial users, while the DSA is aimed at all types of users.

On the subject of “positioning”, following a specific call for input, AGCom also adopted a document on “Best practices on positioning”, which aims to identify the best operating methods by which online intermediation service providers and search engines can ensure the availability, comprehensibility and completeness of information on positioning in the disclosures made to users pursuant to Article 5 of the P2B Regulation.

The second section of the P2B Report describes the operational methods by which AGCom has implemented its activities to monitor the implementation of the P2B Regulation, describing the initiatives undertaken within the framework of the “Technical Working Group for the adequate and effective application of Regulation (EU) 2019/1150”, as well as the supervisory activities carried out by the Authority.

The aim of the Technical Working Group is to examine in depth the methods of application of the P2B Regulation and to identify shared guidelines on specific issues, also with a view to promoting the possible adoption of codes of conduct and best practices. Along these lines, the Technical Working Group has undertaken discussions to identify shared solutions to overcome the critical issues in the application of the P2B Regulation, focusing on two lines of action:

• raising awareness among commercial users and corporate website owners of the protections offered by the P2B Regulation through targeted information/training campaigns; and
• strengthening the effectiveness of the implementation of regulatory provisions by platforms, including through adhoc studies on any critical issues in application and the identification of best practices.

In the third section, the P2B Report illustrates the methodology and scope of monitoring. In a nutshell, AGCom carried out the monitoring by first conducting a preliminary mapping of entities operating as online intermediation service providers and online search engines in Italy. Then, after identifying them, requests for information were sent to the various operators with the aim of monitoring the proper implementation of the P2B Regulation.

In light of the evidence emerging from the monitoring and supervisory activities, with reference to the work of the Technical Working Group, AGCom identified four priority areas in relation to which best practiceimplementation documents were adopted:

• availability of terms and conditions and related information;
• access to and functioning of the internal complaint management system;
• mediation;
• requirements for information relating to positioning and differentiated treatment (as mentioned above).

The P2B Report provides some food for thought and forward-looking guidance on the initiatives that the Authority intends to implement, with the aim of consolidating the results already achieved, exploring in greater depth how ranking systems work and their impact on businesses operating in the digital ecosystem. AGCom intends to launch a specific study through a large-scale analysis of the T&C of intermediation service providers and search engines, as well as a further study on the perspective of commercial users, with the aim of understanding the benefits perceived by users in terms of the transparency of positioning parameters and the critical issues.

Authors: Massimo D’Andrea, Flaminia Perna, Matilde Losa

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.