Innovation Law Insights

Podcast

Webinar – Data Act: What to know from a legal and technical perspective

The new European Data Act is just around the corner and will profoundly change the way data is generated, shared and used, particularly in the world of the Internet of Things (IoT).

This webinar is designed for companies, startups, professionals, and stakeholders operating in the digital space who want to understand the concrete legal, operational, and strategic changes the new regulation will bring. Watch the recording (in Italian) of the webinar here.

Artificial Intelligence

The AI Continent Action Plan: The European Commission’s strategy for the future of AI in Europe

In April 2025, the European Commission adopted the AI Continent Action Plan, an ambitious plan designed to position the EU at the forefront of global AI development.

This comprehensive strategy seeks to leverage the EU’s key strengths – such as research excellence, advanced industry, and a highly skilled workforce – to drive economic growth, enhance competitiveness, and stimulate innovation in strategic sectors.

In a global context where major tech players are heavily investing in AI, the EU aims to define a sustainable and competitive development model rooted in ethical, trustworthy, and interoperable technology. The Action Plan is structured around five strategic pillars intended to reinforce the EU’s digital capacities by 2030 and ensure broad and equitable access to AI resources and benefits.

Building a large-scale AI computing infrastructure

At the core of the plan lies the creation of a European network of high-performance computing infrastructure essential for training and deploying advanced AI models:

• 13 AI Factories are to be established across various member states by 2026, building on the existing EuroHPC supercomputing network. These centres will provide technical support and computing resources to startups, SMEs, large enterprises, and researchers for the development and testing of cutting-edge AI applications.
• Up to 5 AI Gigafactories will be built as large-scale facilities equipped with vast computing capacity and dedicated data centres for training generative AI models at scale. The aim is to position the EU as a global leader in frontier AI technologies.

These initiatives will be financed through InvestAI, a public-private investment mechanism expected to mobilize over EUR20 billion to expand Europe’s digital capabilities.

In parallel, the plan foresees the adoption of the Cloud and AI Development Act, a new legislative instrument aimed at fostering private investment in cloud infrastructure and data centres, with a strong emphasis on environmental sustainability. The stated goal is to triple the EU’s data centre capacity within 5-7 years, with priority given to green data centres.

Ensuring access to high-quality data

AI systems depend on the availability of reliable, rich, and well-structured data. To this end, the plan promotes the Data Union Strategy, which seeks to create a unified European data market accessible to both businesses and public administrations:

• AI Factories will include Data Labs, tasked with collecting, structuring, and harmonizing interoperable datasets sourced from diverse sectors, in full compliance with European ethical standards.
• The plan aims to simplify rules for data access, sharing, and reuse, facilitating the integration of AI solutions across public and industrial domains.

This strategy is intended to treat data as a European public good, capable of powering responsible and transparent innovation.

Promoting AI in strategic sectors

One of the plan’s core objectives is to encourage the widespread adoption of AI in key sectors, addressing the current technology uptake gap:

Currently, only 13.5% of European companies use AI solutions. To reverse this trend, the Commission will launch the Apply AI strategy, focused on promoting the use of AI in industry, public administration, healthcare, and scientific research.

Implementation will be supported by the AI Factories and the European Digital Innovation Hubs (EDIHs), which will serve as regional catalysts for digital transformation.

The strategy aims to ensure that AI solutions are accessible to SMEs and traditional sectors through testing services, training, and expert guidance.

Developing AI skills and talent

Acknowledging the critical role of human capital in the AI economy, the Commission is launching the AI Skills Academy, which will offer:

• EU-funded scholarships, PhD programmes, and international mobility schemes focused on generative AI and related technologies.
• Specialised university degrees and professional development programmes, with particular emphasis on reskilling and upskilling workers in manufacturing SMEs and low-digitalisation sectors.

The goal is to nurture a new generation of highly qualified AI professionals capable of developing advanced solutions and leading Europe’s digital transformation.

Facilitating the implementation of the AI Act

Finally, the Action Plan includes measures to support the effective implementation of Regulation (EU) 2024/1689 (AI Act). By summer 2025, the Commission will establish the AI Act Service Desk, an operational helpdesk providing legal and technical assistance to businesses.

The Service Desk will offer tailored advice on regulatory compliance under the AI Act, helping companies adapt internal processes, label systems appropriately, and manage algorithmic risks.

This initiative aims to guide businesses through a compliance path that's both sustainable and innovation-friendly, strengthening public trust in AI systems.

Conclusion

The AI Continent Action Plan is intended to mark a decisive step toward European technological sovereignty in AI. Through this strategy, the Commission seeks to build an integrated, ethical, and competitive AI ecosystem capable of supporting the continent’s digital transition.

The responsibility now shifts to the member states, who must coordinate investments, industrial policies, and educational strategies to ensure that Europe becomes a leading global actor in the AI domain in the years ahead.

Author: Giacomo Lusardi

Data Protection and Cybersecurity

UNI/PdR 174:2025, (also) support for ISO 27001-certified NIS entities

On 30 April 2025, the UNI/PdR 174:2025 Reference Practice was published. It was developed by UNI in collaboration with Accredia, CINI, UNINFO and other institutional actors. The document defines the requirements for a cybersecurity and information security management system that enables the harmonisation of the two main international reference frameworks in the field: UNI CEI EN ISO/IEC 27001:2024 and the NIST Cybersecurity Framework (CSF) 2.0.

A structured integration between two approaches

UNI/PdR 174:2025 was developed to address the complex task of achieving convergence and harmonisation between two widely adopted yet structurally and methodologically different models: the UNI CEI EN ISO/IEC 27001:2024, based on organisational requirements and aimed at accredited certification, and the NIST Cybersecurity Framework (CSF) 2.0, designed as a flexible tool for self-assessment and improving cybersecurity posture.

Both models share common goals – such as data and information protection, risk management, threat mitigation, and the implementation of structured processes for incident response and recovery. However, differences in operational methods, technical terminology, and implementation logic often make it difficult for organisations to integrate the two approaches effectively.

In this context, the practice aims to provide practical, well-documented support to organisations that:

• already operate a system compliant with ISO/IEC 27001 and intend to assess their coverage against the NIST CSF categories and subcategories; and
• have structured their security governance based on the NIST CSF and intend to initiate alignment with ISO requirements in view of certification.

Potential implications for NIS2 compliance

Although UNI/PdR 174:2025 isn't binding and doesn't constitute an implementing measure of Legislative Decree No. 138/2024 (the Italian transposition of the NIS2 Directive), it may be particularly relevant for entities falling within the scope of the decree, especially concerning the adoption of the minimum security measures set out in Articles 24 and 42.

Specifically, the practice incorporates several key elements from the National Framework for Cybersecurity and Data Protection, which served as the foundation for defining the “basic” security measures formalised in ACN Determination No. 164179 of 14 April 2025 and its technical annexes.

As is now known, these measures – to be implemented by October 2026 – are structured as follows:

• 37 measures and 87 requirements for important entities;
• 43 measures and 116 requirements for essential entities.

UNI/PdR 174:2025 can serve as a concrete operational support for NIS entities already certified under ISO/IEC 27001, providing a methodological framework for assessing, documenting, and systematising compliance with the required measures in line with regulatory deadlines.

The C-ISMS System: A reference scheme, not a new standard

Among the key elements of the practice is the concept of C-ISMS (Cybersecurity and Information Security Management System), a management system that takes into account both the requirements of ISO/IEC 27001 and the objectives of the NIST CSF. This is not intended as a new model but as a way to contextualise an approach that highlights the complementarity of existing systems.

In this sense, the practice doesn't introduce new obligations, but provides a methodology for assessing and documenting cybersecurity posture in a structured manner. Its declared aim is to facilitate self-analysis, continuous improvement, and – where relevant – voluntary certification, without supplanting existing regulations.

Conclusions

UNI/PdR 174:2025 serves as a technical reference for organisations seeking to strengthen the consistency and maturity of their cybersecurity management systems, by adopting an integrated approach based on internationally recognised standards. The ability to harmonise ISO/IEC 27001 requirements with the objectives of the NIST CSF helps improve control traceability, reduce operational fragmentation, and optimise resource use.

In this context, the practice – available free of charge when registering on the UNI website – can also provide practical support for NIS entities already certified to ISO/IEC 27001, as they prepare to comply with the minimum security measures set out in Legislative Decree No. 138/2024 and ACN Determination No. 164179/2025.

Author: Gabriele Cattaneo

Gaming and Gambling

Online Gambling and the European Accessibility Act: Regulatory Profiles in Italy and the EU

With the implementation of the European Accessibility Act in most of EU countries (including Italy with Legislative Decree No. 82 of 5 August 2022), a new phase has begun for the accessibility of digital services, including online gambling services, offered in the European market (see Digital Accessibility Act: New obligations applicable from 28 June 2025). This is a topic often underestimated but one that is beginning to produce effects even in highly digitized sectors such as remote gambling.

How does the Accessibility Act apply to online gambling

Although the Accessibility Act doesn't explicitly mention online gambling services among those subject to accessibility obligations, it appears that such platforms may fall within the scope of e-commerce services, pursuant to Article 2(1)(hh) of the same decree. The conclusion of consumer contracts at a distance through digital interfaces, initiated by the user, constitutes the qualifying element – also supported by relevant case law.

The upcoming transition to the new Italian online gambling licensing regime is also significant, as it will require the deployment of a technically and contractually updated platform. Where substantial changes are introduced, the resulting service may be qualified as a “new service”, triggering the immediate applicability of accessibility provisions from the go-live date – without benefiting from the transitional regime until 2030.

Extension to integrated electronic communication services

Additional relevant aspects concern electronic communication services potentially integrated into gambling platforms – such as live chat, messaging systems, customer support, or call-back tools. The definition under the Accessibility Act is broad, but actual qualification depends on technical and operational factors, such as proprietary development, the operator’s level of control, and the mode of user interaction.

In the absence of binding interpretative guidance, it's advisable to assess each case individually, particularly for services developed in-house or linked to regulated activities (eg responsible gambling, account management).

Core obligations for digital service providers

The Accessibility Act, including its Italian implementation decree, imposes on digital service providers (which are likely to include online gambling operators) the obligation to ensure compliance with accessibility requirements, following technical criteria which – pending harmonized European standards – primarily refer to WCAG 2.1 AA. Key obligations include accessible design, publication of compliance information, and implementation of corrective measures where necessary.

Moreover, it will also be necessary to prepare and make an accessibility statement publicly available, in both written and oral form, including within the provider’s terms and conditions. The statement must be drafted in accordance with the template set out in the annex of the implementing decree, and must be accessible to people with disabilities. The statement and the related documentation must be retained for the entire period during which the service is in operation.

The practical implementation of the Accessibility Act obligations requires a case-by-case technical and contractual assessment, especially in sectors such as online gambling, where platforms often involve complex architectures and third-party components.

The EU context: Harmonised but uneven

The Italian decree implementing the EU Accessibility Act is part of a harmonized EU framework, which establishes accessibility requirements for all products and services placed on the EU market, regardless of the provider’s geographic location. As a result, even non-EU gambling operators offering services accessible to European users may fall under the same legal obligations provided by the EU Accessibility Act – although practical enforcement may vary across member states.

Italy, notably, is among the most advanced EU member states in implementing the EU Accessibility Act, both in terms of formal transposition and AgID’s active role in developing future technical guidelines.

Final remarks

In a sector undergoing rapid legal and technological change like the online gambling sector, compliance with the Accessibility Act requirements calls for a proactive approach – not limited to formal aspects, but grounded in a comprehensive review of the service model, technical stack, and legal framework.

Our team regularly assists online gambling operators in evaluating their compliance with Italian and European accessibility regulations.

Author: Enila Elezi

Intellectual Property

UPC: A review two years after the inauguration

1 June 2025 marked the second anniversary of the Unified Patent Court (UPC) becoming operational.

According to the most recent case load (here), the Court of First Instance has handled 883 cases over the past two years. Among these, 320 were infringement actions and 304 were counterclaims for revocation. German Local Divisions are the most active. Among the Central Divisions, Paris currently leads, followed by those of Munich and Milan.

The Court of Appeal registered 279 proceedings, most of which concerning procedural issues.

English is the predominant language of the proceedings (55%) and its use has gradually increased since June 2023. It's followed by German (38%). And French (3%), Italian (2%), Danish and Dutch (1%) close the ranking.

As for the industrial sectors most involved, the majority of the proceedings concern inventions belonging to classes H (Electricity), A (Human necessities), B (Performing Operations and Transporting) and G (Physics) of the International Patent Classification (IPC).

Finally, much attention is being paid to the now imminent launch of the UPC's Patent Mediation and Arbitration Centre (PMAC), which is expected to occur, according to recent reports, in early 2026. The public consultation on the draft of the rules of procedure that will govern proceedings before this body was recently launched. More information can be found here.

The launch of the PMAC will pave the way for a likely effective alternative to litigation and will mark the final step in the completion of a system that, although still young, has already demonstrated great attractiveness.

Author: Massimiliano Tiberio

Technology Media and Telecommunication

AGCom adopts new Regulation on transparency in the provision of electronic communications services and in the presentation of the calling number

With Resolution No. 106/25/CONS, published on 19 May, AGCom adopted the new “Regulation containing provisions for the protection of end users regarding transparency in the provision of electronic communications services and in the presentation of the calling number (CLI),” which fully replaces the previous regulation set out in Resolution No. 252/16/CONS.

The adoption of Resolution No. 106/25/CONS follows the procedure and public consultation initiated by AGCom through Resolution No. 457/24/CONS in relation to the aforementioned Regulation. The Regulation is aimed at ensuring greater consumer protection by introducing measures designed to amend the previous framework set out, as mentioned, in Resolution No. 252/16/CONS. This will be done with new provisions aligned with Article 98-quindecies of Legislative Decree No. 259/2003 (Electronic Communications Code), specifically dedicated to “Transparency, comparison of offers and publication of information” for the protection of end users.

As stated in the press release, the initiative is part of the work of the technical working group dedicated “to exploring measures to strengthen transparency in the terms of electronic communications service offers and to counter the practice known as spoofing, ie the unlawful alteration of the caller’s telephone number (CLI – Calling Line Identity).” The new provisions include measures aimed at countering aggressive and unlawful telemarketing and telesales practices, as well as frauds carried out by using a modified telephone number designed to appear to the called user as a public or private entity.

Among the main innovations, the new regulation:

• introduces a more detailed list of the information that providers of telephone and internet access services have to publish, aimed at strengthening user rights through greater clarity, completeness, and comparability of the offers available on the market;
• introduces an obligation to inform users annually of the terms of their contracts, to notify users when they exceed 80% of the data cap included in their offer, and to include an explicit reference to the automatic blocking of data traffic once 100% of the data threshold has been reached;
• introduces a classification system for mobile communication service offers using 5G technology, based on the characteristics of the service offered and, in particular, on the presence of any limitations on download and upload speeds available to the end user. Specifically, this “classification” will be represented by a green, yellow, or red label – depending on whether the maximum achievable speed is respectively higher or lower – which must indicate the speed limit value imposed by the provider;
• introduces an obligation for providers to give at least one month’s notice to end users in the event of service termination, with the requirement to provide such notice in an appropriate manner and to include information on the possibility of switching to another provider;
• provide technical measures against spoofing. In particular, to counter the fraudulent use of CLI, an obligation has been introduced for domestic operators receiving calls delivered by foreign operators to block incoming calls that display a national calling number inconsistent with the origin of the call. Operators must apply this measure, starting three months after the entry into force of Resolution 106/25/CONS, to calls with a national fixed CLI, and after six months also to calls with a national mobile CLI.

Authors: Massimo D'Andrea, Flaminia Perna, Matilde Losa

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra, Enila Elezi.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.