
17 November 2025
Innovation Law Insights
The Legal Break
How to Build an AI Committee under the EU AI Act
Under the EU AI Act, every company using artificial intelligence will need a governance framework – and at its core sits the AI Committee. In this 60-second episode of Legal Break, Giulio Coraggio breaks down:
- Who should be part of your AI Committee (it’s not just IT or legal).
- Why some companies are appointing a Chief AI Officer.
- How to give the committee real authority – from reviewing AI projects to reporting directly to senior leadership.
You can watch it here.
Data Protection and Cybersecurity
EU Commission to codify legitimate interest as legal basis for AI training: a turning point for GDPR and innovation
The European Commission’s proposal to codify legitimate interest as a legal basis for AI training marks the most significant reform to the GDPR since its adoption. By explicitly recognizing legitimate interest as a legal basis for AI training, the Commission aims to reconcile data protection with the realities of modern artificial intelligence.
If confirmed on 19 November 2025 as part of the EU Digital Omnibus package, this change would move beyond interpretation and give legal certainty to a question that has divided EU regulators for years: Can AI developers lawfully train models with personal data under the GDPR?
From legal uncertainty to clear regulatory ground
Until now, the use of legitimate interest as a legal basis for AI training has been a grey area. Some national authorities allowed it under strict conditions, while others rejected it outright. The European Data Protection Board (EDPB), in its Opinion 28/2024 on AI model training, took a restrictive view – warning that companies must carry out detailed balancing tests and could not presume that legitimate interest applies automatically.
The Commission’s initiative represents a shift from uncertainty to codification. Instead of relying on variable national interpretations, this reform would anchor AI training directly in EU law through a new provision in the GDPR – similar to the “soft spam” exception under the ePrivacy Directive.
This approach would harmonize rules across Member States and offer a clear, predictable framework for AI innovation.
Legal implications of codifying legitimate interest for AI training
The proposed reform carries major legal and practical consequences for the interplay between the GDPR and the EU AI Act.
- Greater legal certainty for AI developers
The explicit inclusion of legitimate interest as a legal basis for AI training would give companies a stable legal ground for processing personal data to train models, particularly when using publicly available information. It would finally end the patchwork of national interpretations that created compliance risks and discouraged innovation.
- Harmonization and consistency
By codifying legitimate interest within the GDPR, the EU would ensure uniform application across all Member States. This consistency would simplify compliance for multinational organizations and reduce the risk of conflicting regulatory decisions.
- Protection of special categories of data
The reform would not open the door to unrestricted processing. Sensitive personal data – including those revealing health, ethnicity, religion, or sexual orientation – would remain under Article 9 GDPR safeguards. Only “ordinary” personal data could fall within the legitimate interest scope, provided controllers perform balancing assessments and apply technical measures such as data minimization and pseudonymization.
- Impact on transparency and user rights
AI developers relying on legitimate interest for AI training would still need to comply with GDPR transparency requirements. Individuals must be clearly informed that their data may be used for AI model training and must retain their rights of access, objection, and erasure.
A pragmatic answer to the EDPB’s caution
In its 2024 opinion on AI model training, the EDPB highlighted serious privacy concerns about large-scale data scraping, repurposing, and lack of user awareness. It argued that legitimate interest could not justify indiscriminate collection of personal data.
As analyzed in my previous article “EDPB opinion on AI model Training: How to Address GDPR Compliance?”, the EDPB’s caution was understandable – but it also created regulatory paralysis. The Commission’s proposal aims to restore balance by acknowledging the necessity of data for AI development while maintaining strong safeguards.
This move signals a policy shift toward pragmatism: Europe is realizing that innovation and data protection are not mutually exclusive.
Balancing innovation and fundamental rights
The challenge ahead is ensuring that legitimate interest as a legal basis for AI training does not undermine fundamental rights. Even with a codified lawful basis, companies must continue to demonstrate accountability by:
- applying privacy-by-design and by-default principles;
- ensuring clear transparency notices for data subjects;
- avoiding any use of special categories of data without explicit consent.
As to the legitimate interest assessment, an LIA might not be needed if the underlying legitimate interest is expressly provided by the law. However, companies will have to prove that their AI training fits within the scope of the relevant provision.
Codification will not exempt companies from compliance – it will redefine the compliance boundaries. The real question is whether authorities and organizations can strike a balance that supports innovation while safeguarding personal freedoms.
Aligning the GDPR with the AI Act
The EU AI Act establishes risk-based obligations but does not define the lawful basis for processing data during training. The Commission’s amendment would fill that gap, creating a coherent bridge between data protection and AI governance.
If implemented effectively, this change could make Europe a global benchmark for trustworthy AI regulation – combining legal certainty with robust rights protection.
However, its success will depend on the scope of the final wording. If too broad, it may weaken privacy protection; if too narrow, it could fail to provide the clarity that businesses urgently need.
A decisive step for Europe’s digital future
The codification of legitimate interest as a legal basis for AI training could redefine how Europe approaches both privacy and technological development. It represents a strategic evolution – not a retreat – from the GDPR’s original spirit.
By embedding this principle directly into the regulation, the EU sends a clear message: Europe wants to remain the global leader in responsible AI innovation.
Whether this move will satisfy both privacy advocates and industry players remains to be seen. But it undeniably marks a turning point in the dialogue between data protection and digital progress – one that could shape Europe’s AI landscape for the next decade.
Author: Giulio Coraggio
The EU’s Digital Package on Simplification: Streamlining GDPR, AI and Data Rules
The Digital Package on Simplification, proposed by the European Commission, updates key EU laws – including the GDPR, the AI Act, the Data Act, the NIS2 Directive, and the ePrivacy Directive – to modernize and simplify the entire European digital regulatory framework.
Also known as the Digital Omnibus, this proposal aims to streamline compliance, remove overlapping obligations, and reduce administrative burdens, while preserving the EU’s high standards for data protection and digital trust.
By consolidating outdated rules and harmonizing legal obligations, the Digital Package on Simplification seeks to create a more efficient, innovation-friendly digital environment that benefits both businesses and regulators.
A Political Push for a “Simpler and Faster Europe”
The Digital Package on Simplification is part of the European Commission’s broader political agenda titled “A Simpler and Faster Europe.”
This initiative follows the Draghi and Letta reports on European competitiveness, which stressed that excessive regulatory layering undermines innovation and growth.
Responding to repeated Council conclusions in 2025, the Commission pledged to rationalize the EU’s digital acquis by merging or repealing redundant texts and clarifying the interaction among existing digital regulations. The Digital Omnibus is the first concrete result of this simplification drive.
What the Digital Package on Simplification Proposes
According to an unofficial version of the document leaked from the EU Commission, the proposal introduces a single omnibus regulation that consolidates several major instruments.
It amends:
- GDPR (Regulation 2016/679)
- AI Act (Regulation 2024/1689)
- Data Act (Regulation 2023/2854)
- NIS2 Directive (Directive 2022/2555)
- ePrivacy Directive (Directive 2002/58/EC)
It repeals:
- Platform-to-Business (P2B) Regulation
- Data Governance Act (DGA)
- Free Flow of Non-Personal Data Regulation
- Open Data Directive
By merging these acts into a unified structure, the Digital Package on Simplification eliminates inconsistencies, simplifies reporting requirements, and harmonizes definitions across the digital legislative corpus.
The Three Pillars of Simplification
The Digital Package on Simplification is built around three strategic pillars:
- Data framework consolidation
- Unified incident reporting
- Alignment of AI and data protection rules
- Streamlining the Data Framework
The proposal merges the Data Governance Act, the Open Data Directive, and the Free Flow of Non-Personal Data Regulation into the Data Act, establishing a single point of reference for data sharing and reuse.
Key innovations include:
- Turning the registration system for data intermediaries into a voluntary trust framework within the Data Act.
- Consolidating rules for data altruism and public-sector data reuse.
- Clarifying cloud-switching and interoperability provisions.
This simplification is expected to cut administrative costs and improve legal predictability for companies working with data across borders.
- One-Stop System for Incident and Breach Reporting
One of the most tangible improvements in the Digital Package on Simplification is the creation of a single EU-wide platform for incident and data-breach notifications, to be managed by ENISA.
This “report once, share with all” mechanism enables companies to fulfil obligations under the GDPR, NIS2, DORA, and Digital Identity Regulation simultaneously.
It will drastically reduce duplicate reporting, ease coordination between authorities, and increase efficiency – all while maintaining existing legal competences.
- Aligning AI Compliance with Data Protection
To reconcile the AI Act and GDPR, the proposal introduces clarifications on:
- the concepts of personal data and pseudonymization;
- the lawful use of personal data for AI training, under legitimate safeguards;
- streamlined obligations for low-risk data processing.
These clarifications respond to long-standing industry concerns about legal uncertainty around AI training datasets and ensure a balance between innovation and privacy.
The End of the Platform-to-Business Regulation
The Platform-to-Business Regulation will be repealed, as its objectives are now fully achieved by the Digital Markets Act (DMA) and the Digital Services Act (DSA). This repeal reduces duplication and brings all platform governance rules under the same digital policy framework, improving consistency and enforcement.
Economic Impact: Reducing Red Tape
The Digital Package on Simplification is also an economic reform.
According to the Commission, it will generate:
- EUR1 billion in annual savings;
- EUR1 billion in one-off savings;
- EUR4 billion total savings by 2029.
Small and medium-sized enterprises (SMEs) and small mid-caps will benefit most from reduced compliance obligations and simplified reporting mechanisms, strengthening Europe’s digital competitiveness.
Legal Basis and Fundamental Rights
Grounded in Articles 114 and 16 of the TFEU, the Digital Package on Simplification safeguards both market integration and privacy protection.
The Commission stresses that the initiative does not weaken the GDPR or the EU Charter of Fundamental Rights, but instead ensures a clearer and more coherent application of existing standards across all digital regulations.
A New Chapter: Toward a Digital Acquis 2.0
The Digital Package on Simplification marks a fundamental shift from regulatory expansion to consolidation.
It sets the foundations for a Digital Acquis 2.0 – a unified, transparent, and innovation-oriented legal framework that strengthens Europe’s position as a global leader in digital governance.
If adopted, the Digital Package on Simplification could become a model for how the EU modernizes complex legislation without compromising its core values of privacy, security, and accountability.
Author: Giulio Coraggio
FIDA: New Rules on Sharing Financial Data
With the proposed Financial Data Access Regulation (FIDA), presented by the European Commission on 28 June 2023, the European Union is preparing to redefine the management and sharing of financial data, completing the process begun with PSD2 and paving the way for an integrated, secure, competitive open finance ecosystem.
FIDA aims to create a single market for financial data based on common standards of interoperability, security, and transparency, allowing consumers and businesses to fully control access to and use of their information.
The regulation represents the information pillar of the Digital Finance Package, together with the reform of Payment Services (PSD3), the new Payment Services Regulation (PSR) and the Digital Operational Resilience Regulation (DORA).
In this context, FIDA introduces a key principle: financial data as strategic European infrastructure. No longer a static asset held by institutions, but a dynamic resource available to customers, freed up through a regulated ecosystem of exchange based on informed consent, technical security, and accountability.
FIDA, therefore, marks the transition from open banking to open finance, but also, more profoundly, from a bank-centric system to one based on the digital and financial self-determination of the user.
- From the PSD2 model to the single market for financial data
FIDA was born as a natural evolution of PSD2, but radically expands its scope. While the 2015 directive introduced the principle of open banking, requiring banks to open access to payment accounts via API interfaces for the benefit of authorized third parties, the new regulation extends the model to all financial data generated in the customer’s economic life cycle.
The scope thus becomes much broader: not only current accounts and payment cards, but also mortgages, loans, investment products, insurance policies, pension plans, and asset management services.
The aim is to enable users – individuals or businesses – to decentralize and share all the information held by different operators in a secure and transparent manner, overcoming the fragmentation of channels and formats.
This evolution marks an important conceptual shift: financial data is no longer the prerogative of the intermediary, but an information asset owned by the customer, accessible and transferable according to standardized methods and under their exclusive control.
To make this vision operational, FIDA introduces two key tools:
- Financial Information Service Providers (FISPs), a new category of regulated entities responsible for providing services based on users’ financial data;
- Financial Data Permission Dashboards, digital interfaces through which customers can view, grant, or revoke access to their data in real time.
The mechanism is based on the principle of informed and granular consent: no data may be shared without clear and specific authorization from the data subject.
This model, which is inspired by Article 20 of the GDPR on the right to portability, allows for true informational self-determination, strengthening the user’s control over the circulation of their data.
Finally, the regulation abandons the idea of free access introduced by PSD2 and introduces the notion of fair and proportionate compensation: data holders may be remunerated for the costs incurred in setting up interfaces, implementing security measures, and managing requests.
In this way, FIDA transforms the obligation of openness into a regulated partnership between financial institutions and new digital operators, with economic incentives and common technical standards that make the European open finance ecosystem sustainable.
- Data sharing schemes and the new open finance infrastructure
The operational core of FIDA lies in the obligation for all entities that hold or use financial data to adhere to European-recognized sharing schemes (Financial Data Sharing Schemes).
These are sectoral consortia or cooperative bodies tasked with defining common rules on technical standards, governance, security, and remuneration models, ensuring uniform, interoperable, and reliable access to data.
Each scheme must establish in particular: (i) common data formats and API specifications to ensure full interoperability between different operators; (ii) authentication and authorization protocols based on high cybersecurity standards and compliant with the DORA Regulation; (iii) rules on contractual liability and dispute resolution between participants; (iv) criteria for determining fair and proportionate compensation for data holders, avoiding market imbalances.
Only exchanges carried out within these schemes will be considered lawful.
Adherence to the schemes will therefore become an essential condition for operating in the open finance market: no entity, whether a data holder or data user, will be able to access or share data outside a framework of rules approved and supervised by the competent European authorities.
This architecture is inspired by the institutional interoperability model already tested in SEPA payments and, more recently, in the European Single Access Point (ESAP) framework.
Looking ahead, Financial Data Sharing Schemes will form the backbone of the single market for financial data, promoting a competitive but regulated environment in which collaboration between operators becomes the very condition for innovation.
- The new players in the ecosystem
FIDA profoundly redefines the map of entities involved in the management and exchange of financial data, introducing a new functional tripartite division based on roles, responsibilities, and transparency obligations.
a. Data holders are entities that hold financial data generated or collected in the course of providing a service – including banks, payment institutions, investment firms, insurance companies, asset management companies, pension funds, and credit intermediaries. They are required to allow access to data requested by users or entities authorized by them, in accordance with the principles of non-discrimination, security, and technical interoperability.
Refusal to grant access may only be justified on grounds of cybersecurity, fraud prevention, or breach of professional secrecy, in line with recital 28 of the proposal.
b. Data users are entities that request access to data in order to provide innovative services to customers: asset management applications, credit scoring, automated financial advice, ESG investment solutions, or aggregate business flow analysis platforms.
Their work is based on the principle of informed and reversible consent: customers can limit or revoke access to data at any time through their Financial Data Permission Dashboard, with immediate effect and without penalty.
Data users must also comply with the accountability and data minimization requirements of the GDPR, ensuring that information is used only for the purposes stated.
c. At the heart of this dynamic is a new regulated figure: the FISP. These are specialized operators who will act as qualified intermediaries between data holders and data users, providing data collection, aggregation, standardization, and analysis services, as well as certified API interfaces.
To obtain authorization, FISPs will have to comply with stringent governance, solvency, cybersecurity, and business continuity requirements, in line with Articles 62 and 68 of the DORA Regulation.
In addition, they will be subject to direct supervision by the competent national authority and, in cases of cross-border relevance, to joint supervision by the European authorities in the sector.
The model outlined by FIDA therefore creates a multi-level ecosystem, in which data flow is no longer unidirectional but regulated by mechanisms of consent, auditability, and traceability. In this perspective, FISPs take on a strategic role similar to that of Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) under PSD2, but with a broader, cross-sectoral scope, capable of connecting the banking, insurance, and investment worlds in a single trusted infrastructure.
- Security, consent, and personal data protection
The most sensitive aspect of FIDA concerns the point of contact between open finance and personal data protection. The entire framework of the regulation is based on a complex balance between transparency, individual control, and cybersecurity, in the knowledge that user trust is a necessary condition for the development of the single market for financial data.
Consent becomes the cornerstone of the system: it must be explicit, specific, informed, and revocable at any time, in accordance with the criteria set out in Articles 4(11) and 7 of the GDPR.
In terms of security, FIDA requires operators to adopt technical and organizational measures in accordance with DORA, imposing stringent requirements for cyber resilience, business continuity, and incident reporting.
All access to data must be authenticated using strong customer authentication (SCA) mechanisms, and all transactions must be recorded in encrypted logs, stored for a limited period, and accessible only in the event of an audit.
The regulation also addresses the issue of combining data from different sources, imposing a principle of functional limitation: correlation between datasets is only permitted if strictly necessary for the authorized purpose and cannot involve further profiling or automated assessments not provided for.
This results in direct alignment with Articles 5(1)(b), 6, and 22 of the GDPR, which prohibit decisions based solely on automated processing without adequate safeguards for the data subject.
Finally, FIDA introduces a specific obligation of data protection by design and by default for all participants in sharing schemes.
FISPs, in particular, will have to integrate encryption, pseudonymization, and minimization functions from the API design stage, ensuring that no excess data is processed or stored.
- Opportunities, challenges, and prospects for implementation
FIDA aims to extend to the world of financial, insurance, and asset brokerage the same logic of interoperability that PSD2 introduced in payments.
Looking ahead, the regulation represents a paradigm shift: access to data is no longer a competitive advantage, but a shared responsibility based on trust, security, and reciprocity.
The opportunities are clear.
- For consumers, FIDA paves the way for a truly integrated financial services market, where data becomes the key to personalized solutions, portability of contractual relationships, and greater competition among operators.
- For businesses, the ability to aggregate information from banks, insurance companies, and asset managers will enable the development of new predictive analytics models, ESG scoring, and automated advice.
- Finally, for supervisory authorities, the standardization of data flows will strengthen risk-based supervision, reducing compliance burdens and improving the ability to monitor systemic phenomena.
However, the challenges remain significant.
- First, effective implementation will depend on the ability to harmonize rules and infrastructure across Member States, avoiding the risk of technological and regulatory fragmentation.
- Secondly, the cost of compliance, particularly for smaller entities, could slow down participation in sharing schemes, undermining the regulation’s goal of inclusiveness.
- Finally, the balance between innovation and privacy protection will continue to be a structural tension: any secondary use of data must be strictly justified, verifiable, and proportionate.
The success of FIDA will ultimately depend on the ability of the European financial ecosystem to translate compliance into innovation.
It is not just a matter of ensuring technical interoperability, but of building a financial data market based on trust, transparency, and shared responsibility.
In this sense, FIDA represents the most advanced stage of a broader process: the transformation of the European financial sector into a regulated data governance infrastructure, where competitiveness is achieved through compliance and information sovereignty becomes the real driver of innovation.
Author: Giulio Napolitano
Gaming & Gambling
The New Italian Online Gambling Licence Applies NOW: What Changes for Operators, New Entrants and Suppliers?
As of today, the new Italian online gambling licence regime is officially in force, marking the most significant regulatory shift in Italy’s online gambling sector in over a decade. This reform does not simply renew the market: it reshapes the entire structure, raises compliance expectations, and redefines how operators, new entrants and suppliers can access and compete within Italy’s regulated environment.
This is a turning point, and the way companies respond in the coming weeks will determine their competitive position for the next nine years.
A New Regime Built on Higher Entry Standards
The new Italian online gambling licence introduces a unified nine-year concession covering all remote-gambling verticals. ADM has moved from a fragmented tender to a consolidated structure intended to improve legal certainty, reduce technical inconsistency and promote long-term investment.
The key features include:
- EUR7 million licence fee (EUR4 million at award + EUR3 million at go-live)
- much stricter technical, AML and organisational controls
- a reduction in the number of concessionaires, now approximately 46
- stronger controls on multi-brand and multi-skin models
- a clearer focus on responsible gaming and platform integrity
This is not a marginal update. Today marks the beginning of a far more selective and scrutinised Italian online gambling market.
A More Selective Market: Concentration is Now a Structural Design
With the regime applying from today, the competitive effects are immediately visible. The high cost of the Italian online gambling licence, combined with ADM’s more rigorous vetting, has resulted in fewer authorised operators. The sector is entering a consolidation phase where:
- economies of scale matter more
- compliance maturity becomes a competitive advantage
- operational robustness is no longer optional
- only structurally sound operators can sustain long-term growth
This is not a market in which “testing the waters” or “partial investments” will work. ADM has built a regime that rewards long-term commitment.
What Today Means for New Entrants
For companies considering entry into Italy, the new framework presents both opportunities and significant barriers.
- High Financial and Structural Thresholds
The EUR7 million fee is only the beginning. New entrants must demonstrate:
- verified technological capability
- a resilient platform able to meet ADM’s real-time reporting expectations
- proven AML systems
- business continuity and disaster-recovery controls
- a structured responsible-gaming framework
ADM expects new entrants to be operationally mature before go-live, not after.
- Stronger Business Planning Requirements
New entrants must adopt a business model capable of absorbing:
- increased supervisory reporting
- market-concentration dynamics
- stricter supplier due-diligence obligations
Entering Italy today requires a strategic approach, not a speculative one.
- A Longer-Term Opportunity
The Italian market remains one of Europe’s largest and most profitable, but the new regime ensures that only well-governed, well-capitalised operators can participate. For new entrants that meet the requirements, today marks the beginning of a stable, predictable nine-year cycle.
What Changes for Game Suppliers and Platform Providers
The reform directly impacts not just operators but also the entire supply chain. Game suppliers, platform providers, betting engines and technology vendors face new obligations starting today.
- Mandatory Certification and Technical Controls
Suppliers must ensure that:
- all games comply with the updated technical standards
- platforms meet ADM’s requirements on fraud detection, session tracking and transparency
- RNG and RTP certifications are fully aligned with new rules
- reporting capabilities support operators’ real-time obligations
- Stricter Due-Diligence by Operators
Under the new Italian online gambling licence, operators are required to apply enhanced oversight to their suppliers, which includes:
- detailed AML and integrity checks
- supplier risk assessments
- contractual controls and audit rights
- verification of technical conformity
Suppliers must therefore elevate their compliance posture or risk losing access to the market.
- A Shift Toward Fewer, More Strategic Partnerships
Because operators today are more selective, suppliers should expect:
- longer-term, more structured integrations
- higher expectations on uptime and game performance
- demand for stronger responsible-gaming tools
- pressure to modernise legacy tech stacks
This is an opportunity for high-quality suppliers – and a challenge for those that fail to adapt.
The Road Ahead: A Market for the Prepared
The new Italian online gambling licence regime applying from today is not simply regulatory housekeeping. It represents a structural redesign of Italy’s digital gambling ecosystem. Operators, new entrants and suppliers must all elevate their governance, technology and compliance approaches.
Those who act immediately – strengthening their frameworks, reviewing supplier ecosystems, investing in platform integrity – will secure a competitive advantage that lasts throughout the nine-year cycle.
Those who wait will struggle.
A Final Question for Industry Leaders
Now that the regime applies from today, the real discussion begins:
Which operators and suppliers are ready to meet Italy’s new standards – and which will fall behind?
Author: Giulio Coraggio
Legal Tech Bytes
Expert Insights on the Latest Trends and Innovations
The lawyer-in-the-loop mandate: what in-house teams need to know about the legal tech market shift
A confluence of regulatory developments, provider policy changes, and market data is crystallizing a fundamental truth about legal AI: technology in the legal domain must be designed (and operate) to support, not replace, licensed professionals. For in-house legal teams evaluating legal tech vendors, understanding these dynamics is essential for making strategic technology investments that will remain viable and compliant.
LLM policy evolution: from disclaimers to architectural guardrails
One of the most popular US-based LLM providers recently updated its usage policies with a significant clarification: users cannot employ their services for provision of tailored advice that requires a license, such as legal or medical advice, without appropriate involvement by a licensed professional.
This policy now applies not only to the chat interface but also to enterprise services agreements, meaning it governs API integrations, RAG (Retrieval-Augmented Generation) implementations, and the technology powering many legal tech companies’ AI services. The underlying principle is clear: legal advice, like medical advice, relates to administering justice and protecting fundamental rights. These activities are inherently critical and cannot rely on fully automated processes.
This isn’t an isolated development. Italian AI legislation (Law 132/2025, Art. 13) explicitly addresses this, requiring that AI provide only “instrumental and support activities” with “prevalence of intellectual work” by licensed professionals.
Other major LLM providers are likely to follow suit, driven not just by liability concerns but by a growing understanding that instrumental technologies require appropriate safeguards when deployed in domains affecting fundamental rights.
What this means for in-house legal technology procurement
Recent survey data from the Association of Corporate Counsel and Everlaw – based on responses from 657 in-house legal professionals across 30 countries – reveals important insights about the current state of legal AI adoption:
- 91% of legal professionals report increased efficiency as GenAI’s top benefit, demonstrating universal recognition of the technology’s value as a support tool
- 58% of in-house professionals say their departments are the primary drivers of GenAI adoption, signaling that procurement decisions rest firmly with corporate legal teams
- 20% are already encouraging their outside counsel to use GenAI, a number that continues to grow as adoption matures
- 20% have already seen more efficient turnaround times on legal work from technology-enabled workflows
- 43% foresee an increase in value-based billing models, signaling evolution in how legal services are delivered and priced
Taken together, these trends suggest that the legal profession is heading toward a significant evolution in roles and competencies. The combination of high AI adoption rates and strengthening requirements for professional oversight doesn’t mean less technology – it means more sophisticated integration of technology with professional judgment. Legal departments will increasingly need professionals who can design, implement, and oversee these hybrid systems: legal engineers, legal operations professionals with technical depth, and lawyers who understand not just law but the architecture of the tools they use.
Author: Tommaso Ricci
Legal Design Tricks
Little tips to use legal design in your daily activities
Trick #11: The Right Tools Make All the Difference
You have a brilliant idea and clear content… but how do you turn it into documents that are readable, visual, and engaging?
The choice of the right tool isn’t a minor detail: it can be the difference between a confusing document and one that truly communicates, guides the user, and highlights your work.
With the right tool, you can:
- save valuable time
- collaborate more effectively
- create clear, testable prototypes
- turn complex concepts into understandable, visual elements
Remember: in Legal Design, what matters is choosing the tool that best fits the outcome you want to achieve.
For quick visuals, try:
Canva
Pro: intuitive, ready-made templates, integrated icons and colors
Con: less flexible for complex projects
PowerPoint/Keynote
Pro: great for slides and rapid mockups
Con: static layouts, limited interaction and collaboration
For prototypes and interactive documents, use:
Figma
Pro: powerful for layout and visual design, live collaboration
Con: steeper learning curve
Notion/Coda
Pro: excellent for document prototypes, checklists, workflows
Con: less visual unless customized
Adobe Express
Pro: polished visuals, brand kits, professional export options
Con: less commonly used in legal settings
For maps and process visualization, try:
Lucidchart/Miro (flowcharts)
Pro: ideal for internal processes, workflows, and escalations
Con: requires some initial setup
XMind/MindMeister
Pro: perfect for mapping concepts, clauses, definitions
Con: less effective for final deliverables
Excel
Pro: easy to create, great for tables
Con: limited in graphics and interaction
AI for Legal Design
ChatGPT & Co.
Pro: support for clear text, visual examples, layout suggestions
Con: always needs human review
Canva AI/Magic Design
Pro: generates visual drafts in seconds
Con: results need customization
Gamma/Tome AI
Pro: create slides and prototypes from a prompt
Con: limited for legal-specific layouts
How to choose the right tool
Pick based on:
- Time – do you need something ready-to-go or fully custom?
- Output – slides, policies, contracts, prototypes?
- Audience – colleagues, internal clients, end users?
- Collaboration – solo or in a team?
- Skill – do you need “plug & play” simplicity?
Tip: start simple, then upgrade your tool as the project grows.
Did you know?
Tools like FigJam or Miro aren’t just for maps and diagrams: they’re perfect for brainstorming, virtual post-its, and user journeys. They really help engage the team and get ideas out on the table in a visual, collaborative way.
Author: Deborah Paracchini
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.
You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.