Innovation Law Insights

Podcast

Is your software an AI system under the EU AI Act?

Could everyday software like spreadsheets and routine business tools soon be labeled an “AI System” under EU’s sweeping new AI Act? Join us as we unpack the European Commission’s fresh guidelines, revealing how the EU plans to draw the line between traditional software and true AI. Properly qualifying software allows businesses to better understand the obligations and applicable regime, so they can limit potential risks and exploit the technology. Listen to the episode here.

 

Data Protection and Cybersecurity

The deadline is fast approaching: Entities subject to NIS2 have to register on the ACN Portal

The deadline for registration in Italy under the NIS2 Directive with ACN is 28 February 2025. And there are fines for not registering.

The NIS2 Directive was implemented in Italy through Legislative Decree No. 138/2024, which has expanded the scope of the regulation at the national level. One of the first obligations imposed by the decree is registration on the National Cybersecurity Agency (ACN) portal.

Who needs to register and by when?

The registration requirement applies to all companies falling within the scope of the NIS2 regulation. Some categories are clearly defined – such as the energy, healthcare, transport, and large-scale distribution sectors. But other areas are more debatable. And some companies that were initially excluded from the applicability of the Legislative Decree have now been included. For instance, the NIS2 Legislative Decree appears to apply to cloud service providers, potentially including all SaaS providers, even in corporate groups.

Based on the definitions outlined in Annexes I to IV of the NIS2 Legislative Decree, companies that believe they fall within its scope have to register on the ACN platform.

But the decree has introduced two different deadlines:

• By 17 January 2025, domain name system service providers, top-level domain name registry operators, domain name registration service providers, cloud computing service providers, data center providers, content distribution network providers, managed service providers, managed security service providers, and online marketplace providers, online search engine providers, and social networking service platform providers had to register.
• By 28 February 2025, registration will become mandatory for all other entities falling within the scope of the decree.

How to register on the portal?

As we’ve previously shared and as clarified in Determination 38565/2024 (ACN Determination), the registration process on the portal consists of three phases:

• identifying the point of contact;
• associating the point of contact with the NIS entity;
• completing the NIS declaration.

The point of contact has to access the ACN Portal using the Public Digital Identity System (SPID) and complete their personal profile with the required information (if not already provided through SPID). Once identified, the point of contact has to link their account to the designated NIS entity by entering its tax identification code. After this step, the portal will automatically retrieve the company’s details (name, address, digital domicile, and legal headquarters contact information), which the point of contact has to review and confirm.

Associating the point of contact’s account with the NIS entity requires validation through a request sent to the digital domicile of the NIS entity. When the identification and association process is complete, the entity will receive a confirmation notification at its digital domicile.

Only after completing these steps can the NIS declaration be submitted.

This declaration must include:

• The sectoral law provisions mentioned in Annexes I and II of the NIS Decree that apply to the entity.
• The turnover, balance sheet, and number of employees to classify the registering entity as a medium or large enterprise according to Recommendation 2003/361/EC. Turnover must be calculated considering any links with other companies, specifically:
• for affiliated enterprises (ie where one company holds the majority of voting rights or has a dominant influence over another), the personnel and turnover data of the controlling company must be fully consolidated; and
• for associated enterprises (ie where one company holds between 25% and 50% of another), the data of the holding company must be proportionally consolidated based on the participation share.
• The types of entities listed in Annexes I, II, III, and IV of the NIS Decree to which the registering entity belongs.

Additionally, there’s an obligation to declare any affiliated companies that either meet or satisfy at least one of the criteria outlined in Article 3, paragraph 10, concerning the registering entity. For example, the registering company must indicate affiliated companies providing ICT or security services.

The goal of this procedure is to enable ACN to identify, in addition to the registering company, any affiliated enterprises that perform critical activities related to cybersecurity risk management for the registering company, or vice versa.

The registration process is complex and requires a thorough preliminary analysis of the entity’s structure, and its relationships with other companies in the group concerning cybersecurity and, more broadly, IT system management.

Sanctions

Entities that fail to register, communicate, or update information on the ACN portal could be subject to an administrative fine:

• For essential entities, up to a maximum of 0.1% of the total worldwide annual turnover for the previous financial year.
• For important entities, up to a maximum of 0.07% of the total worldwide annual turnover for the previous financial year.

Companies falling within the scope of the regulation have little time left to complete their assessments and register on the ACN portal.

Author: Giulia Zappaterra

NIS2 ’Safeguard Clause’: Decree published with application criteria

The Decree of the President of the Council of Ministers No. 221 of 9 December 2024 has been published in the Italian Official Journal (Gazzetta Ufficiale). It contains the Regulation on the criteria for the application of the safeguard clause provided for by Legislative Decree No. 138 of 4 September 2024 (the Decree through which the NIS2 Directive was transposed in Italy).

The Regulation, which is already in force, reflects the guidance set out in Recital 16 of the Directive, clarifying the requirements for companies seeking to invoke the “safeguard clause” and the associated benefits.

Safeguard clause

The safeguard clause, provided for in Article 3 (Paragraphs 4 and 12) of the NIS2 Decree, offers the possibility for companies that fulfil the criteria not to be subject to disproportionate obligations arising from the legislation, if they can demonstrate that they operate with a high degree of autonomy from the group they belong to.

The clause states – in the way described in Article 6(2) of Recommendation 2003/361/EC – that companies can exclude headcount and accounting criteria data concerning linked companies from the calculation of company size.

Who can request the application of the clause

Article 3 of the new Regulation sets out the two criteria that individual organizations have to meet for the application to be accepted.

The criteria appear to be particularly stringent, requiring jointly:

• the total independence of the company’s own NIS and network systems from those of linked companies, meaning the affiliated entities’ systems don’t in any way contribute to the functioning of the undertaking’s NIS and network systems; and

• the total independence of the company’s NIS activities and services from those of linked companies, such that the affiliated entities’ activities and services don’t contribute in any way to the company’s operations or the provision of its NIS services.

Paragraph 2 of Article 3 further specifies that the application of the clause cannot be requested by those entities to which the NIS2 Decree applies only by virtue of Article 3 paragraph 10 (companies linked to essential or important entities to which one of the conditions specified therein is fulfilled).

Timing and application procedure

According to Article 4 of the Regulation, the application of the safeguard clause must be requested when the organization registers, by filling in the appropriate fields (CRT.4) of the NIS Declaration on the digital platform made available by the National Cybersecurity Agency (ACN). The Agency will communicate its response through the same platform.

Conclusions

The introduction of a safeguard clause in NIS2 seems to be intended to balance the needs of IT security with the need to avoid overly burdensome regulations for companies that, although belonging to large groups, individually considered had small numbers (eg micro and small enterprises) and/or operated with a certain degree of autonomy.

Instead, the new Regulation opts for a strict application of the Decree, requiring very clear conditions (total independence) and limiting how organizations can exclude group metrics from their calculations.

With the deadline for registration now imminent (28 February), the clarification is nevertheless very helpful in raising awareness for organizations and their contact points.

Author: Gabriele Cattaneo

 

Intellectual Property

UPC: Court can order compensation for damages deriving from an infringement assessed by a national court

On January 16, the Court of Appeal issued an important decision in the matter of jurisdiction and damages for infringement.

The decision stems from a dispute brought before the Düsseldorf Regional Court long before UPC started operations. The proceeding ended with an assessment of infringement of a patent on a compact module for the electrolytic production of aluminum and a general order for the defendant to pay damages.

Following this decision, the patent-holder brought a proceeding before the UPC and before the Hamburg Local Division, seeking compensation for the damages resulting from the infringement already found by the German judges. In response to the defendant’s preliminary objection, the Court of First Instance declared not to have jurisdiction. According to Local Division, the UPC doesn’t have jurisdiction to rule on a claim for damages arising from a patent infringement established by a national court and not by the UPC.

This led to the present ruling, in which the court upheld the appeal against the first instance decision. During the appeal proceedings, the parties argued about the interpretation of Section 32(1)(a) UPCA. The Court of Appeal, referring to the criteria of interpretation of the Vienna Convention on the Law of Treaties, pointed out that, although the provision includes infringement actions among the matters falling within the competence of the UPC, it doesn’t preclude the UPC from deciding only on the damages resulting from the infringement, without necessarily having to decide on the merits of the infringement.

This interpretation is also confirmed by other provisions of the UPCA, including Section 32(1)(f), which, although not applicable to the present case, provides that the UPC can decide on actions for damages arising from infringement prior to the grant of the patent. The Court of Appeal considers it illogical to exclude the jurisdiction of the UPC for damages resulting from infringement of the patent when it is recognized ex lege for damages related to the provisional protection offered by the publication of the application.

In its reasoning, the Court of Appeal also examined the competence of the UPC to decide on damages for infringement established by a national court in the context of the Brussels I bis Regulation. This regulation rules on the enforcement of judgments in civil and commercial matters. In this respect, the judges of the Luxembourg Division ruled out any conflict of laws, pointing out that the UPC, as a court common to several member states, must be considered in the same way as a court of a member state under the Regulation. This entails the automatic recognition of judgments given by national courts in the UPC system, as provided for in Article 36 of the Regulation.

The court also confirmed its jurisdiction to rule on infringements committed before the entry into force of the UPCA on 1 June 2023, provided that the European patent applied for is still valid and effective on that date.

Finally, the Court of Luxembourg, in reforming the first instance decision, highlighted the efficiency of the solution, which provides for the possibility (already stated for in the laws of some UPCA member states) of bringing two separate actions for assessing the infringement and for the quantification of damages.

Author: Laura Gastaldi

Analyzing EUIPO study on the protection of Geographical Indications for craft and industrial products

Introduction

Geographical Indications (GIs) are fundamental legal instruments for protecting and enhancing products whose qualitative or reputational characteristics are closely linked to their geographical origin. Although historically associated with agricultural and food products, GIs are also gaining increasing importance in the area of craft and industrial products.

The European Union Intellectual Property Office (EUIPO) published a detailed study in December 2024, entitled “Study on EU Member States’ potential for protecting craft and industrial Geographical Indications”, which analyses existing regulatory frameworks and practices in the various member states. This article aims to expand on the results of the study with a specific focus on Italy.

Regulatory framework

Regulation (EU) 2023/2411, which was published in the Official Journal of the European Union on 27 October 2023, and entered into force on 16 November 2023, introduced a harmonized regulatory framework for the protection of GIs of artisanal and industrial products in all member states.

As of 1 December 2025, it will be possible to submit applications to register Protected Geographical Indications (PGI) for these product categories as well. In Italy, the Ministry of Enterprise and Made in Italy has pointed out that products (eg natural stones, wooden objects, jewelry, textiles, lace, cutlery, glass, porcelain, leather and skins) that have an intrinsic link with specific Italian geographical areas will be able to benefit from this new protection regime.

Background and objectives of the study

The EUIPO study is based on a comparative analysis of national regulatory frameworks, supplemented by interviews with industry experts and representatives of the competent authorities. Various aspects were examined, including registration procedures, requirements for obtaining GI protection, control mechanisms and enforcement measures. In addition, the study considered the cultural and historical peculiarities of each country, recognizing the importance of diversity in European craft and industrial traditions.

Through this analysis, the study aims to support legislators and stakeholders in developing effective strategies to protect and promote European traditional products.

Main Results

• Diversity of regulatory frameworks: significant heterogeneity has emerged among member states regarding GI protection for craft and industrial products. Some countries have well-established and specific systems, while others rely on general IP regulations or don’t provide any specific protection for these product categories.
• Good practice examples: countries such as France have implemented robust systems for protecting GIs in the craft and industrial sectors, offering models that could be adopted by other member states.
• Common challenges: among the main difficulties encountered are a lack of awareness among producers about the benefits of GIs, bureaucratic complexities in registration procedures and the need for effective control to prevent abuse and counterfeiting.

As far as Italy is concerned, the study highlights several key points.

• Rich craft and industrial heritage: Italy has a long tradition of high-quality craft and industrial products, many of which are associated with specific regions. Emblematic examples include Murano glass, Deruta ceramics, Carrara marble, Caltagirone ceramics and Como textiles. These products not only represent Italian manufacturing excellence but also contribute to the country’s cultural identity and heritage.
• Pre-existing legal framework: before the adoption of Regulation (EU) 2023/2411, Italy didn’t have a specific system for the protection of GIs in the craft and industrial sector. Protection was often obtained through collective trademarks or certificates of origin, which didn’t offer protection equivalent to that of GIs in the agri-food sector.
• Opportunities arising from the new regulation: the implementation of the new regulation offers Italy the opportunity to fill this regulatory gap by providing specific and harmonized protection at European level for artisanal and industrial products. This will enable Italian producers to better protect their products from imitations and misuse of the geographical name, while guaranteeing consumers the authenticity of the products.
• Challenges in implementation: the study also highlights some challenges Italy might face in implementing the new GI system for artisanal and industrial products. These include the need to raise awareness among local producers of the importance of GI registration, defining clear and detailed production specifications and establishing effective control and surveillance mechanisms to ensure compliance with product specifications.

Implications for Italian producers

For Italian producers, the possibility of registering GIs for artisanal and industrial products represents a significant opportunity to enhance and protect their production. Registering a GI can offer several advantages:

• Legal protection: once registered, the GI provides legal protection against unauthorized use of the geographical name, enabling producers to take legal action against imitations or misuse.
• Product valorization: the GI acts as an indicator of quality and authenticity, increasing the perceived value of the product on the market and potentially allowing producers to charge a premium price.
• Territorial promotion: GIs help to promote regions of origin by supporting tourism and other related economic activities.

Conclusions

The EUIPO study emphasizes the importance of strengthening GI protection for artisanal and industrial products in the EU. It recommends promoting awareness among producers about the advantages of GIs, simplifying registration procedures and implementing effective control mechanisms. Furthermore, the harmonization of regulations at the European level could offer more consistent protection and further enhance the EU’s cultural and industrial heritage. For Italy, this is a significant opportunity to enhance and protect its manufacturing excellence, while promoting economic development and safeguarding local traditions.

Implementing the proposed recommendations could have a significant impact on the European economy, contributing to the valorization of traditional products and strengthening the competitiveness of artisanal and industrial enterprises. Effectively protecting GIs can increase consumer confidence by guaranteeing the authenticity and quality of the products.

Author: Maria Rita Cormaci

 

Technology Media and Telecommunication

New measures against fake online reviews in Italy

On 14 January 2025, the Council of Ministers approved the annual bill on small and medium-sized enterprises (the Bill). Chapter IV of the Bill, titled “Fight Against Fake Reviews”, regulates online reviews in specific sectors deemed particularly affected by this phenomenon.

The Bill primarily aims to curb the spread of fake online reviews in the restaurant and tourism attraction sectors. It introduces measures to ensure that those publishing reviews have actually used the product or service in question. It also establishes time limits for posting reviews.

Scope of the measures

The Bill applies exclusively to reviews concerning products, services, and performances offered by:

• restaurants in Italy
• tourist sector establishments (eg accommodation, spas) in Italy

It also applies to any form of tourist attraction offered in Italy.

The scope of application is significantly limited, and the Bill doesn’t apply to reviews related to products or services outside these categories.

Key measures introduced by the Bill

The Bill introduces several measures to ensure the authenticity and truthfulness of online reviews.

• Consumers wishing to publish a review must verify their identity and demonstrate they’ve actually used the service or product.
• Reviews must be posted within 15 days from the date of service or product use.
• Reviews must be sufficiently detailed and relevant to the type of product or service being reviewed.

The legal representative of the reviewed business has the right to respond to reviews and request they be removed if:

• the author of the review hasn’t actually used the product or service;
• the review is misleading, false, or excessively critical;
• the review is no longer relevant because:
• two years have passed since the service was used; or
• corrective action has been taken to address the issues raised in the review.

Finally, the Bill explicitly prohibits, under criminal penalties, the purchase or sale of reviews, ratings, or online interactions, regardless of their subsequent dissemination. This implies that a review can only be validly published on the platform where it was originally posted, and it can’t be reused on other platforms through any form of exchange or transfer.

Implications for hosting providers

Although the primary aim of the Bill is to protect SMEs from fake reviews that could potentially harm their businesses, its provisions – if approved – would also have a significant impact on hosting providers that allow users to post reviews.

Specifically, the Bill provides that:

• the Italian Communications Authority (AgCOM) must regulate and establish codes of conduct for intermediaries and platforms that facilitate online reviews. These codes of conduct should define measures aimed at effectively reducing the number of fake reviews by:
• verifying the identity of reviewers;
• ensuring reviews are written by consumers who have actually used the service or product;
• guaranteeing that reviews are sufficiently detailed and relevant;
• regulating the procedure for removing non-compliant reviews;
• the Italian Competition Authority (AGCM) must issue guidelines to help businesses adopt appropriate measures to ensure the authenticity of reviews, and procedures for monitoring and assessing compliance.

The Bill places an active responsibility on hosting providers to prevent and manage fake reviews. For instance, they may have to implement systems for verifying users’ identities, such as requesting identification documents, or to confirm service usage through proof of purchase, such as a receipt or booking confirmation.

Another key issue is managing review removal requests. If the Bill grants business owners the right to request the deletion of misleading or outdated reviews, hosting providers may face an increased number of removal requests. This would require the establishment of clear criteria to distinguish legitimate requests from unfounded ones, potentially requiring platforms to enhance their moderation processes or allocate more resources to handling disputes.

This legislation would further confirm the central role of hosting providers in ensuring the reliability of online reviews. But the extent of their obligations remains uncertain, as the Bill doesn’t specify the exact methods through which these measures should be implemented. To fully assess the practical impact of these requirements, it will be essential to follow the evolution of the Bill and the eventual adoption of the codes of conduct and guidelines.

Conclusions

The Bill introduces mechanisms aimed at improving the reliability of online reviews and preventing misleading content that could unfairly impact a business’s reputation. But some provisions, like the 15-day limit for posting a review, could be overly restrictive for consumers.

And the potential impact on hosting providers raises concerns about how platforms will have to adapt to new verification and moderation obligations. It’s crucial to monitor the progress of the Bill and subsequent regulatory developments to fully understand its impact on the digital ecosystem.

Author: Federico Toscani

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani,  Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse qui, and a comparative guide to regulations on lootboxes here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.