Innovation Law Insights

DLA Piper AI Journal – Diritto Intelligente

We wanted to start with a genuine thank you to our clients and our team for navigating a year in which AI moved from “experimental” to a core regulatory and business challenge.

Our Christmas gift is the December issue of Diritto Intelligente, the AI law journal of DLA Piper’s Italian Intellectual Property and Technology team: a clear, no-nonsense look at AI training and legitimate interest, EU digital simplification, AI risk management, and real cases where law meets reality. Think of it as holiday reading for those who enjoy GDPR, the AI Act, and governance frameworks – before a short break and a hopefully simpler, wiser 2026. The issue is available here.

 

Legal Break

AI governance – EU AI Act, privacy and innovation with Oliver Patel of AstraZeneca

This episode of Legal Leaders Insights from Diritto al Digitale explores how AI is transforming the pharmaceutical and life sciences sector while increasing regulatory and governance complexity. Giulio Coraggio of DLA Piper and Oliver Patel, Head of Enterprise AI Governance at AstraZeneca, discuss how AI governance works in practice, the interaction between AI innovation, privacy, and intellectual property, and the concrete impact of the EU AI Act, with a focus on enabling responsible AI without slowing innovation. The episode is available here.

 

Privacy and Cybersecurity

ACN clarifies the concept of “main establishment” under the NIS2 Decree

The Italian National Cybersecurity Agency (ACN) has published on its website an updated version of FAQs no. 2.8, 2.10, 3.1 and 3.15, providing relevant interpretative clarifications regarding the definition of “main establishment,” set out in Article 5 of Legislative Decree No. 138/2024, implementing the NIS2 Directive (the NIS2 Decree).

Relevantregulatory framework

Article 5, paragraph 1(a), of the NIS2 Decree provides that companies carrying out one of the relevant activities and with their registered office in Italy are subject to Italian jurisdiction. However, point (b) of the same paragraph introduces a specific regime for certain categories of entities (eg cloud computing service providers and managed service providers), for which jurisdiction must be determined by reference to the concept of main establishment.

Pursuant to Article 5, paragraph 2, of the NIS2 Decree, the main establishment in the EU is defined as:

• the member state in which decisions relating to cybersecurity risk management measures are predominantly taken;
• where it’s not possible to determine the member state or where those decisions aren’t taken within the EU, the member state in which cybersecurity operations are carried out;
• where neither of the above criteria applies, the member state in which the entity concerned has the establishment with the largest number of employees in the EU.

ACN’s interpretation

With the latest update of the FAQs, ACN clarified, on the assumption that the NIS2 Decree applies to the single legal entity, that the main establishment must be identified exclusively among the establishments of that same legal entity, without considering affiliated companies or their respective establishments.

According to this interpretation, a company that doesn’t have an operational establishment in Italy cannot be subject to Italian jurisdiction, even where Italy could theoretically qualify as the main establishment, for example because decisions relating to cybersecurity risk management measures are taken there by the parent company.

The criterion of the main establishment may in fact apply only where the same legal entity has several establishments in different member states, or branches without legal autonomy. Conversely, in the case of affiliated companies that don’t have an establishment in Italy, following this interpretation, they cannot be subject to Italian jurisdiction for the purposes of applying the NIS2 Decree.

Conclusions

The updated FAQs clarify the interpretative approach adopted by ACN with respect to the notion of main establishment for applying the NIS2 Decree, specifying that the assessment must be carried out with reference to the single legal entity.

Author: Federico Toscani

 

Intellectual Property

Euipo’s Common Practice on distinctiveness of slogans

In November, the EUIPO adopted Common Practice CP17 on the assessment of the distinctiveness of slogans. The document is the result of joint work between intellectual property offices and stakeholder associations and aims to establish shared and predictable criteria for determining when a slogan is capable – beyond its promotional function – of fulfilling the essential trademark function of indicating commercial origin.

Slogans have long constituted a particular category of signs: short, easily memorable phrases, often conveying advertising, emotional or value-based messages. Precisely because of this hybrid nature, situated at the intersection between commercial communication and distinctive signs, their registrability as trademarks has generated significant litigation over time. And decisions haven’t always been fully aligned across offices. Common Practice CP17 intervenes not by altering the existing legal framework – rooted in Article 7(1)(b) of the EU Trade Mark Regulation and Article 4 of the Trade Marks Directive – but by clarifying how those provisions should be applied specifically to slogans.

The criteria governing the registration of slogans as trademarks are relatively strict. Although the Court of Justice has established (Case C-398/08) that all signs must be assessed in light of the same principles, in practice slogans may be less readily perceived by the public as indicators of origin. The central issue is whether the sign is capable of distinguishing the goods or services of one undertaking from those of others, taking into account both the goods or services claimed and the perception of the relevant public.

The Common Practice clarifies that there’s no statutory definition of a “slogan”; rather, the concept has developed through case law. A slogan may have a strong promotional function while still being capable of indicating commercial origin. For registrability, however, it must display at least a minimum degree of originality or resonance, such that it requires the public to make an interpretative effort or triggers a cognitive process, even a limited one. The slogan doesn’t need to be particularly imaginative or surprising, but it must go beyond a purely laudatory, descriptive or motivational message.

Against this background, the Common Practice identifies a non-exhaustive list of factors that may guide the assessment of distinctiveness. These include the presence of multiple meanings, wordplay, elements of surprise or conceptual intrigue, a certain degree of originality or resonance, and the use of unusual syntactic structures or linguistic devices. Importantly, none of these elements is decisive on its own: the assessment must be global and conducted on a case-by-case basis. A slogan might be considered distinctive even if it meets only one of these criteria, just as it may lack distinctiveness despite the presence of one of them.

Another relevant aspect concerns what falls outside the scope of the Common Practice. CP17 focuses exclusively on slogans applied for as word marks and on the examination of inherent distinctiveness. It doesn’t address issues such as distinctiveness acquired through use, other absolute grounds for refusal, or procedural aspects specific to individual offices. This focused approach enhances the clarity and practical usability of the document, avoiding overlap with areas regulated elsewhere.

From a practical perspective, the extensive section devoted to examples is particularly valuable. Through concrete cases – many drawn from EU case law – the Common Practice illustrates how slogans perceived merely as invitations, value statements, or motivational messages are considered devoid of distinctive character, as they’re understood by the public solely as advertising. By contrast, slogans that prompt reflection, present a semantic “riddle,” or employ unexpected linguistic constructions may be perceived as genuine indicators of commercial origin and therefore accepted for registration.

For trademark owners and practitioners, the EUIPO publication is a useful tool for more accurately assessing the prospects of registering a slogan and for guiding creative decisions from the earliest stages of brand development. For offices, it contributes to greater consistency and predictability in decision-making, strengthening legal certainty in the internal market.

In an economic environment in which communication plays an increasingly strategic role, clarity regarding the boundary between an advertising slogan and a distinctive trademark is essential. CP17 fits squarely in this space, reminding us that not every phrase that’s effective from a marketing perspective is automatically registrable as a trademark. With the right balance between message and originality, a slogan can become a truly distinctive sign, capable of recognition and protection at the European level.

Author: Noemi Canova

 

Technology Media and Communications

AGCom: New implementing anti-spoofing measures for calls with mobile network CLI

With Resolution No. 271/25/CONS, published on 19 November, AGCom adopted a series of implementing measures of those in Resolution No. 106/25/CONS, aimed at countering the phenomenon of spoofing, the practice of manipulating or altering information regarding the calling line identity (CLI), which prevents the originator of a telephone call being identified or traced.

The resolution complements Resolution No. 106/25/CONS, through which the Authority, last June, introduced the Regulation containing provisions for the protection of end users in terms of transparency in providing electronic communications services and in presenting the calling number (CLI), including technical measures for blocking calls originating from abroad with an altered telephone number (CLI).

Resolution 106/25/CONS also established a technical working group tasked with analysing the feasibility of measures for blocking calls from fixed and mobile numbers not in use by end users. Within this framework, operators highlighted the need for clarifications from AGCom regarding certain specific cases of calls originating from abroad, which weren’t explicitly addressed in the resolution, including:

• international calls from numbers for specialised mobile and personal services (such as mobile satellite services);
• international calls from numbers used for machine-to-machine (M2M) communication services;
• international calls from mobile numbers corresponding to operators that haven’t implemented the APIs (Application Program Interfaces) provided under Resolution 106/25/CONS, necessary to verify whether the called user is actually roaming internationally.

To address these operational needs, Resolution No. 271/25/CONS defines the implementing methods for blocking spoofing calls in the above cases, which weren’t explicitly covered by Resolution 106/25/CONS. The measures provided for by Resolution No. 271/25/CONS include:

• extending the obligations introduced by Resolution 106/25/CONS to providers of specialised mobile and personal services and machine-to-machine (M2M) communication services (art. 1);
• operators that don’t generate outbound calls from abroad (art. 1);
• introducing a procedure for blocking calls originating from abroad with CLI from mobile operators that haven’t implemented the measures under Resolution 106/25/CONS that allow verification that the calling number corresponds to a user who is actually roaming internationally (art. 2).

Authors: Massimo D'Andrea, Matilde Losa

 

Legal Design

Legal Design Tricks – Little tips to use legal design in your daily activities

Trick #12: How to explain AI

The new Italian Law on AI has officially come into force – and it speaks the language of principles, accountability, and transparency.

But what does “transparency” really mean in the context of AI? And how can we turn it into something useful for people, not just another compliance requirement?

In this episode of Legal Design Tricks, we explore what European and Italian regulations say about transparency and explainability, and how legal design can make these principles clear, tangible, and actionable in practice.

1. What the AI Laws Say About Transparency

The EU AI Act

The European AI Act introduces a set of transparency obligations for both providers and users of AI systems.

For example:

• 50 – Users must be clearly and recognisably informed when interacting with an AI system.
• 13 – High-risk AI systems must be designed to ensure transparency and explainability, including documentation of logic, decision-making processes, and datasets used.
• Even for limited-risk systems, user information remains essential: knowing that an algorithm stands behind a decision or a piece of content is a right, not an option.

Italian Law No. 132/2025

Italy is the first EU country to adopt a national AI law. In addition to implementing the principles of the AI Act, it introduces specific obligations on transparency, traceability and human oversight.

In particular:

• Information about AI systems must be provided in clear, simple, and accessible language.
• Users must be able to understand the risks, the logic behind the system and the effects of automated decisions.
• They must have the right to request explanations or a human review of a decision.
• In sensitive contexts (eg employment, healthcare, public administration), human supervision is mandatory.

In short: transparency isn’t just about saying there’s an algorithm – it’s about explaining how it works and how it impacts people.

2. Explainability: Turning transparency into understanding

Explainability is the qualitative side of transparency: it’s not enough to make processes visible – they must also be understandable.

• A system is transparent when it reveals that it exists.
• It’s explainable when it allows people to understand why it produced a given result.

In legal terms, this means enabling individuals to grasp:

• the logic behind an automated decision;
• the factors the AI considered when generating its output; and
• the limits and scope of human intervention.

The AI Act requires high-risk systems to provide context-appropriate explanations, tailored to the audience, because a judge, a doctor, and a general user don’t share the same needs (or the same technical language).

3. From principles to practice: What it means for legal design

The principles of transparency and explainability open a wide space for legal design to turn obligations into user-friendly experiences.

Here are three design levers to make transparency work in practice, and build trust along the way.

Inform to build trust

The obligation to inform can become an opportunity to build trust and credibility. AI notices shouldn’t be walls of text.

Tell users what the AI does, why it does it, and what they can (or cannot) do about it – using icons, diagrams, or micro-texts to illustrate key functions and limitations.

Example: “This system uses AI to detect anomalies in employee data → all outputs are reviewed by a human analyst → you can request a review within three days.”

Communicate at the right time

Users shouldn’t be overwhelmed with information all at once.

Show only what’s needed, when it’s needed: contextual hints, pop-ups or tooltips can make AI actions transparent without breaking the flow of interaction.

Short, clear, timely – that’s the golden rule of legal design for transparency.

Make rights navigable

Knowing that you have a right isn’t enough – you must be able to exercise it easily.

Create simple, guided flows for users to request a human review or clarification on AI-generated outcomes.

Example: “1. Identify the automated output → 2. Go to the AI Review section → 3. Fill in the request form → 4. Receive confirmation and tracking.”

By doing so, you don’t just comply with the law – you design a user experience that empowers people.

Did you know?

The Italian law refers to “algorithmic transparency” multiple times. That’s a clear message: it’s not enough to be compliant – you must be comprehensible.

Even before the AI Law, the 2022 “Transparency Decree” had already introduced obligations for employers using automated systems in the workplace.

Now, with the Italian AI Law, this evolves into a true right to transparency and digital explainability – two sides of the same coin: knowing and understanding.

So…

Have you noticed how the new AI law isn’t just a list of technical obligations?

It’s actually an invitation to rethink how we communicate the law – and how we make the technologies we use every day intelligible to everyone.

Legal design is the bridge between complex rules and real understanding. And explaining AI – with clarity, human language and visual thinking – is the first step toward making it truly ethical and trustworthy.

Author: Deborah Paracchini

 

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, , Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA)

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani