Abstract_Lights_P_0152

23 April 202514 minute read

Innovation Law Insights

23 April 2025
Podcast

NIS2 – The countdown to compliance in Italy has officially started

NIS compliance in Italy is no longer optional. The Italian cybersecurity authority (ACN) has formally notified impacted entities, starting the race to meet regulatory cybersecurity obligations.

Listen the podcast episode here.

Legal Leaders Insights | Dario Evangelista, Deputy General Counsel at Betsson on the gambling sector

In this episode of Legal Leaders Insights, Giulio Coraggio welcomes Dario Evangelista, General Counsel of Betsson Group, to explore how legal teams can drive innovation while staying compliant in the fast-evolving world of iGaming.

Listen to the podcast here.

 

Artificial Intelligence

Legal challenges of AI, Deepfakes, and the NO FAKES Act

AI generated deepfakes create significant legal challenges regarding personality rights and content authenticity in the creative industry. The industry must balance technological innovation with protecting personality rights.

The US Legal Landscape: The NO FAKES Act

First introduced in 2023 and reintroduced in 2024 without making it through the legislative process, the federal NO FAKES Act – short for Nurture Originals, Foster Art, and Keep Entertainment Safe – is once again at the center of US legislative debate. Supported on a bipartisan basis, the bill aims to establish a uniform legal framework to protect individuals’ rights to their image and voice in the face of rapidly advancing generative AI technologies.

The latest version of the draft law, the result of months of negotiations with stakeholders from the tech and media sectors, seeks to curb the unauthorized use of deepfakes and digital replicas. It addresses the current patchwork of state-level protections, given that image and personality rights are typically governed by state law, with no consistent federal standard. If passed, the NO FAKES Act would introduce a federal private right of action and set clearer rules for the removal of unlawful content.

Key legal measures in the NO FAKES Act

The latest version introduces essential legal protections and enforcement mechanisms:

  • Obligations for online services: Platforms won’t be held liable for hosting illegal digital replicas if they promptly remove the content upon receiving a valid notice and inform the uploader. Platforms “designed or promoted” specifically to create deepfakes are excluded from these protections.
  • Investigation powers for rights holders: Rights holders will be able to obtain, through a court order, identifying information of anonymous users who uploaded content in violation of image rights.
  • Stricter safe harbor conditions: Service providers can only benefit from liability exemptions if they implement effective mechanisms for removing unlawful content and suspending repeat offenders.
  • Fingerprinting technologies: Platforms will be have to adopt digital identification tools (such as cryptographic hashes) to prevent the re-uploading of content that has already been flagged and removed.
  • Expanded definition of “online service”: The scope of the law is broadened to include search engines, ad networks, marketplaces, and cloud services, provided they register an agent with the Copyright Office.
  • Graduated penalty system: Fines range from USD5 thousand per violation up to USD750 thousandper piece of content, targeting platforms that fail to show good faith efforts in complying with the law.
  • No proactive monitoring obligation: In line with the DMCA, platforms don’t have to actively monitor content, but must act swiftly on valid notices to retain safe harbor protections.

Compared to earlier versions, the revamped NO FAKES Act has gained support from key players in the tech and entertainment industries, including major record labels and the Recording Industry Association. But the bill continues to raise concerns among civil liberties groups, who fear it could impose overly restrictive limits on freedom of expression.

Italy’s legal response: ANAD’s stand on AI deepfake

The reintroduction of the NO FAKES Act comes within a broader and increasingly sensitive context, particularly in sectors where the debate is heating up. One source of concern is the use of software for AI voice cloning and manipulation. For instance, such technology was recently used in the film The Brutalist to refine the Hungarian pronunciation of its two lead actors, altering their voices.

In this regard, ANAD – the Italian National Association of Voice Actors – has recently raised objections to the use of technologies capable of sampling actors’ voices without their consent and outside clear and shared regulatory frameworks. The association has specifically called for the recognition of voice as a biometric datum, comparable to a fingerprint, to ensure the broadest possible protection.

Italy’s dubbing industry is long-established and among the first to take regulatory steps. During the drafting of the new national collective bargaining agreement in June 2024, a specific clause was introduced to regulate the lawful (or unlawful) use of actors’ voices by AI systems.

How the EU AI Act regulates deepfakes

The AI Act defines a “deep fake” in Article 3(60) as “AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful.”  Article 50 of the AI Act introduces transparency obligations:

  • for Providers: Entities that develop AI systems capable of generating synthetic content (such as images, audio, or video) must ensure that outputs are clearly marked as artificially generated or manipulated. This involves embedding technical solutions like watermarks, metadata, or cryptographic markers to indicate the content’s artificial nature;
  • for Deployers: Organizations or individuals using such AI systems in professional contexts have to disclose that the content has been artificially generated or manipulated. This disclosure should be clear and provided at the latest upon the first interaction or exposure to the content.

There are exceptions to this disclosure obligation that apply to:

  • Artistic or Satirical Content: If the AI-generated content is evidently part of an artistic, creative, satirical, or fictional work, the disclosure can be made in a manner that doesn’t hinder the enjoyment or display of the work; and
  • Law Enforcement Use: AI systems authorized by law for purposes such as crime detection or prevention may be exempt from certain transparency requirements.

While deepfakes are generally categorized under “limited risk” AI systems, their classification can escalate to “high risk” if used in contexts that significantly impact individuals’ rights or society, such as political manipulation or defamation. High-risk classification entails stricter regulatory requirements under the EU AI Act.

Balancing Legal Protections and Innovation

In an era where faces and voices – especially those of public figures – are becoming valuable digital assets, using AI to replicate them strikes a sensitive chord and involves a wide range of legal areas: from privacy to personality rights, from defamation to financial damages resulting from unauthorized use. It will be crucial to strike a balance between creativity, innovation, and the protection of fundamental rights.

Author: Lara Mastrangelo

 

Data Protection and Cybersecurity  

Second phase of NIS2 implementation is underway: A summary of the three ACN resolutions

The Italian National Cybersecurity Agency (ACN) has published three key resolutions on its portal regarding the implementation of Legislative Decree No. 138 of September 4, 2024, which transposes Directive (EU) 2022/2555 (NIS2). These resolutions mark the start of the second phase of NIS2 implementation in Italy.

This overview outlines the main contents of the three resolutions, aiming to provide a useful summary for regulatory and operational compliance of the entities involved.

ACN Resolution No. 136117

Effective from April 15, this resolution updates and replaces the previous ACN resolution No. 38565 of November 26, 2024, concerning the use of the ACN portal and NIS Services. It reaffirms topics related to registration, annual updates of information, and the designation of representatives in the EU, while also introducing new roles, including:

  • Vice-point of contact: a natural person, distinct from the primary point of contact, appointed in the same manner and with the same functions, except for the ability to register the entity.
  • Secretary: a natural person who supports the point of contact and the deputy in their interactions with ACN.
  • Operator: a natural person who assists with the point of contact and the deputy by working directly with the NIS services.

Specifically, the point of contact can now invite additional users as operators and – at most – one user with the secretary role, who can perform certain operations on the ACN portal under the direction of the point of contact.

The resolution also provides detailed guidance on the annual update of information under Article 7, paragraphs 4 and 5, already communicated to NIS2 subjects by ACN in recent days. This resolution will be further updated by June 30, 2025.

ACN Resolution No. 136118

Also effective from April 15, this resolution outlines the procedures for NIS2 subjects to notify ACN of their participation in voluntary agreements for sharing cybersecurity information, as per Article 17 of the NIS2 Decree.

Specifically, NIS2 subjects must submit, via the dedicated digital platform, a communication including the full text of the agreement, its official name, and a detailed list of participating entities. The mandatory annual update of the submitted information aligns with the broader update process under Article 7, paragraph 4 of the NIS2 Decree, to be carried out each year between April 15 and May 31.

Any changes to previously notified agreements must be promptly communicated to ACN within 14 days of the modification. Additionally, by May 31, 2026, entities must notify ACN of agreements already active and signed before the entry into force of the NIS2 Decree.

ACN Resolution No. 164179 and related annexes

This resolution, coming into force from April 30, defines the minimum technical specifications required to meet cybersecurity and significant incident notification obligations under Articles 23, 24, 25, 29, and 32 of the NIS2 Decree.

It introduces detailed technical requirements provided in four annexes:

  • Annexes 1 and 2: outline the mandatory minimum-security measures for “important” and “essential” entities, respectively, regarding cybersecurity risk management requirements. Important entities must implement 37 measures across 87 requirements, while essential entities must adopt an additional 6 measures and 29 requirements, totaling 43 measures and 116 requirements.
  • Annexes 3 and 4: define the types of significant incidents that must be reported to ACN. Important entities must monitor three categories of incidents, while essential entities have to report four distinct incident types.

These minimum-security measures must be implemented within 18 months of receiving the official notification of inclusion in the NIS list. Incident notification obligations will begin 9 months after the same notification, with full implementation expected by January 2026.

The resolution also includes specific obligations to ensure the security and resilience of Domain Name System (DNS) services, pursuant to Article 29 of the NIS2 Decree, as well as clarifications on notification obligations for entities within the National Cybersecurity Perimeter.

Finally, a transitional regime is defined for Operators of Essential Services (OES) under Legislative Decree No. 65 of May 18, 2018 (implementing the original NIS Directive) and for telecommunications operators.

Conclusions

With the publication of these resolutions, the second phase of implementing the NIS2 framework in Italy formally begins. Entities within the scope of the decree must promptly take steps to comply with the new measures and deadlines.

Author: Gabriele Cattaneo

 

Intellectual Property

UPC and long-arm jurisdiction: Paris Local Division issues another decision

On March 21, in proceedings between two manufacturers of security devices, the Paris Local Division of the UPC issued an interesting decision on jurisdiction.

The judges reaffirmed the principle recently established by the Court of Justice in the case of BSH v Electrolux and, even earlier, by the Düsseldorf Local Division (which we wrote about here and here, respectively), according to which the UPC can extend its jurisdiction to the infringement of European patents validated in countries that aren’t members to the UPC Agreement, when the defendant is domiciled in a UPC member state. But the court also seems to have suggested that this principle applies to defendants not domiciled in a UPCA member state.

The action, initially brought by a French company against a competitor domiciled in France and its Swiss subsidiary and subsequently withdrawn against the latter, concerned the alleged infringement of a European patent with unitary effect validated also in Spain, the UK and Switzerland. The defendant raised preliminary objection, asking the court to declare that it lacked jurisdiction to rule on the infringement of the European patent in non-UPCA member states, regardless of whether a counterclaim for invalidity had been brought.

The Paris Local Division, applying the principles recently established by the CJEU in BSH v Electrolux, dismissed the objection, confirming its jurisdiction to rule on the infringement in non-UPCA countries with respect to the acts committed by the defendant domiciled in France. In addition, with regard to the Swiss portion of the European patent, the court also affirmed its jurisdiction over the Swiss defendant, even though it was domiciled in a non-EU country. This, on the basis that the Lugano Convention – expressly referred to in Article 31 UPCA and to which Switzerland is a party – constitutes a legal basis comparable to the Brussels I bis Regulation.

If confirmed, this interpretation would extend the jurisdiction of the UPC to the infringement of European patents in non-UPCA member states, even against defendants who are not domiciled in a UPC member state.

Author: Massimiliano Tiberio

 

Technology Media and Telecommunication

AGCom initiates procedure for updating regulatory framework on mobile number portability

On April 1, the Italian Communications Authority (AGCom) published Resolution No. 12/25/CIR, by which it announced the initiation of a procedure aimed at updating the current regulatory framework on mobile number portability.

The initiative to update the regulatory framework on mobile number portability is part of the implementation of Article 98-duodecies, paragraph 1-bis of the Electronic Communications Code (Legislative Decree No. 259/2003 and subsequent amendments – ECC). Paragraph 1-bis has been introduced by Law No. 214/2023 (Annual Law for the Market and Competition 2022) and subsequently amended by Law No. 193/2024 (Annual Law for the Market and Competition 2023).

Article 98-duodecies, para. 1-bis (first sentence) of the ECC firstly prohibits providers of electronic communications networks or services from using information obtained through the mobile number portability database – or information collected for strictly operational purposes – to propose offers to end users that include access or usage conditions (including technical and economic conditions) that differ depending on the originating network or service provider. The procedures for monitoring and supervising the use of the database in accordance with this provision must be defined by the Authority through the update of the regulatory framework.

Paragraph 1-bis assigns AGCom the task of updating the regulation approved with Resolution No. 147/11/CIR (which governs mobile number portability procedures), introducing monitoring and oversight mechanisms to ensure the database for mobile number portability is used in accordance with the provisions of the first sentence of paragraph 1-bis.

Resolution No. 147/11/CIR, as supplemented by Resolution No. 86/21/CIR, mainly governs the technical and operational procedures through which users can retain their telephone number if they change operator. Resolution No. 86/21/CIR has made amendments and additions to the number portability procedure set out in Resolution 147/11/CIR. And it’s introduced measures aimed at increasing security in cases of SIM replacement (so-called SIM swap).

Interested parties can submit their comments regarding the procedure for updating the regulatory framework on mobile number portability by April 30, 2025.

The deadline for concluding the procedure is set for July 30, 2025 (subject to any suspensions).

Authors: Flaminia Perna, Matilde Losa

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo BardelliCarolina BattistellaCarlotta Busani, Noemi CanovaGabriele Cattaneo, Maria Rita CormaciCamila CrisciCristina CriscuoliTamara D’AngeliChiara D’OnofrioFederico Maria Di VizioNadia FeolaLaura GastaldiVincenzo GiuffréNicola LandolfiGiacomo LusardiValentina MazzaLara MastrangeloMaria Chiara MeneghettiDeborah ParacchiniMaria Vittoria Pessina, Marianna Riedo, Tommaso RicciRebecca RossiRoxana SmeriaMassimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’AndreaFlaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio CoraggioMarco de MorpurgoGualtiero DragottiAlessandro FerrariRoberto ValentiElena VareseAlessandro Boso CarettaGinevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.

Print

Related capabilities

Intellectual Property