
29 September 2025
Innovation Law Insights
Artificial Intelligence
Italy passes its own law on artificial intelligence: the AI bill has been approved
During the session of 17 September 2025, the Italian Senate approved Bill No. 1146-B, entitled “Provisions and delegated powers to the Government regarding artificial intelligence.” The text, adopted without further amendments to that approved by the Chamber of Deputies on 25 June 2025, has thereby become law and now only awaits publication in the Official Gazette to come into force.
The new law (the AI Law), divided into 28 articles split into six chapters, outlines fundamental principles, areas of application, national strategies, protection of rights, responsibilities, and international cooperation in the field of artificial intelligence (AI). It does not introduce new obligations with respect to Regulation (EU) 2024/1689 (AI Act), but rather complementary provisions based on the requirements delegated to Member States by the AI Act itself and to account for the specificities of the national context.
The Senate's final approval upheld the amendments introduced by the Chamber of Deputies, which had eased certain technical constraints and redefined control mechanisms, while introducing clarifications and additions aimed at strengthening consistency with the European framework and expanding democratic and social guarantees. The conclusion of the legislative process therefore hands the country its first national regulatory framework on artificial intelligence: an important framework, but one that, as we will see, still needs to be filled in.
Content of the Italian AI Law
The Italian AI Law is inspired by the guiding principles of the AI Act, namely the centrality of fundamental rights, proportionality of rules, safety and transparency, but differs in its approach. While the European regulation adopts a cross-cutting approach based on risk levels applicable to all sectors (with a few sectoral exceptions, for example with regard to certain high-risk AI systems in the financial and insurance sectors), Italian rules focus on specific areas considered to be of particular relevance:
- Healthcare: Article 7 expressly prohibits the use of AI systems to select or condition access to healthcare services, imposes an obligation to inform patients about the use of AI technologies, and requires continuous performance measurement to minimize the risk of errors; at the same time, it reiterates that artificial intelligence must remain a mere support to prevention, diagnosis, and treatment, leaving the doctor with the ultimate responsibility for clinical decisions and the burden of monitoring and verifying the outputs of the systems.
- Scientific research: Article 8 classifies the development of AI systems in the healthcare sector by non-profit private entities or IRCCS (Scientific Institutes for Research, Hospitalization and Healthcare) – as well as by public and private actors in partnership with such entities – as being of significant public interest, pursuant to Article 9(2)(g) of the GDPR. This allows for the processing of personal data without the consent of the data subjects. However, the lawfulness of the processing remains subject to prior notification to the Data Protection Authority. Article 8 also allows, subject to notification to the data subjects, the processing of personal data – including sensitive data – for the purposes of anonymization, pseudonymization, or synthesization for scientific research activities, also in the field of sports, in compliance with the general principles of the law and the economic rights of the organizers of competitive activities.
- Work: Article 11 requires employers to adequately inform workers about the use of AI systems. In doing so, the provision is in line with the rules already defined by Italian legislation on the remote monitoring of workers but establishes a broader information obligation than that provided for in Article 26(7) of the AI Act, which applies only to high-risk AI systems. In addition, Article 12 provides for the establishment of a National Observatory tasked with monitoring the employment impacts of AI, developing regulatory strategies, and identifying the sectors most affected by digital transformation.
- Learned professions: Article 13 prohibits professionals from entrusting their work entirely to an AI system and imposes a clear and comprehensible obligation to provide information on the use of this technology. However, significant questions remain regarding the distinction between purely auxiliary and prevalent use, as well as the consequences of violations (which are already emerging in case law, for example, with a recent ruling by the Court of Turin that classified the filing of an unfounded appeal formulated with the use of AI without control and review by a lawyer as "lite temeraria", i.e., reckless litigation).
- Justice and public administration: Articles 14 and 15 establish that AI can only operate as a support tool and cannot replace the assessment and decision-making of human operators, while at the same time they promote training programs aimed at developing the digital skills necessary for the responsible use of technologies.
- Copyright: Article 25 explicitly extends copyright protection to works created with the aid of AI systems, provided that they are the result of the ‘intellectual work’ of the human author. This, however, leaves the definition of the criteria for the prevalence of human input over that of the AI system unresolved. The provision in question also allows reproduction and extraction (text and data mining) from lawfully accessible materials for the purpose of training AI models and systems, in line with the provisions of Articles 70-ter and 70-quater of the Italian Copyright Law.
- Procedural and criminal law: the legislator assigns exclusive jurisdiction to the courts for disputes relating to the functioning of AI systems (amendment to Article 9 of the Code of Civil Procedure), while introducing specific aggravating circumstances into the Criminal Code relating to the use of AI in the commission of crimes and regulating a new criminal offense aimed at punishing the unlawful dissemination of deepfakes.
As regards the competent authorities in the field of AI, Italy has designated:
- the Italian Digital Agency (AgID), as the notifying authority with the task of accrediting and monitoring the bodies responsible for verifying the compliance of AI systems; and
- the National Cybersecurity Agency (ACN), with the role of supervisory authority and, therefore, of enforcing AI regulations and imposing sanctions in the event of violations, as well as the leading authority for the use of AI for cybersecurity.
In the management of AI, the Bank of Italy, CONSOB, and IVASS maintain a sectoral supervisory role for the credit, financial, and insurance sectors. The powers of the Italian Data Protection Authority and those of AGCOM as Coordinator of Digital Services under the Digital Services Act also remain unaffected. However, the designation of AgID and ACN, which are government authorities, appears to overlook the requirement of independence already highlighted in the opinion on the first draft of the AI Bill issued by the European Commission in November 2024 (C(2024) 7814). Leveraging the requirements of independence and the interrelationship between AI and data protection, including automated decision-making processes, in the spring of 2024, the Italian Data Protection Authority had written to Parliament and the Government to urge them to reconsider their choice.
Finally, Article 19 of the AI Law provides for the establishment of a Coordination Committee, tasked with supporting the Government in the development and implementation of the AI strategy, coordinating public and private initiatives, and ensuring an integrated approach between ministries, research institutions, and industry stakeholders.
A first in the EU, but with an as yet incomplete framework
Although the Senate's final approval made Italy the first European country to adopt a national law in line with the AI Act, the overall regulatory framework remains far from complete. Numerous provisions of the Italian AI Law remain suspended, pending the issuance of decrees, regulations, or guidelines that define the specific implementation methods:
- In the healthcare sector, the Ministry of Health will have to issue two decrees: one to regulate trials of projects based on AI and machine learning, with the creation of “testing grounds,” and the other to define the conditions for the use of AI systems in the healthcare sector. At the same time, AGENAS will be able to draw up guidelines for procedures for anonymizing personal data and creating synthetic data for scientific research purposes.
- In the labor sector, the establishment of the National AI Observatory remains subject to a decree by the Ministry of Labor, which will have to define its functions, tools, and methods of interaction with social stakeholders.
- Article 16 entrusts the Government with the adoption of legislative decrees to establish criteria on the data and algorithms used to train AI systems, a central and sensitive issue that will require the involvement of ministries, independent authorities, and parliamentary procedures. The issue is complex, as the training of AI systems has various legal implications, including in relation to the AI Act, intellectual property, privacy, and sector-specific regulations. Therefore, future interventions aimed at regulating this area will have to contend with a complex regulatory framework, taking care not to upset the balance.
- Article 19 delegates to the Government the preparation of the National Strategy for AI, intended to coordinate public and private initiatives between the State, businesses, universities, and research centers. We previously covered the Italian Strategy for AI in this article.
- Finally, Article 24 grants the Government a broad set of powers to adopt legislative decrees in various areas, including the regulation of AI use in the financial and insurance sectors, the adaptation of public administration, criteria for the adoption of AI systems, and the regulation of sanctions.
Conclusions
While it is true that the Italian AI Law is formally in line with the AI Act, as it does not introduce any new obligations or divergent definitions, it is still insufficient to ensure full alignment of the national framework with the European regulation. Effective harmonization will depend on the adoption of decrees and guidelines, a complex process that is likely to take a long time.
In the meantime, several provisions of the AI Act are already applicable immediately, and others will become operational in 2026, creating inevitable uncertainty for public and private operators, who are forced to navigate a dual regulatory environment. Ultimately, in the coming months, businesses and operators will have to focus primarily on the AI Act, where deadlines and obligations are already certain, while closely monitoring the evolution of Italian legislation to understand when and how these additional rules will become operational.
Authors: Giacomo Lusardi, Marianna Riedo
Data Protection and Cybersecurity
FaceBoarding, biometric data, and the limits of facial recognition in airports: the Italian DPA’s interim measure against SEA
With a decision adopted on 11 September 2025, the Italian Data Protection Authority (DPA) (Garante per la protezione dei dati personali) ordered the temporary suspension of the “FaceBoarding” facial recognition system implemented by SEA S.p.A. at Milan Linate Airport.
The decision represents a particularly significant moment in the process of defining the legal rules applicable to facial recognition systems in the airport context. The intervention, in fact, follows the path traced at the European level by the European Data Protection Board (EDPB), with its Opinion No. 11/2024, a document that analyses, from the perspective of compatibility with Regulation (EU) 2016/679 (GDPR), the use of facial recognition aimed at streamlining passenger flows at airports.
Specifically, the EDPB identified four distinct scenarios, each characterized by a different degree of protection of the rights and freedoms of data subjects, thus distinguishing situations compatible with the GDPR from those that must instead be considered unlawful. The first two scenarios, considered in line with EU law, involve processing methods that greatly limit the risk of harm to the rights of the individuals involved:
- The first case (i) is based on the storage of the biometric template solely by the data subject: the template remains on the passenger’s personal device and is not transferred to or processed by third parties; authentication occurs locally, so the data never leaves the data subject’s sphere of control (Opinion, Sec. 3.2.1).
- The second scenario (ii), while allowing for centralised storage within the airport, requires that the template be encrypted with a secret key known only to the passenger, who thereby retains exclusive control over the processing and access to their biometric data (Opinion, Sec. 3.2.2).
Conversely, the Board found two other scenarios to be non-compliant with EU law, as they involve more invasive and less transparent methods of biometric data collection and storage:
- The third situation (iii) involves centralised storage of biometric templates in a database located within the airport and under the control of the airport operator, without the data being encrypted with a personal key of the data subject (Opinion, Sec. 3.2.3.1).
- The final scenario (iv) envisages the storage of data in a cloud accessible by the airline, with even greater risks in terms of localization, control, and security (Opinion, Sec. 3.2.3.2).
The third scenario (iii) clearly corresponds to the FaceBoarding system implemented by SEA, as confirmed by the inspection activities carried out by the DPA. Documentary evidence shows that the biometric template of passengers is generated and stored entirely in SEA’s centralised systems, whether enrolment in the service occurs through physical kiosks at the airport or via the mobile app provided by the company. In the latter case, the Digital Travel Credential stored in the app merely retains the facial image acquired via selfie and the identifying data from the passenger’s ID document, while the actual biometric template is processed and stored on company servers, thus remaining outside the data subject’s control. Not only that: the information notice provided by SEA to users was found to be inaccurate, stating that the biometric model would be stored exclusively on the passenger’s smartphone. This claim, refuted by the technical findings of the Authority, violates Art. 13 of the GDPR, which requires transparency and accuracy of the information provided to data subjects. Another critical issue arises from the failure to use encryption techniques for the storage of biometric templates in SEA’s systems, in violation of Art. 32 of the Regulation, which requires the adoption of appropriate technical and organisational measures to ensure data security. The situation is further aggravated by the fact that, in cases of enrolment in the “Long-Term Programme”, biometric data are stored for up to twelve months: a retention period excessive in light of the principles of data minimisation and storage limitation, thus breaching Arts. 5(1)(e) and 32 GDPR. Particularly concerning, finally, is the fact that FaceBoarding gates can be used even by passengers who are not enrolled in the system. 
In such cases, as confirmed by the investigation, a facial image is nonetheless captured and a biometric template generated, despite the absence of explicit consent from the data subject or an appropriate legal basis. This practice clearly violates Art. 6 GDPR, which makes lawful processing conditional upon the existence of at least one of the legal grounds provided by the Regulation.
In this context, given also the very high number of individuals involved (24,550), the DPA deemed it necessary to adopt an urgent measure, ordering the provisional restriction of biometric data processing at Milan Linate Airport through the FaceBoarding system. The measure takes immediate effect and aims to prevent the continuation of processing activities potentially harmful to the fundamental rights of data subjects, pending the conclusion of the investigation. The publication of the decision on the Authority’s website was also ordered, along with its entry in the internal register of measures adopted.
This decision by the DPA, firmly rooted in the interpretation offered by the European Board, thus assumes a systemic relevance: it does not merely sanction an unlawful processing activity, but rather strongly reaffirms the primacy of dignity and fundamental rights in the governance of emerging technologies – a systemic principle that must guide the entire regulatory and practical development of artificial intelligence.
Author: Giovanni Chieco
Intellectual Property
Europe Rewrites the Rules on Fashion Waste
On 9 September 2025, the European Parliament gave its final green light to a landmark revision of the Waste Framework Directive, introducing binding measures to reduce both food and textile waste across the EU. The act – already agreed by the Council earlier this summer – is now deemed adopted and will soon be signed by both co-legislators before publication in the EU’s Official Journal.
Extended Producer Responsibility for Fashion
At the heart of the new rules is the introduction of mandatory Extended Producer Responsibility (EPR) schemes for textiles. Within 30 months of the directive’s entry into force, every EU member state must set up a system that requires producers to cover the costs of collecting, sorting, and recycling the textiles they place on the market.
The scope is wide-ranging, covering clothing, footwear, accessories, hats, blankets, bed and kitchen linens, and curtains. Crucially, obligations extend beyond EU borders: non-EU producers selling into the single market via e-commerce will also fall under the regime. This ensures that online fast-fashion giants face the same accountability rules as European brands.
Micro-enterprises will benefit from an additional year to comply, but otherwise, no blanket exemptions are foreseen. The directive also allows EU countries to establish similar EPR schemes for other high-waste categories.
Confronting Fast and Ultra-Fast Fashion
The legislation explicitly empowers member states to address fast fashion and ultra-fast fashion practices in their EPR systems. Governments will be able to modulate producers’ financial contributions based on the environmental footprint of their products. This opens the door to higher fees for short-lived, low-quality garments that are hard to recycle, while rewarding companies investing in durability, repairability, and circular design.
This approach reflects mounting political and consumer pressure to tackle the environmental toll of the industry. In the EU alone, around 12.6 million tonnes of textile waste are generated annually, including 5.2 million tonnes of clothing and footwear – equivalent to 12 kilograms per person. Globally, less than 1% of textiles are recycled into new products.
By shifting costs from taxpayers to producers, EU lawmakers hope not only to improve waste management but also to steer the industry away from disposable business models and toward more sustainable practices.
Cutting Down Food Waste
Alongside textiles, the directive sets out binding food waste reduction targets to be met by 31 December 2030:
- 10% reduction from food processing and manufacturing;
- 30% per capita reduction from retail, restaurants, food services, and households.
These targets will be calculated against the average levels of 2021–2023, ensuring a robust baseline.
Parliament also pushed through an additional obligation: EU countries must require economic operators with a significant role in the food supply chain to facilitate the donation of unsold food that is safe for consumption, in order to prevent edible goods from becoming waste.
The EU currently wastes nearly 60 million tonnes of food annually (around 132 kilograms per person), underscoring the urgency of action.
Background and Legislative Process
The revision of the Waste Framework Directive was first proposed by the Commission in July 2023, as part of its broader efforts to tackle the bloc’s waste footprint. Every year, the EU produces:
- 60 million tonnes of food waste;
- 12.6 million tonnes of textile waste (including 5.2 million tonnes of clothing and footwear).
The second reading in Parliament confirmed the final text, after negotiations with the Council concluded earlier in 2025. With Parliament’s vote on September 9, the act is now formally adopted.
Next Steps
The law will now be signed by the Parliament President and the Council, and published in the Official Journal of the European Union. Member states will then have 20 months to transpose the directive into national law.
For the fashion sector, the reform represents the start of a new era of accountability: brands that once externalized the environmental cost of their products must now integrate waste management into their business models. How effectively member states design their EPR schemes – especially in relation to ultra-fast fashion – will determine whether this legislation becomes a turning point toward a circular, sustainable industry.
Author: Maria Vittoria Pessina
Technology, Media and Telecommunications
DSA: the EU General Court annuls the Commission’s decisions setting the supervisory fee owed by two operators designated as very large online platforms under the DSA
On 10 September, the General Court of the European Union annulled the European Commission’s implementing decisions that had set the amounts owed by two operators designated as very large online platforms (VLOPs) as supervisory fees under Regulation (EU) 2022/2065 (the Digital Services Act or DSA). The Court, however, ordered the temporary preservation of the effects of the annulled decisions for a maximum of twelve months from the date on which the judgment becomes final, in order to safeguard legal certainty and the continuity of supervisory activities.
VLOPs are providers of online platforms which, by exceeding certain thresholds reflecting the number of users within the EU, are classified as "very large" under the DSA.
Under the DSA, VLOPs (among others) – precisely because of their size – are subject to specific obligations. In addition, the Commission may impose annual fees on such operators, calculated in proportion to the average monthly number of active recipients of their services, in order to finance the supervisory activities carried out by the Commission under the DSA. These supervisory activities include, inter alia, the designation of VLOPs, the creation and maintenance of specific databases for information management and information sharing, the management of reporting and communication channels to the Commission and other activities such as monitoring and enforcement activities against providers.
The amounts of the fees owed by VLOPs are determined by the Commission through implementing decisions.
In the case at hand, the VLOPs concerned – the addressees of the Commission’s implementing decisions later annulled – each brought an action before the General Court.
The General Court annulled the contested decisions on the ground that the Commission could not establish the methodology for calculating the average monthly number of active users of VLOPs by means of implementing decisions. According to the Court, since this parameter is an essential element for determining the supervisory fee owed by VLOPs, its determination required the adoption of a delegated act as per the DSA.
As provided by the DSA, the Commission must, by means of delegated acts, define the methodology and detailed procedures for determining the individual annual supervisory contributions.
The General Court nonetheless considered that the contested decisions were not vitiated by defects such as to exempt the applicants from the obligation to pay the supervisory contribution to the Commission for 2023. It therefore ordered the preservation of the effects of the annulled decisions "until such time as the measures necessary to comply with the […] judgment have been taken, which must occur within a reasonable period that cannot exceed 12 months from the day on which the […] judgment becomes final", i.e. until the adoption of a delegated act governing the contributions owed by VLOPs.
On a related topic, see also the article "The Commission opens an investigation into a social network for breach of the provisions of the DSA."
Authors: Massimo D'Andrea, Flaminia Perna, Arianna Porretti
Gaming and Gambling
Italian Online Gambling Licences – 46 Operators Approved in Stage 2
The Italian gambling licence tender reached a decisive moment on 17 September 2025, when the Italian gambling authority, the Customs and Monopolies Agency (ADM), officially admitted 46 operators to Stage 2 of the online gambling licence application process.
This step represents a major milestone for Italy’s new online gambling market, but it is not the end of the journey: operators must now meet strict documentation and compliance requirements before their new concessions become fully effective.
The Stage 2 Approval
According to ADM’s determination, all 46 applicants that submitted bids before the 30 May 2025 deadline have been admitted. The Commission in charge verified that each application complied with the tender rules and that the operators met the minimum eligibility criteria.
The Stage 2 approval confirms the assignment of concessions for the online gambling verticals covered by Article 6 of Legislative Decree No. 41/2024, including online casino games, poker, bingo, and sports betting.
What Happens Next
Stage 2 approval is not the end of the process. Under ADM’s rules, the following steps are crucial:
- Documentation Deadline: Approved operators must submit the required documentation within 35 days of the award publication. This includes corporate, financial, and compliance paperwork listed in the administrative rules.
- Anti-Mafia Checks: Operators remain subject to the controls under Legislative Decree No. 159/2011, the so-called “Anti-Mafia Code”.
- Licence Execution: Only once these verifications are complete and the documentation approved will the licence agreements be signed and operators formally recognised as new concessionaires.
- Go-Live Period: Concessionaires will have up to six months to activate their platforms under the new regime, expected to be operational by March 2026.
Licence Fees and Duration
The financial structure of the new Italian online gambling licences is significant:
- Each licence costs EUR7 million per vertical, payable in two instalments:
  - EUR4 million upfront at award stage;
  - EUR3 million upon actual commencement of the gaming service by the concessionaire, to be activated no later than six months after the concession is granted.
- The licences will last for nine years, a notably longer period compared to the previous framework.
This cost structure, combined with ongoing tax obligations (24.5% on betting GGR, 25.5% on casino GGR, plus a 3% NGR annual fee), sets a high entry bar that will inevitably reshape the market.
Impact on Existing Operators
For operators that did not apply for a new licence, the transition rules are equally important:
- Their concessions will expire on 18 September 2025, unless they requested an extension by 5 September 2025.
- With an extension, they may continue operations only until 12 November 2025, at which point the old framework ends.
- They are also required to either close accounts or migrate player databases to operators approved in the new tender, following ADM’s guidance and ensuring compliance with GDPR and consumer protection standards.
This migration mechanism offers approved concessionaires a unique growth opportunity, as they may acquire entire player bases from operators leaving the Italian market. Read more (Italian Online Gambling License: A Unique Opportunity to Acquire Player Databases Before November 2025).
Market Outlook
The Stage 2 approvals mark the beginning of a new era for the Italian online gambling market:
- Consolidation is inevitable: with only 52 licences awarded to 46 operators, fragmentation will reduce, and stronger brands are likely to capture greater market share.
- Compliance and investment requirements are substantial, which may deter smaller operators but also increase the credibility of the market as a whole.
- Player protection remains central: ADM has confirmed obligations such as mandatory funding for responsible gambling campaigns (0.2% of GGR, capped at EUR1 million per year).
- Strategic opportunities are open for operators that can leverage player migrations, build local partnerships, and adapt quickly to ADM’s technical and reporting standards.
Key Deadlines to Remember
- 17 September 2025: ADM publishes the Stage 2 approval list.
- Within 35 days of publication: Approved operators must submit all required documentation.
- 12 November 2025: Extended concessions for non-applicants expire; account migrations must be completed.
- By March 2026: Expected go-live of new platforms under the reformed licence regime.
Are operators ready for the next steps?
The approval of 46 operators at Stage 2 of the Italian gambling licence tender is a turning point. While the process is far from complete, the foundations are now set for the relaunch of Italy’s online gambling industry under a modernised, nine-year framework.
For operators, the coming months are critical. Documentation, compliance checks, and migration strategies must be handled with precision — because missing a deadline now could mean missing out on one of Europe’s most valuable online gambling markets.
Feel free to contact me if you would like to discuss the above. On a similar topic, you can read the article “New Italian Guidelines for Certification in Online Gambling: Key Changes and Open Questions”. An outline of the Italian gambling law regime is also available in DLA Piper’s Gambling Laws of the World Guide.
Author: Giulio Coraggio
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.