Innovation Law Insights

Legal Break

Age verification in Italy: What adult content websites must do now

As part of our “Legal Break” video series, we discuss the impact of the Caivano Decree, which introduces a significant change: as of 12 November, pornographic websites have to adopt age-verification systems to prevent minors accessing them. Watch the episode here.

 

Artificial Intelligence 

AI in public procurement: Insights from the Italian Supreme Court Decision

The Italian Administrative Supreme Court, the Council of State, issued decision No. 8092/2025 which offers an important contribution to the ongoing discussion on the use of AI in public procurement and on the role of public authorities in authorising and supervising such technologies. While the court ultimately rejected the appellant’s claims, it took the opportunity to outline a set of principles that contracting authorities should follow when an economic operator proposes to use automated systems in preparing bids or performing contracts.

The case: AI in the technical offer and the commission’s discretion

The case arose from a tender for cleaning and sanitation services for entities in the National Health Service. The successful bidder stated that it intended to use AI tools as part of its operational model. The appellant argued that the evaluation committee had given disproportionate weight to this element and questioned the reliability of the assessment. The Council of State clarified that the committee had based its evaluation on a range of technical factors, and that the use of AI, while innovative, had not been decisive.

This point is significant: technological innovation cannot be assumed to be inherently advantageous, nor should it automatically raise concerns. It’s for the contracting authority to determine whether the proposed technology aligns with the contract’s objectives and complies with the legal obligations binding the administration.

The legal framework: Authorization, transparency and human oversight

The use of AI in public procurement is governed by a layered regulatory framework, starting with Legislative Decree 36/2023 (Public Contracts Code or the Code) and extending to the more recent Law No. 132/2025 on AI in public administration.

Article 30 of the Code expressly allows public authorities to rely on automated solutions, including AI systems, if specific principles are respected. Automated decision-making must be transparent and understandable for both the authority and the economic operators involved. AI systems can’t be used to make fully automated decisions: human oversight remains mandatory. Contracting authorities also have to ensure that the logic and functioning of the systems are knowable, providing access to source code and technical documentation, at least to the extent compatible with intellectual property protections.

Law No. 132/2025 further strengthens this framework by stating that AI can support – but never replace – administrative decision-making. A natural person must always remain responsible for the decision. As a result, adopting AI technologies in procurement requires a prior assessment by the contracting authority, which must authorise use only after understanding the logic, functionality and operational implications.

The role of the authority’s consent and authorisation

Whenever the use of AI involves processing personal data – like in the healthcare services – the regulatory requirements become more stringent. Article 35(5-bis) of the Code requires economic operators to submit their consent to data processing through the virtual dossier system. But this alone isn’t enough when sensitive data is involved.

In such cases, it’s the public authority that must expressly authorise the use of AI, after verifying compliance with the principles of technological neutrality, transparency, cybersecurity and data protection set out in Article 19 of the Code.

Authorisation plays a central role. It’s not a mere formality: it’s the moment at which the administration fulfils its duty to safeguard the public interest, assessing the level of control it will be able to maintain over the AI system during contract performance.

Algorithmic transparency and control over automated processes

A closely related issue is algorithmic transparency. Article 30 of the Code requires authorities to ensure that the logic behind automated systems used in procurement procedures is understandable. This means that a contracting authority cannot simply rely on a bidder’s general description of the technology. It must have access to the technical information necessary to evaluate how the system works and how it will be supervised.

Case law on access to administrative records – such as TAR Lazio Decision No. 11335/2018 – makes it clear that generic claims of technical confidentiality cannot restrict the right of access, especially when transparency is essential to verify the legality of administrative action. This implies that AI solutions must be subject to real and effective scrutiny, compatible with industrial property rights but sufficient to ensure full administrative accountability.

Data protection and the authority’s responsibility

Using AI in public procurement inevitably involves processing personal data. Law No. 132/2025 requires this processing to be lawful, fair and transparent, and mandates that data subjects receive clear and understandable information. In sectors involving highly sensitive data, such as healthcare, the authority must also ensure that the operator uses AI systems strictly aligned with the purposes for which the data was collected, and that any risks are properly mitigated.

The authority’s responsibility doesn’t end with authorisation. It must continue to monitor the use of AI during performance, ensuring that the technologies employed don’t generate unlawful, discriminatory or otherwise harmful effects.

Technological innovation, technical evaluation and judicial review

The decision also highlights that technological innovation can be taken into account in the context of the most economically advantageous tender. However, the introduction of AI still has to comply with the objective evaluation criteria set out in Article 108 of the Code and is subject to the limits of judicial review.

Case law – such as TAR Lombardia-Brescia Decision No. 1039/2016 – holds that technical evaluations by tender committees are generally not subject to judicial scrutiny unless they’re manifestly illogical, unreasonable, or based on factual errors. AI has to be assessed with the same rigor applied to other components of the bid: it’s neither inherently superior nor inherently suspect.

Conclusions

Council of State Decision No. 8092/2025 confirms that integrating AI into public procurement isn’t a unilateral decision by the economic operator. It requires informed authorisation and continuous oversight by the contracting authority. The administration remains solely responsible for any automated processes used in the contract and must therefore be able to understand, evaluate and monitor the proposed technologies.

The challenge ahead will be to build the internal expertise necessary to manage this technological shift, balancing innovation with the principles of transparency, data protection, security, and accountability that define public administration. AI can add value to public tenders, but only within a clear regulatory framework and under the supervision of an authority capable of truly governing how these systems operate.

Author: Dorina Simaku

 

Blockchain and Cryptocurrency

EU redrafts the rules against fraud and opacity with PSR and PSD3

The European Parliament and the Council of the European Union have reached a political agreement on the new Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3), with the aim of modernising the European framework for payment services, strengthening the fight against fraud, and increasing transparency for consumers and businesses. The agreement, announced on 27 November 2025, concludes the technical negotiations and introduces a package of measures that redesigns the responsibilities of payment service providers and large digital intermediaries and technology solution providers.

The new regulatory framework stems from the growing prevalence of increasingly sophisticated forms of fraud, including on online platforms and search engines, establishing for the first time a direct link with the due diligence obligations set out in the Digital Services Act (DSA). Platforms that fail to remove fraudulent content after a report will be liable to Payment Service Providers (PSPs) that have reimbursed affected customers. In addition, only operators duly authorised in a member state will be able to advertise financial services online.

PSR and PSD3 strengthen fee transparency, ensuring that users receive clear information before each transaction, and introduce structural measures to improve access to cash, particularly in rural areas, by authorising stores to provide cash withdrawal services without any purchase obligation.

Finally, the agreement aims to stimulate competition in the payments sector by requiring banks to ensure non-discriminatory access to accounts for open banking providers and by obliging mobile device manufacturers and operating system providers to allow, on fair terms, the use of the technical features necessary for the provision of payment services.

1. The new European anti-fraud infrastructure

The PSR-PSD3 package radically redesigns the relationship between users, payment service providers, and digital platforms. The two European institutions agree on a very clear message: the fight against digital fraud can no longer be left to the initiative of individual operators. Common rules, clear responsibilities and a systemic approach are needed to anticipate abuse before it results in economic or reputational damage. It’s precisely these new forms of social engineering that the legislator is addressing, giving service providers an active role rather than a merely reactive one.

1.1. IBAN verification, SCA and blocking suspicious transactions

The first line of defence involves clear and non-negotiable technical requirements. PSPs will have to verify that the beneficiary's name and international bank account number (IBAN) match, rejecting the transaction if there’s any discrepancy and immediately informing the payer. At the same time, all transactions must undergo strong customer authentication (SCA) and a risk assessment.

In addition, the receiving PSP will have to freeze any transaction that presents anomalies: a preventive mechanism that allows the chain of fraud to be broken before the money is dispersed. Users will be able to set spending limits and blocking tools, introducing an additional level of customisable protection.

1.2. Impersonation fraud

One of the most innovative measures concerns impersonation fraud. When a criminal induces the user to authorise a payment by pretending to be an operator of their PSP, the transaction is classified as fully unauthorised.

The consequence is radical: the PSP is responsible for full reimbursement, provided that the user reports the incident to the police and promptly informs their service provider. This is a reversal of the traditional paradigm: it recognises that, in today's digital landscape, the line between legitimate operators and imposters is increasingly blurred, and that consumer protection inevitably requires advanced technological safeguards.

1.3. The role of digital platforms

Parliament has achieved a significant result: for the first time, online platforms and search engines are taking on indirect responsibility in the anti-fraud chain, so that if they’re informed of the presence of fraudulent content and don’t remove it, they become liable to PSPs that have reimbursed the user who has suffered damage.

At the same time, financial services advertisers will have to prove to Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) that they’re authorised in the member state in which they operate, or that they’re acting on behalf of authorised entities: an essential filter to prevent the promotion of “ghost” services.

Finally, the package introduces a common-sense principle that’s too often overlooked. Users must be able to speak to a real person. PSPs will have to provide human customer service and not exclusively chatbot-based service.

2. Transparency of fees and access to cash: bringing clarity back to the payment experience

The other pillar of the PSR-PSD3 agreement speaks directly to the daily lives of European citizens: understanding how much you’re paying and being able to access your money even when ATMs are far away.

While the first section of the package addresses digital risk, this section tackles the more concrete and often problematic dimension of payments: opaque costs, unexpected fees and barriers to the use of cash.

2.1. A new grammar of transparency

For years, the real cost of a payment has remained shrouded in a certain opacity: fees retained by automated teller machines (ATMs), spreads applied to exchange rates, card circuit charges that aren’t always made explicit.

The new regulation radically changes this approach. Before each transaction, the customer must know exactly the costs applied, any currency conversion fees, and any other amounts that will be charged. It doesn’t matter who operates the ATM or which network is used: the principle is that the price must be known before the payment is authorised, not after.

This is a return to the essence of consumer protection in a sector that has for too long relied on technical complexity to justify information asymmetries. The obligation also applies to operators offering card acceptance services to merchants, who will have to clearly detail the fees applied.

2.2. Cash as an economic right

The package also introduces a measure that’s as simple as it is crucial: shops will be able to offer cash withdrawals of up to EUR150 (but at least EUR100), with no obligation to make a purchase. For many rural areas and peripheral communities, where ATMs are decreasing year by year, this isn’t a detail but a safeguard of financial inclusion.

2.3. Reducing the distance between consumers and charges

There’s one last piece that strengthens the framework of transparency: the merchant's trade name must match the name that appears on the customer's account statement. This detail is only obvious at first glance. Many disputes arise from legitimate payments that the user doesn’t recognise because the name displayed by the provider doesn’t match that of the point of sale.

3. The opening of the payments market: a new competitive balance

While the fight against fraud represents the defence of the infrastructure, the third pillar of the PSR-PSD3 package looks to the future of financial innovation. This is where the most delicate game is played: how to make the European payments market more open without sacrificing security, fair competition and user confidence.

3.1. Removing the barriers that hold back open banking

Since 2018, European open banking has only taken shape halfway. APIs were often not truly interoperable, Account Servicing Payment Service Providers (ASPSPs) erected implicit or explicit barriers, and Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) struggled to gain stable access to customer accounts.

PSR and PSD3 tackle this market distortion head-on: banks will no longer be able to discriminate against open banking service providers, who must be able to access account data under the same conditions as traditional services. The regulator even introduces a list of prohibited barriers to data access to prevent competition from being stifled by technically legal but essentially exclusionary solutions.

3.2. A single dashboard for your data

Users gain a power that seemed inconceivable just a few years ago: a dashboard to monitor and revoke the consent given to various providers.

This is a natural extension of the principles of the General Data Protection Regulation (GDPR): it’s not enough to grant access, it must be possible to revoke it at any time, using a simple and intuitive interface. This mechanism enhances transparency and reduces one of the most underestimated risks of open banking: forgotten authorisations that are never revoked and remain active in the background for years.

3.3. An open ecosystem, also from a technological perspective

Openness isn’t just about access to payment accounts. The new rules also require mobile device manufacturers and electronic service providers to allow payment apps to access the data necessary to initiate and authorise transactions, under fair, reasonable and non-discriminatory conditions.

3.4. Access to accounts for non-bank payment providers

Negotiators have also agreed that banks will have to grant payment institutions access to accounts on non-discriminatory terms. This is another step towards gradually bringing banks and non-banks closer together, reducing regulatory imbalance and promoting a market in which all players – old and new – compete on service quality rather than on established positions.

4. Simplification of authorisations: towards a more fluid regime, CASPs included

Alongside consumer protection and market opening, the PSR-PSD3 package addresses a third strategic issue: making the authorisation process for payment service providers simpler, more uniform, and more predictable. This isn’t a technical detail, but a step that could determine who will truly be able to compete in the new European ecosystem.

4.1. Clearer, faster more proportionate authorisation

The European legislator has acknowledged a chronic problem: under the Second Payment Services Directive (PSD2), obtaining authorisation as a Payment Institution (PI) was a long, costly, and often heterogeneous process between member states.

The result was a market in which competition was stifled at the entry stage.

With PSD3, the logic changes: authorisation remains strict, but becomes more linear, more harmonised, and calibrated to the operator's risk.

Four elements emerge as key:

• Solid prudential requirements, but more proportionate to the actual risk of the services provided.

  Initial capital is scaled according to the business model, preventing the authorisation process from discouraging smaller or highly specialised operators.

• More accurate own funds calculations, so as to prevent underestimation of risk but also regulatory excesses.

• Harmonised timelines between member states to avoid unjustified divergences that make it more convenient to establish oneself in some jurisdictions than others.

• More reliable budget forecasts, required as an integral part of the authorisation dossier: a way to anticipate not only the financial soundness but also the operational sustainability of the operator.

The result is an authorisation regime that doesn’t compromise on prudence but, for the first time, recognises that market entry is itself a factor of competitiveness.

4.2. The big news: the “fast track” for CASPs already authorised under MiCAR

A decisive point is the impact of the new package on the world of crypto-assets. Official sources make it clear: Crypto-Asset Service Providers (CASP) already authorised under the Crypto-Asset Markets Regulation (MiCAR) will have access to a simplified procedure for obtaining authorisation as a payment institution.

This isn’t an exemption, nor is it automatic. Risk control remains, as does the obligation to comply with all the prudential and operational safeguards required of traditional PSPs. However, the legislator recognises that CASPs have already undergone stringent supervision and that many checks –governance, financial soundness, AML, expertise of representatives, cybersecurity – shouldn’t be duplicated.

This decision sends a clear signal to the markets: Europe no longer considers the digital asset sector to be a foreign body, but rather a segment that can contribute to the competitiveness of the payments market, provided that it operates within a regulated and supervised framework.

4.3. A balance between rigor and openness

All this confirms the underlying philosophy of the European strategy: strengthening controls where they’re really needed, removing regulatory friction where the risk no longer justifies the administrative and regulatory burden.

Net of the technical challenges still to be addressed – implementation times, coordination with national rules, uniformity of anti-fraud systems – the PSR-PSD3 package represents a clear political statement: Europe wants a payments sector that’s as secure as critical infrastructure, as open as a competitive market, and as understandable as a basic service.

Authors: Andrea Pantaleo and Giulio Napolitano

 

Intellectual Property

Signs describing the subject matter of goods and/or services: EUIPO's new common practice

The recent adoption of Common Practice CP16 – “Signs Describing the Subject Matter of Goods and/or Services,” published just a few days ago, helps clarify when a sign should be considered descriptive of the content of specific goods or services so isn’t eligible for trademark registration.

The initiative responds to a well-recognised need – particularly evident in the digital era – to harmonise the criteria used by European trademark offices when assessing signs that refer to the theme, subject or content of a product or service. This assessment is especially relevant in areas like software, publications, games, educational services and advertising, where content is a key component of the offering.

From a legislative standpoint, the main reference is Article 4(1)(c) of the Directive 2015/2436. It excludes some trademarks from registration. Excluded trademarks include those that are exclusively composed of signs or indications that, in the course of trade, may serve to designate the kind, quality, quantity, intended purpose, value, geographical origin or the time of production of goods or of providing services, or other characteristics of the goods or services.

Against this backdrop, CP16 focuses its analysis on the subject matter of the goods or services and clarifies in which cases the nature of the goods or services makes the sign’s subject matter relevant. For goods, this occurs when they’re designed to convey information or content – such as books, magazines, software, electronic publications or games. For services, it occurs when their function consists of creating, disseminating or processing content, such as educational, editorial, writing or advertising services. In these categories, content isn’t a secondary element but a decisive factor in consumers' perception.

CP16 also sets out an assessment method based on four elements: defining the relevant public, identifying the meaning of the sign, analysing the nature of the goods or services and, finally, determining whether there’s a direct link between the meaning of the sign and the subject matter of the goods or services. The key question is whether the sign is perceived by the public – without any interpretative effort – as an immediate and relevant description of the theme or subject of the goods or services. Where a direct and commercially significant link exists, the sign can’t be registered as a trademark.

The examples provided in CP16 are particularly illustrative. Signs like “Rock Music” for music CDs and DVDs, “Crosswords” for magazines or “Ancient History” for educational software are considered descriptive because they clearly indicate the content of the product and reflect market expectations. Conversely, signs like “Nights” for books or creative expressions like “Angry Plumbers” for board games aren’t perceived as descriptive, as they don’t refer to a commonly recognised or predictable theme for those types of goods.

Particular attention is given to advertising services. CP16 clarifies that the object of the advertising – namely the product, service or sector promoted – may constitute the “subject matter” of the advertising services themselves, but only where there are genuine market segmentations or specialised structures that make the connection between the sign and the content immediately recognisable to the public. So terms like “Fashion” or “Food & Wine” are considered descriptive for advertising services, as the market includes agencies specialising in those sectors; by contrast, a term like “Lipstick” isn’t considered descriptive, as there’s no standalone advertising segment devoted exclusively to lipsticks.

CP16 doesn’t alter the existing legal framework but introduces shared interpretative criteria aimed at strengthening the predictability of decisions and supporting professionals and businesses in strategic trademark management. Public perception – assessed in light of the nature of the goods or services and market practice – plays a central role in this approach.

For law firms and intellectual property practitioners, CP16 offers a valuable tool for preventing objections, improving the quality of trademark applications and assisting clients more effectively. It’s an important step toward greater harmonisation in applying trademark law across Europe.

Author: Noemi Canova

 

Technology, Media and Telecommunications

AGCom Communication Markets Monitoring System for the first half of 2025

The Italian Communications Authority (AGCom) has published the Communications Markets Monitoring System No. 3/2025 with data for the first half of 2025.

The data reveals that the total number of direct fixed-line accesses at the end of June 2025 didn't register any substantial change compared to June 2024, amounting to approximately 20.54 million lines. On a quarterly basis, an increase of 29,000 accesses was recorded. Compared to the corresponding period of 2024, there was a slight growth of 62,000 accesses (0.3% higher than June 2024).

AGCom also notes that copper-based lines decreased by approximately 150,000 units on a quarterly basis and by just under 650,000 units compared to June 2024. Over the last four years, the decrease amounts to just under 3.7 million units.

Compared to lines based on more advanced technologies, quarterly increases were observed, although the values show a decline compared to last year. Broadband lines are estimated to total around 19.24 million as of June 2025, with a quarterly increase of approximately 81,000 accesses and an annual decrease amounting to 158,000 accesses.

FTTC (Fiber to the Cabinet) accesses at the end of June 2025 totalled 8.74 million, recording an annual decrease of 754,000 lines, corresponding to a 7.9% drop compared to the same month of 2024. FTTH (Fiber to the Home) accesses, totalling 6.5 million in June 2025, increased by over 320,000 units on a quarterly basis and by 1.26 million units on an annual basis, while compared to June 2021 the increase amounts to just over 4.1 million lines. Fixed Wireless Access (FWA) lines also increased (by approximately 237,000 units annually), reaching about 2.48 million accesses at the end of June 2025.

This trend indicates a significant improvement in connection speeds, as between June 2021 and June 2025 the share of lines with speeds of 100 Mbit/s or higher rose from 57.2% to 80.8% of the total. Over the same period, the share of lines offering transmission speeds of 1 Gbit/s or higher increased from 10.8% to 31.2% of the total.

The data from the Communications Markets Monitoring System confirm the continued increase in data consumption. The average daily traffic in terms of total volume during the first half of 2025 recorded a further increase of 8.4% compared to the corresponding value for 2024, and of 45% compared to 2021. These figures are reflected in daily broadband traffic per line: unit consumption increased by 40.2% compared to 2021, rising from 7.18 GB to 10.07 GB per line on average per day.

With regard to the mobile network segment, AGCom reports that the total number of active SIMs at the end of June 2025 (including both “human” SIMs, ie “voice only,” “voice+data,” and “data only,” which require human interaction and M2M, ie “machine-to-machine”) is estimated to be slightly above 110 million, increasing by 1,773,000 units annually. Specifically, M2M SIMs increased by 616,000 units on an annual basis, reaching 30.7 million units. Human SIMs, totaling 79.3 million as of June 2025, grew by approximately 1,157,000 units compared to the same period of 2024. According to AGCom, 14.6% of human SIMs in June 2025 were business SIMs, while the remaining 85.4% were intended for residential customers.

According to AGCom, just under 61 million human SIMs generated data traffic during the first half of 2025. These figures show that mobile data traffic continues to grow; traffic recorded in June 2025 increased by 12.2% compared to the same period in 2024 and by over 113% compared to 2021. Correspondingly, the average daily unit consumption in the first half of the year is estimated to be around 0.94 GB.

Authors: Massimo D'Andrea, Matilde Losa

 

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, , Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA)

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani