17 March 2026

Innovation Law Insight

Podcast

Dual-use technologies: The hidden military side of Europe’s AI, chips and space industry

In this episode of the Diritto al Digitale podcast, Giulio Coraggio discusses the European rules on dual-use technologies and their impact on strategic technologies such as AI, semiconductors, and aerospace systems. Watch the episode here.

 

Privacy and Cybersecurity

Are advertising cookie identifiers personal data? French court decision raises questions for AdTech and AI training

A recent decision on advertising cookie identifiers of the French Conseil d’État has reignited a fundamental debate in EU data protection law: when do online identifiers qualify as personal data under the GDPR? 

The ruling confirmed the legality of a sanction imposed by the French data protection authority (CNIL) in relation to large-scale behavioural advertising activities. The most significant aspect of the decision concerns the legal qualification of advertising identifiers collected through cookies and tracking technologies.

Beyond its relevance for the AdTech sector, the decision also raises broader questions about pseudonymisation and identifiability, which are increasingly central to debates on AI training and the future of EU digital regulation.

The court’s approach to online identifiers

Under Article 4(1) GDPR, personal data includes any information relating to an identified or identifiable natural person. Identification may occur directly or indirectly, including through an identifier such as a name, identification number, location data, or an online identifier.

Recital 30 of the GDPR explicitly refers to cookie identifiers, device identifiers, and similar technologies as potential elements that may make individuals identifiable.

In the case examined by the Conseil d’État, the advertising identifiers were associated with a large volume of additional data points, including:

  • IP addresses and geographic location
  • device identifiers
  • identifiers associated with partner websites
  • browsing history and user behaviour
  • interactions with advertisements and purchases

Through the aggregation of these data points, the system allowed the creation of detailed behavioural profiles linked to specific identifiers.

The court concluded that these identifiers qualified as personal data because the identification of certain individuals would not be technically impossible and could occur without disproportionate effort in terms of time, cost or manpower.

In other words, even if the identifiers were pseudonymous and didn’t directly reveal the identity of individuals, the “mere possibility” of linking them to identifiable persons meant that they remained within the scope of the GDPR.

A potential tension with recent CJEU case law

The reasoning adopted by the French court appears difficult to reconcile with the approach taken by the Court of Justice of the European Union (CJEU) in EDPS v SRB on pseudonymisation.

In that decision, the CJEU clarified that the assessment of whether data qualifies as personal data must be conducted from the perspective of the entity processing the data.

If the controller doesn’t have the additional information necessary to identify individuals and has no reasonable means of obtaining it, the data may not necessarily be considered personal data for that controller.

This interpretation reflects an important principle of EU data protection law: identifiability must be assessed in a contextual and relative manner, taking into account the realistic capabilities of the actor involved.

The Conseil d’État decision appears to adopt a broader approach.

The court emphasized that identification of certain individuals was not technically impossible, particularly considering the volume of information associated with the identifiers and the possibility of combining multiple datasets.

This reasoning raises an important question: should the theoretical possibility of re-identification be sufficient to qualify data as personal data?

The CJEU has previously suggested that the analysis should focus on whether identification is reasonably likely, taking into account the means realistically available to the controller.

By contrast, the reasoning of the French court appears to rely more heavily on the structural characteristics of the broader data ecosystem.

This difference in approach may create legal uncertainty for organisations operating across the EU.

Why this matters for AI training

The implications of this interpretation extend far beyond behavioural advertising.

The qualification of pseudonymized data as personal data is also central to ongoing debates on AI training datasets.

Many AI systems rely on large-scale datasets that include pseudonymized identifiers or behavioural information. In many cases, the developers of AI models don’t have the additional information required to identify individuals associated with these data points.

The question therefore becomes critical: should such datasets be considered personal data simply because identification may be theoretically possible somewhere within the broader data ecosystem?

This issue has become particularly relevant in the context of the Digital Omnibus package, where European policymakers are currently discussing whether the legal framework should clarify the concept of personal data when used for AI training purposes.

In recent policy discussions, some stakeholders have suggested introducing clearer rules on when pseudonymized datasets used for AI training may fall outside the scope of the GDPR.

The objective would be to provide legal certainty and facilitate the development of AI systems while maintaining appropriate safeguards for individuals.

However, decisions like the one delivered by the Conseil d’État may complicate this debate.

If courts adopt a broad interpretation according to which data remains personal data whenever re-identification is theoretically possible, the scope of the GDPR could expand significantly.

This would create challenges for organisations seeking to develop AI systems using large-scale datasets derived from digital services, behavioural analytics, or pseudonymized identifiers.

The role of data ecosystems in identifiability

Another important element highlighted by the decision is the role of data ecosystems in determining whether individuals can be identified.

The identifiability of individuals cannot be assessed by analysing a single data element in isolation. Instead, regulators and courts increasingly examine the entire ecosystem in which data is processed, including:

  • the scale of the dataset
  • the ability to combine multiple sources of data
  • the technological capabilities of the controller
  • the involvement of third parties
  • the purposes of the processing

In complex digital environments such as behavioural advertising, identifiers often circulate within networks involving advertisers, publishers, ad exchanges and data brokers.

These interconnected ecosystems increase the ability to profile users and potentially re-identify them.

However, this ecosystem-based approach may also raise difficult questions about how far the notion of identifiability should extend.

If the possibility of re-identification somewhere in the digital ecosystem is sufficient to classify data as personal data, the concept of anonymisation may become extremely difficult to achieve in practice.

A debate that will shape the future of data regulation

The Conseil d’État’s decision highlights a broader regulatory dilemma.

On the one hand, the GDPR adopts a broad definition of personal data to ensure that individuals are protected in increasingly complex digital environments.

On the other hand, technological innovation – particularly in areas such as AI development, data analytics, and digital advertising – often relies on large-scale pseudonymized datasets.

Balancing these two objectives is becoming one of the most difficult challenges in European digital regulation.

As discussions continue around the Digital Omnibus package and the use of data for AI training, the interpretation of concepts such as identifiability, pseudonymisation, and anonymisation will play a decisive role.

For companies operating in both AdTech and AI ecosystems, the message is clear: the legal boundaries of personal data are fluid, and regulatory expectations around data governance are likely to become even more demanding in the coming years.

Author: Giulio Coraggio

 

Gaming and Gambling

Italy’s 2026 gambling licenses tender: A structural reform of land-based gaming

Italy’s 2026 gambling licenses tender could become the most significant regulatory overhaul of the country’s land-based gaming sector in more than a decade.

With expected investments exceeding EUR1.5 billion, the reform isn’t simply about renewing gambling licenses but about reshaping the structure, economics, and compliance framework of Italy’s retail gambling industry.

For operators, investors, and regulators alike, the 2026 gambling licenses tender is a turning point. It introduces higher financial thresholds, potential consolidation among operators, and new regulatory constraints that could significantly alter the competitive landscape of the Italian gambling market.

Italy’s gambling market is entering a new phase

Italy already hosts one of the largest regulated gambling markets in Europe, combining a strong retail network with a highly developed online sector. However, the regulatory framework governing land-based gaming has gradually become fragmented due to overlapping national rules and local restrictions.

The upcoming 2026 gambling licenses tender aims to restore a more coherent structure to the sector. By redefining the allocation of betting and gaming machine gambling licenses, the government intends, through the operations of the Italian gambling regulator ADM (Agenzia delle Dogane e dei Monopoli), to modernise the system while ensuring continued fiscal revenues for the Italian Ministry of Economy and Finance (MEF) and stronger regulatory oversight.

The reform is also part of the broader reorganisation of the Italian public gambling sector, which seeks to balance three main objectives:

  • ensuring tax revenue stability for the state;
  • strengthening responsible gambling safeguards; and
  • maintaining a controlled and transparent market structure.

Within this context, the 2026 gambling licenses tender becomes a cornerstone of the Italian government’s strategy for the gambling industry.

The economic scale of the 2026 gambling licenses tender

The financial dimension of the 2026 gambling licenses tender illustrates the magnitude of the reform.

Two key segments will be involved: retail betting operations and gaming machines.

Betting shop gambling licenses

The tender is expected to include gambling licenses for approximately 10,000 betting points across Italy. These licenses will be divided into 200 lots, each covering around 50 betting locations.

The estimated base value for the betting segment alone is approximately EUR280 million, although the final auction price may increase depending on market demand.

Gaming machine gambling licenses

The second major component concerns gambling licenses for gaming machines, specifically:

  • AWP (Amusement with maximum prizes of EUR00) machines
  • VLT (Video Lottery Terminals whose maximum prizes are of EUR500,000)

The tender is expected to allocate gambling licenses covering:

  • 200,000 AWP machines
  • 46,000 VLT machines

These will be organised into 50 lots, each containing approximately 4,000 AWP units and 920 VLT units.

The expected value of this part of the 2026 gambling licenses tender could reach EUR1.25 billion, making it the largest financial component of the reform.

Why the 2026 gambling licenses tender could trigger market consolidation

Beyond the financial dimension, the 2026 gambling licenses tender may accelerate a process already visible in several European gambling markets: operator consolidation.

Higher license fees and increased compliance obligations mean that only operators with sufficient capital and operational scale will be able to compete effectively.

In practical terms, the new framework could favour:

  • large international gambling groups;
  • operators with integrated online and retail platforms; and
  • companies capable of managing complex regulatory compliance systems.

As a result, the number of independent operators holding gambling licenses in the Italian market may gradually decrease.

This shift isn’t necessarily negative from a regulatory perspective. A more concentrated market can make regulatory supervision easier and may improve the effectiveness of responsible gambling measures. But it also raises questions regarding competition and market diversity.

Territorial restrictions remain one of the biggest challenges

While the 2026 gambling licenses tender seeks to reorganise the national framework, operators will still have to navigate territorial gambling restrictions imposed by regional and municipal authorities.

Over the past decade, several local governments have introduced distance rules (distanziometri), which prohibit gambling venues from operating within a certain distance from locations considered sensitive, such as schools, churches or youth centres.

The practical consequences are significant.

Industry estimates suggest that between 15% and 40% of existing retail gambling venues could face relocation or closure because of these rules.

This creates a structural tension in the Italian gambling regulatory system: while the state issues national gambling licenses through the 2026 gambling licenses tender, local regulations simultaneously limit the physical spaces where gambling activities can legally operate.

For operators evaluating the new gambling licenses, this regulatory uncertainty represents one of the most complex variables in the investment decision.

The possible strategic role of retail after the PVR limits

Another factor that could reshape the market following the 2026 gambling licenses tender is the introduction of new restrictions affecting shops selling top-up cards for online gambling accounts (PVR).

Under Legislative Decree No. 41/2024, cash vouchers for online gaming accounts through PVRs are limited to EUR100 per week.

The primary objective of the measure is to reduce potential risks related to money laundering and excessive gambling behaviour. But the rule may also produce an unexpected market effect.

By limiting certain online payment mechanisms, the regulation could increase the relevance of physical retail networks, which remain an essential interface between players and operators.

If this dynamic materializes, the 2026 gambling licenses tender may ultimately reinforce the strategic importance of retail gambling rather than accelerate its decline.

Safeguards against excessive market concentration

Given the likelihood of consolidation, policymakers are reportedly evaluating competition safeguards within the 2026 gambling licenses tender.

Among the measures under discussion are limits on the share of gambling licenses that a single operator or corporate group may hold. Preliminary proposals suggest:

  • a 25% cap per individual company
  • a 35% cap for corporate groups

These limits aim to prevent excessive concentration while still allowing the sector to evolve toward more economically sustainable structures.

The future of Italy’s land-based gambling sector

The 2026 gambling licenses tender signals that the Italian government doesn’t intend to abandon the retail gambling model. Instead, the objective appears to be a smaller, more structured, and technologically advanced network.

The reform could lead to:

  • fewer but stronger operators
  • higher compliance and monitoring standards
  • greater integration between retail and online channels

For the gambling industry, the message is clear: the retail sector is not disappearing, but it is evolving.

Operators that successfully adapt to this new regulatory and economic environment will likely define the next phase of Italy’s gambling market.

You can read about the different gambling regimes in almost 50 jurisdictions in the DLA Piper Gambling Laws of the World guide.

Author: Giulio Coraggio

 

Blockchain and Cryptocurrency

From no action to enforcement: EBA’s supervisory priorities for EMT services as the grace period comes to an end

Regulation (EU) 2023/1114 (MiCAR) brought electronic money tokens (EMTs) into a harmonised EU framework, but it didn’t dissolve their functional proximity to “funds” and payment services within the meaning of Directive (EU) 2015/2366 (PSD2). Against that background, the European Banking Authority (EBA) No Action Letter (NAL), published on 10 June 2025, deliberately engineered a short, proportionate bridge:

  • It narrowed the overlap between MiCAR and PSD2 to a subset of EMT-related activities that may qualify as payment services.
  • It postponed the expectation of PSD2 authorisation until 2 March 2026, at the end of a nine-month transition period.
  • It encouraged a streamlined authorisation pathway leveraging information already submitted in the filings of crypto-asset service providers (CASPs), coupled with a pragmatic stance on supervisory priorities to preserve business continuity while limiting the duration of unauthorised payment activity.

Opinion EBA/OP/2026/01, issued on 12 February 2026 (the Opinion), doesn’t reopen that interpretative compromise; rather, it operationalises its endgame. Confronted with uneven national workloads and a surge of applications, the EBA gives the National Competent Authorities (NCAs) a convergence-driven enforcement architecture from day one after the transition. It comprises:

  • a structured supervisory triage of three scenarios
  • a conditional tolerance framework for “pending” applicants anchored to concrete prerequisites and inter-authority checks
  • and, crucially, clear expectations of restrictions or, where conditions are not met, immediate cessation of the relevant EMT payment activity and client offboarding, all reinforced by a sharper articulation of when EMT transfers fall within PSD2 regardless of wallet classification

A supervisory triage for the decentralised industry

EBA identifies three distinct scenarios to ensure convergence across NCAs once the transition period expires:

  • First, where a CASP has obtained authorisation as a payment institution (PI) or electronic money institution (EMI) or operates through a partnership with a duly authorised payment service provider (PSP), EMT transactions that qualify as payment services may continue in line with the scope of that authorisation.
  • Second, where a CASP has submitted an application but authorisation has not yet been granted, temporary continuity may be allowed, subject to strict cumulative conditions:
    • the application must be complete under Article 5 PSD2 and the relevant EBA Guidelines;
    • the applicant must respond exhaustively and promptly to supervisory queries;
    • no material supervisory breaches under MiCAR, anti-money laundering (AML) or other EU law must undermine its suitability; and
    • the competent authority must have reasonable grounds, following a preliminary assessment, to expect approval within a very short timeframe.
  • Third, where no application has been submitted, or where the above conditions aren’t met, competent authorities are advised to require the immediate cessation of EMT-related payment services and the orderly offboarding of clients.

Conditional continuity

The temporary tolerance contemplated under the second scenario is neither automatic nor neutral. It’s framed as a tightly controlled supervisory concession aimed at containing risk during the final stretch of the authorisation process.

Where a competent authority decides to allow a CASP to continue providing EMT transactions pending approval, that continuity must be accompanied by concrete restrictions (unless the CASP is operating under the MiCAR grandfathering period), namely:

  • the cessation of all marketing activities relating to EMT services that qualify as payment services; and
  • a prohibition on onboarding new clients for such services.

This conditional approach is further reinforced by the requirement of close coordination between authorities designated under PSD2 and those responsible under MiCAR. Supervisory assessments must consider potential infringements under MiCAR, national transitional virtual asset service provider (VASP) regimes, and AML frameworks, ensuring that authorisation under PSD2 isn’t evaluated in isolation from the applicant’s broader compliance record.

A sharpened substantive test

Beyond supervisory sequencing, the Opinion refines the substantive perimeter of PSD2 in the EMT context. It reiterates that the execution of transfers involving EMTs may qualify as a payment service, most notably as the execution of payment transactions under point 3 of Annex I to PSD2, irrespective of whether the custodial wallet offered by the CASP qualifies as a “payment account.”

Equally significant is the confirmation that PSD2 contains no exception for first-party transfers. Even where payment transactions are executed between accounts held by the same user – and even where those accounts are serviced by the same provider – the transaction may still fall within the scope of PSD2, as also clarified in para. 71 of the NAL. Applied to EMTs, this means that transfers performed as part of custody and administration services, including internal pay-outs to the same client, can constitute regulated payment transactions in their own right.

The effect and aim, once again, is to anchor the overlap between MiCAR and PSD2 not in labels or technological architecture, but in economic function. Where EMT activity entails the execution of a transfer of funds on behalf of a client, the PSD2 perimeter is engaged.

The de facto consolidation of the dual authorisation regime

Taken together, the Opinion signals a decisive shift from transitional accommodation to supervisory consolidation. The window for regulatory flexibility has actually narrowed and what remains is a controlled posture towards compliance, backed by clear consequences for inaction.

The EBA’s intervention also underscores its institutional role in shaping a common supervisory culture. By prescribing coordinated assessments between PSD2 and MiCAR authorities, aligning expectations on marketing restrictions and client onboarding, and articulating a functional test for EMT transfers, the Opinion reduces the scope for divergent national approaches. In doing so, it mitigates the risk of regulatory arbitrage and reinforces legal certainty for cross-border operators.

Until PSD3 and the forthcoming Payment Services Regulation (PSR) formally recalibrate the perimeter, the message is unambiguous: EMTs may be crypto-assets under MiCAR, but where they operate as payment instruments in substance, they’ll be treated as such in supervision. The dual regime is no longer a temporary anomaly but, for the time being, the governing architecture of EMT-related services in the EU.

Author: Andrea Pantaleo and Giulio Napolitano


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Josaphat Manzoni, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.
