Innovation Law Insights

Legal Break

Europe’s digital overhaul: The massive EU regulatory reset explained

In our latest episode, Giacomo Lusardi of DLA Piper discusses the EU’s Digital Omnibus package and what it means for GDPR, NIS2, the Data Act and the AI Act. Is Europe finally simplifying its digital rulebook? And will it be enough to stay competitive with the US and China? Watch the episode here.

 

Privacy and Cybersecurity

The definition of personal data will remain unchanged: Impact on AI training under the Digital Omnibus

The definition of personal data remains unchanged under the Digital Omnibus. What does this mean for AI training and legitimate interest under GDPR?

The definition of personal data and AI training: Why the Digital Omnibus matters

The definition of personal data and AI training are tightly connected after the latest developments on the Digital Omnibus. According to recent information from Brussels, the European legislator does not intend to modify or narrow the scope of “personal data” under the GDPR.

At first glance, this may seem like a technical confirmation. However, for AI developers and companies deploying large-scale AI systems, the impact is significant.

By keeping the definition of personal data unchanged, the European framework preserves the broad interpretative perimeter that already applies to AI training activities. As a result, legal uncertainty remains.

Why the definition of personal data directly affects AI training

Under Article 4(1) GDPR, personal data includes any information relating to an identified or identifiable natural person. European case law has consistently interpreted identifiability broadly. Even indirect or contextual identifiers may be sufficient.

For AI training, this is critical.

Training datasets often include:

• publicly available web content
• text corpora containing embedded identifiers
• metadata and contextual information
• scraped online material

Even where direct identifiers are removed, the risk of re-identification or inference may prevent datasets from qualifying as anonymous. Consequently, much AI training continues to fall within the GDPR framework.

Because the Digital Omnibus doesn’t adjust the definition, the existing broad approach remains the benchmark.

Legitimate interest and AI training: Uncertainty persists

The relationship between legitimate interest and AI training is one of the most debated issues in European data protection law.

Article 6(1)(f) GDPR allows processing based on legitimate interest, provided that:

• A legitimate interest is clearly identified.
• The processing is necessary.
• The balancing test favours the controller over the data subject.

In theory, AI innovation and technological development may constitute legitimate interests. In practice, the balancing test creates structural challenges.

How can organisations conduct a meaningful balancing assessment at web scale?
How can transparency be ensured when datasets are sourced from diffused public environments?
How can objection rights be operationalized in large training datasets?

The Digital Omnibus was seen as a potential opportunity to clarify this issue. But the proposed changes don’t materially strengthen or codify the ability to rely on legitimate interest for AI training.

Therefore, the legal feasibility of this approach remains uncertain and context-specific. Enforcement risk remains real.

Anonymisation thresholds remain high

Another important consequence of maintaining the existing definition is that the threshold for anonymisation remains unchanged.

True anonymisation requires irreversibility, considering all means reasonably likely to be used. In an AI context, this assessment is complex. Advanced models may generate outputs that reintroduce personal elements or allow indirect identification.

As a result, many technically transformed datasets will still qualify as personal data. The distinction between anonymisation and pseudonymisation is decisive.

The Digital Omnibus does not lower that threshold.

Regulatory fragmentation across the EU

Because the legislative text is unchanged, interpretation will continue to depend on supervisory authorities and courts.

We’ve already observed differences across member states regarding scraping practices, transparency obligations and proportionality assessments. Without further harmonization, divergent enforcement approaches remain possible.

For multinational companies, this means:

• compliance asymmetries
• increased litigation exposure
• strategic uncertainty in AI deployment

The definition of personal data and AI training will continue to be shaped not only by legislation but also by enforcement practice.

AI governance becomes a strategic imperative

In this context, AI governance is no longer optional.

Organisations should consider:

• rigorous data mapping of training datasets
• documented legitimate interest assessments
• scalable transparency mechanisms
• alignment between GDPR compliance and AI Act obligations

In my experience advising boards and AI teams, one recurring expectation has been regulatory relaxation to facilitate AI development. The current trajectory suggests otherwise.

Europe appears determined to preserve a high standard of fundamental rights protection, even in the context of AI innovation.

The legal perimeter has not shifted

The definition of personal data remains unchanged. Consequently, the legal feasibility of AI training continues to depend on careful interpretation, documentation, and governance.

The Digital Omnibus doesn’t remove uncertainty around legitimate interest. It doesn’t lower anonymisation thresholds. It doesn’t fundamentally recalibrate the GDPR framework for AI training.

Instead, it confirms that organisations have to operate within the existing structure.

The strategic question for businesses is straightforward: are they prepared to defend their AI training models under the current GDPR framework, including a robust legitimate interest balancing test?

The answer to that question will define the next phase of AI governance in Europe.

Author: Giulio Coraggio

 

Artificial Intelligence

EIOPA survey on GenAI and insurance: Where are we now?

On 2 February 2026, EIOPA published its EU-wide survey on the adoption of Generative AI (GenAI) in the insurance sector. The survey, based on responses from 347 insurance companies in 25 countries, shows that GenAI is already widely used: 65% of insurers have implemented the technology and a further 23% plan to adopt it in the next three years. However, most applications remain in the proof-of-concept phase, reflecting a cautious and gradual approach.

The main use cases

Sixty-four percent of the use cases that emerged from the survey relate to internal productivity functions, operations (document analysis, coding assistants, data extraction), and decision-making support. Customer-facing applications (36%) such as chatbots, voicebots, and marketing content are less mature.

It’s significant that most use cases aren’t linked to a specific line of business. Many are cross-functional and can be implemented in both life and non-life insurance, particularly in back-office operations and initiatives aimed at improving overall process efficiency.

In terms of the degree of autonomy of the systems, those designed to support human assessments and decisions remain prevalent. More autonomous systems and AI agents are on the rise.

Risks, obstacles and governance

Among the main risks highlighted by survey participants are hallucinations (inaccurate, complacent, misleading outputs), specific IT vulnerabilities, potential customer data breaches, and problems with explainability of how a particular output was obtained.

Added to these is the challenge of regulatory compliance: several companies report that navigating such a complex regulatory landscape is a significant obstacle, including industry regulations, the AI Act, privacy, intellectual property and more.

Another critical issue concerns the human factor. Many companies have highlighted a significant shortage of internal skills, both in finding suitable profiles and in training existing staff. This gap makes it difficult to build in-house teams capable of effectively developing, managing and governing GenAI systems.

As for governance, the survey shows that 49% of companies now have a dedicated AI policy. However, far fewer companies have gone further and adopted comprehensive AI governance.

Make or buy? How companies procure AI

The survey revealed a prevailing “make or buy” strategy, whereby the AI system is chosen based on the use case. For general, non-strategic needs, such as increasing internal productivity, insurers tend to buy standard “off-the-shelf” solutions. Conversely, for core processes where they want a competitive advantage, they prefer to develop their own solutions. However, this option doesn’t mean having to create Gen AI models from scratch, but rather developing customised in-house applications based on existing third-party or open-source models.

By doing so, companies have greater control over the final application and data, while leveraging the power of market-leading technologies.

GenAI customization: Between RAG and fine-tuning

On the data front, companies mainly adopt two strategies: RAG and fine-tuning. The survey shows that 38% of respondents use RAG techniques. They allow the model to be enriched with proprietary or contextual knowledge without changing its weights, thus maintaining control over sources and reducing the risk of hallucinations, with a good balance between cost and performance. In contrast, 21% said they use fine-tuning, a more expensive and complex option that involves retraining the model on internal data to achieve deeper customization. Finally, 27% use neither RAG nor fine-tuning, relying on pre-trained models as they are.

Agentic AI

The survey also focuses on agentic AI: of the 957 use cases identified, only 84 fall into this category and are mainly in the early stages of development. Insurers expect an impact mainly in customer-facing applications (49 cases), thanks to more autonomous chatbots and voicebots, while 35 cases relate to back-office activities. Some use cases are already in production, such as chatbots that provide information on claims or systems that automatically summarize customer calls. In the medium term (3-5 years), wider adoption is expected, especially in core areas such as claims, underwriting, and fraud detection, albeit with significant challenges related to the explainability, traceability, and reliability of autonomous systems.

How to interpret this data and key points to consider

The figures show an acceleration in the adoption of AI in the insurance sector. At the same time, large-scale adoption is being held back by a number of factors. Among these, the insurance sector should consider very carefully:

• the complex and evolving regulatory framework, including the AI Act, which requires a shift from sporadic initiatives to an orderly compliance program: mapping use cases, classifying them by risk level, monitoring regulatory developments, and adopting a horizontal and multidisciplinary approach;
• third-party risk with regard to the procurement of AI from third-party suppliers, to be managed through targeted contract review and new sets of clauses for AI, as part of a procurement process that truly assesses cyber risk, concentration and business continuity;
• governance, which must go beyond a mere “AI policy” and become a cross-functional process within the relevant business functions, with clear rules, defined roles and responsibilities, and concrete controls over how AI is used.

For insurance companies, the message is simple. But it’s not one that can be implemented overnight: they need to move quickly, but methodically.

Author: Giacomo Lusardi

 

Intellectual Property

Private Copying and Cloud Storage: Italy’s New Decree Extends Copyright Levy to Cloud Services

On 23 February 2026, Italy’s Minister of Culture signed a groundbreaking ministerial decree that redefines the tariffs for private copying compensation.

For the first time, the new Italian cloud storage copyright levy extends the obligation to pay compensation for reproduced copyrighted works to cloud storage services – a move that will reshape how digital storage providers operate in the country.

The decree addresses an area long marked by tension between the technology industry and rights holders. However, it introduces a structural change to the entire digital ecosystem: the extension of the private copy levy to cloud storage. For the first time in Italian legislative history, remote storage space is now treated, from a functional standpoint, as equivalent to a physical medium and subject to private copying compensation.

What is “Private Copying”?

The concept of private copying emerged in the 1980, in a technological context radically different from today’s. Back then, individuals would listen to the radio and record songs onto blank cassette tapes, or later duplicate CDs for personal use. These were reproductions made by individual users for exclusively private purposes, without any commercial intent.

Both Italian and European law allow private individuals to make copies of copyrighted works for personal use. However, as a compensating mechanism, manufacturers or importers of recording media must pay a fee to collecting societies (formerly SIAE, now the Fondazione Copia Privata Italia), which then redistribute it to authors.

Originally, relatively few parties were obligated to pay: manufacturers of blank cassettes and VHS tapes, then blank CDs and DVDs, as well as recorder manufacturers. This was a limited scope, consistent with a market still heavily tied to physical media. With technological evolution, however, the pool of payers has progressively expanded. The introduction of digital devices with internal or external memory led to the inclusion of new categories: manufacturers of computers, smartphones, USB drives, external hard drives, and generally any device capable of storing protected content.

What the New Italian Decree Covers

The new decree updates the private copying tariffs (last revised in 2020), adjusting them based on the ISTAT index. The detailed technical annex specifies the compensation due for each device category based on storage capacity.

For example, for USB drives:

• Up to 1 GB: no compensation due
• 1 to 8 GB: compensation of EUR0.12
• 8 to 32 GB: compensation of EUR0.11

According to data compiled by IsICult (Italian Institute for Cultural Industry) and reported by DDay.it, the increases compared to the 2020 decree range from 15% to 40%, depending on the device and memory tier.

Notably, compensation will now apply for the first time to refurbished devices. This means that for such devices, the levy may be paid multiple times: at the initial purchase and at each subsequent resale of the same refurbished device.

Cloud Storage: The Most Significant Change

The most significant innovation concerns cloud storage. The decree explicitly provides, under letter q) of Article 2 of the technical annex, compensation for “cloud memory or cloud storage space”. Unlike physical devices, where the fee is a one-time payment, cloud storage compensation must be paid monthly.

The tariffs are set at EUR0.0003 per gigabyte between 1 and 500 GB, dropping to EUR0.0002 for gigabytes beyond that threshold. Storage up to 1 GB is exempt, though this affects a minimal percentage of users, given that free plans typically start at 5 or 15 GB. The maximum cap is EUR 2.40 per month per user, amounting to nearly EUR30 annually – on top of subscription costs.

While the decree does not clarify the operational procedures for collecting the compensation, it does specify that the quarterly declaration required under Article 71-septies, paragraph 3, of Law No. 633/1941 must indicate, for each month of the quarter: (i) the number of active users, recorded on the last day of the month, and (ii) the cloud memory capacity or storage space available to them. Clearly, cloud providers will need to submit this declaration.

Compatibility With European Law

The Court of Justice of the European Union addressed the extension of private copying rules to cloud storage in Case C-433/20 (Austro-Mechana). According to the Court, the private copying exception under the InfoSoc Directive must be interpreted to mean that “reproductions on any medium” includes making backup copies of copyrighted works for private purposes on a server where a cloud service provider has made storage space available to a user.

A copy in the cloud therefore constitutes a reproduction of a protected work, since uploading to the cloud results in storing a copy. The Court also clarified that identifying who must pay fair compensation falls within the discretion of Member States implementing the private copying exception. Each national legal system may therefore decide whether to provide compensation for private cloud copying, as well as determine the elements of the compensation system, including obligated parties, the form, method, and level of compensation owed to copyright holders.

Many jurisdictions have chosen not to introduce compensation systems for private cloud copying. In the era of streaming and platforms, consumption of creative works occurs differently than in the past, and it is now rare for users to upload copyrighted materials to the cloud.

Tech Industry Reactions to the Cloud Storage Levy

Unsurprisingly, the introduction of a fair compensation system for cloud copies has sparked strong reactions from the technology industry. Both Big Tech companies and various trade associations – including AIIP, Assintel, and Anitec-Assinform – have challenged the decree.

In a joint statement, the associations noted that the final text of the decree did not incorporate the corrections proposed to the Ministry during the public consultation, particularly regarding the scope of application, exemptions for the B2B market, and risks of levy duplication.

AIIP and Assintel – while announcing their intention to file an appeal – have reiterated several substantive and procedural concerns, including:

• Risk of double taxation along the supply chain: Those who have already paid compensation on storage devices and media risk facing an additional monthly, cumulative levy simply for having cloud storage available.
• Indiscriminate application to B2B cloud services: Storage used by businesses and public administrations for backup, operational continuity, compliance, data processing, and security does not relate to private copying of protected works.
• Disproportionate compliance and reporting burdens: These impose a particularly heavy impact on SMEs and national operators.
• Competitive distortions: There is a risk of penalizing operators based in Italy, while favoring large international platforms that may be harder to reach through control and collection mechanisms.

Other operators have criticized the anachronistic nature of the regulation, observing that “private copying” – understood as the physical duplication of a protected work onto a personal medium – is now a residual practice. Music and audiovisual content are predominantly consumed via streaming. Additionally, the reimbursement mechanism designed to exclude cloud services not used for reproducing protected content has been described as excessively cumbersome, potentially discouraging its actual use.

Previous Legal Challenges Set a Precedent

The private copying framework is no stranger to administrative litigation. In 2023, the Italian Administrative Supreme Court, the Council of State, in ruling No. 1183/2023, annulled the Ministry of Cultural Heritage and Activities’ decree of June 18, 2019, regarding “Exemptions from payment of compensation for private reproduction of phonograms and videograms”. The court found that the decree failed to provide predefined, objective, and transparent criteria for identifying exemption cases and regulating reimbursements. It also granted SIAE discretionary power to determine when to grant exemptions – deemed unlawful due to the entity’s conflict of interest.

Although exemption rules are now governed by a new decree adopted in September 2024, it remains to be seen whether new appeals will emerge and whether additional grounds for illegality will be identified, both in the exemptions decree and in the new ministerial decree determining compensation – particularly concerning the inclusion of cloud services within the scope of private copying compensation.

On a similar topic, you can read the article “The Digital Services Act introduces relevant changes on the liability regime of ISPs”.

Author: Lara Mastrangelo

Intellectual property-intensive industries: New EUIPO data confirm their central role in the EU economy

The European Union Intellectual Property Office (EUIPO) has recently published its latest study on the economic contribution of intellectual property rights (IPR)-intensive industries, updating the previous edition released in 2022.

The new report provides updated macroeconomic data and introduces additional analytical elements that further clarify the structural role of IP in Europe’s economy.

The headline figures are clear: during the period 2021-2023, IPR-intensive industries generated 30.6% of all jobs in the EU, slightly up from 30.1% in 2017-2019 (after adjusting for methodological differences). On average, more than 65 million people were employed in these sectors. Their contribution to economic output is even more significant: over the same period, IPR-intensive industries accounted for 47.9% of total EU GDP, corresponding to EUR7.7 trillion.

Trade data further highlights the global integration of these sectors. IPR-intensive industries are markedly more trade-oriented than non-IPR-intensive sectors: 76.4% of EU imports consist of goods and services from IPR-intensive industries, while their share of EU exports reaches 78.3%. Overall, these industries generated a trade surplus of EUR108 billion, contributing to keeping the EU’s external trade broadly balanced.

The study also examines the functioning of the internal market. More than 7.2 million IPR-related jobs in EU member states are created by companies from other member states. In some countries, such cross-border employment represents more than 25% of total employment in IPR-intensive industries, underscoring the degree of integration of value chains within the Single Market.

Another structural feature concerns wages and productivity. IPR-intensive industries pay significantly higher wages than other sectors, with a wage premium of 40.9%. This reflects higher value added per worker and confirms the link between IP, innovation and economic performance.

For the first time, the study also analyses the relationship between IPR intensity and the ability to attract risk financing. The findings are striking: over 88% of total private equity and venture capital funding in the EU between 2021 and 2023 – equivalent to EUR70.7 billion – was invested in startups operating in IPR-intensive industries. This confirms the central role of IP assets in supporting innovation-driven growth and attracting capital.

Methodologically, the study builds on previous editions by combining EUIPO and EPO register data (trademarks, designs, patents) to identify IPR-intensive industries, and integrating this with Eurostat data on employment, value added and trade, as well as Crunchbase data on venture capital flows.

Overall, the report reinforces a structural conclusion: IPR-intensive industries aren’t a niche segment of the European economy. They’re a backbone of the Single Market, a driver of cross-border job creation and a magnet for private investment. For policymakers and businesses alike, the data confirm that IP protection is closely intertwined with competitiveness, innovation and long-term economic resilience.

Author: Federico Maria Di Vizio

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.