Innovation Law Insights
31 March 2026
Legal Break
European banks face new third-party risk management rules: What you need to know
Alessandro Ferrari, Partner at DLA Piper, breaks down the EBA's new guidelines on third-party risk management during a quick coffee break. Watch the episode here.
Podcast
Dual-use technologies: The hidden military side of Europe’s AI, chips and space industry
In this episode of the Diritto al Digitale podcast, DLA Piper partner Giulio Coraggio explores what qualifies as a dual-use technology, examines the EU legal frameworks governing these technologies, and asks why companies developing AI, chips, robotics and aerospace technologies are increasingly affected by defence regulation. He looks into the industrial opportunities for European and Italian companies in this rapidly evolving sector and the growing intersection between technology, law and geopolitics. Listen to the episode here.
Artificial Intelligence
AI Act delay approved by European Parliament: A necessary adjustment or the first sign of structural challenges?
The European Parliament committees IMCO and LIBE have now formally supported the postponement of certain obligations under the EU AI Act, according to the latest official press release. The proposal focuses on delaying the application of specific requirements – particularly those affecting high-risk AI systems – with the objective of ensuring that both companies and supervisory authorities are adequately prepared for implementation.
This is a significant development.
It’s one of the first concrete adjustments to the AI Act timeline and signals that the transition from legislation to implementation is proving more complex than anticipated.
What exactly has been agreed?
The committees’ position supports a targeted postponement, rather than a general delay of the AI Act.
The rationale is clear:
- Companies need more time to operationalize compliance.
- Regulators need to build enforcement capabilities.
- Additional clarity is needed on how certain provisions should be applied in practice.
The postponement concerns obligations linked to high-risk AI systems, which are the most demanding and complex part of the AI Act framework.
Why high-risk AI is the central challenge
The AI Act is built around a risk-based approach, with high-risk AI systems subject to stringent requirements, including:
- risk management systems
- data governance and quality controls
- technical documentation and record-keeping
- human oversight mechanisms
- conformity assessments
But in practice companies are encountering difficulties in applying these rules. The main challenge isn’t compliance itself, but qualification.
Determining whether a system qualifies as high-risk often requires interpreting broadly drafted legal provisions, assessing use cases that fall into grey areas, and understanding how AI components interact within complex products or services.
This creates legal uncertainty, which in turn slows down implementation.
A regulatory reality check
The postponement reflects a broader reality: regulatory ambition has outpaced operational readiness. This applies not only to companies, but also to regulators.
Supervisory authorities across the EU are still in the process of developing technical expertise, coordinating enforcement approaches and issuing guidance to ensure consistent interpretation.
Without this preparation, there’s a tangible risk that enforcing the AI Act will become fragmented across member states, undermining the objective of harmonisation.
The risk for businesses: A false sense of security
One of the key risks associated with this postponement is how it will be interpreted by the market.
There’s a natural tendency to see delays as additional time to prepare. In reality, the situation is more nuanced.
AI adoption in organisations is accelerating rapidly and often occurs in a decentralised manner, driven by business needs rather than compliance considerations. This creates a structural risk.
By the time legal or regulatory issues are identified, AI systems may already be embedded in core processes. Remediation may require significant operational changes. Costs may increase substantially. And reputational exposure may become material.
Postponing regulatory obligations doesn’t reduce risk. It may, in fact, increase it.
AI governance as the real differentiator
This is where the concept of AI governance becomes central. The postponement doesn’t change the direction of travel. The AI Act will apply, and expectations will remain high.
The real differentiator for organisations will be their ability to identify and map AI systems early, assess legal and ethical risks before deployment, implement scalable governance frameworks, and ensure accountability across functions.
Companies that adopt a proactive approach will be better positioned not only in terms of compliance, but also to manage broader business risks.
A shift in the regulatory narrative
This development also signals a shift in how the AI Act is being approached at political level.
The focus is no longer only on adopting rules, but on ensuring that those rules are implementable and enforceable in practice.
This raises important questions about the future of the framework:
- Will further adjustments be introduced?
- How will consistency across member states be ensured?
- To what extent will guidance shape the practical application of the rules?
These questions will be central in the coming months.
Conclusion
The European Parliament’s support for postponing some AI Act obligations shouldn’t be interpreted as a weakening of the regulatory framework. It’s better understood as a necessary adjustment to align legal requirements with operational and enforcement realities. For businesses, the key message is clear: waiting isn’t a strategy. The postponement provides time – but it also increases scrutiny on how that time is used.
Author: Giulio Coraggio
Privacy and Cybersecurity
When can a GDPR access request be rejected? The CJEU draws a clear line
With its judgment in Brillen Rottler (C-526/24), the Court of Justice of the European Union (CJEU) has now clarified that, under specific circumstances, a data controller is entitled to refuse an access request – even if it is the first one submitted by the data subject.
This is the real turning point of the decision.
The key principle: Access requests can be rejected if abusive
The CJEU explicitly confirmed that a request under Article 15 GDPR may be considered “excessive” and therefore refused under Article 12(5) GDPR, where it is abusive.
Importantly, this is not limited to repetitive requests.
- Even a first access request can be rejected.
- The decisive factor is not frequency, but purpose.
According to the court, a request is abusive where it is made:
- not to understand how personal data is processed;
- but to artificially create the conditions for claiming compensation under the GDPR.
This clarification significantly expands the practical scope for refusing access requests.
From formal compliance to purpose-based assessment
The decision introduces a substantive assessment of intent.
Until now, controllers were generally expected to comply with access requests unless they were manifestly unfounded or repetitive. The CJEU now makes clear that formal compliance with GDPR requirements is not sufficient if the underlying purpose is abusive.
This means that companies may:
- assess the broader context of the request;
- consider patterns of behaviour;
- rely on evidence suggesting strategic or systematic litigation conduct.
For example, the court acknowledged that repeated requests followed by compensation claims across multiple organisations may indicate abusive intent.
But the threshold remains high
While the judgment opens the door to rejecting access requests, it doesn’t lower the bar.
The burden of proof remains on the controller.
This creates a delicate situation:
- rejecting a request without sufficient evidence may itself breach the GDPR;
- complying with abusive requests may expose companies to opportunistic claims.
In practice, this means that refusal must remain the exception, not the rule.
Compensation claims: No automatic entitlement
The CJEU also reinforces that damages under the GDPR require actual harm.
To succeed in a compensation claim, the data subject must prove:
- a GDPR infringement;
- actual material or non-material damage;
- a causal link between the two.
Crucially, the court clarifies that no compensation is due where the damage is caused by the data subject’s own conduct.
This is particularly relevant where access requests are used strategically to trigger claims.
Operational impact: A new compliance dilemma
This judgment has immediate practical implications.
Companies should now reassess how they handle access requests, particularly in scenarios involving:
- repeated or patterned requests;
- short time gaps between data provision and access requests;
- indications of litigation-driven behaviour.
At the same time, organisations must implement robust internal processes to:
- document evidence of potential abuse;
- ensure consistency in decision-making;
- involve legal teams in high-risk cases.
A broader shift in GDPR enforcement?
The ability to reject a GDPR access request in case of abuse reflects a broader evolution in EU data protection law.
The GDPR was designed to empower individuals – but not to enable systematic exploitation of its mechanisms.
The CJEU is now sending a clear message: data subject rights are fundamental, but they are not immune from limits when used in bad faith.
What’s next?
The Brillen Rottler decision marks a critical clarification: GDPR access requests aren’t absolute – they can be rejected when abusive.
For companies, this creates both an opportunity and a risk:
- an opportunity to push back against strategic misuse;
- a risk of misjudging intent and triggering non-compliance.
The real challenge going forward will be operational: how can organisations confidently identify abusive requests without undermining legitimate data subject rights?
Author: Giulio Coraggio
EDPB-EDPS joint opinion on the Cybersecurity Act 2 and NIS2 amendments
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion (the Joint Opinion) on the European Commission’s proposals to revise the EU cybersecurity framework, namely the Cybersecurity Act 2 (CSA2) and the amendments to the NIS2 Directive (jointly, the Proposals). The opinion provides a structured assessment of the proposed changes, outlining their main implications and raising key considerations regarding the protection of personal data.
ENISA: Strengthened role and single-entry point
The Proposals introduce significant changes to the role of ENISA:
- on the one hand, they strengthen its mandate, making it more operational and central in supporting EU cybersecurity policy;
- on the other hand, they assign ENISA a key function as a single-entry point for incident reporting, aimed at simplifying obligations for organisations.
The EDPB and the EDPS welcome these developments, particularly the potential efficiency gains stemming from a centralized reporting system. The need to notify incidents in multiple member states currently represents a significant compliance burden for organisations and may also affect the overall awareness of incidents among competent authorities.
At the same time, the Joint Opinion underlines that the expansion of ENISA’s tasks may entail the processing of large volumes of information, potentially including personal data. For this reason, the Joint Opinion stresses the need to clearly define the scope of such processing and to ensure that appropriate safeguards are in place, in line with the principles of necessity and proportionality set forth by the GDPR and the applicable data protection rules.
European Cybersecurity Skills Framework (ECSF)
Article 19 of the CSA2 Proposal introduces the European Cybersecurity Skills Framework (ECSF). The framework aims to ensure that cybersecurity professionals, employers, training providers and public authorities across member states share a common understanding of what specific cybersecurity roles require. It contributes to defining clear job profiles, setting transparent qualification requirements, and improving the alignment between education systems and labour market needs. It also provides a structured basis for training activities, particularly in support of EU cybersecurity legislation and cooperation among member states.
The EDPB and the EDPS welcome this initiative, as it is designed to raise the overall level of cybersecurity skills across the EU. However, they recommend extending its scope beyond cybersecurity professionals. As recent cyber incidents increasingly stem from human error – including actions carried out by employees in operational or non-specialized roles – it’s essential that basic cybersecurity awareness and skills are spread across the entire workforce. Limiting the framework to specialists would risk overlooking one of the main sources of vulnerability.
ICT supply chain security
The CSA2 Proposal also introduces measures aimed at strengthening the security of ICT supply chains, including the management of non-technical risks such as geopolitical, legal and strategic dependencies.
The EDPB and the EDPS welcome this initiative as an important step towards enhancing the resilience of critical sectors. Although not strictly linked to cybersecurity, such risks can significantly affect the operational continuity of organisations; it’s therefore essential, also in line with the approach of the CER Directive, that companies are able to manage incidents of a different nature.
Extension of essential entities under NIS2
The proposed amendments to the NIS2 Directive extend the scope of “essential entities” to include, among others, providers of digital identity wallets and business wallets. The EDPB and the EDPS support this extension, noting that such services play an increasingly central role in the EU digital ecosystem. In particular, these providers are expected to gain even greater relevance in light of the developments surrounding the EU Digital Identity Wallet, which is intended to become a key instrument for secure digital identification and interactions across the EU.
Reporting of ransomware attacks
The Proposals also introduce new obligations concerning the reporting of ransomware attacks. Entities may have to provide detailed information to Computer Security Incident Response Teams (CSIRTs), including whether a ransom has been paid, the amount and the recipients.
This measure is particularly relevant in light of the growing sophistication of recent cyberattacks. Access to detailed information is essential to better understand threats, improve response strategies and contribute to combating criminal organisations. Moreover, the sharing of such information across member states at EU level is crucial to ensure an effective and coordinated response. At the same time, the EDPB and the EDPS emphasise that such reporting may involve sensitive data and therefore requires appropriate data protection safeguards.
Conclusion
Overall, the Joint Opinion shows general support for the proposed reforms, while placing particular emphasis on the need to ensure a high level of protection of personal data, especially in the context of information sharing.
It only remains to await the legislative developments to understand the future of cybersecurity in the EU and the extent to which the observations raised in the Joint Opinion will be considered.
Author: Federico Toscani
Intellectual Property
AI and Copyright: WIPO’s AIII as a bridge for shared technical solutions
On 17 March, the World Intellectual Property Organization (WIPO) launched a new initiative aimed at strengthening the coordination between the protection of intellectual property rights and technological innovation, which is increasingly shaped by AI. The project, known as the Artificial Intelligence Infrastructure Interchange (AIII), is conceived as a technical and operational forum rather than a regulatory one. Its underlying premise is that any regulatory framework on AI risks being ineffective unless supported by concrete solutions, such as interoperable standards, tracking tools, and reliable systems to identify works and contributions, whether human or AI-generated.
At the core of the initiative is an international network of experts from diverse sectors, including the technology industry, the creative sector, academia, and civil society. Participants include leading players such as Shutterstock and Universal Music Group, alongside AI developers and rightsholders.
Among its key priorities is developing a systematic mapping of the existing copyright infrastructure and related technologies. Understanding current practices in managing rights, metadata, and information on creative works is a crucial step in identifying the most pressing areas for intervention. At the same time, the initiative will examine the challenges arising from the growing use of generative systems – such as large language models – which are increasingly blurring the traditional boundaries of authorship between humans and machines.
To ensure transparency and stakeholder engagement, the outcomes of the experts’ discussions and the progress of the initiative will be presented at an annual public meeting. The first meeting, scheduled for 2 October, will be a key opportunity to gather feedback and shape the next phases of the project.
In his opening remarks, Director General Daren Tang emphasised that every major technological innovation requires a corresponding evolution of the systems that support it. In this respect, AI is no exception: to fully realize its potential, it requires a robust and reliable infrastructure capable of combining operational efficiency with the protection of rights.
The AIII emerges at a critical moment in the redefinition of the balance between technology and law, promoting a pragmatic approach grounded in the development of shared solutions. Rather than setting new rules, the initiative seeks to create the conditions for their effective implementation, bridging the gap between abstract principles and practical reality.
Author: Noemi Canova
Gaming and Gambling
Italy online gambling rules: Are retail gambling vouchers the new pressure point for payment providers?
Italy’s online gambling rules are entering a new enforcement phase as the Italian gaming authority (ADM) introduces stricter controls on retail gambling vouchers, including a EUR100 weekly cap and mandatory traceability requirements starting May 2026.
This development isn’t just about retail networks – it has direct and potentially significant implications for payment providers operating in the Italian market. What’s often referred to in Italy as PVRs (Punti Vendita Ricariche) should be understood more clearly as retail points where players purchase gambling vouchers or top up their online gaming accounts, often using cash or other payment methods. These retail gambling vouchers have long represented a bridge between the physical and digital gambling environment. That bridge is now being tightly regulated.
Italy online gambling rules and the EUR100 weekly cap on retail gambling vouchers
At the centre of the updated Italy online gambling rules is the confirmation that no further delays will be granted on the introduction of the EUR100 weekly limit on the purchase of retail gambling vouchers using cash or non-traceable instruments.
This limit applies across all transactions carried out through retail networks and is designed to prevent excessive or uncontrolled use of anonymous payment methods in online gambling.
ADM has set a clear implementation roadmap:
- 5 March 2026: testing environments opened to operators
- 16 March 2026: operational systems made available
- 13 May 2026: full enforcement, including mandatory transaction monitoring
From that point onward, operators must be able to ensure that each player doesn’t exceed the weekly EUR100 threshold when purchasing retail gambling vouchers.
Why gambling operators and payment providers are directly impacted
One of the most underestimated aspects of Italy’s new online gambling rules is the impact on payment providers. The reform introduces a fundamental requirement: all gambling-related financial flows must be traceable and linked to the verified holder of the gaming account.
This means that:
- payment instruments used for deposits to gaming accounts must be identifiable and attributable to the player;
- anonymous or cash-based mechanisms are significantly restricted; and
- withdrawals must be processed through regulated financial institutions.
Retail gambling vouchers, traditionally used as a cash-based access point, are being transformed into fully traceable instruments. As a result, payment providers – particularly those enabling cash-in solutions, prepaid instruments, or hybrid retail payments – will need to reassess their role in the gambling ecosystem. This isn’t just a compliance adjustment. It’s a structural shift in how payments are integrated into online gambling.
These new restrictions also open up new avenues:
- Alternative Payment Solutions: Operators can collaborate with e-wallet services and digital payment providers to facilitate larger, traceable transactions while remaining compliant with Italian laws.
- Strategic Partnerships with Voucher Shops: By forming complex arrangements, such as designating Italian gambling voucher shops as agents of payment providers, operators can continue leveraging these retail outlets to promote their brands and services.
Enforcement is already underway
The tightening of Italy’s online gambling rules is supported by intensified enforcement activity. The Italian tax police, together with ADM, have conducted widespread inspections across Italy, resulting in:
- 324 retail points sanctioned in 2025
- frequent fines of several thousand euros per infringement
- enforcement based on the assumption that the EUR100 weekly limit already applied
This created a regulatory gap between legal requirements and technical enforcement tools.
ADM’s recent circular closes that gap by activating systems that allow for real-time monitoring and verification.
No more delays: A clear regulatory stance
Another key element is ADM’s firm decision to avoid further postponements.
Apart from a limited extension until 13 November 2026 for platform certification processes relating to platforms of operators holding new Italian gambling licenses, all other obligations are now fully effective or about to become so.
Operators have already been required to:
- operate a single licensed website under a national domain;
- collect full identification data at onboarding; and
- implement secure digital identification mechanisms.
The direction is clear: Italy’s online gambling rules are becoming increasingly focused on traceability, identity and control.
Responsible gambling and user-level restrictions
The reform also introduces stricter responsible gambling measures, which complement the payment restrictions.
Players must set limits before activating their accounts, including:
- maximum 3 hours of play per day
- maximum EUR100 daily spending
- maximum EUR200 daily recharge
For players aged 18 to 24, stricter thresholds apply:
- maximum 2 hours of play per day
- maximum EUR50 daily spending and recharge
These limits reinforce the idea that payment controls and player protection are now deeply interconnected under Italy’s online gambling rules.
Strategic implications for operators and financial intermediaries
The combined effect of these measures is significant. Operators must now ensure:
- full integration between retail gambling voucher systems and online platforms
- real-time monitoring of player-level limits
- extension of AML and KYC controls to all payment touchpoints
- strict oversight of retail and payment partners
For payment providers, the implications are equally relevant:
- increased compliance obligations when supporting gambling-related transactions
- need for enhanced transaction monitoring and reporting
- potential redesign of products that rely on cash or semi-anonymous instruments
This may accelerate a broader shift toward fully digital, traceable payment ecosystems.
Italy online gambling rules redefine the role of payments
The latest evolution of Italy’s online gambling rules isn’t only about regulating retail gambling vouchers. It’s about redefining how money flows within the gambling ecosystem. By imposing strict limits and traceability requirements, the regulator is effectively integrating payment providers into the core of the compliance framework. For both operators and financial intermediaries, the challenge is no longer limited to understanding the rules. It’s about building systems capable of enforcing them in real time.
Read about the different gambling regimes in almost 50 jurisdictions in the DLA Piper Gambling Laws of the World guide.
Author: Giulio Coraggio
Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Josaphat Manzoni, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.