Abstract_Lights_P_0152

14 July 202636 minute read

Innovation Law Insights

14 July 2026
Legal Break

Is the DPO responsible for a cyber-attack?

In this episode of Legal Break, Giulio Coraggio, location head of DLA Piper’s Italian Intellectual Property and Technology Law group, and the journalist Antonio Ravenna explain an important Italian court decision about DPO liability, GDPR, and cyber fraud. Watch the video here.

 

Commercial

Approving online contracts in Italy: A checkbox isn’t enough according to the Supreme Court

Online contracts in Italy concluded with a simple checkbox cannot enforce their most protective clauses, the Italian Supreme Court has just ruled in an order that every foreign company selling into Italy should read.

The decision (Court of Cassation, order No. 20945 of 20 June 2026) is short, but its message is sharp. A “flag” ticked on a web form is not a signature. And without a proper signature, the clauses that matter most to your business simply don’t bind the other side.

Let me explain why this reaches well beyond the dispute it decided.

What the case on online contracts in Italy was about

The facts are ordinary, and that is exactly the point. An Italian company, ATI, ran a hotel and bought electricity from Enel, a major Italian electricity company, through an online offer. ATI accepted the deal on Enel’s website by ticking a few boxes – the “touch point” process. Later, ATI sued Enel before the court of its own area, Viterbo, claiming it had been overcharged.

Enel objected. It argued that the contract contained an exclusive jurisdiction clause pointing to the courts of Rome, so Viterbo had no power to decide. The lower court agreed that Rome was competent, although on a different ground. ATI then took the jurisdiction question up to the Supreme Court. And the Supreme Court sided with ATI.

A checkbox isn’t a signature

Here is the core of the ruling. Under Italian law, certain clauses in T&Cs that haven’t been negotiated between the parties are treated as “unfair” or onerous – the “clausole vessatorie” of Article 1341 of the Civil Code. Exclusive jurisdiction clauses are textbook examples. Limitation-of-liability clauses, automatic renewals, and restrictions on the right to raise defences sit in the same family. To bind a party, these clauses must be approved specifically and in writing. A generic acceptance of the terms isn’t enough.

This means in practice that the party that hasn’t drafted the T&Cs, eg the company running an e-commerce website or any B2C supplier, needs to approve the agreement twice, once in relation to the whole agreement and a second time after the list of unfair clauses. Without this second acceptance, the unfair clauses cannot be enforced against the party that hasn’t drafted the agreement, ie the buyer.

Does the online world change this? It doesn’t

The court confirmed that, under Italian eCommerce law, the ordinary rules on the conclusion of contracts apply to deals closed by electronic means. Therefore, the same specific written approval is required online.

So what counts as “in writing” on a website? The court accepted that a light electronic signature can do the job for contracts that don’t require a written form by law. In practice, that usually means an OTP – a one-time password sent by SMS or email and entered on the platform – within the meaning of the eIDAS Regulation (EU) 910/2014. What doesn’t do the job is a mere tick in a box. Ticking a checkbox, the court held, isn’t specific approval. As a result, Enel’s jurisdiction clause had no effect, and the Italian customer could litigate at home.

This rule applies between businesses, not only consumers

Foreign companies often assume that these formalities protect consumers alone. That assumption is wrong, and the case proves it. Both parties here were businesses. The contract was a pure B2B supply. But the court applied the strict approval rule all the same. In other words, “we only deal business-to-business” isn’t a defence. If your Italian counterparty is a company, the rule still bites.

Why this matters for your online contracts with Italian counterparts

The practical fallout is significant, and it goes far beyond jurisdiction clauses.

If your online terms with Italian businesses rely on a checkbox, your forum-selection clause might collapse. You drafted it to litigate at home, or in a neutral seat. Instead, you can be dragged before an Italian local court, at the place where the obligation arose or had to be performed.

The same weakness hits your other shield clauses. Liability caps, exclusions, automatic renewals, and similar protections all qualify as unfair clauses. If they were only “flagged,” they may be unenforceable. That can turn a contained commercial risk into an open-ended one.

There’s also a burden-of-proof message. The party invoking the clause must prove specific approval. A PDF that shows nothing more than a ticked box won’t carry that burden – as Enel learned.

What foreign companies should do now

I would treat this decision as a prompt to revisit your Italian onboarding flow. A few concrete steps follow.

  • Map the unfair clauses. Identify every clause in your online terms that qualifies under Article 1341, jurisdiction, arbitration, liability caps, renewals, withdrawal limits, penalties.
  • Group and surface them. Reference those clauses specifically in a dedicated section, rather than burying them in the general terms.
  • Add a real signature step. Layer a light electronic signature – typically an OTP – over a separate, specific approval of those clauses. One generic “I accept” isn’t enough.
  • Keep the evidence. Store the signature logs, so you can later prove specific approval and not merely acceptance.
  • Review legacy contracts. Deals already signed with a checkbox alone may be exposed. Identify the high-value ones and consider re-papering them.

The fix isn’t hard. The cost of ignoring it can be.

In short

Online contracts in Italy are still perfectly valid when concluded electronically. What the Supreme Court tightened is the standard for their most sensitive clauses. A checkbox closes the deal; it doesn’t arm your protections. For that you need a signature, even a light, electronic one. Build it into your flow now, before a clause you were counting on turns out to be worthless.

Author: Giulio Coraggio

 

Artificial Intelligence

AI Act: When can a system be exempted from high-risk classification?

On 19 May 2026, the European Commission published the Draft Guidelines on the classification of high-risk AI systems under Article 6 AI Act, subject to public consultation until 23 July 2026, following an extension of the deadline granted by the Commission.

The Guidelines aim to provide interpretative clarifications on the classification of high-risk AI systems pursuant to Article 6 of the AI Act and to offer practical examples to facilitate the uniform application of the regulation by providers, deployers and competent authorities. Although they’re not yet a final version and are non-binding in nature, the Draft Guidelines are of considerable practical relevance. They offer one of the few interpretative references currently available on a topic on which many companies still lack sufficiently clear guidance.

For this reason, the Guidelines can already be used to carry out preliminary assessments on implementing and using specific AI systems, enabling organisations to anticipate compliance choices and to prepare for the application of the AI Act's provisions.

Among the most significant aspects addressed by the Draft Guidelines is the filter mechanism provided for by Article 6(3) of the AI Act. This mechanism is particularly important for economic operators, as it allows, under certain circumstances and following an assessment carried out by the provider, to exempt from high-risk classification certain AI systems that would, in principle, fall within the use cases listed in Annex III of the AI Act. A correct understanding of this mechanism is essential, given that its application results in the inapplicability of most of the obligations set out in Title III of the AI Act for high-risk AI systems.

The filter mechanism: Function and conditions

Article 6(2) of the AI Act classifies as high-risk a number of AI systems intended to be used in specific areas listed in Annex III, such as employment, education, access to essential services, justice, migration and biometrics. But the European legislature recognised that not all systems that fall within those use cases necessarily pose significant risks to fundamental rights or to the health and safety of natural persons.

Article 6(3) introduces an exemption mechanism that allows certain AI systems not to be classified as high-risk, even though they fall within Annex III, where they don’t materially influence the outcome of decision-making and don’t lead to a significant risk of harm. The Draft Guidelines emphasise that the filter mechanism is a tool of proportionality aimed at avoiding unnecessary regulatory burdens.

The conditions set out in Article 6(3) are exhaustive and must be interpreted narrowly. It’s sufficient for one of the conditions to be met for the system to benefit from the exemption, provided that profiling isn’t performed and that the system doesn’t materially influence the outcome of the final decision.

AI systems intended to perform a narrow procedural task

The first condition concerns AI systems intended to perform a narrow procedural task. These are systems that are limited to categorising data, changing the format, structure or presentation of data, or changing its metadata, without performing substantive assessments of the individuals concerned. Examples include systems that transform unstructured data into structured data, classify documents into predefined categories or detect duplicates.

For instance, a system that sorts incoming applications for admission to school according to the grade or educational level applied for, without evaluating applicants’ suitability, could benefit from the exemption.

Conversely, the filter cannot apply where the system performs a value judgement of data relevant for decision-making, for example by categorising input data as “useful” or “less useful” for the human assessment, or by attributing a score or ranking to input data.

AI systems intended to improve the result of a previously completed human activity

The second condition concerns AI systems that are solely intended to improve the result of a previously completed human activity.

According to the Draft Guidelines, the system must intervene after a human assessment or decision has already been completed and must be limited to verifying or refining its result, without substantially changing its content or replacing it. In this regard, it’s particularly relevant that the AI Act deliberately chose the formulation “improve,” rather than “review,” to make this distinction. In particular, any improvement introduced by the AI system shouldn’t change the rights, protection, or the legal or economic position of the people who might be affected by the system’s output or by decisions taken on the basis of that output.

The examples provided refer to systems that flag errors, inconsistencies or quality issues in documents or decisions already made by natural persons, as well as systems that convert human-validated content for interoperability or accessibility purposes, transforming but not replacing human output.

Where, on the contrary, the system provides a radically different solution or replaces the original human judgement, it cannot benefit from the exemption.

AI systems intended to detect decision-making patterns or deviations

The third condition concerns AI systems intended to detect decision-making patterns or deviations from prior decision-making patterns.

The Guidelines specify that the notion of “decision-making pattern” should be interpreted narrowly, referring to patterns or trends derived from past data that predict or analyse how decisions are taken over time on a specific subject matter.

In this context, the system may compare decisions already made by humans with similar decisions taken in the past to highlight possible inconsistencies or anomalies. However, to limit the impact of these systems, the system must not replace or influence the previously completed human assessment without proper human review, and must operate strictly ex post, ie following a human assessment that has already been completed.

The Draft Guidelines refer, for example, to systems used for quality-assurance and reporting purposes to verify the consistency of decisions made by public officials, without proposing operational recommendations or evaluating concrete cases still pending.

AI systems intended to perform a preparatory task

The fourth and final condition concerns AI systems that are exclusively intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III of the AI Act.

As can be readily understood, this exemption refers to a task that occurs before the actual assessment process. In this regard, it’s specified that where a narrow procedural task occurs before the assessment and is preparatory in nature, both points (a) and (d) of Article 6(3) of the AI Act may apply.

For a preparatory task to benefit from the exemption, the possible impact of the output of the system must be very low in terms of representing a risk for the assessment to follow, as the system must not be able to materially influence the decision-making process.

For example, this category includes systems used for searching, indexing, linking or retrieving information, such as references to the relevant legal provisions or information on jurisdiction, which will subsequently support a human decision.

By contrast, a system that produces specific recommendations or assessments in relation to a concrete case, exercising a material influence on the decision-making process, cannot benefit from the exemption.

The exception to the exemption: When the AI system performs profiling

Even where one of the four conditions described above is met, the filter mechanism cannot be applied if the AI system profiles natural persons. The rationale behind this provision is that the AI system is presumed to pose significant risks to the health, safety or fundamental rights of natural persons.

The Draft Guidelines refer to the definition of profiling set out in the GDPR, to which the AI Act expressly refers, clarifying that it means any form of automated processing of personal data intended to evaluate personal aspects relating to a natural person, such as work performance, reliability, behaviour, preferences or economic situation. Whether this condition is met will depend entirely on the assessment of the specific circumstances in light of the definition provided by the GDPR.

Consequently, an AI system that uses personal data to evaluate or predict individual characteristics will remain classified as high-risk, even if it could otherwise fall within one of the four exemption categories.

The provider's assessment and safeguards against circumvention

The application of the filter mechanism is based on a self-assessment carried out by the provider. It’s for the provider to determine, on the basis of the conditions laid down in Article 6(3) AI Act, whether its AI system may benefit from the exemption from classification as a high-risk AI system. But this assessment cannot be carried out in a superficial or opportunistic manner.

The AI Act provides specific safeguards against the misuse of the filter mechanism. Under Article 80, market surveillance authorities can assess the classification of AI systems, require the provider to bring the system into compliance with the requirements applicable to high-risk AI systems, and request the adoption of corrective measures. Where a market surveillance authority finds that an AI system has been incorrectly classified as non-high-risk to circumvent the obligations applicable to high-risk AI systems, it may also impose penalties pursuant to Article 99 AI Act.

Documentation, registration and monitoring obligations

Applying the filter mechanism means that the AI system isn’t classified as high-risk and that, accordingly, the obligations laid down in Chapter III of the AI Act for providers and deployers of high-risk AI systems do not apply.

This doesn’t mean, however, that the provider is exempt from all obligations. Article 6(4) AI Act imposes two specific obligations on the provider: to document the assessment before the AI system is placed on the market or put into service; and to register the AI system in the EU database established under Article 71 AI Act, to ensure the traceability of exempted AI systems.

The documentation should include:

  • the intended purpose of the AI system;
  • the reasons why the system would, in principle, qualify as a high-risk AI system under Article 6(2) AI Act;
  • the specific exemption condition or conditions relied upon, together with the reasons why they apply; and
  • the reasons why the AI system doesn’t perform profiling.

This documentation should be retained in such a way that it can be made available at any time upon request by the market surveillance authorities. The Draft Guidelines also encourage deployers to verify, as part of their due diligence activities, that the exemption has been registered in the EU database.

Conclusions

Although the Draft Guidelines on the classification of high-risk AI systems are still under public consultation, they already represent a valuable tool for carrying out preliminary assessments of whether the filter mechanism may apply to specific AI systems.

In this context, the postponement of the application of the obligations for high-risk AI systems until 2 December 2027, as proposed under the Omnibus package, shouldn’t be interpreted as an opportunity to delay compliance activities. On the contrary, the very fact that the EU legislator considered it necessary to grant businesses additional time suggests that the overall level of preparedness was considered insufficient.

The postponement period should be used to start compliance activities without delay, particularly since undertaking those activities only after the implementation of non-compliant AI systems, or of systems adopted without the necessary risk management measures and organisational governance processes, would be significantly more burdensome and complex.

Author: Josaphat Manzoni

 

Data protection and Cybersecurity

The EDPB's new breach notification and DPIA templates signal a shift toward operational harmonisation of the GDPR

Two recent initiatives – a common template for personal data breach notifications and a common template for Data Protection Impact Assessments (DPIA) – mark a concrete shift toward the operational standardisation of GDPR compliance across the EU.

The data breach notification template

On 8 June 2026, the EDPB adopted Guidelines introducing a common template for personal data breach notifications. The document is in public consultation until 5 August 2026.

Companies who have managed a cross-border data breach are familiar with the problem: each national supervisory authority has its own notification form, with different structures, fields and logic. A single breach affecting data subjects in five member states can require five formally distinct notifications – with all the cost, delay, and inconsistency that entails.

The EDPB template addresses this fragmentation head-on. It consists of approximately 120 numbered fields across seven sections: notification type, controller identification, initial breach information (timeline, nature, categories of data subjects and data), further information (consequences, risk assessment, measures taken), communication to data subjects, cross-border processing, and attachments.

The architecture goes well beyond the minimum that Article 33(3) GDPR requires. Predefined values, conditional logic, standardised taxonomies, and explanatory tooltips compose a digital framework – a genuine information system, engineered for technological implementation by each supervisory authority.

The DPIA template

In a parallel initiative, the Board adopted on 10 March 2026 Guidelines introducing a common DPIA template. The public consultation closed on 9 June 2026. An explainer document accompanies the template and walks users through its logic.

The template spans seven sections: overview of the processing, systematic description, analysis of processing, necessity and proportionality, risk assessment and management, involvement of interested parties, and conclusion and decision.

The most notable methodological choice is the explicit separation of structural design risks (Section 3) from operational and incident risks (Section 4). In current DPIA practice, these two dimensions are frequently conflated – many impact assessments are, in effect, cybersecurity risk analyses presented as GDPR compliance documents. The template requires practitioners to address them separately.

Other notable features include an explicit tracking mechanism for the implementation status of compliance measures (Planned / Partially Implemented / Implemented), formal documentation of DPO advice and data subject involvement, and four possible conclusion outcomes – abandon the processing, consult the supervisory authority, proceed, or conditionally proceed.

The template is compatible with ISO/IEC 29134:2017, though it adds a GDPR-specific documentary layer that makes it immediately usable in the European regulatory ecosystem.

The EDPB’s strategic shift

Read together, these two initiatives reveal a coherent strategic direction.

Since the Helsinki Statement of July 2025, the Board has been shifting its posture. The production of interpretive guidelines – for years the EDPB’s core activity – is now accompanied by the delivery of practical operational tools. The breach notification and DPIA templates are the first concrete results of this programme.

The stated objective is to establish a common documentary architecture – adoptable by all supervisory authorities and all controllers – without imposing a single methodology. The practical consequence is significant: a DPIA or breach notification produced according to the EDPB template will be recognised as structurally adequate across all member states, making national documentation adaptations unnecessary.

This amounts to practical harmonisation through standardised documentation and workflows – a compliance infrastructure that functions as a shared language between controllers, DPOs, and supervisory authorities.

Why this matters for multinational organisations

For groups operating across multiple EU jurisdictions, the operational implications are immediate.

Cross-border compliance becomes more predictable: a single notification format can serve multiple jurisdictions, a DPIA conducted according to the EDPB template can be submitted to different supervisory authorities without reworking, and the cost of tailoring documentation to varying national expectations drops. Interactions with supervisory authorities – particularly in proceedings involving multiple member states – increase in consistency.

The templates are also designed to interoperate with other EU regulatory frameworks. Asset information from Section 1.3 of the DPIA template can feed NIS2 documentation requirements. Section 3 on structural risks lends itself to AI system risk analysis, with explicit connections to the Fundamental Rights Impact Assessment under the AI Act. The breach notification template, for its part, aligns with the incident reporting logic of DORA and with the proposed single EU breach reporting portal by ENISA under the Digital Omnibus package.

Practical implications: What organisations should do now

A concrete first step is to review existing incident response procedures against the structure of the EDPB breach notification template. Can internal information-gathering workflows populate the approximately 120 fields? Is the timing of data collection compatible with notification deadlines?

Equally, it’s worth reviewing internal DPIA methodology against the template’s logic. Does the risk assessment adequately separate design risks from operational risks? Are compliance measures tracked with their implementation status? Is DPO advice formally documented?

At the organisational level, aligning internal documentation with the template structure – designing notification forms and DPIA templates that already mirror the EDPB models – reduces future compliance costs and immediately facilitates dialogue with supervisory authorities, who will recognise a familiar and complete structure. Consistency across jurisdictions and business units becomes an achievable objective.

These guidelines should be read as a signal of where EU data protection regulation is heading. Organisations that align early will have a competitive advantage in managing cross-border compliance.

Conclusion

The GDPR is entering a new phase, one where the relevant question is how breaches are notified, risks assessed, and compliance documented, uniformly, across the entire EU. The EDPB is driving this transition through the standardisation of operational tools.

For organisations, the outlook is pragmatic: practical harmonisation is the future of GDPR compliance in Europe. Those who adapt first will reduce costs, risks, and complexity.

Author: Enila Elezi

 

Gaming and Gambling

Austria online gambling licence: Draft law opens the market to private operators

The Austrian government has finally put its cards on the table on the Austria online gambling licence regime that will replace the country’s decades-old monopoly, publishing a draft amendment to the Glücksspielgesetz (the Austrian Gambling Act) for public consultation.

This draft is the first real look at how the new licensing system is meant to work in practice. Credit for the detailed analysis below goes to my DLA Piper colleagues in Vienna: Armin Redl, Claudine Vartian and Nicole Daniel, whose original client alert this article builds on.

Stakeholders can submit comments on the draft until 15 July 2026, before it moves through the Austrian parliamentary process. The text can still change, but it already gives a solid picture of where the government is heading.

From a single monopoly to multiple licences

The core of the reform is the end of Austria’s online gambling monopoly and its replacement with an unlimited multi-licensing system. Today, only one operator can legally offer online casino products in Austria; under the draft, any number of operators could apply for an Austria online gambling licence, provided they meet strict regulatory conditions.

Importantly, the government is at pains to describe this as channelling existing demand into a supervised environment rather than as market liberalisation. The stated goal is consumer protection and stronger enforcement against illegal operators, not a simple opening of the taps.

Player protection sits at the centre of the reform

Consumer safeguards are the backbone of the proposed regime, and the draft leans heavily on measures already familiar from other European markets, including:

  • mandatory player protection duties and behavioural monitoring
  • a cross-operator exclusion register shared across licensees
  • a supervision system spanning the whole online gambling sector
  • age-linked deposit and spending limits
  • tighter regulatory oversight and reporting duties

On deposits specifically, the draft sets a weekly ceiling of EUR250 for players under 26, rising to a monthly cap of EUR1,680 for players aged 26 and over. Players who have turned 23 could be granted higher limits under a risk-based approach, but only where there is no sign of gambling-related harm, and any increase must come with extra safeguards.

Enforcement gets a serious upgrade too. Regulators would be equipped with website blocking, payment blocking targeting illegal operators, public blacklists, and expanded investigative powers – a clear signal that market opening will be paired with a harder line on operators who stay outside the system.

Licence duration and who can apply

The licensing model starts with a probationary phase: the first Austria online gambling licence would run for up to five years, with renewals available for up to ten years after that.

To qualify, applicants would need to:

  • be set up as a stock corporation or limited liability company with a supervisory board;
  • have their seat in Austria or another EU/EEA member state;
  • hold paid-up share capital of at least EUR10 million;
  • demonstrate regulatory reliability and integrity; and
  • pay a EUR300,000 fee for the initial grant of the licence.

In short, the bar is set for well-capitalised, highly compliant operators – not a low-cost entry point.

The grey market faces a harder road

Operators that have served Austrian players without a local licence face the toughest part of the reform. The draft does give them a path into the regulated market, but only if they can show that all overdue, non-time-barred Austrian gambling tax liabilities have been paid, all final Austrian court judgments obtained by players have been satisfied, and Austrian civil judgments are enforceable in the operator’s home country. For many international operators, that will mean significant legal and tax due diligence before they can even submit an application.

A Dutch-style cooling-off period

The draft also borrows a page from the Dutch market-opening playbook: a cooling-off mechanism designed to push operators out of the grey market before the regulated regime launches. Operators offering unlicensed online gambling to Austrian players must stop by 1 January 2027 and stay out of the market until they hold an Austrian licence. Exiting later triggers an 18-month exclusion period, stretching to 24 months for operators still active after 31 December 2029.

What this means for operators and pending litigation

For operators eyeing the Austrian market, this draft is the first real basis for assessing what a licence will actually require, commercially and legally. But the consultation is still open, and the framework could shift before it becomes law – so anyone with a stake in Austria should watch this closely and consider responding before the 15 July 2026 deadline.

There’s also a knock-on effect for the wave of player litigation against foreign operators that has defined the Austrian market in recent years. The reform doesn’t try to wipe out player claims, but it does set a hard cut-off: any operator wanting an Austrian licence must stop unlicensed activity by 1 January 2027 and satisfy every final Austrian court judgment obtained by players before a licence can be granted. Litigation is unlikely to vanish overnight, but this could realistically mark the beginning of the end for the historic grey-market disputes.

If it passes largely as drafted, this would be one of the most significant overhauls of Austrian gambling regulation in decades – opening real commercial opportunities for licensed operators while pairing that access with some of the toughest player-protection and enforcement standards in Europe.

Author: Giulio Coraggio

 

Intellectual Property

UK initiative proposes a collective licence for using protected works in AI development

Publishers' Licensing Services (PLS), a collective management organisation for the UK publishing industry, has announced that more than 250 British publishers have joined its collective licence scheme for the use of copyright-protected works in the development of artificial intelligence (AI) systems.

The initiative was presented at the London Book Fair earlier this year and was developed in collaboration with the Copyright Licensing Agency and the Authors’ Licensing and Collecting Society. Its aim is to create a structured and supervised system through which companies developing AI can lawfully access copyright-protected content made available by rights holders in exchange for paying a fee, while complying with clear and transparent usage guidelines.

The relevant legal framework

In general terms, training AI models and, more broadly, using protected works in the development of AI systems are activities that are relevant from a copyright perspective and require the authorisation of rights holders, unless specific exceptions apply.

At EU level, Directive (EU) 2019/790 (Copyright Directive) introduced, under Article 4, an exception for text and data mining (TDM). As defined in Article 2, TDM is the automated analysis of digital texts and data in order to extract information such as patterns, trends and correlations. Under Article 4, this activity may be carried out, subject to the introduction of a specific exception by national lawmakers, in respect of works to which lawful access has been obtained, unless rights holders have expressly reserved such use.

The UK has introduced into the Copyright, Designs and Patents Act 1988 a TDM exception that applies where a person has lawful access to copyright-protected works, provided that the relevant activities are carried out exclusively for non-commercial research purposes. Subsequent attempts to extend this exception to commercial uses were abandoned following strong opposition from the publishing and creative sectors.

The UK publishing sector is seeking to provide a structured response to the issue of large volumes of copyright-protected content being used in to develop and train AI systems without the authorisation of rights holders. The introduction of a collective licence scheme for AI-related uses seeks to ensure appropriate remuneration for rightsholders when their works are used, while offering AI developers a clear and lawful tool to obtain the necessary authorisations.

How the PLS system works

The operation of the collective licence scheme for AI-related uses of protected works is relatively straightforward: publishers who voluntarily join the scheme authorise the licensing of their content to AI developers through collective agreements negotiated by the collective management organisation.

Publishers of works such as books, academic and professional publications and journals can decide which content to make available and the types of generative AI activities for which it can be licensed. Thay can choose from training AI models, fine-tuning AI systems and retrieval-augmented generation, namely the activity carried out by an AI tool when it draws on existing information to produce answers. The licence can be granted for both large and small language models.

Companies wishing to lawfully access the content covered by the scheme and collected in a content store can purchase a licence by paying a fee, the amount of which will be redistributed among the rights holders, without the need to negotiate individually with each rights holder.

As also specified in the information published by PLS, this licensing system isn’t intended to replace direct agreements between publishers and AI developers, but rather offers an alternative channel, particularly significant for smaller publishing businesses that don’t have the bargaining power required to negotiate independently with major technology players.

Practical implications for market operators

For publishers, participation in the scheme entails certain operational assessments. Since joining the scheme involves the transfer of a specific right of economic exploitation of the work, publishers must verify that the transfer is compatible with the agreements already entered into with authors and other rights holders. Secondly, publishers operating internationally will need to consider the coordination between the UK scheme and the rules applicable in the other jurisdictions in which they publish or distribute their content.

For AI developers, the use of licences granted through the PLS scheme offers a regulatory compliance route capable of significantly reducing the risk of copyright litigation linked to the unauthorised use of protected content in activities relating to AI systems.

Conclusions

As reported by PLS, collective licensing has long represented a significant and sustainable source of revenue for publishers. In 2024-2025 alone, PLS distributed GBP48 million to publishers through licensing and permissions programmes. The objective of introducing a collective licence for the use of protected content in the development of AI systems is to ensure that, as the sector grows, publishers and authors can directly benefit from the value generated by the lawful use of their works, while creating new economic development opportunities for the entire publishing supply chain.

The UK model could become an important testing ground for the development of similar solutions in other markets, including Europe, where the applicability of the text and data mining exception in the AI development sector continues to raise interpretative and practical questions.

This initiative will make it possible to assess in practice the effectiveness of a system based on collective rights management in ensuring fair remuneration for the use of protected content by AI. A comparison between the results achieved by this model and those obtained from direct agreements between publishers and AI developers will provide useful guidance for identifying the most appropriate solutions to combine technological innovation, legal certainty and rights protection.

Author: Chiara D’Onofrio

 

EUIPO 2025: Demand for intellectual property protection grows and strategic role expands

The European Union Intellectual Property Office (EUIPO) has published its Consolidated Annual Activity Report 2025, offering a particularly significant snapshot of the health of the European intellectual property system.

The opening figure is particularly relevant: in 2025, the EUIPO received 327,833 applications overall, the highest volume ever recorded, with an 8% increase compared to the previous year. During the same period, EUIPO also reached the historic milestone of 5 million cumulative applications for EU trademarks and EU designs since its establishment.

The EU trademark sector recorded 196,918 applications in 2025, with a 9.1% increase compared to 2024. Direct filings amounted to 167,561, up by 10.2%, while international registrations reached 29,357 applications, with a 3.5% increase.

The geographical distribution of applications confirms the centrality of the EU, from which 57.5% of EU trademark applications originate. Among the member states, Germany remains the main country of origin, followed by Italy, Spain, France, Poland and the Netherlands. Outside the EU, China continues to represent the most relevant non-European country of origin, with 15.9% of the total, followed by the US and the UK.

The EU designs sector also shows significant growth. In 2025, the EUIPO received 130,915 applications, with a 6.3% increase compared to the previous year. Direct filings reached 110,386, confirming the central role of design protection as a tool for protecting aesthetic and functional innovation.

One of the most innovative elements of 2025 is the launch of the new European system for geographical indications relating to craft and industrial products. The new regime, which entered into force in December 2025, gives the EUIPO a new competence and makes it possible to protect at European level non-agricultural products linked to specific territories, production traditions and local skills.

The report indicates that, already in the initial phase, 46 applications were registered, mainly from France and Portugal. The figure is still limited, but significant; the system has the potential to strengthen the protection of traditional, craft and industrial productions which, although not falling within the system of agri-food PDOs and PGIs, often represent an important economic and cultural heritage for European territories.

For businesses and producer associations, the new system may constitute an important tool not only for legal protection, but also for commercial enhancement, combating imitations and strengthening the reputation of products on the internal and international markets.

The report also confirms that the protection of intellectual property cannot end at the registration stage. The value of IP assets depends on the ability of their holders to protect them effectively against infringements, counterfeiting and unauthorised uses. From this perspective, it’s particularly significant that crimes against intellectual property have been included as a sub-priority within the new EMPACT 2026-2029 cycle, dedicated to combating serious and organised criminal threats. This confirms the growing institutional awareness of the link between counterfeiting, organised crime, economic damage and risks for consumers.

At the same time, the EUIPO has continued to strengthen alternative dispute resolution tools. Since June 2025, mediation services have also been extended to oppositions concerning EU trademarks and to invalidity proceedings relating to EU designs. This is an important development, as it allows the parties to consider negotiated solutions at an early stage of the conflict, reducing time, costs and uncertainty.

Conclusions

The EUIPO Consolidated Annual Activity Report 2025 describes a European intellectual property system undergoing significant transformation. The increase in registration applications confirms the growing trust of economic operators in the European protection of trademarks and designs.

For businesses, the message is clear: intellectual property must be managed in an increasingly conscious, integrated and proactive manner. It’s not enough to register a trademark or a design; it’s necessary to build a strategy that includes monitoring, enforcement, economic valorisation, contractual management and, where possible, the use of available public tools.

In this sense, the report is not only an account of the EUIPO’s activity, but also an indication of the main directions along which intellectual property protection in Europe will move in the coming years.

Author: Federico Maria Di Vizio

 

Technology, Media and Telecommunications

Infratel publishes report on the progress of the National Ultra-Broadband Plan as of 31 May 2026

In a press release dated 14 June 2026, Infratel announced the publication of the report on the progress of the National Ultra-Broadband Plan, updated to 31 May 2026.

The National Strategy for Ultra-Broadband – “Towards the Gigabit Society,” included in the National Recovery and Resilience Plan (Piano Nazionale di Ripresa e Resilienza – PNRR) and approved on 25 May 2021, by the Interministerial Committee for Digital Transition (Comitato interministeriale per la Transizione Digitale – CiTD), aims to bring 1 Gbp/s connectivity across Italy by 2026 and foster the development of fixed and mobile telecommunications infrastructure.

The strategy encompasses several public intervention plans to promote and incentivize the coverage of geographical areas where the provision of infrastructure and ultra-high-speed digital services by the operators is either absent or insufficient.

The operational activities of the National Ultra-Broadband Plan were initiated in 2016 by Infratel Italia S.p.A. Infratel’s aim is to intervene in market failure areas by building and integrating broadband and ultra-broadband infrastructure to extend access opportunities to high-speed internet for citizens, businesses, and public administrations. Through Infratel, the Ministry of Enterprises and Made In Italy implements measures defined in the National Ultra-Broadband Strategy to reduce infrastructure and market disparities across Italy, creating favourable conditions for the integrated development of electronic communications infrastructure.

The report describes the plan’s progress, focusing on the five main operational phases: final design (progettazione definitiva), executive design (progettazione esecutiva), works’ execution, testing, and start of service.

During the final design phase, the layouts of the networks to be built are identified, along with the infrastructure to be reused, the authorities responsible for granting authorisations for FTTH (Fiber To The Home) technology deployment, and the necessary sites for FWA (Fixed Wireless Access) technology deployment. Upon approval of the final designs by Infratel, the executive design phase begins, aimed at obtaining the necessary authorisations. Subsequently, works can commence on the sites. Upon completion of the work, Infratel conducts final verifications, which, if successful, result in the issuance of a positive testing certificate (collaudo).

The report indicates that, as of 31 May 2026, the final design for the FTTH network has been approved in 6,064 municipalities, 4 fewer than in February 2026. As highlighted in the report, the number of planned projects may vary over time due to redesigns prompted by various obstacles. Specifically, during the progress of the executive design phase, some municipalities were found to lack any “white” housing units to connect, leading to the issuance of new regional technical plans that incorporated the cancellation of interventions in certain municipalities. As a result, the number of municipalities with approved final designs for the FTTH network is slightly lower than the figure recorded in February 2026.

As for the number of municipalities in which the final design for the FWA network has been approved, there has been an increase of two municipalities. In fact, as of 31 May 2026, the number of municipalities with approved final designs for the FWA network amounts to 7,064.

As stated in the report, the municipalities for which the executive design of FTTH (Fiber To The Home) network infrastructure has been approved total 6,041, while a total of 3,232 executive projects have been approved for the implementation of FWA (Fixed Wireless Access) technology networks. This reflects a decrease of two municipalities with approved executive designs for FTTH networks compared to February 2026. For FWA technology, the number of approved executive projects has remained unchanged. As noted above, the number of projects may vary due to the cancellation of interventions in certain areas.

As of 31 May 2026, infrastructure works have been completed in 10,724 out of the 11,975 total active sites for fibre construction and in 3,200 out of the 3,255 sites for the FWA network construction.

Infrastructure works for FTTH technology were completed with positive testing in 5,437 municipalities, covering a total of 10,149 projects. Compared to February 2026, projects related to the FTTH network have been positively tested in an additional 110 municipalities, while the number of positively tested projects has increased by 122.

Infrastructure works for FWA technology were completed with positive testing in 2,917 sites, an increase of 40 sites compared to February 2026.

Authors: Massimo D'Andrea, Matilde Losa, Arianna Porretti 

 


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo BardelliCarolina BattistellaNoemi Canova, Gabriele Cattaneo, Maria Rita CormaciCamila CrisciCristina CriscuoliTamara D’AngeliChiara D’OnofrioFederico Maria Di Vizio, Enila Elezi, Nadia FeolaLaura GastaldiVincenzo GiuffréNicola LandolfiGiacomo LusardiJosaphat Manzoni, Valentina MazzaLara MastrangeloMaria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah ParacchiniMaria Vittoria Pessina, Marianna Riedo, Rebecca RossiRoxana SmeriaMassimiliano TiberioFederico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena VareseAlessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and read Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.