
Innovation Law Insights

3 October 2024
Artificial Intelligence

Big Tech and the AI Pact: The future of the European AI Regulation

On 25 September, the European Commission announced that over 100 companies had signed the AI Pact, a voluntary agreement aimed at enhancing AI governance. Notably absent were Meta and other major tech firms, who, just days earlier, had published an open letter expressing concerns about the potential risks to innovation posed by the EU's regulatory approach to AI. What does the future hold for AI in the EU?

AI Act and AI Pact

On 1 August 2024, Regulation (EU) 2024/1689, which establishes harmonized rules on AI (known as the AI Act), came into force. But many of the Regulation's obligations – particularly those related to “high-risk” AI systems – are set to be implemented at a later date. This phased approach is intended to give entities within the Regulation’s scope time to better structure their AI governance policies and comply with all applicable obligations.

To support organizations during this critical transition, the European Commission launched an initiative in early 2024 aimed at preparing the ground for the full implementation of the AI Act's requirements. This initiative took shape in the form of the AI Pact, a voluntary agreement that companies can sign to commit to responsible practices in developing, managing and using AI.

The primary goal of the AI Pact is to foster regulatory harmonization between member states and organizations, creating an environment of trust and collaboration while paving the way for the application of the AI Act in line with its principles.

The AI Pact

The AI Pact is structured around two main pillars.

The first pillar is titled “Gathering and Exchanging with AI Pact Network.” The main objective of this pillar is to create a network among the companies that have signed the pact, encouraging the exchange of information and best practices. Signatories are encouraged to collaborate and share insights on strategies and steps taken to ensure compliance with the AI Act.

The European AI Office has a key role. It's tasked with creating working and training groups and providing practical training to support the implementation of the regulation’s requirements. In this spirit of full cooperation, signatories are invited to share their strategies for compliance with the regulation with other pact members. To facilitate this exchange, the European AI Office is also responsible for creating an online platform accessible to the signatories.

While the first pillar focuses on shared consultation, the second pillar aims to provide tools for the direct implementation of the AI Act’s requirements. Titled “Facilitating and Communicating Corporate Pledges,” the second pillar invites companies to take on concrete commitments, representing specific actions they've taken (or plan to take) to comply with the regulation. These actions cover a range of activities required by the regulation, such as implementing security measures, regularizing relationships with AI supply chain partners through appropriate contractual templates, and preparing relevant documentation, including internal policies and materials concerning copyright compliance.

The first three pledges outlined by the pact are:

  1. Adopting an AI Governance Strategy aimed at promoting AI within the organization and ensuring future compliance with the regulation.
  2. Identifying and mapping AI systems that may be classified as high-risk.
  3. Promoting AI awareness and literacy among staff to ensure the ethical and responsible development of the technology.

These are certainly challenging commitments for companies, which must prepare the necessary documentation and strive to create genuine AI awareness in their organizations. This involves using effective tools and techniques to promote a practical understanding of AI and how it should be managed.

Additionally, the call to begin mapping AI systems now underscores the need for legal and technical expertise to accurately identify all the requirements set out in the regulation, enabling better planning of the activities needed before all obligations under the AI Act come into effect.

Signatories and critics

To date, over 100 companies have signed the AI Pact and committed to its proposed actions. Among them are small and medium-sized enterprises as well as tech giants.

It's not surprising that Meta isn't among the signatories. Recently, the company, along with other organizations – some of which are key players in the tech market – issued an open letter with a title that leaves no room for doubt: “Europe needs regulatory certainty on AI: fragmented regulation means the EU risks missing out on the AI era.”

The near future will reveal who – the signatories or the critics – was right about the impact of European AI regulation. However, regardless of one’s stance on European legislative policies, it's clear that AI management – part of which involves complying with the AI Act – cannot be ignored. In this context, the signatories of the AI Pact are charting a path that, in a spirit of synergy, seems capable of facilitating ethical, conscious, and compliant AI governance.

Author: Edoardo Bardelli

 

Data Protection and Cybersecurity
The implementation of the CER Directive

On 23 September 2024, Legislative Decree No. 134, which implements EU Directive 2022/2557 on the resilience of critical entities (the CER Directive), was published in the Official Gazette. The CER Directive complements the existing cybersecurity compliance framework established by the NIS2 Directive, which will also be implemented soon, as previously discussed here.

The CER Directive: What is it?

The primary aim of the CER Directive is to harmonize security measures in the provision of essential services in the internal market by enhancing the resilience of critical entities and improving cross-border cooperation between relevant authorities. This regulation introduces a broader and more comprehensive approach to protecting critical infrastructure, partly to enable EU member states to better address cross-border interdependencies and manage the potential impacts of threats and incidents.

The CER Directive doesn't apply to areas covered by the national implementation of the NIS2 Directive.

To whom is the CER Directive applicable?

The CER Directive applies to critical entities, which are specific public or private organizations operating in sectors designated by the directive. These sectors include energy, transportation, banking, and financial market infrastructure, as well as health (eg healthcare providers, laboratories, medical research and development entities, pharmaceutical manufacturers, and producers of critical medical devices during health emergencies). It also covers drinking water, wastewater, and irrigation water, digital infrastructure (such as cloud computing and data centre service providers, trust service providers, and communication providers), certain public administration entities, space, and food production, processing, and distribution (including logistics, wholesale distribution, and large-scale production).

Identifying a public or private entity as a critical entity is the responsibility of the competent authority, which is responsible for correctly applying and executing the provisions of the Directive and which differs by sector. In Italy, the competent authorities designated by the Decree transposing the Directive are:

  • the Ministry of Environment and Energy Security for the energy and water sector
  • the Ministry of Infrastructure and Transport for the transport sector
  • the Ministry of Economy and Finance for the banking and financial market infrastructure sector
  • the Ministry of Health
  • the National Cybersecurity Agency for digital infrastructure in collaboration with the Ministry of Business and Made in Italy
  • the Prime Minister's Office for the space sector
  • the Ministry of Agriculture, Food Sovereignty and Forestry for the food sector

The competent authority identifies critical entities for each sector no later than 17 January 2026, taking into consideration:

  • whether the entity provides one or more services considered essential;
  • whether the entity operates, and its critical infrastructure is located, on Italian territory; and
  • whether any incidents would have significant adverse effects on the entity's provision of one or more services deemed essential or on the provision of other essential services that depend on such essential service(s).

The list of critical entities must then be submitted to the Single Point of Contact (the SPC), established within the Prime Minister's Office. The SPC is responsible for ensuring that the criteria used by the competent authorities to identify critical entities are applied consistently. By 17 July 2026, the list of critical entities will be finalized. As with the NIS1 Directive, this list will be classified and not made public, and it will be updated at least every four years.

Companies identified as critical entities will receive official notification, after which they must comply with the obligations set forth in the CER Directive within ten months of receiving the notification.

What does the CER Directive provide for?

After receiving notification, critical entities have to assess relevant risks that could impact, even temporarily, the provision of essential services and associated critical infrastructure. Based on this risk assessment, the entities must then adopt and implement technical, security, and organizational measures that are appropriate and proportionate to ensure their resilience. These measures should also take into account relevant information provided by the SPC regarding the state's risk assessment.

However, these measures must include at least the following minimum requirements:

  • the implementation of processes and systems to prevent incidents and mitigate their occurrence and consequences
  • systems to ensure adequate physical protection of sites and critical infrastructure
  • a framework for restoring operational capabilities in the event of an incident
  • appropriate personnel security management
  • an obligation to inform staff about risks and the measures taken, including through the provision of training courses, informational materials, and exercises

Incident reporting requirements

Like the approach introduced by the NIS2 Directive, the CER Directive imposes strict incident notification obligations on critical entities.

Specifically, within 24 hours of becoming aware of an incident, critical entities have to notify the competent authorities and the SPC of any major incidents – defined as physical events that could significantly disrupt the provision of essential services, taking into account the number and percentage of users affected, the duration of the disruption, and the geographical area affected.

This initial “early warning” notification must be followed by a detailed incident report within 30 days. These notifications must include all relevant information to help the competent authorities and SPC understand the nature, cause, and potential consequences of the incident, including any possible cross-border impacts.

What are the sanctions?

Failure to comply with these obligations can result in substantial penalties for critical entities, with compliance monitored by the relevant competent authorities. Specifically, following a report of noncompliance by the competent authorities, administrative sanctions ranging from EUR25,000 to EUR125,000 may be imposed for certain violations, such as failing to conduct a risk assessment, not implementing required security measures, or deficiencies in reporting major incidents. Additionally, a fine of EUR10,000 to EUR50,000 may be imposed on critical entities that fail to provide requested information when asked by the competent authorities.

These sanctions differ significantly from those under the NIS2 Directive, which can impose fines of up to EUR10 million or 2% of the entity's total annual worldwide turnover from the previous financial year, whichever is higher.

Author: Giulia Zappaterra

 

Intellectual Property
Unified Patent Court: Requirements for establishing security for costs and burden of proof

On 17 September 2024, the Court of Appeal of the UPC issued an interesting judgement on the topic of security for costs. This mechanism is provided for under Article 69(4) of the UPCA and regulated by Rule 158. According to this rule, at any stage of the proceedings, upon a substantiated request from a party, the court can order the opposing party to provide, within a certain timeframe, appropriate security for the legal costs that the requesting party might have to reimburse.

The Court of Appeal's decision follows a judgement issued by the Munich local division and reforms it. In the first instance, the plaintiff, a German automobile company that brought a patent infringement claim before the Munich local division, had requested an order requiring the US-based defendant, operating in the electronic engineering sector, to provide security.

The Court of First Instance, after identifying some necessary requirements for granting the security, denied the request. One of the key criteria highlighted by the Munich local division was that the financial situation of the opposing party should be compromised to the extent that there was reasonable concern about its ability to comply with a payment order issued by the court or about the excessive burden of any enforcement proceedings. As for the burden of proof, the judges of the local division clarified that while the plaintiff has to provide detailed and substantiated evidence supporting their request, the other party must precisely contest the facts and reasons presented by the plaintiff. This principle aligns with what's known in some legal systems as the “proximity of evidence” principle, given that the opposing party has easier access to data concerning their financial and asset situation. In this specific case, the arguments presented by the automobile company, including the fact that the US location of the defendant's headquarters would complicate the enforcement of any decision by the UPC, were deemed neither convincing nor sufficient to justify the request for security, which the local division denied.

In the ruling under discussion, the judges in Luxembourg, while reaffirming what was established in the first instance regarding the burden of proof on the plaintiff, reached an opposite conclusion. Specifically, in the view of the Court of Appeal, the local division had erred in evaluating the evidence presented by the automobile company as “generic allegations,” imposing an excessively heavy burden of proof on the claimant. On the contrary, according to the court, it was up to the opposing party to provide suitable evidence of its financial resources and its ability to comply with any order for the payment of costs, in line with the principle of proximity of evidence. Among other elements that the local division had wrongly emphasized, according to the court, was the acquisition of a patent portfolio, which the defendant had claimed could serve as adequate security in the event of non-payment of costs, but for which no details regarding the price were provided. The value of the purchased patents was also not necessarily indicative of the defendant’s solvency.

Based on these considerations, the Court of Appeal, overturning the local division's decision, ruled in favour of establishing security for costs of EUR400,000.

Authors: Laura Gastaldi, Noemi Canova

 

Gaming and Gambling

New tender for Italian online gaming licenses – Here are the FAQ!

With the upcoming tender for new Italian online gaming licenses, I have decided to publish some FAQ on the regime applicable to Italian online betting and gaming licenses.

The Italian Gaming Authority will award new online gaming licenses through a tender that's expected to be launched by November 2024 and should last 60 days. This is an important deadline, as a new tender for licenses can't take place for several years.

Below is an outline of the requirements that are likely to apply to these licenses, based on the current regime and the legislation establishing the new licensing regime. Minor changes may occur as a result of the publication of the Gaming Licensing Rules:

Q. Why do I need an Italian gaming license to enter the Italian market? My company already has a foreign license, so what are the advantages of an Italian license?

Offering games to people located in Italy without an Italian online gaming license is subject to criminal sanctions and tax penalties. In addition, access from Italy to domain names of unlicensed sites will be blocked by ISPs, and the new licensing regime includes measures to block payments to unlicensed sites.

Q. Is it necessary for my company to be incorporated in Italy or for the servers to be located in Italy to apply for an Italian license?

No, companies, their technical infrastructure and personnel can be located in any country of the European Economic Area. On the contrary, it will not be possible to locate the company and the infrastructure in non-EU countries such as the UK, Gibraltar, Alderney and the Isle of Man.

The possibility of locating the company holding the license abroad will result in significant tax savings, as the operator will only have to pay Italian gaming taxes, while not having to pay Italian corporate taxes. However, if the licensee has personnel, servers or points of sale for PVRs in Italy, the Italian tax authorities might question the existence of a permanent establishment for tax purposes. As such, determining the proper establishment in Italy is critical.

Q. Can I apply for an online gaming license now? How much will it cost?

The tender for new Italian licenses is expected to be launched by November 2024. There will be an unlimited number of licenses available at a fixed price of EUR7 million for a nine-year license. The application window is expected to last only 60 days and there's no indication as to when the new tender will take place. So companies should start preparing now.

Q. I'd like to apply for a casino license and a sports betting license, what is the price?

There is no separate license for casinos, sports betting or poker. Companies applying for an Italian remote gaming license will be granted an “umbrella” license covering all regulated games that are not subject to exclusive licenses. The offer is then subject to a technical approval process, which varies depending on the type of game.

Licenses will be granted to any company that meets the eligibility requirements, applies within the application window and pays the one-off license fee of EUR7 million.

Q. My Italian gaming license expires at the end of December 2024, what should I do?

The licenses of all online gaming operators will expire at the end of 2024. So all operators in the market have to apply for a new license if they wish to continue operating in Italy.

Q. Why should I enter the Italian gaming market?

Italy is the second largest gaming market in Europe after the UK. The full liberalization of sports betting and the new sports betting regulations complete the full offering of the Italian gaming market, which already includes casino games (including slots), poker, bingo, betting exchange, horse betting and betting on virtual events. In addition, the opportunities offered by eSports and fantasy games make the market even more attractive.

Q. But how can I market my offer with the Italian ban on gambling advertising?

As recent major sponsorship deals have shown, the Italian gambling advertising regime still allows for solutions that are considered compliant. It's necessary to adapt the offer to the specificities of the Italian gaming market.

Q. Let’s talk about technical issues, I have heard that operators will have to comply with strict technical requirements.

This is true, but the problem can be overcome by relying on the platform and services already approved by the regulator. Also, the technical approval process required by the ADM has now become much smoother, with fewer requirements in terms of technical documentation to be submitted to the regulator.

Q. What taxes are applicable to Italian remote gaming licenses?

The applicable tax regime is 25% of GGR for casino games and 24% of GGR for sports betting. In addition to these amounts, the new Italian online gaming licensing regime provides for the payment of a license fee set at 3% of the licensed operator’s net margin, calculated by deducting gaming taxes from GGR; and the operator’s obligation to invest an amount equal to 0.2% of its net revenues, but not exceeding EUR1 million per year, in information campaigns or responsible communication initiatives on topics to be determined annually by a government commission.

Author: Giulio Coraggio

Consumer Protection Cooperation urges European Commission to protect consumers' rights

In recent years, the video game industry has seen exponential growth, with an increasingly large and diverse audience. But with the expansion of the video game industry, the European Consumers’ Association has considered exposing commercial practices that jeopardise consumers’ rights, especially those of young people, in alleged violation of the European Directive 2011/83/EU on consumer rights, Directive 2005/29/EC on unfair commercial practices and Directive 93/13/EEC on unfair terms.

The CPC-Network (Consumer Protection Cooperation) urged the European Commission to take coordinated action to stop these practices and ensure that consumer rights are fully respected.

Allegedly unfair commercial practices in the video games sector

One of the most critical aspects concerns the lack of transparency in the pricing of virtual currencies used in games. Many online games include premium currencies that can be purchased with real money, but consumers, particularly younger consumers, often don't fully understand the real value of these currencies compared to local currencies. This leads to unconscious spending, facilitated by unclear information provided by game developers.

The European Consumers' Association has therefore asked for video game companies to be obliged to provide, in a clear and accessible manner, the equivalence between in-game and real currencies before the player makes a purchase. This will help consumers better understand the value of their spending and make more informed decisions.

Unfair clauses and lack of legal guarantee

Some developers reserve the right to withdraw game features at any time, exposing consumers to the loss of their virtual currencies without notice. Moreover, in many cases, companies can unilaterally change the value of in-game items without adequately informing users.

Protecting younger consumers

A particularly relevant issue is the protection of the most vulnerable consumers, ie children and adolescents, who make up a significant part of the video game audience but are often not fully aware of the economic consequences of their in-game purchases.

It was therefore proposed that:

  • in-game microtransactions be deactivated by default as a professional diligence measure. The activation of in-game purchases should be a conscious and deliberate choice by the consumer or, in the case of minors, by their parents;
  • a position paper be published that clearly explains the authorities' assessment of the challenged practices.

In Italy, the Italian Consumer Authority had already addressed the issue and the role of lootboxes in the national regulatory landscape by accepting the macro-commitments of some developers to adjust the information of their content.

Author: Vincenzo Giuffrè

 

Technology Media and Telecommunication

EC publishes report on the Future of Competitiveness in the EU

On 9 September the European Commission published Mario Draghi's report on the future of European competitiveness, titled “The Future of European Competitiveness.”

The report examines the challenges faced by industries and businesses in the Single Market and provides an analysis across various sectors, including telecommunications.

The report first highlights potential critical issues affecting the telecommunications sector, and then proposes recommendations to address them.

In particular, the report emphasizes the fragmentation of the telecommunications market in Europe. Unlike other countries where a few large operators dominate, the European market has a multitude of small and medium-sized players. The report attributes this fragmentation to ex-ante regulation and both EU and national competition policies, which have, on the one hand, favoured a plurality of players and, on the other hand, ensured low consumer prices.

The report goes on to identify factors that could negatively affect the European telecommunications industry, including the lack of harmonization in spectrum auctions to assign mobile frequencies across EU member states, services such as the Internet of Things and edge computing, which require relevant upfront investments by telecom operators, and the increasing management of network services by software, which poses a risk for telecom operators and traditional equipment providers of losing their role in the market.

Regarding objectives for the telecommunications sector, the report notes that it would take investment of around EUR200 billion to achieve the connectivity goals set for 2030 under the Digital Decade – namely, completing full gigabit coverage across the EU and implementing 5G networks in all populated areas.

Finally, the report highlights the potential adoption of an “EU Telecoms Act”, which would aim to:

  • harmonize regulations, for instance, in the area of merger control (to facilitate cross-border operations), as well as in spectrum licensing, cybersecurity, and interception at the European level;
  • incentivize the deployment of new infrastructures by defining cut-off dates beyond which older technologies (such as copper networks and 2G technology) can no longer be used;
  • introduce “passporting” for business-to-business (B2B) services, a hypothetical tool that would facilitate the provision of electronic communication services by operators, regardless of the client's country of establishment; and
  • coordinate technical standards for specific applications and technologies (such as edge computing and the Internet of Things) at the EU level.

Authors: Massimo D’Andrea, Flaminia Perna, Matilde Losa


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.

 
