
Innovation Law Insights

18 July 2024
AI Act

The AI Act has been published – what you need to know

The AI Act has been published in the Official Gazette of the European Union. Our team has published a guide in a legal design format on the most important legal aspects of the Act. Download the guide here.

 

Data Protection and Cybersecurity

The new Italian Cybersecurity Law: What does it mean for businesses?

On 2 July Law No. 90 of June 28, 2024 (Cybersecurity Law) was finally published in the Official Gazette. The law is the (long-suffering!) evolution of the Cybersecurity DDL that we had discussed in detail here.

The purpose of the Law is to strengthen Italy's cyber resilience. The Law introduces stringent requirements for public administrations, for entities falling under the Cybersecurity Perimeter, and for companies falling under the NIS1 Directive and, shortly, the NIS2 Directive. It also tightens penalties to counter cybercrime. In this article, although we provide an overview of the obligations falling on Public Administrations, we'll focus more on the impacts of the Cybersecurity Law on the private sector.

Impact on Governmental Bodies

With reference to governmental bodies, the Cybersecurity Law provides a detailed list of the entities it applies to. It ranges from central governmental bodies to metropolitan cities, and includes certain municipalities (for example, those with a population of more than 100,000 inhabitants or regional capitals) as well as urban and suburban public transport companies and local health agencies.

The Cybersecurity Law requires governmental bodies to comply with at least the following four obligations:

  • Have a cybersecurity structure in place that can develop cyber policies and procedures, ensure the adoption and updating of appropriate risk assessments on its systems, and plan and implement enhancement interventions to manage cyber risks with constant monitoring on security threats and system vulnerabilities.
  • Establish the figure of the cybersecurity contact person whose name should be communicated to ACN and who may also be an external person belonging to another administration.
  • Adopt an appropriate incident reporting system, within a maximum of 24 hours after knowledge of the incident for initial reporting and within a maximum of 72 hours for full reporting (in line with what will be expected in NIS2 Directive).
  • Adopt the interventions indicated by ACN, when specific vulnerabilities are identified, within 15 days of receiving the relevant communication.

Impact on private companies

Scope of application

The Cybersecurity Law doesn't only apply to the Public Administration but also to private companies, and specifically:

  • companies within the National Cybersecurity Perimeter;
  • companies subject to the NIS1 Directive, the list of which will soon be supplemented by companies to which the provisions of the NIS2 Directive will apply;
  • enterprises providing public communications networks or publicly accessible electronic communications services.

Computer incident reporting requirements

Several obligations apply to these entities, first and foremost those related to notifications in case of cyber incidents.

In this regard, the approach differs depending on the extent and type of assets involved. Specifically, the entities included in the National Cybersecurity Perimeter must:

  • with reference to the lists of ICT assets, including networks, information systems and IT services whose malfunction, interruption or misuse may adversely affect national security, notify the Computer Security Incident Response Team (CSIRT) of any security incidents in accordance with the criteria and methods defined by the implementing decree DPCM No. 81/2021;
  • with reference to the lists of ICT goods that, unlike those listed above, are not subject to reporting to the Ministry of Enterprise and Made in Italy, notify the incident within:
    • a maximum of 24 hours from the knowledge of the incident for the so-called first report; and
    • a maximum of 72 hours from knowledge of the incident for full notification.

These timelines are in line with the NIS2 Directive. Once transposed in Italy through a decree expected to be adopted soon, it will impose a 24-hour notification deadline for companies within its scope to send an "early warning" which must be followed by notification of a detailed analysis of the incident within 72 hours of knowledge of the incident.

Security measures – focus on encryption and troubleshooting obligations outlined by ACN

In addition to the provisions on cyber incident reporting, the Cybersecurity Law imposes a requirement to verify whether adopted IT systems that use cryptographic solutions comply with the guidelines on encryption and those on password retention provided by ACN and the Data Protection Authority.

The NIS2 Directive, albeit incidentally, stipulates as obligations for cybersecurity risk management measures the need for companies within its scope to adopt policies and procedures relating to the use of encryption.

The Cybersecurity Law also requires companies within its scope to take the remedial actions specified by ACN where ACN identifies vulnerable situations, remedying them within 15 days of receiving the relevant communication from ACN.

The Cybersecurity Law introduces specific criteria in public contracts for IT goods and services aimed at ensuring data confidentiality, integrity, and availability, in line with the need to protect national strategic interests. These criteria, along with incentives for the use of cybersecurity technologies from Italy, Europe, NATO countries, or other countries with collaboration agreements with the EU or NATO, will be defined by a Decree of the Prime Minister, to be issued within 120 days of the entry into force of the Cybersecurity Law. The decree will also detail the cases that affect national security.

In addition, in the context of procurement contracts for IT goods and services related to the protection of strategic national interests, and in relation to the essential elements of cybersecurity, contracting stations, including central purchasing bodies and private entities within the National Cybersecurity Perimeter, will have the following obligations and faculties:

  • apply the provisions of Articles 107, c. 2, and 108, c. 10, of Legislative Decree 36/2023 (Public Contracts Code) if the bid doesn't meet the essential elements of cybersecurity defined in the future Decree of the Prime Minister;
  • always consider the essential elements of cybersecurity in the quality assessment to determine the best value for money for the award;
  • include cybersecurity elements among the minimum bid requirements when using the lowest price criterion, as stipulated in Article 108, c. 3, of the Public Contracts Code;
  • establish a maximum limit of 10% for the economic score when using the most economically advantageous offer criterion, in accordance with Article 108, c. 4, of the Public Contracts Code, in the evaluation of quality to determine the best value for money;
  • provide, in the cases indicated by the future Prime Ministerial Decree, award criteria for bids that include cybersecurity technologies from Italy, Europe, NATO countries, or other countries with collaboration agreements with the EU or NATO, to protect national security and achieve Italy's technological and strategic autonomy in cybersecurity.

Finally, the Cybersecurity Law also introduces a reform of cybercrimes, which is not discussed in detail in this article but which deals with the crime of cyber extortion, as well as the harmonization with the provisions on the administrative liability of entities under Legislative Decree 231 of 2001.

To close the circle, however, we continue to wait for the long-awaited decree transposing the NIS2 Directive that will bring a new change to the national cybersecurity sector.

Authors: Giorgia Carneri and Giulia Zappaterra

 

Intellectual Property

European Regulation 2024/1781: Sustainability and traceability of products

On 13 June, the European Regulation 2024/1781 for defining ecodesign requirements for sustainable products was published in the EU Official Journal. The regulation will officially come into force on 18 July 2024.

The Regulation is part of a broader framework of measures adopted by the European Commission aimed at achieving the goals set forth in the 2020 Circular Economy Action Plan. This package of measures, adopted by the Commission in 2022, includes the Directive 2024/825 on Greenwashing and aims to double the circularity rate in material use, improve energy performance efficiency, and increase the environmental sustainability of products placed on the EU market.

These initiatives reflect a new awareness of the unnecessary negative environmental impact caused by the introduction of large quantities of products into the market. It's undeniable that technological innovation has increased consumers' dependence on immediate access to any type of product. The regulation aims to address this issue by raising awareness among manufacturers. In doing so, the European Commission has prioritized product categories with a high environmental impact, including chemicals, electrical and electronic products, and textiles (especially clothing and footwear).

With regard to textiles, the new European Regulation will introduce the Digital Product Passport (DPP) to address the issue of "fast fashion" production and to improve social and environmental sustainability. The DPP will be a digital identity card for products, components, and materials, providing consumers with detailed information about the product's supply chain and enabling authorities to verify compliance with legal obligations regarding sustainability and circular economy.

The European Regulation sets out the requirements for the DPP by specifying in Chapter III the information to be included, the operational requirements and the technical and operational details. The passport will have to include essential product parameters such as durability and environmental and carbon footprints, allowing consumers to assess the environmental impact of their purchases. It will also have to provide guidance on recycling and end-of-life management, giving clear guidance on how to deal with the product at the end of its life. Finally, it will need to track and report substances of concern to ensure transparency and safety for consumers and the environment. It will then be up to each brand to decide on the internal communication strategy to implement this obligation. Some brands have already introduced new technologies involving chips, tags, or QR codes in individual garments, allowing consumers to discover the origins of the materials that make up the garment.

The European Commission reiterates the importance of empowering consumers and guiding their choices towards more sustainable consumption by providing them with clear and understandable environmental information.

It will be interesting to see how the fashion industry reacts to the new Regulation, which is undoubtedly an excellent opportunity for companies to engage with their customers on issues of great sensitivity and to invest in technological innovation to develop original solutions that can enhance the shopping experience.

Authors: Valentina Mazza and Maria Vittoria Pessina

Trademark opposition proceedings: New operational guidance on filing procedures

With its Circular no. 629 of 30 May 2024, the Italian IPO has issued new operational indications concerning the filing of documents related to and resulting from the first filing of an opposition against the registration of a trademark.

The provisions will be applicable from 15 July 2024 for new proceedings and for ongoing proceedings for which the filing deadlines have not yet expired.

The aim is to optimize administrative action by ensuring greater security, speed and efficiency in managing the files of the proceedings concerned.

The recourse to the transmission of paper documents to be included in the opposition file will be reduced as much as possible and the transmission of the same on a magnetic support (CD/DVD) will be eliminated. This will complete the process of digitalization and dematerialization of documents.

The table below reproduces the main information contained in the circular, with the following preliminary remarks:

  • all documents in digital format must be filed in PDF/A format;
  • only documents filed in accordance with the document types indicated in column 2 will be taken into consideration;
  • in the case of paper submissions, the maximum size of the documents, including annexes, is set at 100 pages (50 sheets), with a minimum font size of 11;
  • for the documents listed below, only one submission is allowed: the subsequent submission (by whatever means) of a document of the same type will be considered to cancel and replace the previous submission.
Document to be filed, provided by the CPI

Type of document to be used, as specified in the drop-down menu of the online filing portal:
Statement of the opponent, ex art. 176 par. 4 CPI

Maximum size allowed:
25 MB

Type of request or application through which the document may be filed:
Opposition (first filing), withdrawal of reservation, reply to relief, supplement to documents, rectification of documents (the latter only from the dashboard), all to be linked to the opposition number.

Type of document to be used, as specified in the drop-down menu of the online filing portal:
Proof of use, ex Article 178 CPI

Maximum size allowed:
25 MB

Type of request or application through which the document may be filed:
Opposition (first filing), withdrawal of reservation, reply to relief, supplementary documents, correction of documents (the latter only from the dashboard), all to be linked to the opposition number.

Type of document to be used, as specified in the drop-down menu of the online filing portal:
Deductions of the applicant for the opposing trademark pursuant to Article 178 CPI

Maximum size allowed:
25 MB

Type of request or application through which the document may be filed:
Various consequences, withdrawal of reservation, reply to relief, correction of documents (only from the dashboard), to be linked to the opposition number.