18 July 2024 | 14 minute read

Innovation Law Insights

18 July 2024
AI Act

The AI Act has been published – what you need to know

The AI Act has been published in the Official Gazette of the European Union. Our team has published a guide in a legal design format on the most important legal aspects of the Act. Download the guide here.

 

Data Protection and Cybersecurity

The new Italian Cybersecurity Law: What does it mean for businesses?

On 2 July Law No. 90 of June 28, 2024 (Cybersecurity Law) was finally published in the Official Gazette. The law is the (long-suffering!) evolution of the Cybersecurity DDL that we had discussed in detail here.

The purpose of the Law is to strengthen Italy's cyber resilience. The Law introduces stringent requirements for public administrations, for entities falling under the Cybersecurity Perimeter, and for companies falling under the NIS1 Directive and, shortly, the NIS2 Directive. It also tightens penalties to counter cybercrime. In this article, although we provide an overview of the obligations falling on Public Administrations, we'll focus more on the impacts of the Cybersecurity Law on the private sector.

Impact on Governmental Bodies

With reference to governmental bodies, the Cybersecurity Law provides a detailed list of the entities it applies to. The list ranges from central governmental bodies to metropolitan cities, including certain municipalities (for example, those with a population of more than 100,000 inhabitants or regional capitals) as well as urban and suburban public transport companies and local health agencies.

The Cybersecurity Law requires governmental bodies to comply with at least the following four obligations:

  • Have a cybersecurity structure in place that can develop cyber policies and procedures, ensure the adoption and updating of appropriate risk assessments on its systems, and plan and implement enhancement interventions to manage cyber risks with constant monitoring on security threats and system vulnerabilities.
  • Establish the figure of the cybersecurity contact person whose name should be communicated to ACN and who may also be an external person belonging to another administration.
  • Adopt an appropriate incident reporting system, within a maximum of 24 hours after knowledge of the incident for initial reporting and within a maximum of 72 hours for full reporting (in line with what will be expected in NIS2 Directive).
  • Provide for the adoption of the interventions indicated by ACN when specific vulnerabilities are identified within 15 days of receiving the specific communication.

Impact on private companies

Scope of application

The Cybersecurity Law doesn't only apply to the Public Administration but also to private companies, and specifically:

  • companies within the National Cybersecurity Perimeter;
  • companies subject to the NIS1 Directive, the list of which will soon be supplemented by companies to which the provisions of the NIS2 Directive will apply;
  • enterprises providing public communications networks or publicly accessible electronic communications services.

Computer incident reporting requirements

Several obligations apply to these entities, first and foremost those related to notifications in case of cyber incidents.

In this regard, the approach differs depending on the extent and type of assets involved. Specifically, the entities included in the National Cybersecurity Perimeter must:

  • with reference to the lists of ICT assets, including networks, information systems and IT services whose malfunction, interruption or misuse may adversely affect national security, notify the Computer Security Incident Response Team (CSIRT) of any security incidents in accordance with the criteria and methods defined by the implementing decree DPCM No. 81/2021;
  • with reference to the lists of ICT assets that, unlike those listed above, are not subject to reporting to the Ministry of Enterprise and Made in Italy, notify incidents within:
    • a maximum of 24 hours from the knowledge of the incident for the so-called first report; and
    • a maximum of 72 hours from knowledge of the incident for full notification.

These timelines are in line with the NIS2 Directive. Once transposed in Italy through a decree expected to be adopted soon, it will impose a 24-hour notification deadline for companies within its scope to send an "early warning" which must be followed by notification of a detailed analysis of the incident within 72 hours of knowledge of the incident.

Security measures – focus on encryption and troubleshooting obligations outlined by ACN

In addition to the provisions on cyber incident reporting, the Cybersecurity Law imposes a requirement to verify whether adopted IT systems that use cryptographic solutions comply with the guidelines on encryption and those on password retention provided by ACN and the Data Protection Authority.

The NIS2 Directive, albeit incidentally, includes among its cybersecurity risk management obligations the need for companies within its scope to adopt policies and procedures relating to the use of encryption.

The Cybersecurity Law also requires companies within its scope to take the remedial actions specified by ACN where ACN identifies vulnerable situations, remedying them within 15 days of receiving the relevant communication from ACN.

The Cybersecurity Law introduces specific criteria in public contracts for IT goods and services aimed at ensuring data confidentiality, integrity, and availability, in line with the need to protect national strategic interests. These criteria, along with incentives for the use of cybersecurity technologies from Italy, Europe, NATO countries, or other countries with collaboration agreements with the EU or NATO, will be defined by a Decree of the Prime Minister, to be issued within 120 days of the entry into force of the Cybersecurity Law. The decree will also detail the cases that affect national security.

In addition, in the context of procurement contracts for IT goods and services related to the protection of strategic national interests, and in relation to the essential elements of cybersecurity, contracting authorities, including central purchasing bodies and private entities within the National Cybersecurity Perimeter, will have the following obligations and powers:

  • apply the provisions of Articles 107, c. 2, and 108, c. 10, of Legislative Decree 36/2023 (Public Contracts Code) if the bid doesn't meet the essential elements of cybersecurity defined in the future Decree of the Prime Minister;
  • always consider the essential elements of cybersecurity in the quality assessment to determine the best value for money for the award;
  • include cybersecurity elements among the minimum bid requirements when using the lowest price criterion, as stipulated in Article 108, c. 3, of the Public Contracts Code;
  • establish a maximum limit of 10% for the economic score when using the most economically advantageous offer criterion, in accordance with Article 108, c. 4, of the Public Contracts Code, in the evaluation of quality to determine the best value for money;
  • provide, in the cases indicated by the future Prime Ministerial Decree, award criteria for bids that include cybersecurity technologies from Italy, Europe, NATO countries, or other countries with collaboration agreements with the EU or NATO, to protect national security and achieve Italy's technological and strategic autonomy in cybersecurity.

Finally, the Cybersecurity Law also introduces a reform of cybercrimes, which is not discussed in detail in this article but which deals with the crime of cyber extortion, as well as the harmonization with the provisions on the administrative liability of entities under Legislative Decree 231 of 2001.

To close the circle, however, we continue to wait for the long-awaited decree transposing the NIS2 Directive that will bring a new change to the national cybersecurity sector.

Authors: Giorgia Carneri and Giulia Zappaterra

 

Intellectual Property

European Regulation 2024/1781: Sustainability and traceability of products

On 13 June, the European Regulation 2024/1781 for defining ecodesign requirements for sustainable products was published in the EU Official Journal. The regulation will officially come into force on 18 July 2024.

The Regulation is part of a broader framework of measures adopted by the European Commission aimed at achieving the goals set forth in the 2020 Circular Economy Action Plan. This package of measures, adopted by the Commission in 2022, includes the Directive 2024/825 on Greenwashing and aims to double the circularity rate in material use, improve energy performance efficiency, and increase the environmental sustainability of products placed on the EU market.

These initiatives reflect a new awareness of the unnecessary negative environmental impact caused by the introduction of large quantities of products into the market. It's undeniable that technological innovation has increased consumers' dependence on immediate access to any type of product. The regulation aims to address this issue by raising awareness among manufacturers. In doing so, the European Commission has prioritized product categories with a high environmental impact, including chemicals, electrical, electronic products, and textiles (especially clothing and footwear).

With regard to textiles, the new European Regulation will introduce the Digital Product Passport (DPP) to address the issue of "fast fashion" production and to improve social and environmental sustainability. The DPP will be a digital identity card for products, components, and materials, providing consumers with detailed information about the product's supply chain and enabling authorities to verify compliance with legal obligations regarding sustainability and circular economy.

The European Regulation sets out the requirements for the DPP by specifying in Chapter III the information to be included, the operational requirements and the technical and operational details. The passport will have to include essential product parameters such as durability and environmental and carbon footprints, allowing consumers to assess the environmental impact of their purchases. It will also have to provide guidance on recycling and end-of-life management, giving clear guidance on how to deal with the product at the end of its life. Finally, it will need to track and report substances of concern to ensure transparency and safety for consumers and the environment. It will then be up to each brand to decide on the internal communication strategy to implement this obligation. Some brands have already introduced new technologies involving chips, tags, or QR codes in individual garments, allowing consumers to discover the origins of the materials that make up the garment.

The European Commission reiterates the importance of empowering consumers and guiding their choices towards more sustainable consumption by providing them with clear and understandable environmental information.

It will be interesting to see how the fashion industry reacts to the new Regulation, which is undoubtedly an excellent opportunity for companies to engage with their customers on issues of great sensitivity and to invest in technological innovation to develop original solutions that can enhance the shopping experience.

Authors: Valentina Mazza and Maria Vittoria Pessina

Trademark opposition proceedings: New operational guidance on filing procedures

With its Circular no. 629 of 30 May 2024, the Italian IPO has issued new operational indications concerning the filing of documents related to and resulting from the first filing of an opposition against the registration of a trademark.

The provisions will be applicable from 15 July 2024 for new proceedings and for ongoing proceedings for which the filing deadlines have not yet expired.

The aim is to optimize administrative action by ensuring greater security, speed and efficiency in managing the files of the proceedings concerned.

The recourse to the transmission of paper documents to be included in the opposition file will be reduced as much as possible and the transmission of the same on a magnetic support (CD/DVD) will be eliminated. This will complete the process of digitalization and dematerialization of documents.

The table below reproduces the main information contained in the circular, with the following preliminary remarks:

  • all documents in digital format must be filed in PDF/A format;
  • only documents filed in accordance with the document types indicated in column 2 will be taken into consideration;
  • in the case of paper submissions, the maximum size of the documents, including annexes, is set at 100 pages (50 sheets), with a minimum font size of 11;
  • for the documents listed below, only one submission is allowed: the subsequent submission (by whatever means) of a document of the same type will be considered to cancel and replace the previous submission.

Document to be filed, provided by the CPI

Type of document to be used, as specified in the drop-down menu of the online filing portal:
Statement of the opponent, ex art. 176 par. 4 CPI

Maximum size allowed:
25 MB

Type of request or application through which the document may be filed:
Opposition (first filing), withdrawal of reservation, reply to relief, supplement to documents, rectification of documents (the latter only from the dashboard), all to be linked to the opposition number.

Type of document to be used, as specified in the drop-down menu of the online filing portal:
Proof of use, ex Article 178 CPI

Maximum size allowed:
25 MB

Type of request or application through which the document may be filed:
Opposition (first filing), withdrawal of reservation, reply to relief, supplementary documents, correction of documents (the latter only from the dashboard), all to be linked to the opposition number.

Type of document to be used, as specified in the drop-down menu of the online filing portal:
Deductions of the applicant for the opposing trademark pursuant to Article 178 CPI

Maximum size allowed:
25 MB

Type of request or application through which the document may be filed:
Various consequences, withdrawal of reservation, reply to relief, correction of documents (only from the dashboard), to be linked to the opposition number.

Author: Tamara D’Angeli

 

Life Sciences

New Decree by the Ministry of Health on CBD: Regulatory updates and implications

On 6 July 2024, the Ministry of Health published the Decree of 27 June 2024 (Decree) in the Official Gazette. It included "compositions for oral administration of cannabidiol obtained from cannabis extracts" in Section B of the Table on medicinal products of the consolidated laws regulating narcotics and psychotropic substances (Presidential Decree 309/1990).

Legislative process

The Decree, effective 30 days after publication, repealed ministerial decrees of 1 October 2020, 28 October 2020, and 7 August 2023. The current regulation marks the latest step in a legislative process that began in 2020, characterized by a series of decrees and institutional opinions.

On 1 October 2020, the Ministry of Health updated the tables listing narcotic and psychotropic substances, including cannabidiol (CBD) in Section B of the table on medicinal products, subject to medical prescription. However, its implementation was suspended on 28 October 2020, pending further evaluations by the National Institute of Health and the National Health Council.

The decree of 7 August 2023 lifted the suspension, confirming the effectiveness of the decree of 1 October 2020, which categorized CBD among narcotic substances. This decree was challenged by the trade association Imprenditori Canapa Italia, citing insufficient scientific opinions and uncertainties regarding the percentage-based effects of CBD. The Regional Administrative Court of Lazio granted the association's request for interim suspension, citing deficiencies in preliminary investigations and lack of clarity on the concrete risks of physical or psychological dependence.

In response, the Ministry of Health initiated a renewed assessment, seeking opinions from the National Institute of Health and the National Health Council. The opinions, received on 17 May and 19 June 2024, supported the conditions justifying the inclusion of CBD-based compositions in Section B of the table of medicinal products for public health protection. Consequently, the Ministry issued a new decree, incorporating these opinions and officially including CBD-based compositions in the table.

The future of CBD in Italy

CBD is a cannabinoid found in Cannabis sativa L, different from tetrahydrocannabinol (THC) because of its lack of psychoactive effects. This characteristic has generated increasing interest in its use and led to its inclusion in a wide range of products.

In 2017, the World Health Organization concluded that CBD poses no significant risk of dependency or harm to health, favouring its therapeutic application and trade in many countries. The European Court of Justice further confirmed in 2020 that CBD has no psychotropic effects or harmful effects on human health based on current scientific knowledge.

With the Decree coming into force, CBD-containing products for oral use will be classified as medicinal products, specifically narcotics. Consequently, their sale will be permitted only in pharmacies and strictly upon medical prescription. Manufacturing these products will require authorization for production and for handling narcotic substances, along with fulfilling other regulatory requirements.

The Decree marks a step forward in regulating CBD in Italy, but the debate on its classification as a narcotic substance remains open. It will be crucial to monitor future developments and the reactions of industry stakeholders, patients, and the scientific community to understand how regulations and CBD use will evolve in Italy.

Author: Nadia Feola


Innovation Law Insights is compiled by DLA Piper lawyers coordinated by Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio and Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta and Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here. And check out a DLA Piper publication outlining Gambling regulation here, a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.
