New EU digital regulation: what to bear in mind?
Most companies today face technological and digital transformation processes, developing, producing or integrating connected products and digital services or simply buying and using them.
Most of them have one thing in common: they are in the path of the avalanche of regulations and directives adopted by the European legislator to regulate the digital world (from online services and platforms to connected products and the IoT).
Below, we explore some of these regulations and directives and propose a structural approach, oriented towards a holistic rather than a fragmented compliance. In our view, a unified approach is the best way to consider the relationships and possible overlaps between the various regulations in order to allocate time and economic resources profitably. That being said, a gradual and more vertical approach to compliance with the various regulations in a selective manner and with decreasing priorities remains a possible alternative.
- AI
The AI Act (Regulation (EU) 2024/1689) is a European regulation that introduces rules for both the development and the use of Artificial Intelligence. Here are some (of the many) practical aspects to consider:
- Classification on the basis of risk: the AI Act divides AI systems on the basis of risk; it distinguishes between prohibited AI practices, high-risk AI systems, and other systems. For example, one prohibited AI practice is the use of subliminal techniques to induce a person to take a certain business decision that they would not otherwise have made, while an example of a high-risk system is a biometric recognition system.
- Establishment of a risk management system and drafting of technical documentation: these are requirements that apply to suppliers of high-risk AI systems, but that serve to ensure that AI tools are used correctly throughout the supply chain.
- Correct use of AI tools: deployers must ensure that AI systems are used correctly according to the supplier's instructions for use.
- Impact assessment and continuous monitoring: deployers must carry out a risk analysis and must act promptly if they detect malfunctions or potential risks.
- Transparency: there are also transparency requirements for deployers, for example, explicitly disclosing when a user is interacting with an AI chatbot or with scoring systems based on AI models.
- Penalties: fines of up to €35 million or up to 7% of annual global turnover, whichever is higher.
The AI Act is not the only factor: AI compliance on the basis of existing legislation
When carrying out legal assessments of AI tools developed or used by the business, complying with the AI Act is (or rather, will be) only a portion of the compliance activities. In certain cases, in fact, it is already appropriate to carry out a risk assessment on the basis of existing legislation, for example, on:
- Intellectual Property
- Consumer Protection
- Personal Data Protection
- Product safety
- Contractual and non-contractual liability.
Generally speaking, for all that concerns future digital regulation, the existing rules on data protection, consumer protection and unfair commercial practices remain valid.
To learn more, please see: Succeeding with AI.
- Internet of Things and data
The Data Act (Regulation (EU) 2023/2854) represents a real revolution in the Internet of Things (IoT) and cloud services sector. This regulation will, among other things, allow users to access and share both personal data and non-personal data obtained and generated by their connected devices (smartwatches, connected cars, even industrial machinery, etc.), obliging providers to make this data available to users (with some limited exceptions, for example, in relation to trade secrets). In addition, the Data Act will facilitate the transition between data processing services (mainly cloud and edge) and their interoperability.
Highlights of the Data Act:
- Access and sharing of data, including non-personal data
- New rights that also apply to business users
- Possibility of sharing data from connected devices with third parties, including for commercial purposes
- Easier switching and interoperability between data processing services.
The Data Act seems to be overshadowed by the AI Act but in fact represents an equally disruptive regulation in the field of digital regulation.
To find out more, please see: Insight: Data Act Pills; Webinar Data Act: nuovi diritti di accesso ai dati nel mondo IoT e di condivisione dei dati con terzi; Webinar Data Act: clausole contrattuali abusive, passaggio tra servizi di trattamento dei dati e interoperabilità di dati, servizi di condivisione dei dati e spazi di dati.
- Data intermediation services
The Data Governance Act (Regulation (EU) 2022/868) creates a legal framework to facilitate data sharing in the EU through various measures:
- Access to protected Public Administration (PA) data: until now, PAs have (not always successfully) published datasets in their possession, insofar as they are not confidential or protected (for example, by intellectual property rights). With the Data Governance Act, the PA is urged to provide access even to these confidential or protected data, subject to certain conditions. This should make it easier for companies and researchers to access and reuse such data, potentially leading to new services and scientific discoveries.
- Data intermediaries: to really create a data market, new data intermediation services will emerge, such as data marketplaces, where companies will make certain data available to other companies (either for a fee or in exchange for other utilities). In effect, therefore, new players will emerge such as 'data intermediation services providers', helping to connect those who have the data with those who need it. The Data Governance Act regulates these services and imposes reporting obligations to the relevant authorities and a number of additional requirements (e.g. in relation to the format in which data are organised, additional services, interoperability).
- Data altruism: the Data Governance Act includes provisions to facilitate the voluntary sharing of data without the receipt of remuneration, for example, for medical research.
- Accessibility
Directive (EU) 2019/882, known as the European Accessibility Act (EAA), aims to increase digital inclusiveness. This directive ensures that certain products and services are accessible to people with disabilities. In Italy, the directive has already been transposed by means of Legislative Decree no. 82/2022.
Not everything in the digital environment is covered by this legislation. The main products and services to which it refers are:
- Computers, tablets and smartphones
- E-readers and digital reading devices
- E-commerce websites
- Online banking
- ATMs for public services
- E-books and digital content.
This regulation has a concrete impact on the UX/UI of digital products and services. In fact, in many cases it will require the design of products and services to be revised or even rethought and certified: for instance, compliance with accessibility requirements becomes a prerequisite for affixing CE marking on products, and, as regards services, the provider is obliged to present a set of information on accessibility in its general terms and conditions or an equivalent document.
To learn more, please see: The EU Accessibility Act – Time to start implementation projects now
- Digital Product Passport
Regulation (EU) 2024/1781 on the ecodesign requirements for sustainable products introduces the concept of 'digital product passport'. This innovative tool will allow up-to-date information on product characteristics to be shared electronically between companies, authorities and consumers. By scanning a QR Code (or other data carrier) placed directly on the product, it will be possible to access the information needed to trace the entire product chain, from its production or importation to its disposal.
Digital product passport features:
- Information on the product's sustainability and environmental impact: the digital product passport will enable economic operators and authorities to verify the product's compliance with the durability, repairability, reusability, recyclability and energy efficiency requirements of the regulation and will help consumers to make informed purchasing choices.
- Mandatory: products may only be placed on the market or put into service if accompanied by the relevant digital product passport. The technical specifications of digital product passports will be defined by the European Commission through the adoption of delegated acts, with which economic operators will have to comply within 18 months.
- Repair and recycling instructions: among others, professional repairers, refurbishers, remanufacturers, recyclers and retailers will have (direct and free) access to digital product passports.
- Traceability throughout the supply chain: the digital product passport will be associated with unique product, operator and manufacturing facility site identification codes, which will be stored in a digital registry, to be established by 19 July 2026. In addition, a publicly accessible web portal will be created, through which stakeholders will be able to search and compare the information contained in digital product passports.
To learn more, please see: What is the EU Digital Product Passport and who is it for?
- Product Safety in the digital age and liability
Regulation (EU) 2023/988 on general product safety updates existing rules, adapting them to the digital age. These new rules ensure, among other things, that products sold online are just as safe as those in bricks-and-mortar shops.
Key points of the regulation:
- Applies to products not covered by sector-specific regulations
- Unlike the previous legislation, it also expressly applies to the online sale of products
- It imposes specific obligations on providers of online marketplaces.
Furthermore, Directive (EU) 2024/2853 on liability for defective products is intended to reform product liability legislation. This legislation has important implications:
- Software itself is considered a 'product', so product liability is also extended to software, whether integrated in other products or standalone
- Extension of the definition of damage to include medically recognised and medically certified damage to psychological health as well as damage resulting from the destruction or corruption of data not used exclusively for professional purposes
- Extending liability to all actors in the product marketing supply chain and not only to the producer, where relevant.
- NIS2 Directive / Cybersecurity
Directive 2022/2555 (NIS2 Directive) aims to improve IT security in various sectors such as:
- those considered of "high criticality", e.g. health, digital infrastructure (for instance, cloud computing service providers), drinking water, electricity and transport, and
- "other critical sectors", for example, postal services, medical device, computer and vehicle manufacturing, online marketplaces, social networks and research.
Depending on the sector, size and other parameters, the directive distinguishes between 'essential entities' and 'important entities', and the security obligations arising from the directive may vary in individual Member States depending on the category in which a company falls.
The main obligations under the directive include the adoption of robust security measures, risk management, timely reporting of security incidents and cooperation between national authorities. The directive was transposed in Italy by means of Legislative Decree no. 138/2024.
- Cyber-resilience
Regulation (EU) 2024/2847 (Cyber Resilience Act) aims to make physical products containing digital elements (for example, a connected industrial machine, a smartwatch, a tablet) more resistant to cyber-attacks.
Main aspects of the regulation:
- Security obligations for manufacturers of devices with digital elements
- IT security requirements integrated into the product design and development phase
- Greater transparency on product security features
- Introduction of the 'minimisation principle' for data use (extending to all data processed in the context of products with digital elements, not just personal data).
We can help you identify the regulations applicable to the products/services offered or used and the relevant obligations, set priorities and draw up a concrete action plan that takes into account both the legal and IT sides.
We try to accompany clients with a holistic approach, as:
- nowadays, compliance does not mean only updating contracts or drafting policies. Many regulations require adjustments in the technology infrastructure, source code, interfaces (UI) and user experience (UX). Legal experts and technicians (that is, technology experts such as programmers, data architects, data scientists, etc.) must work together;
- we believe that no compliance action can be enacted without an overall view. There are many regulations and just as many points to clarify and risks of overlap. For example, it will not be possible to update the UX/UI of a product to comply with the Data Act without also taking into account the cybersecurity obligations of the Cyber Resilience Act and the limitations on the processing of personal data arising from the GDPR.
To learn more, please find below our Digital Regulatory Timeline and suggested Action Plan.
We can help you keep track of all the rules having an impact in the digital sphere, with the relevant dates of application.
We can help you define and implement a four-phase action plan.