Innovation Law Insights – 28 August 2025

Data Protection and Cybersecurity 

Data Act effective from 12 September 2025: quick guide to the main obligations and requirements

On 12 September 2025, most of the provisions of Regulation (EU) 2023/2854 (Data Act) will enter into force. By that date, many organizations will have to take the necessary measures to ensure compliance.

The Data Act is part of the European strategy for the data economy, with the aim of creating a single market for data where access and sharing are simple, secure, and transparent, promoting innovation and competitiveness.

The Regulation imposes obligations on various economic operators, including in particular:

• companies active in the IoT sector, such as manufacturers, sellers, lessors, renters of connected products, and providers of related services;
• data processing service providers, including a wide range of digital solutions (cloud services or edge services).

Below is an overview of the main impacts that will become relevant from 12 September 2025.

Main obligations for the IoT sector

Chapter II of the Data Act regulates connected products (e.g., smart vehicles, smart appliances) and related services. Operators in the sector must introduce measures to make data use more transparent and to ensure easy and secure access and sharing for users.

In particular:

• Pre-contractual information: sellers, lessors, lessees of connected products and providers of related services must provide users, prior to the conclusion of the contract, with the information specified in Articles 3(2) and 3(3) (e.g., type, format, estimated volume of data generated by the product or service).
• Access to data: data holders must allow users access to readily available data upon request, free of charge, in a secure, complete, structured, machine-readable format and, where technically possible, in real time.
• Sharing data with third parties: upon request by the user, data holders must make readily available data available to third parties designated by the user. Such sharing must take place under fair, reasonable, and non-discriminatory conditions, in compliance with security measures and the protection of commercial interests, trade secrets, and any personal data involved.
• Accessibility by design: where technically feasible, the design of connected products and services should be such as to allow the user direct access to the data generated. This obligation is not absolute, but a certain degree of discretion is granted to those who design connected products or related services.

Main obligations for data processing service providers

As mentioned above, the definition of “data processing services” includes a wide range of digital services, including, in particular, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).

For all these actors, the Data Act introduces obligations aimed at facilitating the transition of customers from one provider to another, reducing vendor lock-in.

In this perspective, the Regulation introduces a general obligation to remove-and not impose-pre-commercial, commercial, technical, contractual, and organizational obstacles that may prevent customers from:

• terminate, after the maximum notice period and the successful completion of the switching process, the data processing service contract;
• conclude new contracts with another data processing service provider covering the same type of service;
• transfer exportable data and digital resources to a different data processing service provider or to a local ICT infrastructure, even after benefiting from a free offer;
• achieve functional equivalence in the use of the new data processing service in the IT environment of another data processing service provider covering the equivalent service;
• disaggregate, where technically feasible, the data processing services from other data processing services provided by the same provider.

In any case, the rights of customers and the obligations of providers must be clearly defined in a written contract, which must be made available to the customer before signing. This contract must contain the specific clauses listed in Article 25(2) of the Data Act, aimed at facilitating data portability and regulating in detail the obligations of cooperation, assistance, and technical transparency of providers.

Finally, processing service providers will not only be required to review existing contracts, but will also have to adopt appropriate technical measures to ensure interoperability between services, in accordance with the provisions of Article 30 of the Regulation.

Next steps and regulatory uncertainties

As highlighted at the beginning, most of the provisions of the Data Act will enter into force on 12 September 2025. However, the European Commission’s implementing acts and the national legislative measures necessary for the implementation of the Regulation in Italy are still missing. It should be noted that the Data Act does not directly establish the fines applicable in the event of a breach of its provisions, but leaves it to the Member States to define the relevant rules.

In view of the upcoming entry into force of the Regulation, there is therefore still significant uncertainty, both in terms of interpretation and with regard to the concrete measures that companies will be required to take to comply. In this context, timely intervention by the European and national authorities appears desirable in order to ensure the uniform and effective implementation of the Data Act and to allow companies to plan the necessary organizational and technical adjustments in good time.

Author: Roxana Smeria

 

Technology, Media and Telecommunications

Digital Freedom Act and Digital Services Act: new rights for MSPs, new duties for VLOPs

On 8 August 2025, the key provisions of Regulation (EU) 2024/1083 on a common framework for media services (hereinafter, the Media Freedom Act or MFA) entered into force, amending Directive 2010/13/EU (hereinafter, the AVMSD), which defines minimum and binding standards at EU level to protect editorial independence, ownership transparency, and the protection of journalistic sources.

The new regulatory framework does not operate in isolation but works in synergy with Regulation (EU) 2022/2065 (hereinafter, the Digital Services Act or DSA), supplementing its general guarantees on content moderation with a special regime for media service providers (hereinafter, Media Service Providers or MSPs).

At the heart of this synergy lies Article 18 MFA, which introduces a strengthened procedure for Very Large Online Platforms (hereinafter, VLOPs) under Article 33, paragraphs 1 and 4, DSA, imposing new procedural obligations when removing or restricting content published by MSPs recognized as independent and responsible.

This is the latest step in the 20-year evolution of the liability regime for Internet Service Providers (hereinafter, ISPs) and, broadly, online intermediation service providers.

The journey begins with the “Good Samaritan clause” contained in Section 230 of the US Communications Decency Act of 1996, which granted broad immunity to passive ISPs in moderating content on their platforms. In Europe, the model was radicalized in the “notice and take down” of Directive 2000/31/EC on electronic commerce (hereinafter, the eCommerce Directive), which required hosting providers to remove illegal content “without delay” after becoming aware of it. Recently, the DSA, undisputed successor to the eCommerce Directive, introduced the “notice and action” mechanisms under Article 16, shifting the focus from mere content removal to preventive cooperation. With the MFA, a further step forward has been taken, and EU law imposes a legal obligation for structured dialogue between platforms, media, and competent authorities – which we could define as “notice and comment”.

1. Regulatory background to the Media Freedom Act

The MFA is part of the European Democracy Action Plan (hereinafter, the EDAP), adopted by the European Commission in November 2020 to strengthen the democratic resilience of the Union.

The EDAP is based on three strategic pillars:

• Free and fair elections: implemented, among other things, by Regulation (EU) 2024/900 on the transparency of political advertising, which imposes traceability and information requirements on advertisers and targeting criteria.
• Countering disinformation: strengthened by the Code of Practice on Disinformation, a co-regulatory instrument with online platforms dating back to February 2025, and by the provisions of the DSA.
• Media freedom and pluralism: the MFA is a bulwark of this, together with Directive (EU) 2024/1069 against vexatious legal actions (Strategic Lawsuits Against Public Participation or SLAPPs), adopted to protect journalists and activists from abusive legal proceedings.

The proposed regulation, presented on 16 September 2022, is based on Article 114 TFEU to harmonize national media regulations, ensuring the proper functioning of the internal market, including through the protection of an essential good such as free information.

After complex political negotiations, the text was approved by the European Parliament on 13 March 2024, by the Council on 26 March 2024, and formally commenced enterning into force from 8 November 2024.

2. The framework of the Media Freedom Act

The Media Freedom Act is divided into four chapters, 29 articles and outlines a variable regulatory geometry, imposing obligations both horizontally between players (e.g. VLOPS, MSP, etc.) and vertically on member states.

• Chapter I defines the subject matter and scope of the regulation (see Art. 1), establishing key definitions (see Art. 2). By including specific references to other EU acts – from Regulation (EU) 2019/1150 (hereinafter, the P2B Regulation) to Regulation (EU) 2016/679 (GDPR), to the DSA and Regulation (EU) 2022/1925 (DMA) – it is easy to see how the principle of non-prejudice has been respected: the MFA does not replace the general safeguards provided for the digital ecosystem, but rather supplements them with measures aimed at safeguarding pluralism and editorial independence.
• Chapter II (see Arts. 3-6) codifies the rights and obligations of media service users and providers: the right of the public to access a plurality of editorially independent content; enhanced protection of confidential sources and communications; the prohibition of spyware, subject to strict exceptions, with judicial authorization and proportionality control in accordance with Directive (EU) 2016/680 (LED); the obligation for public radio and television services to be independent in their appointments and funding; transparency regarding ownership and public funds received.
• Chapter III regulates the functioning of the new European Board for Media Services (hereinafter referred to as the Board), an independent body responsible for coordinating the application of the MFA (see Section 2), promoting cooperation between national authorities (see Section 3) and adopting opinions on cross-border issues (see Arts. 8-17). This chapter includes a Section 4 on digital media, which sets out a special micro-regime applicable to VLOPs. This section constitutes the operational core of the interaction between the Media Freedom Act and the Digital Services Act, in particular:
  • Article 18 requires VLOP providers to provide a self-declaration feature for MSPs compliant with the requirements set out in Article 6, paragraph 1, MFA. When a VLOP intends to suspend or restrict content from an MSP based on its T&Cs, it must provide reasons and allow 24 hours for a response before taking action. This obligation does not apply if the platform is acting in relation to illegal content or in the context of its DSA obligations on systemic risks (see Arts. 34-35 DSA), on the protection of minors/privacy/security (see Arts. 28 DSA), or Article 28-ter of the SMAV Directive. The MFA also prioritizes complaints (see Art. 11 P2B; Art. 20 DSA), provides for mediation and/or Online Dispute Resolution (ODR) (see Art. 12 P2B; Art. 21 DSA), and requires annual transparency on the measures taken towards the media (see Art. 18, paragraph 8).
  • The above mechanism is reinforced by Article 19, which establishes a structured dialogue between VLOPs, media service providers, and civil society, coordinated by the Board, with the aim of monitoring the application of Article 18, promoting media diversity, and ensuring compliance with codes of conduct and self-regulatory initiatives. The Committee reports the outcomes of these discussions to the Commission and, where possible, makes them public, creating a circuit of accountability that complements the transparency of the VLOPs’ annual reports under Article 18, paragraph 8.
  • The framework is completed by Article 20, which, from 8 May 2027, recognizes users’ right to personalize media offerings on devices and interfaces.
    Producers/developers/importers will have by design obligations to ensure ex ante the modifiability of default settings and the constant visibility of the identity of media service providers, in order to protect editorial recognition in the digital space.
    Finally, the same chapter introduces rules on transparent audience measurement (see Art. 24) and on the distribution of state advertising according to non-discriminatory criteria (see Art. 25).

• In conclusion, Chapter IV contains the final and transitional provisions, providing for monitoring and periodic evaluation mechanisms, specific amendments to the SMAV Directive, and differentiated deadlines for entry into force (see Arts. 26 and 29).

3. From Notice and Action to Notice and Comment: a new, qualitatively reinforced paradigm?

A comparison between Article 16 of the DSA and Article 18 of the MFA highlights a fascinating transformation in the legal architecture of online content moderation, marking a shift from a reactive model, geared towards the rapid removal of potentially harmful content, to an ideally dialogic and rights-based model, focused on the protection of pluralism and editorial independence.

• Article 16 DSA regulates notice and action mechanisms, requiring hosting service providers to provide clear, accessible, and intuitive electronic tools to enable any individual or entity to report content deemed illegal. The notification must be precise and adequately substantiated, indicate the exact location of the content (e.g., the URL), provide the identity of the reporting party, except in exceptional cases, and include a statement of good faith. When the report is compliant, it generates “actual knowledge” of the alleged infringement for the provider, triggering the obligation to act without delay, in a diligent, objective, and non-arbitrary manner. The DSA also requires that the reporter be informed of the receipt and outcome of the decision, with an indication of possible remedies, and imposes transparency on the use of automated tools.
• Article 18 MFA, on the other hand, introduces a specific regime for media service providers on VLOPs, granting them a set of procedural guarantees based on a key principle: prior hearing. The mechanism is triggered when the media provider, after declaring compliance with requirements of editorial independence, absence of political or state influence, and respect for professional standards, is subject to a decision to remove, restrict, or suspend content. In such cases, the platform is obliged to give prior notice of the reasons for the decision and to allow at least 24 hours for a response, assessing the comments received before proceeding. This scheme reverses the unilateral logic typical of “notice and action”, replacing it with a structured, transparent, and participatory process. In cases of repeated restrictions, the platform must engage in a structured dialogue in good faith with the provider, with the possibility of involving the Board established by the MFA, and, if no solution is found, mediation tools or extrajudicial mechanisms consistent with the DSA and the P2B Regulation may be used.

The relationship between the two instruments is therefore not one of mere overlap but of functional synergy. The DSA operates as a basic, uniform, and general framework aimed at ensuring a swift and proportionate response to illegal content, reducing exposure times and preventing immediate harm. The MFA intervenes in a more targeted area, introducing a special procedural right for media, which balances the need for timely intervention with the safeguarding of editorial independence and pluralism of information. Notice and action remains the backbone of enforcement but notice and comment adds a dimension of regulated and verifiable dialogue, preventing algorithmic decisions or summary interventions from irreversibly curtailing democratic debate.

4. Conclusions

Ultimately, the interaction between MFA and DSA creates a dual regulatory track in which swift action and certainty of enforcement are balanced by procedural guarantees and the protection of pluralism. Where the DSA ensures a uniform and responsive framework for combating illegal content, MFA elevates moderation to a legally qualified procedure, marked by reasoned notice, effective adversarial proceedings, and traceability of decisions.

This architecture, the result of a 20-year evolution from the Good Samaritan clause to notice and comment, reflects a cultural shift: from the mere technical management of information flows to the substantive protection of the digital public space as a European common good. In a context where over 60% of users access news via digital platforms and several Member States are experiencing worrying declines in international press freedom indices, the stakes are eminently political and constitutional, and the risk is that the MFA will become a dead letter.

The challenge now is to turn these provisions into effective practice: to ensure that structured dialogue mechanisms do not become mere formalities, that the Board is able to exercise an incisive guiding role, and that VLOPs internalize the obligation to cooperate as a structural element of their governance model. If implemented consistently, the combined provisions of the MFA and DSA can constitute a solid basis for a new European balance between digital enforcement and the protection of fundamental freedoms, capable of withstanding both censorship pressures and algorithmic arbitrariness.

On a similar topic, you may be interested in the article: DSA published: new liability regime for ISPs.

Author: Giulio Napolitano

 

AGCom Communications Monitoring Report – First Quarter 2025

On 7 August 2025, AGCom published Communications Monitoring Report No. 2/2025, containing data relating to the first quarter of 2025.

According to the data included in the Report, as of March 2025, total fixed network accesses amounted to approximately 20.56 million lines, reflecting an annual increase of 1.6%. Compared to March 2024, this represents an increase of approximately 316,000 accesses, while in comparison with the corresponding period of 2021, the increase amounts to approximately 477,000 accesses.

AGCom further observes that copper-based lines decreased by approximately 170,000 units on a quarterly basis and by just under 670,000 units on an annual basis (compared to March 2024), while in comparison with March 2021, the reduction amounts to approximately 4 million lines.

With respect to lines based on more advanced technologies, the Report records an increase. Broadband and ultrabroadband amounted to approximately 19.21 million units in March 2025, increasing both on a quarterly and annual basis by approximately 347,000 lines (i.e. +1.8% compared to December 2024) and 82,000 lines (i.e. +0.4% compared to March 2024). Correspondingly, DSL lines declined by approximately 900,000 units year-on-year and by approximately 80,000 units on a quarterly basis.

AGCom further reports that, notwithstanding a year-on-year decline (amounting to 685,000 units), FTTC (Fiber to the Cabinet) lines represented 43.8% of the total customer base. As of March 2025, FTTC accesses amounted to 9 million, marking a 7.1% decrease compared to March 2024. By contrast, FTTH (Fiber to the Home) lines increased by more than 310,000 units on a quarterly basis and by 1.24 million units year-on-year. FWA (Fixed Wireless Access) lines also increased, though to a lesser extent (approximately 220,000 units year-on-year), reaching approximately 2.42 million accesses as of March 2025.

This trend demonstrates a substantial improvement in marketed connection speeds. Between March 2021 and March 2025, the share of lines with a marketed speed equal to or greater than 100 Mbit/s rose from 55.1% to 79.3% of the total. Between March 2021 and March 2025, the share of lines marketed with speeds equal to or exceeding 1 Gbit/s rose from 9.9% to 29.7%.

The Report data further confirm the upward trend in data consumption. In the first quarter of 2025, average daily traffic volumes increased by 8.8% compared to the first quarter of 2024 and by 40.9% compared to the corresponding value in 2021. This is also reflected in daily per-line broadband consumption, which increased by 37% compared to 2021, rising from an average of 7.52 GB to 10.30 GB per line per day.

With reference to the mobile network segment, AGCom reports that the total number of active SIM cards at the end of March 2025 (including both “human” SIMs (voice-only, voice+data, and data-only, intended for human interaction) and M2M SIMs (machine-to-machine)) stood at 109.2 million, an annual increase of just over 285,000 units. Specifically, M2M SIMs declined by 127,000 units year-on-year, to 30.4 million. Human SIMs, which numbered 78.5 million in March 2024, increased by approximately 410,000 units compared to the corresponding period in 2024. According to AGCom’s data, in March 2025, 14.5% of human SIMs were attributable to business customers, while the remaining 85.5% were attributable to consumer customers.

AGCom further reports that the number of human SIMs generating data traffic during the first quarter of 2025 amounted to slightly more than 60 million. The average daily mobile data traffic recorded in March 2025 increased by 11.6% compared to the same period in 2024, and by more than 112% compared to 2021. Average daily per-SIM data consumption during the first quarter of 2025 is estimated at approximately 0.92 GB, an increase of 11.6% compared to the same period in 2024, and more than double the level recorded in 2021, when daily consumption was estimated at 0.43 GB.

In this regard, “AGCom Communication Markets Monitoring System for 2024” may be of interest.

Authors: Massimo D’Andrea, Flaminia Perna, Arianna Porretti

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

 Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.