Pulsantiera di navigazione Home Page
Pagina Facebook Pagina Linkedin Canale Youtube Italian version
Areas of practice
AI specialized legal services.

Artificial Intelligence

AI specialized legal services.

Artificial Intelligence: Governance, Compliance and Contracting

Artificial Intelligence is now embedded in companies’ decision-making, production and commercial processes. Predictive systems, generative AI tools, automation applications, profiling solutions, virtual assistants and general-purpose AI models are used in product development, customer management, marketing, recruitment, cybersecurity and the provision of professional services.

The adoption of AI nevertheless requires decisions that cannot be left exclusively to technical teams or governed solely by suppliers’ standard terms. Companies must determine the role they assume under the applicable regulatory framework, correctly classify each system, assess the data used, allocate contractual responsibilities, establish appropriate human oversight measures and document the assessments carried out.

Attorney Alessandro del Ninno advises companies, corporate groups, regulated entities, developers and technology providers on the design, acquisition, integration and use of AI systems and models. His advice coordinates Regulation (EU) 2024/1689 — the AI Act — with Italian Law No. 132 of 23 September 2025, its implementing measures, the GDPR, the Data Act, cybersecurity legislation, copyright law, trade secret protection, employment law and the applicable sector-specific regulatory framework.

The practice also takes account of the body of European implementation guidance developed through European Commission guidelines, AI Office guidance, codes of practice, standardised documentation and interpretative tools progressively adopted to support the application of the AI Act. Regulatory monitoring also covers the continuing evolution of the European framework and legislative proposals intended to amend or simplify it, including the measures associated with the AI Digital Omnibus.

The objective is to enable companies to develop and use AI innovatively while retaining effective control, by translating regulatory requirements into workable procedures, contractual protections, internal responsibilities and operational safeguards.

AI Governance, System Inventories and Regulatory Classification

Assistance may begin with an inventory of the AI systems and models already used or planned by the organisation. Many companies rely on AI functionalities embedded in HR applications, CRM systems, marketing tools, cloud platforms, security software, analytics solutions and professional applications without having a consolidated view of their use cases or associated risks.

Attorney Alessandro del Ninno supports the preparation of AI system inventories and registers, identifying the purposes pursued, the business functions involved, the data used, the suppliers, internal users, persons affected by the system and any integration with corporate decision-making processes.

Each system is assessed against the statutory definition of an AI system and classified according to its risk level and context of use. The analysis distinguishes conventional software from systems falling within the scope of the AI Act and identifies prohibited AI practices, high-risk AI systems, applicable transparency obligations and lower-risk uses for which proportionate organisational measures may be sufficient.

The company’s role is also determined, including whether it acts as provider, deployer, importer, distributor, authorised representative or downstream provider. Particular attention is paid to circumstances in which a company may assume the responsibilities of a provider by substantially modifying a system, placing its name or trademark on it or changing its intended purpose.

The engagement results in a matrix of roles and obligations and a compliance roadmap prioritised according to risk, applicable deadlines and the strategic relevance of the projects concerned.

Prohibited AI Practices, High-Risk Systems and Transparency Obligations

Attorney Alessandro del Ninno advises companies on the preliminary assessment of use cases that may fall within the prohibited AI practices established by the AI Act, including applications involving manipulative techniques, exploitation of vulnerabilities, social scoring, particularly intrusive biometric categorisation, emotion recognition in prohibited contexts or untargeted scraping of facial images.

The assessment distinguishes uses that are fundamentally incompatible with the regulatory framework from systems that may lawfully be developed or deployed subject to appropriate safeguards. This allows businesses to avoid both unnecessarily abandoning legitimate projects and investing in technologies that could not lawfully be placed on the market or used as intended.

For high-risk AI systems, the assistance focuses on identifying and implementing the obligations that apply in light of the company’s role, the system concerned and the relevant sector.

Providers are supported in establishing the risk management system, data and data governance arrangements, technical documentation, automatic logging capabilities, instructions for use and human oversight measures. The assistance also covers accuracy, robustness and cybersecurity requirements, the quality management system, post-market monitoring, conformity assessment, substantial modifications and serious incident reporting.

Deployers are assisted in establishing procedures to ensure use in accordance with the instructions for use, effective human oversight, appropriate input data, review of outputs, retention of logs and suspension of use where risks can no longer be adequately controlled.

Where required, a Fundamental Rights Impact Assessment is prepared and coordinated with the Data Protection Impact Assessment required under the GDPR. This integrated approach addresses risks relating not only to personal data protection, but also to discrimination, access to essential services, human dignity and the ability of affected persons to understand or challenge decisions.

The practice also covers transparency obligations applicable to chatbots, virtual assistants, emotion recognition systems and AI-generated or manipulated content. For deep fakes, synthetic images, audio, video and text, appropriate labelling, disclosure and marking solutions are developed in accordance with Article 50 of the AI Act and the relevant European codes of practice.

Generative AI and General-Purpose AI Models

The use of generative AI requires a clear distinction between entities that develop a model, fine-tune or otherwise modify it, integrate it into their own products, and use it solely as an internal business tool.

Attorney Alessandro del Ninno advises providers of general-purpose AI models, downstream application developers and business users on the correct allocation of roles and the applicable obligations.

For model providers, the assistance covers technical documentation, information to be made available to downstream providers, copyright compliance policies and preparation of the sufficiently detailed summary of the content used for training. For general-purpose AI models with systemic risk, the work also addresses model evaluations, adversarial testing, systemic risk assessment and mitigation, cybersecurity and serious incident management.

The advice takes account of the voluntary General-Purpose AI Code of Practice, recognised at European level as a tool supporting demonstration of compliance with the relevant AI Act obligations. Its measures relating to transparency, copyright, safety and systemic risk are adapted to the operator’s actual position and the characteristics of the model.

For companies acquiring or using generative AI services, the advice focuses on the treatment of prompts, inputs and outputs, the possible use of business data to train or improve the model, warranties relating to generated content and the availability of information required to meet obligations towards customers, employees and supervisory authorities.

AI Contracting, Procurement and Supply-Chain Management

The compliance of an AI project frequently depends on the information and contractual assurances the company is able to obtain from its supplier. Contracts originally designed for conventional software services may be inadequate to address risks arising from data quality, evolving model behaviour, generated outputs and the allocation of roles under the AI Act.

Attorney Alessandro del Ninno advises companies on supplier selection and assessment through legal and regulatory due diligence, assessment questionnaires, review of technical documentation and negotiation of contractual terms.

The work is tailored to the nature of the project, including the procurement and use of AI systems, bespoke development, integration of third-party models into proprietary products, distribution of systems developed by others, and the supply of proprietary systems or models to the market.

Contracts define the role assumed by each party, permitted purposes and restrictions on use, declared system characteristics, performance and accuracy levels, security requirements, human oversight arrangements, updates and substantial modifications.

They also address access to documentation and logs, cooperation obligations, audit rights, subcontracting, dataset provenance, copyright compliance, ownership and permitted use of inputs and outputs, use of customer data for training, incident management and exit arrangements.

Particular attention is devoted to liability, indemnities and third-party claims, with the aim of preventing the business user from assuming risks arising from the model’s operation, the adequacy of the supplier’s documentation or technical decisions outside the user’s control.

In agreements between providers of general-purpose AI models and downstream providers, the information and assurances transferred are assessed to ensure that the downstream operator can lawfully integrate the model and subsequently place the resulting AI system on the market or put it into service.

Personal Data, Datasets and Intellectual Property

Where an AI system processes personal data, the AI Act must be applied together with the GDPR and the Italian Data Protection Code.

The assistance covers legal bases, purpose limitation, data minimisation, retention, transparency and data subject rights. Particular attention is paid to profiling, automated decision-making and systems that produce legal effects or similarly significantly affect individuals.

The Data Protection Impact Assessment is coordinated with the system’s classification under the AI Act and, where applicable, with the Fundamental Rights Impact Assessment. The analysis addresses dataset representativeness, discrimination risks, data provenance, web scraping, re-identification risks and the possible processing of special categories of personal data for the purpose of bias detection and correction.

Attorney Alessandro del Ninno also advises companies on the rights required to use datasets, software, models, content, prompts and outputs. The work coordinates AI regulation with copyright, text and data mining rules, database rights and trade secret protection.

Policies are developed to respect rights holders’ reservations, assess the risk of outputs reproducing or closely resembling third-party works or trademarks, and negotiate appropriate warranties and contractual protections for the commercial use of AI-generated results.

Italian Law No. 132/2025 and Sector-Specific Regulation

Italian Law No. 132 of 23 September 2025 supplements the European framework with national principles, sector-specific provisions and legislative delegations relevant to the use of AI in Italy.

The practice covers the application of the Italian rules in employment, healthcare, scientific research, regulated professions, public administration, judicial activities, information services and intellectual property.

In the employment context, AI systems used for recruitment, workforce management, task allocation, monitoring and performance assessment are reviewed under the combined framework of the AI Act, the GDPR, employment law and applicable information and consultation obligations.

For regulated professionals, appropriate conditions are established for the use of AI as a support tool while preserving professional autonomy, personal responsibility and the fiduciary relationship with the client. In healthcare, insurance, banking and essential services, the advice addresses limits on automation, data quality, meaningful human oversight and the ability of affected persons to challenge outcomes.

The assistance includes monitoring and implementing legislative decrees and other measures adopted under Italian Law No. 132/2025, with particular attention to the powers of national competent authorities, civil and criminal liability, education and training, and the use of AI in sensitive sectors.

AI Literacy, Internal Policies and Training

Even companies that do not develop AI systems must govern their use by employees and contractors. The disclosure of confidential information to external services, reliance on unverified outputs, unauthorised reproduction of protected content and the delegation of decisions to inadequately controlled tools may create significant legal and operational exposure.

Attorney Alessandro del Ninno assists in preparing corporate AI policies that identify approved tools, permitted use cases, categories of data that may be processed and activities requiring prior review or approval.

The policies address the protection of confidential information, human review of outputs, management of errors and hallucinations, respect for intellectual property rights, prompt retention and source verification.

AI literacy programmes are designed in proportion to the company’s role, the knowledge and experience of the personnel concerned, the context in which the systems are used and the risks they may create. Training may be tailored for boards of directors, senior management, developers, Legal and Compliance teams, HR, Marketing, Procurement, IT, Cybersecurity and end users.

The objective is to ensure that personnel can use AI tools responsibly, recognise the limitations of outputs and understand when legal, technical or control functions must be involved.

Testing, Due Diligence and Corporate Transactions

The practice may support companies from the development and testing stages, when regulatory requirements can still be embedded into the system architecture without the costs and disruption associated with later remediation.

Assistance includes the design of testing plans, selection of appropriate data, documentation of system performance and errors, and preparation of the evidence required to support the assessments made.

The possible use of AI regulatory sandboxes provided for under the AI Act and related national implementing measures is also assessed, particularly for start-ups, small and medium-sized enterprises and innovative projects that would benefit from structured engagement with competent authorities.

In investments, acquisitions, partnerships and joint-development arrangements, Attorney Alessandro del Ninno conducts due diligence on AI systems and models, datasets, chains of title, open-source components, technical documentation and the target’s or partner’s ability to comply with the regulatory obligations and conformity statements made to the market.

Incidents, Regulatory Authorities and Litigation

Errors or misuse of AI systems may result in financial loss, discrimination, personal data breaches, security failures, unlawful content and intellectual property disputes.

Attorney Alessandro del Ninno assists companies in establishing procedures to detect, classify and manage AI-related incidents, coordinating obligations under the AI Act with those arising under the GDPR, NIS 2, DORA, product safety legislation and contractual arrangements.

In the event of an incident, the assistance covers preservation of evidence, reconstruction of the system’s operation, allocation of responsibility, engagement with suppliers and assessment of any required notifications or communications.

The practice also includes dealings with national competent authorities, the Italian Data Protection Authority, the Agency for Digital Italy (AgID), the Italian National Cybersecurity Agency (ACN) and, where relevant, the European AI Office. Support covers information requests, inspections, market surveillance proceedings, disputes concerning system classification and the implementation of corrective measures.

Litigation services include disputes between customers and suppliers, claims relating to system outputs, intellectual property infringements, trade secret protection, damages arising from algorithmic decisions and civil or criminal proceedings connected with unlawful or inadequately governed uses of AI.

Ongoing Advisory Support

Assistance may be provided on an ongoing basis to boards of directors, General Counsel, Data Protection Officers, Compliance, IT, Cybersecurity, HR, Procurement and product teams in the assessment of new projects and the continuing development of the organisation’s AI governance programme.

Ongoing support enables issues to be addressed before technical and contractual decisions become difficult or costly to reverse, ensures that system classifications remain current, monitors changes in suppliers and models, and keeps policies and procedures aligned with evolving European and Italian legislation and regulatory practice.

In an environment in which technology, regulation and business models are evolving simultaneously, specialist legal advice enables companies to innovate without leaving unresolved the issues that may emerge when a product is brought to market, during contractual negotiations, in the course of regulatory scrutiny or following an incident.

Stampa la pagina