AI Liability Directive: Key Takeaways

We have already illustrated the new proposed rules for a product liability directive on this blog. We now analyze the proposal for a AI Liability Directive, which offers interesting insights on how liability rules will be tweaked when Artificial Intelligence is concerned. In fact, as noted by the Commission’s explanatory memorandum to the AI Liability Directive, “the ‘black box’ effect can make it difficult for the victim to prove fault and causality and there may be uncertainty as to how the courts will interpret and apply existing national liability rules in cases involving AI“.

These slides may help understanding the AI Liability Directive. If you have questions or doubts, do not hesitate to reach out to us.

New Rules On Whistleblowing

On December 9, 2022, a bill to implement Directive (EU) 2019/1937 on whistleblowing was submitted to the President of the Chamber of Deputies.

The draft envisages several obligations for entities of public and private sectors, including an obligation to activate a whistleblowing channel (internal or external) that guarantees the confidentiality of the identity of the reporting person, unless the reporting person gives express consent; of the person involved; of the person otherwise mentioned in the report; and of the content of the report and any related documentation.

Such reports may be made either in written or oral form, through telephone lines or voice messaging systems; the reporting person may request that a face-to-face meeting be scheduled.

The Italian Anti-Corruption Authority, after having heard the Italian Data Protection Authority, must adopt, within 3 months of the adoption of the legislation, specific guidelines on procedures for handling external reports.

To comply with personal data protection legislation, it will be necessary to:

  • Prepare adequate privacy notices regarding the processing of data collected within the reporting process;
  • Adopt appropriate technical and organizational measures to ensure an adequate level of confidentiality of the information of the reporting person and the person involved, as well as the content of the report and related documentation, to be identified on the basis of a data protection impact assessment;
  • Give an express authorization to the parties who will receive reports to process personal data;
  • Formally appoint all parties that process data related to the reports (i.e., external providers) as data processors.

The draft also provides that data related to internal and external reports, as well as related documentation, may be retained for up to a maximum of 5 years from the date of the communication of the final outcome of the reporting procedure.

Retaliation against reporting persons is prohibited and sanctions can be applied as a result.

Once approved, the whistleblowing legislation will take effect 4 months after the date of its entry into force, except for private-sector entities that have employed, over the past year, an average of not less than 50 and not more than 249 employees, with unlimited term or fixed-term employment contracts, for whom the provisions of the legislation will take effect as of December 17, 2023.

Product Liability Directive

The Proposal for a new Product Liability Directive of September 2022 is likely to be a game changer for manufacturers of products. Rules on the burden of proof are going to favor consumers more than before.

If you want to familiarize with the new rules, you will appreciate the following slides. Any questions? You know where to find us. Happy holidays!

New Rules on Corporate Sustainability Reporting

On November 28, 2022, the European Council approved the corporate sustainability reporting directive (CSRD). The CSRD strengthens the existing sustainability reporting requirements under the EU legislation and broadens their scope of application. It does so by modifying directives and regulations containing the current sustainability reporting rules, including the Non-Financial Reporting Directive (“NFRD”).

Under the CSRD a company must report the company’s impact, as well as how its development, performance and position is affected by sustainability matters. Such information shall be included in a dedicated section of the management report.

The CSRD requires an increasing number of companies to report sustainability information. While the NFRD reporting requirements are currently mandatory for large public-interest companies with more than 500 employees, the CSRD enlarges the list of entities subject to those requirements to:

  • companies with more than 250 employees and a turnover of 40 million euros (so called large companies);
  • all companies listed on regulated markets, including SMEs and with the sole exception of microenterprises; and
  • non-EU companies generating a net turnover of 150 million euro in the EU and which have at least one subsidiary or branch in the EU exceeding certain thresholds.

In light of the above, the CSRD is expected to impact nearly 50,000 companies in the EU, compared to the approximately 11,000 companies already covered by the NFRD.

The new requirements will not be immediately mandatory, as the CSRD provides that the new sustainability reporting requirements will be implemented in a four-stage process here below summarized:

Starting dateFinancial YearEntities subject to reporting requirements
January 1, 2025Financial years starting on or after 2024Companies already subject to the NFRD
January 1, 2026Financial years starting on or after 2025Large companies that are not currently subject to the NFRD
January 1, 2027Financial years starting on or after 2026Listed SMEs (with the sole exception of micro undertakings) and the remaining European companies that fall under the CSRD application
January 1, 2029Financial years starting on or after 2028Non-EU companies that fall under the CSRD application

The European Commission, with the technical support of the European Financial Reporting Advisory Group (EFRAG), will adopt sustainability reporting standards.

The CSRD still needs to be signed and published in the Official Journal of the European Union and will enter into force 20 days afterwards. After that, each Member State will need to implement the CSRD into local law within 18 months.

The Impregilo Case Clarifies the Basis for Exemption from 231 Liability

The Italian Supreme Court has recently published a judgment (no. 23401 of 2022, hereinafter the “Impregilo Case”) that sheds new light on certain elements of liability of Italian companies arising from legislative decree no. 231 of 2001.

Put it simply, legislative decree 231 has established quasi-criminal liability of companies when one of their employees commits a certain crime to its benefit or in its interest. The same law has established that the company is exempt from liability if (i) it has adopted an organizational and management model (“Model”) aimed at preventing such crimes, and (ii) it has appointed an independent compliance committee (“Committee”), which has diligently overseen the actual application of such Model. If a company has not adopted an adequate Model duly enforced by the Committee, then it is regarded as failing to diligently organize itself in order to prevent 231 crimes: having failed at its duty to prevent the crime, it is therefore at fault (so called “colpa in organizzazione”, or organizational fault) and liable. Additional information on 231 legislation can be found here.

In the Impregilo Case, which followed a tortuous path through courts of various instances, the Supreme Court has established very interesting principles:

  • The mere fact that a certain 231 crime has occurred is not sufficient to prove that the Model was inadequate: 231 liability of a company is not strict liability, rather is based on fault, i.e., depends on lack of diligence in preventing the crime.
  • Adequacy of the Model must be assessed with a focus on the specific crime occurred, and not with regard to the Model as a whole.
  • If the Model conforms to codes of conduct drafted by industry associations, a court has the duty to indicate which best practices would have effectively prevented the crime.

This judgement ultimately grants exemption from 231 liability and recognizes that, since the Model was based on best practices, it was adequately preventing the crime, even if the crime was in fact committed due to the choice of the company’s managers to circumvent the Model.

If this trend in case law continues, companies will have a stronger incentive to adopt, enforce and update Models diligently reflecting best practices in crime prevention.

Registration of MDR + IVDR Implementation Webinar

Last week Paola Sangiovanni and Flavio Monfrini participated, as speakers, to a webinar on the implementation of the MDR and IVDR.

The webinar was hosted by the firm Axon Lawyers based in Amsterdam and was especially interesting as members of the Alliance of European Life Sciences Law Firms in France, UK, Germany, Belgium, Greece, Spain, Belgium and The Netherlands contributed their expertise.

If you have missed it, worry not: you can find its registration here .

It’s “Pay Back Time” for Medical Devices’ Companies

Medical devices’ companies who sell to the Public Administration face the prospect of imminent stellar payments due to Italian Regions.

Learn about the legislative journey that led to this, and what can be done about it, in our latest Client Alert published here:

Contact us if you need assistance in reacting against pay-back obligations or if you simply want to understand more about this issue and its impact on your business.

Upcoming Webinar on EU MDR and IVDR Implementation

Save the date for Friday 18 November from 15:30 to 17:00 CET for a unique webinar about implementation of the EU MDR and IVDR in various European member states and recognition of CE marked devices on the UK market, hosted by the Alliance of European Law Firms in which medical devices legal specialists from Spain, Italy, the UK, Germany, Greece, Belgium and the Netherlands will address:

  • A compare and contrast of how competent authorities in the respective countries deal with the concepts of placing on the market and making available under the MDR and IVDR, both crucial concepts for upcoming regulatory deadlines (and maybe some news on where we expect things to go with the MDR and IVDR);
  • A compare and contrast of national implementing measures for the MDR and IVDR, such as regarding sanctions for non-compliance, enforcement policy and specific subjects where the MDR and IVDR allow significant local discretion (e.g. reprocessing of single use devices and as regards in-house produced devices);
  • A compare and contrast of national exemption possibilities under articles 59 and 97 in view of expiring MDD/AIMDD/IVDD certificates and not timely obtain an MDR / IVDR certificate. 

Do not miss out on this unique opportunity to have all your questions about medical devices and IVD regulation implementation in the UK and important EU member states addressed by our expert panel:

  • Francisco Aranega from AMyS Law (Barcelona, Spain)
  • Laure le Calve from LCH Avocats (Paris, France)
  • An Vijverman from Dewallens & Partners (Leuven/Brussels, Belgium)
  • Ioanna Michalopoulou from Michalopoulou & Associates (Athens, Greece)
  • Mathias Klümper and Claudia Lützeler from Lützeler Klümper (Hamburg/Düsseldorf, Germany)
  • Paola Sangiovanni and Flavio Monfrini from Gitti and Partners (Milan, Italy)
  • Alex Denoon and Xisca Borras from Bristows (London, UK)
  • Erik Vollebregt from Axon Lawyers (Amsterdam, The Netherlands)

If you would like to attend, please send us an email to and we will provide you with a link and technical information on joining the seminar well in advance.

Please feel free to share this save the date with colleagues or other people that may find the seminar interesting. If they send us an email, we can send them their own link and information for joining the webinar.