The original version of this article has been published on June 17, 2026 on International Comparative Legal Guides.
1. E-Commerce Regulation
1.1 What are the key e-commerce legal requirements that apply to B2B e-commerce in your jurisdiction (and which do not apply to non-e-commerce business)? Please include any requirements to register with regulatory bodies, as well as a summary of legal obligations specific to B2B e-commerce.
No prior authorisation is needed for launching a B2B platform in Italy, but a notification of the start of such activity (Segnalazione Certificata di Inizio Attività – “SCIA”) must be submitted to the Municipality where the business will be started; other fulfilments may be required in the food sector.
Further, online traders must comply with the requirements set forth by the Italian E-commerce Decree (Legislative Decree No. 70/2003 – implementing in Italy Directive (EC) No. 2000/31) including, among others: (i) the obligation to provide certain pieces of information (e.g., trader’s name, address, contact details, etc.) before the conclusion of the contract; and (ii) the obligation to acknowledge the customer order, unless agreed otherwise with the customer.
It is highly recommended to collect evidence that the customer was aware of the contract’s content before it becomes binding (for example, by requiring the customer to accept it through a proper tick-box). A double-tick mechanism would need to be adopted, as per standard market practice, to provide acceptance of the “burdensome” clauses.
1.2 What are the key e-commerce legal requirements that apply to B2C e-commerce in your jurisdiction (and which do not apply to non-e-commerce business)? Please include any requirements to register with regulatory bodies, as well as a summary of legal obligations specific to B2C e-commerce.
An online trader that provides B2C e-commerce shall comply with all the E-commerce Decree’s obligations (as none can be waived in B2C arrangements), as well as with the additional rules set forth by the Consumer’s Code (Legislative Decree No. 206/2005), including, among others, those set out below.
A minimum set of information shall be clearly provided to consumers before the conclusion of the contract (e.g., on the goods/services, withdrawal right, legal warranty, etc.). Prices shall be shown as already inclusive of taxes and all additional shipping, delivery or postal charges. Specific rules apply in the event of announcement of a price reduction (e.g., the announcement must show the prior price, meaning the lowest price applied by the trader in the 30 days prior to the application of the price reduction).
Consumers shall also be provided with confirmation of the concluded contract and the minimum set of information above, through a durable medium (e.g., by email, either as an attachment or within its body), at the latest at the time of delivery of the items. Further, online traders are required to make clear that clicking any “order button” entails an obligation on the consumer to pay money.
Consumers are entitled to withdraw from online contracts within a period of 14 days from the receipt of the item (for contracts of sale of items) and receive a refund.
Additional requirements apply to marketplaces (e.g., information requirements).
Lastly, it is highly recommended to translate into Italian language all the information directed to Italian consumers.
1.3 Please explain briefly how the EU’s Digital Services Act and Digital Markets Act and/or equivalent local legislation, such as the UK’s Online Safety Act and Digital Markets, Competition and Consumers Act, are affecting digital business in your jurisdiction.
The UK Online Safety Bill is foreign legislation and, as such, it does not apply in Italy. The same conclusion can be drawn for the Digital Markets, Competition and Consumers Bill.
However, it is important to specify that the latter Bill closely resembles the Digital Markets Act (Regulation (EU) No. 2022/1925; the “DMA”) and partially the Platform-to-Business Regulation (Regulation (EU) No. 2019/1150; the “p2b Regulation”).
Specifically, the p2b Regulation aims to ensure fairness and transparency in the relationships between online platforms and businesses. It imposes obligations on platforms, such as providing clear terms and conditions, offering effective dispute resolution mechanisms, prohibiting unfair practices, disclosing the main parameters determining ranking and ensure fair and non-discriminatory treatment. The p2b Regulation is similar to the Digital Markets, Competition and Consumers Bill because both aim to promote fairness and transparency. In fact, the Bill draws heavily from the p2b Regulation and the DMA, addressing concerns regarding the dominance of large tech companies and fostering a more competitive and equitable digital market environment.
The EU’s Digital Services Act (Regulation (EU) No. 2022/2065; the “DSA”) and the DMA are regulations. As such, they have general application, are binding in their entirety and directly applicable in all Member States (including Italy).
The DSA is specifically targeted to intermediaries, i.e., mere conduit services, caching services, hosting services, online platforms and online search engines. The DSA leaves the exemption of liability for user-generated content provided in Directive (EC) No. 2000/31 largely untouched, codifies a set of due diligence obligations and envisages a robust public enforcement framework with the aim of creating a safer online environment. Pursuant to its Art. 93, the DSA applies as of February 17, 2024.
It already applied to very large online platforms and very large search engines (“VLOP” and “VLOSE”) as of August 25, 2023, i.e., four months after their designation by the EU Commission, published on April 25, 2023.
The DMA applies to core platform services provided or offered by gatekeepers to business users established in the Union or end users established or located in the Union, irrespective of the place of establishment or residence of the gatekeepers. The DMA imposes on gatekeepers a list of dos and don’ts, mutated from competition case law and transposed in an ex ante regulatory environment. The DMA has applied since May 2, 2023. Some of its provisions (Arts 3(6), 3(7), 40, 46, 47, 48, 49 and 50) apply from November 1, 2022, and Arts 42 and 43 have applied since June 25, 2023.
The DMA and the DSA will significantly impact digital business, helping reduce illegal content online, making the internet safer and more transparent, and establishing a level playing field with a view to making digital markets more contestable and fair.
With its extensive work on digitalisation and sustainability, the EU has the power to considerably influence the transition to a more digital and circular economy. However, according to relevant stakeholders, to meet its objective, the EU needs to align with the ambition of businesses and address existing barriers and boost solutions that already exist and work today (see Ecommerce Europe, European E-commerce report 2022).
1.4 Are there are any new laws planned in your jurisdiction that will affect e-commerce going forward?
Legislative Decree No. 209/2025, implementing in Italy Directive (EU) 2023/2673, amended Legislative Decree No. 206/2005 (the “Consumer’s Code”) by introducing new provisions that will be applicable from 19 June 2026, notably:
- Art. 54-bis introduces an obligation to provide consumers that concluded a contract by means of an online interface with a specific online functionality (clear and user friendly) to exercise the withdrawal right.
- Several provisions on the contracts for the provisions of financial services concluded at a distance. In particular, the newly introduced Arts 59-bis to 59-terdecies provide specific information obligations, as well as a specific withdrawal right (extended to 30 days for certain types of contracts) with some notable exceptions and an obligation to make the online interfaces clear and not misleading is introduced.
Finally, Regulations (EU) 2022/2065 and (EU) 2022/1925, as well as Regulation (EU) 2024/1689, introduce specific transparency obligation for the digital services providers and for the entities that offer services based on AI or use AI for the provision of their services. The provisions of those regulations related to the data protection will be discussed in the following section.
2. Data Protection
2.1 How has the domestic law been developed in your jurisdiction in the last year?
In the last year, there have been developments in sectoral laws, having important data protection implications. The most relevant innovation is the adoption of Law 132/2025, setting forth rules on the regulation of AI (the “AI Law”) and which is complementary to Regulation (EU) No. 2024/1689 (the “AI Act”). Moreover, a number of laws have been adopted to adapt the Italian legislation to the evolving EU framework. In the sector of cybersecurity, Legislative Decree No. 138/2024 implementing Directive (EU) No. 2022/2555 (the “NIS 2 Directive”) and Legislative Decree No. 134/2024 implementing Directive (EU) No. 2022/2557 on the resilience of critical entities were adopted. In addition, Legislative Decree No. 23/2025 was adopted to amend the national law in compliance with Regulation (EU) No. 2022/2554, setting forth the Digital Operational Resilience Act (the “DORA”), Legislative Decree No. 144/2024 was adopted to adapt the Italian legal framework to Regulation (EU) No. 2022/868 on data governance, and Legislative Decree No. 129/2024 was adopted to amend national law in line with Regulation (EU) No. 2023/1113 on information accompanying transfers of funds and certain crypto-assets. Further amendments to the national law are still expected. For instance, a national law adapting the Italian legal framework to Regulation (EU) No. 2023/2854 on harmonised rules on fair access and use of data (the “Data Act”) is expected. In addition, Law No. 36/2026 provides that, among others, national laws shall be adopted to implement Directive (EU) No. 2016/680, Regulation (EU) No. 2024/2847 on horizontal cybersecurity requirements for products with digital elements, Regulation (EU) No. 2025/37 amending Regulation (EU) No. 2019/881 as regards managed security services, Regulation (EU) No. 2025/38 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats, and Regulation (EU) No. 2024/1735 on establishing a framework of measures for strengthening Europe’s net-zero technology manufacturing ecosystem.
With regards to the processing of personal data relating to criminal convictions and offences, Law No. 182/2025 amended Legislative Decree No. 196/2003 (the “IDP Code”), abrogating the reference to a ministerial decree to specify the cases where processing of such data is allowed. As a consequence, now this data can be processed only if allowed by the law.
On the other hand, Art. 110 of the IDP Code has been amended by Law Decree 19/2024. Following the amendments, the Italian Authority for the protection of personal data (Garante per la protezione dei dati personali – the “Garante”) adopted a provisional new version of the Ethical rules for the processing for statistical or scientific research purposes, while the works for the definitive ones continue. Legislative Decree No. 215/2025 also amended Art. 132 of the IDP Code, adapting the Italian legal order to the Regulation (EU) 2023/1543 by providing the possibility for the public prosecutor to impose to the providers of telephonic, informatic or telematic services to store the telephone and telematic data for a maximum of six months.
2.2 What privacy challenges are organisations facing when it comes to fintech, retail, AI and digital health?
The main current issues in fintech, retail, AI and digital health are security standards, governance models and transparency requirements.
In the first place, the development of new technological means and their pervasive use puts a strain on security systems, which should be able to face the risks connected to data processing activities, as well as avoid and remedy any data breaches. This is most evidently the case for the sectors under analysis that tend to process particularly sensitive data that require even higher security standards. As a result, the European legislator has adopted several legislative acts specifically aimed at regulating cybersecurity and strengthening the resilience of organisations against cyber threats.
Secondly, the accountability principle provided under the GDPR requires organisations to define data-processing activities and data flows in advance and accurately, to ensure that the governance of the data flow is compliant with data protection requirements.
Thirdly, in response to the obligation of transparency, organisations must carefully evaluate the use of AI algorithms, especially in areas such as fintech and digital health. Indeed, such systems are characterised by the opacity of the logic involved, which can be an obstacle to understanding and explaining the processing activities, as required by the GDPR. For instance, for these reasons, the AI Law provides that the data subjects must be informed of the use of an AI system in the context of activities of medical assistance or scientific research. Furthermore, the governance issues mentioned above are heightened by the use of AI systems that often involve interaction between various and divergent actors involved in data processing, requiring a complex structure from a data protection point of view. Critical issues that will need to be dealt with at a contractual level include: auditing mechanisms; management of data flows, including data transfers in countries that do not offer sufficient guarantees on handling personal data; and management of the cyber-risk in the production chain. Notably, the AI Law provides for specific rules applying to the use of AI systems within the National Healthcare System.
Lastly, the AI Law provides that the data processing carried out by certain non-profit organisations or by private subjects involved in projects carried out also by non-profit organisations, aimed at implementing the AI in the healthcare system, are considered of relevant public interest. The same Law institutes an AI platform in support of the care activities, especially on a territorial level, that will be implemented in the future.
Moreover, the AI Law introduced the crime of illicit creation and distribution of deepfakes. In line with this, the Garante adopted several decisions and opened investigations against providers of AI-based services.
2.3 What support are the government and privacy regulators providing to organisations to facilitate the testing and development of fintech, retail, AI and digital health, such as, for example, sandboxes?
The Italian Government and regulatory authorities have been proactive and adopted various measures to support the spread of AI systems and the development of the fintech and digital health sectors. Moreover, the project “Sperimentazione Italia” (ENG: Italy Sperimentation), launched by the Italian Government to institute a sandbox to test digital solutions for public administrations (also in derogation of what is currently prescribed by existing laws and regulations), is still ongoing. Certain sectors, including fintech, are out of the scope of this project. Most recently, the AI Law allowed investments up to EUR 1 billion supporting highly innovative enterprises established in Italy and operating in the field of AI, cybersecurity and communications.
Moreover, in the framework of the Next Generation EU programme, the Italian Government is currently supporting technological development and digitalisation in these fields through the National Recovery and Resilience Plan (Piano Nazionale di Ripresa e Resilienza – the “PNRR”), which sets the relevant targets and allocates the related funds.
As regards AI, the Agency for Digital Italy (“AgID”) – the technical agency of the Presidency of the Council of Ministers –adopted the three-year plan for the information technology in the public administration 2024–2026 containing, for the first time, specific guidance on the use of AI in the public sector.
Concerning the fintech sector, at the European level, Directive (EU) No. 2015/2366 on payment services in the internal market (the “PSD2”, implemented in Italy by Legislative Decree No. 218/2017), required payment institutions to set enhanced authentication means aimed at further protecting users’ accounts and payment cards in case of fraud or unauthorised use. A proposal for a Directive on payment services and electronic money in the internal market, amending the PSD2, is currently under discussion. Moreover, Law Decree No. 25/2023 as converted into law by Law No. 52/2023, implementing Regulation (EU) No. 2022/858, includes measures aiming at simplifying fintech experiments.
3. Cybersecurity Framework
3.1 Please provide details of any cybersecurity frameworks applicable to e-commerce businesses.
In October 2025, Legislative Decree No. 138/2024 (the “NIS2 Decree”) implementing the NIS 2 Directive entered into force, setting forth national rules on cybersecurity, imposing new obligations on in-scope entities, including security and incidents reporting obligations and identifying the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale – the “ACN”) as supervising authority.
Moreover, Italy adopted Legislative Decree No. 23/2025 implementing the DORA and identifying national competent authorities. Also, the Cyber Resilience Act (Regulation (EU) 2024/2847), has been formally adopted, introducing a cybersecurity obligation applying to products with embedded digital elements, to improve consumers’ security and Italy is expected to adopt a national law adapting the Italian legal framework to the Cyber Resilience Act in 2026.
Against this backdrop, e-commerce businesses must comply with Legislative Decree No. 123/2022, which aligns the national framework to Regulation (EU) No. 2019/881 (known as the “EU Cybersecurity Act”) and with the provisions of the GDPR, which includes integrity and confidentiality of the personal data among the fundamental principles relating to the processing of personal data, including the implementation of technical and organisational security measures to ensure a level of security appropriate to the risk and notification requirements for data breaches.
3.2 Please provide details of other cybersecurity legislation in your jurisdiction. If there is any, how is that enforced?
In Italy, cybersecurity is a hot topic and there is a significant commitment to raising awareness on the matter, e.g., the ACN’s website contains, among the others, all the relevant information concerning the National Cybersecurity Strategy. Among the main initiatives undertaken to address the issue are: (i) the NIS2 Decree; (iii) Law Decree No. 105/2019, establishing urgent provisions regarding the perimeter of national cybersecurity, as well as the relating implementing regulations; (iv) the above-mentioned Legislative Decree No. 123/2022 implementing the EU Cybersecurity Act; (v) the abovementioned Legislative Decree No. 23/2025 amending the national law in compliance with the DORA; and (vi) Law No. 90/2024 strengthening cybersecurity, especially for the public sector. Furthermore, provisions aimed at strengthening and developing cybersecurity are included in the PNRR.
Notably, the ACN adopted a set of guidelines on encryption (i.e., guidelines on hash, guidelines on messages authentication and guidelines on password retention – the latter adopted together with the Garante – and, more recently, Guidelines on block ciphers, authenticated encryption, Transport Layer Security and the management of IT incidents).
Another sector for which specific cybersecurity rules apply is the banking sector. Indeed, the Garante issued general resolutions regulating, for instance, the traceability of the processing of personal data, the retention of inquiry logs, the implementation of alerts and periodic internal audits (e.g., the General Prescriptions on the Sharing of Personal Information in the Banking Context and on the Traceability of Banking Transactions, of May 12, 2011, as specified by the clarifications provided by Resolution of July 18, 2013), while the security measures for payment services in the internal market are provided by the PSD2 and the relating national implementing provisions. Moreover, specific IT requirements are provided by the competent regulatory authorities. For instance, the Bank of Italy (the “BoI”) recently updated its Decision No. 285/2013 establishing rules on the outsourcing of ICT resources and services by banks to address DORA requirements. Further, cybersecurity in the healthcare sector has been addressed by ENISA, which launched the eHealth Security Experts Group to ensure security and resilience of the healthcare sector in Europe. In February 2020, ENISA issued a set of tools and good practices to guarantee the security of personal data processed in the procurement by hospitals.
The enforcement of the data protection provisions set by the GDPR and the national rules is in the hands of the Garante, while the ACN has enforcement powers in the field of cybersecurity. As regards the regulatory framework, sectoral authorities are responsible for the correct enforcement of the relevant regulations, such as the BoI for the provisions on financial institutions.
4. Cultural Norms
4.1 What are consumers’ attitudes towards e-commerce in your jurisdiction? Do consumers embrace e-commerce and new technologies or do consumers still prefer shopping in person?
Unless otherwise specified, the answers in section 4 are based on public information retrieved from the following reliable sources: (i) Casaleggio & Associati, E-commerce in Italy Report 2026; and (ii) Ecommerce Europe, European E-Commerce Report 2025.
In Italy, e-commerce has started to develop relatively late compared to other European countries. At the beginning of the 2000s, e-commerce concerned mainly services and total income amounted to roughly EUR 1 million.
Only in 2010 did e-commerce start to also involve the sale of products, and in the following 10 years it has developed a lot, in 2020 registering EUR 30.6 billion of revenue, ranking only after the UK, Germany and France. In 2024, the total European turnover increased by 7%, amounting to EUR 842 billion.
While 2020 was a boom year for e-commerce, with a 99% increase in searches and interest in online purchases, 2023 effectively marked a definitive return to normality after the COVID-19 pandemic boost. In fact, 2022 reabsorbed some of the growth in citizen digital citizens due to the pandemic by returning about one million people to offline life after being forced into the digital world due to the lockdown. It should be noted that, overall, the purchasing power of consumers, the markets and the global supply chain are still affected by the war in Ukraine, which has brought about high inflation rates, surging energy prices and general geopolitical instability.
As for the spending by connected Italians, there remains, however, a wide margin of growth if we consider that, in Italy, e-shopper penetration stood at 54% in 2024, below the European average, which stands at 73%.
Overall, in 2025, the revenues from e-commerce in Italy amounted to EUR 90.6 billion, with a growth of 6%, partially sustained by an inflation of approximately 2%.
To give a full picture of Italian consumers’ attitude toward e-commerce, at the end of 2025, the number of internet users that has been recorded is 53.1 million, with a penetration of 89.9%. This figure is in line with the one in January 2024.
The Italian market sees marketplace websites such as Amazon, Subito and eBay at the top of the ranking of the most used e-commerce websites, demonstrating their dominance in the Italian market. Among the fastest-growing companies, however, the Chinese companies Temu and Shein stand out. These climbed the rankings of the most-used e-commerce websites in just a few months despite being disadvantaged by their delivery times.
4.2 Do any particular payment methods offer any cultural challenges within your jurisdiction? For example, is there a debit card culture, a direct debit culture, a cash on delivery-type culture?
Although Italian consumers’ behaviours have historically been (and still are) more inclined to be cash-friendly, a new trend – more open to cashless, paperless and home banking means – has gained a place in recent years and has been emphasised by the COVID-19 pandemic. However, a more recent trend sees cash regaining momentum (at least as an asset to store, while less visibly as a payment means), due to the current geo-political instability and cyber risks that made Italian consumers more wary and prepared for IT-infrastructure incidents (see: European Central Bank (“ECB”) – “Keep Calm and Carry Cash”, September 2025, available on the ECB’s website).
As to payment transactions specifically, paperless means (including debit cards) maintained a constant increase between 2021 and 2024, in terms of both the number of transactions and relevant amounts, also owing to e-commerce transactions being the preferred choice for consumer purchases during the lockdowns. Interestingly, compared to 2019–2020, the use of banking cashier checks increased significantly in 2021–2023, partly due to the real estate transactions, which were boosted by Italian Government measures enacted in 2022–2023 (see: Italian Payment Systems – 2025, dated 26 September 2025, available on the BoI’s website).
Consistently with the above, locally active debit, credit and pre-paid cards moved respectively from 60 to 64 million, from 12 to 13 million, and from 30 to 33 million units, between 2021 and 2024. Debit cards seem to have then experienced the most remarkable increase, now being held by almost all Italian bank account holders.
All of the BoI’s data above suggest that a trend toward a cashless payment culture by Italian customers has consolidated in recent years, and it is expected to continue in this direction in the years to come.
4.3 Do home state retailer websites/e-commerce platforms perform better in other jurisdictions? If so, why?
In 2023, Italian companies strengthened their successful reach to foreign consumers. In that, Italian digital businesses are increasingly present in many foreign markets (25% of Italian companies are present in Germany, 24% in France, 24% in Spain, 13% in the UK, 15% in Switzerland, 10% in the USA, 9% in Northern Europe, 5% in the Balkans, 4% in Latin America, 1% in Russia, 6% in Japan, 3% in China, 3% in India, 4% in other Asian states, and 3% in Africa).
Their approach is increasingly sophisticated and covers direct e-shops to strategic partnerships with e-retailers and marketplaces.
In 2023, Italian e-commerce companies that sold in foreign countries increased and today make up just over half, with the percentage of Italian digital businesses selling in Italy steadily decreasing. Within the EU, in 2023, Italy registered 39.2% of all e-commerce sales as cross-border sales.
The main strategy to have a presence in a foreign market is a multilingual website. Residually, some websites have used a specific presence strategy; for example, in the USA through marketplaces.
Consumer electronics is one of the most resistant industries to foreign markets, whereas food, fashion, home goods and furniture are the most prevalent. However, in 2023, consumer electronics companies faced challenges to their internationalisation due to product and distribution dynamics. Operators who already had an external distribution of logistics bases therefore experienced the most significant growth in this area. Overall, 2023 saw a growth of 53% in foreign sales.
4.4 Do e-commerce firms in your jurisdiction overcome language barriers to successfully sell products/services in other jurisdictions? If so, how and which markets do they typically target and what languages do e-commerce platforms support?
Recalling our previous answer to question 4.3, Italian e-commerce websites seem to have completely overcome language barriers: in fact, almost all companies selling abroad had a multilingual site.
This trend is reinforced by the growing use of AI for translation purposes, making it the third most common use of AI. This will help Italian companies to scale their presence abroad.
4.5 Are there any particular web-interface design concepts that affect consumers’ interactivity? For example, presentation style, imagery, logos, currencies supported, icons, graphical components, colours, language, flags, sounds, metaphors, etc.
Since 2019, more and more national e-commerce traders have decided to invest in offering a better user experience (e.g., by means of presentation style and graphical components) in such a way to attract more consumers and offer them a greater purchasing experience, leading them to recommend their website.
Specialised websites also recommend national e-commerce traders, above all, to: (i) include descriptions and photographs of quality products; (ii) organise and structure e-commerce pages in a rational way; (iii) display logos; and (iv) enhance ease of navigation. Italian e-consumers are used to approaching e-commerce sellers through social media platforms. Thus, e-commerce traders appear especially keen on improving their business profile on social networks.
Lastly, in relation to the implementation of AI software on e-commerce websites, e-commerce traders are getting more and more interested in exploiting this new technology. The e-commerce sector is facing a very significant shift, moving from a B2C structure to a B2A2C structure (Business to AI to Consumers). This means that traders should ensure that their catalogues and purchasing conditions are machine-readable, in order for the AI to correctly interpret it.
On the other hand, the main obstacles to the implementation of AI are the uncertainty on the right technological partner, the risks connected with data protection obligations and the lack of specific competences.
While many Italian brands continue to invest in social media advertising, there is a steady acceleration in development of online advertising carried out directly on retailers’ websites and apps together with the use of augmented reality and gamification as marketing tools.
4.6 Has the COVID-19 pandemic had any lasting impact on these cultural norms?
Throughout Europe, e-commerce is on the rise as the number and share of e-shoppers increases every year. The largest jump in e-shoppers was experienced in 2020, due to the COVID-19 pandemic pushing consumers to online shopping. All European countries experienced increases in B2C e-commerce turnover, and turnover growth rates for Europe have remained consistently in the double-digits, a trend that has continued its upward trajectory for some years.
The year 2022 was a reality check after two years of a lockdown boost. Inflation and the economic crisis – largely due to energy costs and the inflationary impact of the strong support measures introduced during the pandemic – generated uneven growth within the various sectors and rewarded those who reacted and innovated their business model. In general, some sectors have had a decrease in the absolute number of sales, but have still managed to increase sales through higher prices. This phenomenon has been particularly true for the physical product sectors such as food, home and furniture. In 2022, the tourism sector experienced the highest growth, and has finally emerged from its 2020–2021 crisis. In 2022, the growth was 47%, with one-third coming from price increases.
In 2024, after a period of high inflation in 2023 (6.2%), the average inflation rate dropped to 2.7%, thus creating the conditions for an actual growth of B2C commerce. However, consumers’ behaviour continues to evolve across Europe: many consumers are shifting from the home delivery option (which remains the preferred one) to more flexible solutions. In addition, due to economic uncertainty caused by the geopolitical situation, consumers have begun to switch to second-hand and refurbished alternatives, also considering that sustainability is becoming an important driver of consumers’ choices.
Tourism has also regained speed, thanks to new targets such as rural areas and the tourism sector, and using “smart working” (see question 9.2) to arrange long stays in the low season and combine work and leisure.
5. Brand Enforcement Online
5.1 What is the process for online brand enforcement in your jurisdiction?
Within the Italian jurisdiction, there are different processes for online brand enforcement, depending on the type of infringement.
A first example is the sale of counterfeit products and the unauthorised use of a brand and distinctive signs on online marketplaces (e.g., Amazon). These marketplaces allow rightsholders to enforce online brand protection through specific procedures (such as reporting and notice and takedown tools).
By filing online forms, rightsholders may submit to the relevant marketplace requests to remove counterfeit products from the marketplace itself. Also, the same conduct even on third-party websites may amount to unfair commercial practices when they mislead users as to the origin of the products and/or qualification of the seller. In this case, rightsholders may report the online brand infringement to the Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato – the “AGCM”), asking for a takedown order against the infringing website.
Online infringement can also occur when a brand is unlawfully used in an identical or similar third-party domain name. In this case, rightsholders may start: (i) a challenge procedure before the Italian Domain Names Registry (which manages ccTLD .it domain names); and subsequently (ii) a re-assignment procedure before a provider of services of dispute resolution, specifically aimed to re-allocate the challenged domain name.
Under the DSA framework, a new system of trusted flaggers is also available from February 17, 2024, for example, for brand owners fighting counterfeit goods, and for faster and easier flagging and removal of counterfeit goods (for more information on the impact of the DSA, see our answer to question 1.3).
5.2 Are there any restrictions that have an impact on online brand enforcement in your jurisdiction?
Within the Italian jurisdiction, the online brand enforcement processes described in the answer to question 5.1 may be restricted.
In relation to notice and takedown procedures, brand owners have to provide evidence that they are the rightsholders of the infringed brand in order to obtain takedown. Moreover, they have to provide online marketplaces with a number of details concerning their claim (e.g., specifying the nature of the infringement). However, as mentioned in our answer to question 5.1, the DSA framework introduced a system of trusted flaggers to simplify enforcement procedures.
In relation to the challenge procedure before the Italian Domain Names Registry, applicants have to prove (inter alia) that they are the rightsholders of the infringed brand. Also, applicants have to provide a description of the harm caused by the infringement (e.g., the likeliness of confusion between the challenged domain name and applicants’ trademarks or other distinctive signs). In addition, to obtain re-assignment of the challenged domain name, applicants have to prove that the registrant of the challenged domain name does not hold title to it, and that it has registered and maintained the challenged domain name in bad faith.
6. Data Centres and Cloud Location
6.1 What are the legal considerations and risks in your jurisdiction when contracting with third party-owned data centres or cloud providers?
Security standards are of critical importance when contracting with third party-owned data centres or cloud providers. Providers should guarantee the implementation of technical and organisational measures aimed at ensuring, for example, encryption, regular backups and recovery and restoration procedures. As long as a physical infrastructure is involved, this should be adequately protected with security measures as well. Along with security measures, it is important to evaluate the allocation of responsibilities between the third-party providers and the service users. Further remarks concern the potential intermingling of personal data of different service users stored in the same third-party provider’s – physical or cloud – premises (to be avoided especially if sensitive data are involved in the processing). In addition, the procedures put in place by the third party must ensure the complete deletion of the personal data in case of erasure.
Other concerns heightened by the significant increase in the use of cloud service providers regard the risk that such providers might (illegally) process the service user’s personal data for further purposes other than those established by the service user himself/herself (generally speaking, the user is the controller and the provider is the processor) and that the service user’s personal data might be associated with other personal data already processed by the providers. In light of the above, it is crucial to appoint the service provider as a processor (save in cases where the actual processing of the personal data requires a different qualification) and to properly evaluate the content of the related data-processing agreement, even if, when considering dominant cloud service providers, the asymmetry of bargaining power is a difficult obstacle to overcome.
Generally speaking, cloud service providers fall under the scope of the NIS2 Decree and, therefore, they are subject to all the obligations set forth therein, including security obligations.
Regarding specific areas such as finance and the public sector, there are ad hoc requirements to be met when using a cloud service. When the processing via cloud services concerns activities that are critical or important to a financial institution’s operations, prior approval by the regulator and specific risk management and audit requirements apply. For instance, banks must perform additional checks on cloud providers, which include identifying where relevant data centres are located; in addition, the European Securities and Markets Authority (“ESMA”) published guidelines on outsourcing cloud services in the banking and insurance induFstries and the BoI recently updated Decision No. 285/2013, addressing DORA requirements for outsourcing of ICT services, including cloud services.
In line with the above-evolving framework, the Italian Authority on Communications (Autorità per le Garanzie nelle Comunicazioni – “AGCOM”) is extending its competence to cloud service providers and, more generally, digital infrastructure providers, and this seems to be confirmed by the fact that such providers are required to pay an annual contribution to AGCOM.
Law Decree No. 21/2026 introduced simplified administrative procedures to facilitate the creation of data centres and other measures to integrate the data centres into the national energy grid. In addition, the Italian Parliament is currently discussing a Draft Law on data centres, aiming at simplifying the procedures to build and operate a data centre in Italy.
Furthermore, guidelines and recommendations on the use of third-party cloud services in the e-health sector have been published by local authorities (including the Garante) and ENISA, notably regarding the electronic health record.
As a final remark, special powers attributed to the Italian Government to veto or impose conditions on certain resolutions or transactions made by foreign investors relating to Italian companies have been extended to also encompass data centres. More generally, digital sovereignty is becoming a trending topic, as shown by the AI Law, which provides that when public administrations implement AI system, AI-system providers using data centres within the national territory shall be preferred.
6.2 Are there any requirements in your jurisdiction for servers/data centres to be located in that jurisdiction?
The location of servers is not comprehensively addressed by Italian law.
As for the GDPR, in principle, under Arts 44, et seq., transfers of personal data to non-EEA countries are subject to restrictions (while the transfer of personal data is generally permitted within the EEA). In particular, a transfer of data shall be allowed in the following circumstances: (i) the recipient country’s legal system has been subject to an adequacy decision of the EU Commission; (ii) the data controller adopted appropriate safeguards (e.g., standard contractual clauses or binding corporate rules), provided that enforceable data subject rights and effective legal remedies for data subjects are available; or (iii) other specific situations occur, e.g., the data subject gives its explicit consent. Further, additional suggestions are included in the Garante’s practical guidelines for controllers using the cloud. For instance, controllers must take into consideration whether data is stored abroad and must ensure that data is kept accessible and confidential by the cloud service provider.
As to the public sector, a “national cloud” intended for all public administrations was implemented with the aim to develop a highly reliable infrastructure located in the Italian territory for the rationalisation and consolidation of the Information Processing Centres. Furthermore, central and local public administrations shall migrate their Information Processing Centres and relating IT services toward a national cloud (or other infrastructures qualified by the ACN), where these IT services do not meet the minimum security and reliability requirements as set out by the relevant AgID regulation as supplemented by ACN regulations. In addition, the AI Law establishes that, when public administrations implement an AI-system, providers that use data centres located within the Italian territory shall be preferred.
In addition, the entities falling within the perimeter of national cybersecurity established by Law Decree No. 105/2019 (the list of such entities is not publicly accessible) must meet specific data localisation requirements, mainly requiring locating infrastructure on the national territory or, exceptionally, in the EU. The perimeter was recently updated by Decree of the President of the Council of Ministers No. 111/2025, which added a new incident to the list of the incidents that have to be reported (unauthorised access or access abusing of the privileges granted).
7. Trade and Customs
7.1 What, if any, are the technologies being adopted by private enterprises and government border agencies to digitalise international (cross-border) trade in your jurisdiction?
In Italy, both private and governmental actors are significantly increasing their efforts toward digitalisation. On the one hand, larger private companies are investing in digital solutions in relation to a huge variety of situations: among others, to automate trade processes. On the other hand, the Italian Government and public administrations (e.g., the Ministry of Enterprises and Made in Italy, Ministero delle Imprese e del Made in Italy – the “MIMIT”) have provided financial grants to projects specifically aimed at SMEs, in support of their digitalisation.
Against such background, in 2021 the first significant measure enacted by the Italian Government was the establishment of the Ministry for Technological Innovation and the Digital Transition (Ministero per l’innovazione tecnologica e la transizione digitale – “MITD”), specifically dedicated to the digitisation of public administration and private enterprises, as well as at the digital transformation, growth and transition of Italy. Following subsequent governmental reorganisation, the steering of innovation/digital transition policies has continued within the Presidency of the Council of Ministers via the Department for Digital Transformation, with a specific political delegation for innovation and digital transition (inter alia, digitalisation of public administrations and coordination initiatives with enterprises).
Additionally, in March 2022, the MIMIT adopted the Voucher Plan for Businesses (Piano Voucher per le imprese), which aims to promote ultra-fast internet connectivity and digitalisation of the production system throughout Italy by providing for specific financial contributions for businesses. More recently, in December 2025, MIMIT approved a new voucher initiative (EUR 150 million) specifically aimed at SMEs and self-employed professionals for the acquisition of cloud computing and cybersecurity services.
Indeed, the most relevant initiative launched by the Italian Government to bolster innovation and digitalisation is the PNRR. The PNRR, approved at the beginning of 2021, was recently implemented through the Decree Law of March 2, 2024, No. 19. The PNRR is built on a set of reforms and investments, which address the specific challenges of Italy to secure: (i) green and ecological transition; (ii) digital transition (for both public administrations and private enterprises); (iii) economic and social resilience; and (iv) social inclusion and cohesion, as well as reduction of the gender gap.
Thus, among others PNRR supports the development and competitiveness of small, medium-sized and large Italian companies on international markets with actions in technology, research and development (“R&D”) to digitalise “Made in Italy” branded products, with investments notably in: (i) connectivity, to foster the widespread deployment of very high-capacity networks, including 5G and fibre; and (ii) the digital transition and innovation of the Italian production system, through incentives for investments in cutting-edge and 4.0 technologies, RDI, 4.0 training activities and green and digital technologies through the new Transition Plan 5.0 (nuovo piano Transizione 5.0). Operationally, Transizione 5.0 is managed through a dedicated GSE digital platform (Gestore dei Servizi Energetici); in 2025, the regulatory perimeter and operating instructions continued to be updated, and in late 2025 additional rules were introduced.
Moreover, in 2021 and 2022, there were numerous developments in the area of digitalisation of public administrations and public services, starting from the publication of the Italian Cloud strategy (Strategia Cloud Italia). In 2022 the national population digital register (“ANPR”) was completed. The uptake of e-ID (e.g., “SPID” and “CIE”) and of the app “IO” (the mobile app to access digital public services) kept increasing. However, the deployment and uptake of the electronic health record remain limited and scattered across regions.
Moreover, in 2022, the Ministry of Foreign Affairs and International Cooperation (Ministero degli affari esteri e della cooperazione internazionale) announced the start of operation of the integrated digital platform for authorisation procedures under Legislative Decree No. 221 of December 15, 2017. Such platform, called “E-Licensing”, has been operational since July 1, 2022, and it is a digital system for the submission of export applications for: (i) dual-use goods and technologies; (ii) goods subject to Regulation (EU) No. 2019/125; and (iii) goods subject to EU regulations imposing trade restrictions to certain third countries.
Moreover, in 2023, the Italian Company for Foreign Businesses (Società italiana per le imprese all’estero SIMEST S.p.A – “SIMEST”) implemented the new “Fondo 394”, with the aim to invest in: (i) digital or green transition projects for the enhancement of companies’ competitiveness on international markets; (ii) internationalisation, digital and green transition projects realised through the exclusive support of consultant companies or aimed at obtaining product certifications, trademarks or environmental and digital certifications; and (iii) projects providing e-commerce in foreign countries. In this context, during the last few years, the Italian Customs Agency started a project aimed at digitalising procedures concerning cross-border trade. For one, the “fast corridor” procedure should be noted, which uses new digital technologies to allow the immediate forwarding of goods and customs clearance, replacing “document monitoring” with a telematic dialogue between all actors of the logistics chain. Since April 2025, further “fast corridor” deployments have been reported, including (inter alia) the activation of a new fast corridor between the Port of La Spezia and the Interporto of Padua (August 2025), based on real-time tracking and a shared digital platform between ADM and logistics nodes; and additional cooperation initiatives aimed at creating international “simplified corridors” (e.g., an Italy–Hungary cooperation project announced in March 2026 around Trieste–Central Europe flows), again relying on integrated digital surveillance/visibility and controlled custody infrastructures.
Another example is the “interoperability model for the digitisation of customs procedures in ports”, addressing technical aspects for the development of interoperability services between the AIDA customs information system and the port information systems (Port Community System), with the aim of making the operational procedures more homogeneous in ports and optimising the port logistics cycle. Moreover, there are plans to resort to IoT technologies to monitor goods entering or leaving the national customs territory and to electronically send and receive the documentation needed in order to import and/or export specific goods (e.g., dual-use goods).
In addition, the Italian Customs Agency has set up Permanent Working Groups composed of representatives of public institutions and relevant private stakeholders to share strategies and development plans in relation to the evolution of the EU and national regulatory trade framework.
Italy is therefore committed to digitalisation, and relevant stakeholders and public authorities are leading Italy toward a 4.0 national customs system.
7.2 What do you consider are the significant barriers to successful adoption of digital technologies for trade facilitation and how might these be addressed going forward?
Notwithstanding that Italian trade and customs are firmly moving toward digitalisation, there are unquestionable barriers hindering this process to some extent. On the one hand, certain obstacles depend on the nature of goods involved in trade and customs processes since they are tangible goods, which need to be materially inspected by “physical” operators. Thus, what can be digitalised are mainly the customs logistics and administrative procedures (e.g., port tracking), but for the time being, it is difficult to envisage any digitalisation of material inspections.
On the other hand, there are obstacles that can be overcome, but they require relevant efforts to succeed. Leaving aside the undeniable significant financial burden that these projects entail, public authorities need to engage staff with special expertise that is relevant to these specific activities.
Additionally, there are differences and peculiarities amongst customs that need to be taken into account. In this respect, a standardised approach would not be suitable for every situation; instead, a more tailored approach would be necessary in order to reach full digitalisation.
8. Tax Treatment for Digital Businesses
8.1 Please give a brief description of any relevant tax incentives for digital businesses in your jurisdiction. These could include investment reliefs, research and development credits and/or beneficial tax rules relating to intellectual property.
Under Italian tax legislation, a number of tax incentives are available to companies operating in the digital sector.
The Patent Box mechanism allows taxpayers to apply a 110% super-deduction on costs related to qualifying intangible assets. The taxpayer must exercise this option in the fiscal year in which the intangible asset obtains patent protection, copyright registration or other legal safeguards, and the deduction covers all relevant costs incurred during that year as well as in the preceding eight fiscal years. It is worth noting that trademarks are not included among the intangible assets that qualify for the Patent Box regime.
The Patent Box regime constitutes a fiscal incentive designed to foster the creation and exploitation of intellectual property, by offering tax advantages to both resident and non-resident entities engaged in R&D activities.
With respect to tax credits available for R&D as well as technological innovation investments, Italian law provides for a credit amounting to 5% of qualifying expenditure, subject to an annual cap of EUR 2 million. In the case of digital innovation initiatives, or projects pursuing ecological transition goals, a 5% tax credit applies for the tax period subsequent to those running from 31 December 2023 to 31 December 2025, up to a yearly ceiling of EUR 4 million.
8.2 What areas or points of tax law do you think are most likely to lead to disputes between digital businesses and the tax authorities, either domestically or cross-border?
The key areas of contention between digital companies and the Italian tax authorities revolve around the determination of a permanent establishment (“PE”) and the possible imposition of withholding taxes on specific categories of cross-border digital transactions.
The ongoing advancement of digital technologies, coupled with the diminishing requirement for a substantial physical footprint to conduct business within a given jurisdiction, gives rise to questions as to whether a PE may be deemed to exist in a particular country. In recent times, the Italian Revenue Agency has challenged, in such scenarios, the existence of a PE in Italy with respect to several enterprises conducting commercial activities via the Internet.
The emergence of novel digital products and innovative service delivery methods generates uncertainty regarding the appropriate characterisation of payments remitted by Italian-resident entities to foreign suppliers in exchange for digital services or intangible assets. In certain instances, the Italian Revenue Agency has disputed the applicability of withholding tax obligations on specific outbound payments (including those classified as royalties).
Another particularly active area of tax litigation concerns the R&D tax credit. The Italian tax authorities frequently challenge the qualification of business activities as research, development or technological innovation under the OECD Frascati Manual – a challenge that has triggered widespread litigation and led to the introduction of a “voluntary refund” procedure.
The typical objection raised by the tax authorities concerns the novelty of the product or process developed by the business, as such novelty must be assessed against the worldwide state of the art rather than at the level of the individual undertaking, which creates significant uncertainty for taxpayers, who often face material difficulties in establishing whether this threshold is actually met.
9. Employment Law Implications for an Agile Workforce
9.1 What legal and practical considerations should businesses take into account when deciding on the best way of resourcing work in your jurisdiction? In particular, please describe the advantages and disadvantages of the available employment status models.
Both from a legal and practical perspective, businesses which decide to recruit people in Italy should be focused on the way in which the working activities shall be carried out to match the business needs.
Companies should enter into employment agreements if the hired workers are part of the company’s organisation, carrying out their duties with continuity in the workplace, during specific working time and following specific instructions.
The standard model of employment relationship is the permanent employment agreement, usually governed by Italian law and by the applicable national collective bargaining agreement, whereas fixed-term employment agreements are permitted only within certain law restrictions (i.e., maximum duration, certain percentage of fixed-term employees, existence of specific reasons). If business needs allow people to carry out services in autonomy and with maximum flexibility (i.e., no working time, no workplace and no specific instructions), companies may execute self-employed agreements.
In conclusion, indeed any model of relationship has specific advantages and disadvantages; however, when deciding on the best way of resourcing work in Italy, in order to avoid possible risks of claims, businesses must execute the model of contract that better matches the most effective way of performing their activities/services.
9.2 Are there any specific regulations in place in your jurisdiction relating to carrying out work away from an organisation’s physical premises?
Italian law provides two different models to work away from a company’s physical premises.
The first one is so-called “smart working” (i.e., flexible working modality, based on which employees spend part of their working time out of the office, working from home or from different places). The other is so-called “teleworking” (i.e., work activities entirely carried out from a home-working station provided by the employer without physical company premises). Specific provisions must be provided by the parties to regulate these modalities when working away from the company’s physical premises.
Generally speaking, smart workers and teleworkers are subject to the same treatment as other employees, but employers must consider key topics to manage the above-mentioned models of work: (i) health and safety (ensuring that employees work in compliance with the relevant law measures and provisions); and (ii) data protection (avoiding intentional remote monitoring of employees’ working activity).
9.3 What long-term effects or changes are likely to result from the COVID-19 pandemic?
Smart working has now become part of everyday working life and is destined to remain so: at the end of the COVID-19 crisis, it is estimated that Italian agile workers, who work at least in part remotely, will total around 5.35 million. To adapt to this “new normal” of working, 70% of large companies will increase the number of remote working days, bringing them on average from one to 2.7 days per week. One in two companies will change their physical spaces as a result. From an employee perspective, smart working has blurred the boundaries between professional and personal life, raising important questions around the right to disconnect, work-life balance, and mental health in the workplace. Italian legislation has begun to address some of these concerns, though regulatory frameworks are still evolving to keep pace with the new reality. In the longer term, the widespread adoption of remote working is also expected to blur geographical boundaries, enabling workers to perform their roles from abroad while remaining employed by Italian companies, and vice versa. This opens new opportunities for talent acquisition on a global scale, but also raises complex legal and regulatory challenges around taxation, social security contributions, and employment law applicable to cross-border remote workers.
10. Top ‘Flags’ for Doing Business as a Digital Business in Different Jurisdictions
10.1 What are the key legal barriers faced by a digital business operating in your jurisdiction?
As already highlighted, the Italian public administration generally, and the Italian Government specifically, are strongly oriented toward full digitalisation, not only of public administrations themselves but also of private operators. In this regard, among others, companies interested in investing in their digitalisation can benefit from public funds and financial subsidies from the PNRR.
As the third largest EU economy, Italy has made significant strides in its digital transformation in recent years. According to the Digital Economy and Society Index (the “DESI”) 2025, the country was advancing at a remarkable pace. Indeed, the 2025 Digital Decade Country Report for Italy has confirmed strong progress in digital infrastructure and digital public services, while identifying persistent weaknesses in AI adoption by enterprises and in start-up/scale-up dynamics.
More specifically, as regards connectivity, in Italy the deployment of fibre-to-the-premises (“FTTP”) infrastructure reached 70.7% coverage, thereby matching the EU average. On the enterprise side, while the majority of Italian SMEs (70.2%) attained at least a basic level of digital intensity, the adoption of AI remained limited, with only 8.2% of Italian enterprises having integrated AI solutions into their operations. As regards digital public services, the digitalisation process continued to advance through the implementation of key measures aimed at enhancing interoperability and usability. However, significant challenges persist on the human capital front: only 45.8% of the population possesses basic digital skills, with gaps that disproportionately affect individuals with lower education levels as well as younger generations.
Giving continuity to the initiatives undertaken and leveraging Italy’s many assets would allow the country to further improve its performance. The Recovery and Resilience Plan, the largest in Europe, endows Italy with the necessary funds to accelerate its digital transformation. Moreover, the country has a strong industrial base and research communities in key areas such as AI, high-performance computing and quantum computing. These strengths should be leveraged to digitalise all areas of the economy.
10.2 Are there any notable advantages for a digital business operating in your jurisdiction?
The most notable advantage for a digital business operating in Italy is to benefit from the investments and economic aid offered by the PNRR, which has laid out an ambitious roadmap, with reforms and investments touching upon all aspects of the DESI.
To recall our answer to question 10.1, the DESI is intended to overcome the delays and close the digital and technological gaps between Italy and other European countries in order to drive digitalisation across the country.
In addition, from an economic standpoint, a digital business can benefit from wide cross-border or even globalised competitive markets compared to companies which have not yet embodied the “digital shift”.
Lastly, economic operators, especially SMEs, running a digital business and/or an online trade could be able to significantly overcome national non-digital competitors.
10.3 What are the key areas of focus of the regulator in your territory for those operating digital business in your territory?
In the context of the PNRR, the Italian Government is focused on many key areas to foster digitalisation – and, consequently, to bolster digital businesses operating in Italy.
First, the digital transition: the reforms and investments contributing to the digital transition cover: (a) the digital transformation of the public administration and justice system; (b) the strengthening of the healthcare system through digital technologies; (c) the modernisation of businesses through the uptake of advanced technologies; and (d) the deployment of gigabit connectivity across the country.
Second, human capital: the PNRR also addresses digital-skills development, with measures aimed at improving the basic digital skills of the general population, increasing the offer of training on advanced digital skills, and upskilling and reskilling the workforce. Moreover, the PNRR includes measures to tackle the digital divide by strengthening digital skills.
Investments in digital-skills development are also targeted at the public sector, e.g., public sector employees, through massive open online courses on key competences including digital skills, and doctors, in connection with measures to strengthen electronic health records.
Third, connectivity: ambitious investments support the deployment of ultra-fast broadband and 5G networks to reduce the digital divide, also targeting socio-economic drivers such as schools, hospitals and transport corridors.
Fourth, integration of digital technology: the PNRR allocates resources to support the digitalisation of businesses, the development and deployment of advanced technologies and ICT-related R&D. The PNRR addresses the digitalisation of businesses by focusing on stimulating the uptake of Industry 4.0 technologies.
Lastly, digital public services: the PNRR includes significant investments for the digitalisation of public administration, supporting the modernisation of the digital infrastructure, the reinforcement of cybersecurity, the interoperability of databases and the improvement of digital public services for the general public and businesses. In this regard, in recent years, Italy adopted different measures aimed at improving national e-Government infrastructures: (i) the Legislative Decree of March 31, 2023, No. 36 adopted the new Public Procurement Code, which digitalised the whole tendering proceeding: as of 1 January 2024, the “digitalization of the procurement lifecycle” has become fully effective, with mandatory use of certified digital procurement platforms and the Anticorruption Authority’s database (“BDNCP”) interoperability layer as a central backbone for the end-to-end cycle of public contracts; (ii) the Plan for Information Technologies in Public Administrations 2024–2026 (Piano Triennale per l’Informatica nella Pubblica Amministrazione 2024–2026), which aims at completing the digitalisation transformation of public entities (the Plan has been updated in 2026 to align the roadmap with evolving EU/national frameworks and explicitly incorporate themes such as the IT-Wallet, data quality and AI); and (iii) Law No. 132/2025 on AI, which aims at regulating the use of the AI in public administrations.
Finally (and specifically for businesses that develop/host/transfer technology), a structural compliance criticality stems from export controls and sanctions: Italy has implemented Directive (EU) 2024/1226 through Legislative Decree No. 211/2025 (in force since 24 January 2026), criminalising violations/evasion of EU restrictive measures and impacting corporate liability exposure (including under the Legislative Decree No. 231/2001 framework), making it essential for companies to assess whether cross-border (including intangible) technology transfers could trigger licensing/sanctions risks and related controls.
11. Online Payments
11.1 What regulations, if any, apply to the online payment sector in your jurisdiction?
From a financial supervision standpoint, the online payment sector is subject to the regulatory power of the BoI, which is competent for supervising both the retail and wholesale markets, and takes part as a national authority in the Single Euro Payment Area (“SEPA”).
Along with monitoring compliance with rules of conduct, transparency, sound and prudent management and anti-money laundering rules by payment service providers, the BoI is also granted the power to oversee local payment system infrastructures in order to ensure proper risk management measures (e.g., ICT, business continuity and disaster recovery) are implemented, including in relation to online transactions. Specific awareness of cyber-related risks associated with online transactions is constantly raised by the BoI (see, among others, the BoI’s Key Note Address – “Cyber Security: an ongoing Challenge for Economy and Society – February 2023). The continuing Russian-Ukrainian war has also brought to the attention of the BoI-specific risks associated with cyber-war and attacks, in relation to both critical infrastructures’ stress and money laundering. Moreover, the Italian Financial Regulators issued a joint warning to local financial providers to enhance their measures aimed at reducing the IT risks associated with cyber-attacks (see the BoI’s press release on the Russian-Ukrainian war of March 7, 2022).
The regulatory framework has been reviewed due to the PSD2 and relevant implementing regulatory and technical standards, being enacted locally as of the end of 2017. The PSD2 brought certain new business models and third-party services particularly relevant to online payment transactions (notably payment initiation and payment account information providers) into the regulatory scope of the BoI, which is keen on ensuring those new players have access to client interfaces held by banks and other incumbents, as set out by the EU rules.
The carrying out of online payments is mainly governed by the following acts and regulations, as amended and supplemented by the PSD2 implementing rules:
- the Italian Banking Act (Legislative Decree No. 385/1993), which sets out the overall requirements for providing banking/payment-related services, including those online;
- Legislative Decree No. 141/2010, which sets out specific rules on consumer financing and payment services tied in with other commercial services and activities, and on distributors of payment services; and
- the BoI’s Regulation of July 29, 2009, on transparency duties to customers (the “Transparency Regulation”).
EU payment providers who wish to carry out business in Italy are granted passporting rights under the Italian Financial Act, under both establishment and freedom of services, and are enrolled with the relevant BoI registers for EU payment institutions, pursuant to the Home Member State Authorisation principle.
The BoI launched research papers into the new payment framework that will be introduced by the PSD3 and PSR proposals; specifically, certain exemptions set out in the PSD2 framework (those for cash providers, for example), are looked at by the Italian Regulator as not being target for further clarification and implementing measures (see: BoI, “PSD2 Review and MiCAR coordination” – 29 October 2024, available on the BoI website).
11.2 What are the key legal issues for online payment providers in your jurisdiction to consider?
The payment sector is highly regulated in Italy and local competent authorities, including courts and the BoI, normally take a consumer-friendly approach.
As for compliance issues, consistent with the above, the Transparency Regulation is key when it comes to ensuring that information on online services, and related costs, are clearly disclosed and clients are being treated fairly. In that vein, specific attention is generally drawn by the BoI to the following: (i) signing of payment services contracts by both the provider and client (also via recognised e-signatures) and handing over of all contract documentation to the latter; (ii) proper and timely complaints handling; and (iii) avoiding the bundling of unrelated services. Data protection is also at the core of any compliance governance set by online service providers.
Also, the BoI is increasingly looking at the online payment sectors in order to monitor and detect consumer fraud, money laundering and terrorism financing risks.
12. Digital and the Green Economy
12.1 With the current global emphasis on the environment and sustainability, will current or anticipated legislation in that area affect digital business in your jurisdiction?
In Italy there is currently a strong focus of public opinion on entities, including those operating in the digital business sector, that build their marketing initiatives on misleading claims on sustainability and the environment. Such practice, commonly referred to as “greenwashing”, is addressed by Art. 12 of the Self-Regulatory Code on Commercial Communication – a voluntary code promoted by the Advertising Self-Regulatory Institute (Istituto di Autodisciplina Pubblicitaria), which is binding for companies that adhere to it directly or indirectly – which establishes that claims on environmental or ecological benefits must (i) be based on truthful, pertinent and scientifically verifiable evidence, and (ii) ensure a clear understanding of which aspect of the product or activity the claimed benefits refer to.
Furthermore, the AGCM has enforced the general provisions on unfair commercial practices to sanction the use of environmental claims that, for instance, provide misleading information on the actual scope of the claim, or are not strongly substantiated.
Moreover, Italy transposed Directive (EU) No. 2024/825 – regarding empowering consumers for the green transition – with Legislative Decree No. 30/2026, which amended the Consumer’s Code (Legislative Decree No. 206/2005) to introduce environment-related new definitions, additional information requirements and safeguards against unfair commercial practices.
The new provisions introduce new information obligations and two new unfair commercial practices. As for the transparency obligations, the Decree introduces a new notice of conformity, harmonised at EU level, specifically provided to inform the consumers about the legal guarantee of conformity. The notice must be clearly visible, meaning that for online sellers it is highly recommended to include it as a notice on the website. Additionally, an optional durability guarantee and a relevant harmonised label are introduced. As for the unfair commercial practices, they refer to misleading or generic information on the sustainability of the products, as outlined in the amended Arts 21 and 23 of the Consumer’s Code.
12.2 Are there any incentives for digital businesses to become ‘greener’?
There are no main incentives dedicated solely to digital businesses to encourage them to become “greener”. Nevertheless, there are projects aimed at encouraging businesses to become “greener”, but they usually have a broader scope, which does not directly affect digital businesses.
12.3 What do you see as the environmental and sustainability challenges facing digital businesses?
It is likely that digital business will face challenges in finding the right way to convey their environmental initiatives, ensuring transparent and truthful communication toward consumers and professionals, also in light of the recent implementation in Italy of the EU Directive on green transition (as mentioned in the answer to question 12.1). It is likely that in the future, digital businesses will need to work on internal procedures to ensure compliance with specific requirements on green claims substantiation, environmental labelling schemes and certification.
From a different perspective, digital businesses may find it difficult to balance the “green impetus” with the environmental impact deriving from the use of some technical infrastructures which are often essential to conduct such businesses, for instance antennas, servers and cooling facilities.
As a more general remark, the challenges in this regard are even greater when referring to businesses that by their nature are polluting, such as those in the transport sector.
Moreover, the customer return policy is a key element for e-commerce shops but, at the same time, it has a strong impact on sustainability. To be more sustainable, e-shops will have to manage their returns policy through the use of technologies that reduce environmental impact. The use of automatic parcel machines, for example, can decrease urban traffic and consequent CO2 emissions. Other advances will be able to identify practices of “social returns” that, through the circular economy, can give new life to products. Lastly, AI systems will likely be deployed to face environmental and sustainability challenges.
