Alert // Italy reforms capital markets law to include AI in the governance; the EDPB recognizes Europrivacy certification criteria

23.04.2026

Italy’s capital markets reform brings artificial intelligence into corporate governance

Italy’s latest capital markets reform, via Legislative Decree No. 47 (27 March 2026), integrates artificial intelligence into core corporate governance by amending the Financial Act 1998 (Testo Unico della Finanza (TUF)). Instead of establishing separate AI rules, the Decree requires listed companies to disclose policies for using and monitoring new technologies—especially AI—in their governance reports. Firms must also report management and oversight policies for IT risks, including cybersecurity and risks from new technology integration. “AI systems” are defined with reference to the AI Act (Regulation (EU) 2024/1689), while “IT risks” encompass any threats to ICT and network systems that could affect digital or physical services. This reform positions AI as a governance and risk oversight issue, not just a business tool.

Further to the above, the Decree lays the foundations for what may be seen as an initial legislative recognition of CorpTech in Italy: a framework in which new technologies, and especially AI systems, become relevant not only as instruments of business activity, but also as objects of governance, disclosure and internal oversight.

EDPB endorses Europrivacy certification criteria, Legance is a partner

On 16 April 2026, the European Data Protection Board (the “EDPB”) adopted Opinion 14/2026 and Opinion 15/2026 on the Europrivacy certification criteria, marking an important step in the progressive operationalization of certification mechanisms under the GDPR. Through Opinion 14/2026, the EDPB approved the updated Europrivacy criteria as a European Data Protection Seal pursuant to Article 42(5) GDPR. Through Opinion 15/2026, it approved an additional set of Europrivacy criteria as a European Data Protection Seal to be used as a tool for international data transfers pursuant to Articles 42 and 46 GDPR. The Board’s intervention is significant not only because it confirms the continued development of one of the best-known GDPR certification schemes, but also because it expressly recognizes certification as a more concrete compliance instrument within the broader architecture of EU data protection law.

The two opinions should be read together, but they serve distinct purposes. Opinion 14/2026 concerns the updated version of the Europrivacy seal for demonstrating compliance with the GDPR, while Opinion 15/2026 relates to an additional transfer-oriented extension of the scheme. In that respect, the EDPB clarified that the updated Article 42 seal extends, among other things, to applicants subject to Article 3(2) GDPR, whereas the transfer-focused criteria are intended to be used by certified data importers located outside the EEA and not directly subject to the GDPR. This distinction is particularly relevant for multinational groups and service providers operating across jurisdictions, because it confirms that certification is evolving both as an internal compliance benchmark and as a possible component of lawful transfer structures.

From a business perspective, the most noteworthy development lies in the EDPB’s confirmation that certification may play a role not only as a voluntary accountability mechanism, but also as an appropriate safeguard for transfers under Article 46(2)(f) GDPR, provided that the certified data importer undertakes binding and enforceable commitments and, where necessary, implements supplementary measures. The message for companies is therefore twofold: on the one hand, certification schemes are becoming more practical and strategically relevant in privacy governance; on the other hand, they cannot be treated as a shortcut or safe harbor: certification does not reduce the underlying GDPR responsibilities of controllers and processors, nor does it prevent supervisory authorities from exercising their investigative and corrective powers. Proper scoping, auditability and integration into a broader compliance framework remain essential.

Against this background, we recall that Legance is recognized as an official Europrivacy™/® partner and can deliver pre-certification assessments through some members of the Data Law Team. This is relevant in the light of the EDPB’s aforementioned latest opinions, which further confirm the practical significance of certification mechanisms under the GDPR.

Get in touch with the authors

Andrea Fedi

Partner

Lucio Scudiero

Senior Counsel