ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Giulio Monga and Carmine Antonio Perri, ICT Legal Consulting
Decree No 196/2003 (the “Data Protection Code”), and provisions and guidelines from the Italian Supervisory Authority ( Garante per la protezione dei dati personali ); • cybersecurity legislation, in particular with regard to entities subject to NIS1 and the NI2 Directive or falling within the scope of the “National Perimeter of Cybersecurity”, established by Law-Decree No 105/2019; • AI governance and algorithmic transparency, in particular in light of Regulation EU 2024/1689 (the “AI Act”), complemented in Italy by Law No 132/2025; • cloud infrastructure, interoperability and data portability, especially in light of the Regulation EU 2023/2854 (the “Data Act”); • ESG and sustainability metrics, especially with regard to data protection and cybersecurity-related aspects; and • regulatory compliance with sector-specific frame- works (eg, medical devices, fintech, digital health and telecoms). 9.2 Technology Company Due Diligence In Italy, the scope of due diligence on a technology company is largely shaped by the company’s listing status and by confidentiality and market-disclosure rules. Unlisted targets may freely share information with pro- spective buyers, while listed companies must comply with the Regulation EU 596/2014 (the “Market Abuse Regulation”). Targets typically provide bidders with access to a virtual data room (VDR) under non-disclosure agree- ments (NDAs). In competing-bid situations, any non-public informa- tion released to one bidder must be made available to other bidders upon request, in accordance with the equal-treatment and fairness principles, and also in the light of Consob practice. In technology-driven operations, due diligence often includes a review of source code, algorithms, data- sets, or AI models. Overall, boards of listed technol- ogy companies generally allow a moderate level of
technical due diligence sufficient to enable valuation and risk assessment, while ensuring that disclosure remains proportionate, reversible and non-discrimi- natory. 9.3 Data Privacy No specific data privacy restrictions apply. However, the disclosure and processing of personal data within due diligence activities must be carried out in accord- ance with the applicable data protection legislation, namely the GDPR and Data Protection Code. Under Article 102 (1) TUF, a bidder intending to launch a takeover offer ( offerta pubblica di acquisto ) or an exchange offer ( offerta pubblica di scambio ) must immediately notify Consob and make its decision public – or, in the case of mandatory offers, the arising of the obligation – in order to proceed with the offer. Pursuant to Article 37 of Consob Regulation No 11971/1999, the initial communication through which the offer is made public must set out the essential features of the offer, including the identity of the bid- der, the type and object of the offer, the consideration offered, and the strategic rationale of the transaction. 10.2 Prospectus Requirements 10. Disclosure 10.1 Making a Bid Public A prospectus must be published under Regulation (EU) 2017/1129 (the “Prospectus Regulation”) when transferable securities are offered to the public or admitted to trading on a regulated market in the EU. In Italy, a draft of the prospectus must be submitted for approval to Consob according to Article 94 (1) TUF. Consob collaborates with the Borsa Italiana for the approval. However, no prospectus is required when: • the total consideration of the offer in the EU is below EUR8 million within 12 months (as stressed by Article 34-ter of Consob Regulation No 11971/1999);
170 CHAMBERS.COM
Powered by FlippingBook