ITALY Trends and Developments Contributed by: Paolo Balboni, Luca Bolognini, Giulio Monga and Carmine Antonio Perri, ICT Legal Consulting
rency service providers. These frameworks require stringent cybersecurity standards, data segregation, and capital adequacy obligations, often beyond the technological or organisational capacity of smaller operators. Consequently, many fintech companies have opted for strategic M&A – merging with larger, better-capitalised entities or acquiring niche compli- ance technology providers – to meet these require- ments and preserve business continuity. Similarly, data protection and cybersecurity have become central to M&A decision-making. The Italian Data Protection Authority ( Garante per la Protezione dei Dati Personali ) has intensified enforcement of the Regulation (EU) 2016/679 (the “GDPR”), particularly in the context of AI-driven data processing, profil- ing, and cross-border data transfers. The risk of non- compliance – including fines of up to 4% of global turnover – has made data protection compliance an essential part of due diligence and transaction struc- turing. Buyers now routinely seek assurances on data governance, security certifications (eg, ISO 27001), and internal data retention policies before completing acquisitions. The emerging Regulation (EU) 2024/1689 (the “Arti- ficial Intelligence Act” or AI Act) further reinforces this trend. Expected to become fully applicable by 2 August 2026 – except for a single provision that will become applicable by 2 August 2027 – the AI Act introduces a risk-based regulatory framework for AI systems, imposing strict obligations on “high-risk” applications such as biometric identification, financial scoring, and automated decision-making. Italian tech- nology companies developing or deploying AI solu- tions are therefore investing in acquiring compliance expertise and proprietary governance tools. M&A is being increasingly used as a strategic shortcut to integrate AI governance infrastructure – for instance, acquiring smaller AI-focused firms that already pos- sess risk classification models, audit mechanisms, or certified datasets aligned with EU standards. Finally, cloud and digital infrastructure regulation has also evolved. With the growth of Regulation (EU) 2022/868 (the “European Data Governance Act”) and Regulation (EU) 2019/881 (the “EU Cybersecurity Act”), there is increasing regulatory emphasis on data
localisation, interoperability, and cloud certification. Such emphasis has increased since Regulation (EU) 2023/2854 (the “Data Act”) became applicable on 12 September 2025. As a result, Italian corporates and public-sector service providers are now more willing to migrate to sovereign or EU-certified cloud provid- ers. This has spurred acquisitions of local data cen- tres, managed service providers, and cybersecurity specialists, allowing acquirers to secure compliance, enhance resilience, and meet public procurement standards. Taken together, these regulatory developments have driven a shift from compliance as a back-office func- tion to compliance as a strategic M&A driver. Compa- nies are now acquiring not just technology and market share, but also regulatory capability – integrating com- pliance expertise, licensed infrastructure, and certi- fied systems as key assets in maintaining operational continuity and investor confidence. Private capital mobilisation Another major driver is the availability of private capi- tal, which has supported both early-stage growth and strategic M&A. • Private equity (PE) funds, family offices, and sovereign-backed co-investment vehicles such as the National Innovation Fund ( Fondo Nazionale Innovazione or FNI) and CDP Venture Capital have deployed significant capital into technology com- panies, particularly those with defensible IP and recurring-revenue business models. • These investors provide not only financing but also strategic support, enabling acquisitions and market expansion. • PE involvement is especially prominent in mid- market transactions, where platform investments, bolt-on acquisitions, and club deals are increas- ingly common. Capital mobilisation has allowed VC-backed compa- nies to pursue partial or controlling-interest sales, giv- ing investors flexibility to exit or retain minority posi- tions for potential upside.
177 CHAMBERS.COM
Powered by FlippingBook