The relevant regulations for doing business online are:

Other applicable statutory provisions along with the sections of the Italian Civil Code (CC) on agreements in general are:

The following will also apply in Italy, as in the other EU member states:

The Italian Parliament and, in some cases, the Italian Government are responsible for passing national legislation.

The Ministry of Enterprises and Made in Italy (former Ministry of Economic Development) is directly responsible for the digital business sector.

The authorities that supervise compliance with the relevant regulations are the:

The steps required to set up a business online are:

Specific activities can require professional authorisations for practice (for example, in case of a jewellery business, the seller must obtain a public security licence).

The main categories of counterparties for an online business include:

The relevant laws that might affect the design of the website or app are:

To develop an app, the trader usually enters into a software development agreement with a professional provider. Alternatively, it could consider obtaining a licence under the relevant technology. If services of third parties are necessary for the use of the app (such as web services), the trader will enter into a supply of services agreement with a supplier.

If the app is to be sold on a third-party platform (such as App Store, Google Play Store, Amazon, Salesforce), the trader must accept the relevant terms and conditions (T&Cs).

The trader must also have clear terms of use for the app itself and such terms must be available to customers/consumers.

Where the collection and processing of personal data of users will be carried out through the app, the trader must put in place a privacy policy which must be accepted by the users.

Content. For both distance contracts and off-premises contracts, the seller must provide the consumer in a clear and comprehensible manner with the following information (among others):

(Article 49, Consumer Code.)

Before a consumer is bound by a distance contract, or by a corresponding offer on an online marketplace, the online marketplace provider must also indicate to the consumer (among other things):

The above information must be drafted clearly and unambiguously before the customer is bound by a distance contract or by off-premises contracts. All the information must be set out in the T&Cs and these must be available in Italian.

After the conclusion of the contract, the seller must acknowledge receipt of the order and send a confirmation (on a durable medium, such as email) including:

(Article 13, E-Commerce Law.)

Contract. The written form of the contract is required only when it is prescribed by law under the penalty of nullity (Article 1325, CC).

As a consequence, if the law does not require any specific form, a browse-wrap, shrink-wrap or click-wrap method can be used.

However, agreements and acts under Article 1350, first paragraph, (1-12) of the CC will be valid if executed with a qualified electronic signature (or digital signature, see Question 12) (Article 21, paragraph 2-bis, CAD).

Such agreements include, without limitation, contracts that:

(Article 1350, first paragraph, (1-12), CC.)

Acts and agreements under Article 1350 (13) of the CC (referring to "other acts specifically indicated by the law") are valid if executed with a qualified (or digital) and advanced electronic signature.

In addition, some onerous clauses are only valid if they are accepted with a separate and specific hand-written signature or with an advanced/qualified/digital electronic signature by the counterparty (Article 1341, paragraph 2, CC). The following types of clauses are considered burdensome if drafted by one party in advance and not negotiated with other party (either consumer or non-consumer):

Certain agreements cannot be concluded online due to legal requirements of specific forms or formalities. For example, a notary's presence is required to execute some agreements such as real estate purchase agreements.

In B2C contracts, all information intended for consumers and users must be provided in Italian (Article 9, Consumer Code). Where the terms are drafted in more than one language, the information must also be provided in Italian and with equal visibility and legibility to those used for the other languages.

The E-Commerce Law governs the execution of contracts on the internet both in B2B and B2C contracts.

The general contract provisions under the CC and the Consumer Code provisions also apply to B2C agreements.

The P2B Regulation applies to the T&Cs of online services providers and business users who use the online platform to sell their services/goods to consumers.

Providers of online intermediation services (such as providers of search engines, social media sites, e-commerce market places and software application services) (OISPs), must ensure that their T&Cs, among others, are drafted in plain and intelligible language and are easily available to business users at all stages of the commercial relationship, including in the precontractual stage. The T&Cs of OISPs must contain, among others, provisions on:

On 30 November 2022, AGCOM published the Guidelines for the adequate and effective application of Regulation (EU) 2019/1150 with the aim of providing detailed indications for the drafting of T&Cs by OISPs in line with the provisions of the P2B Regulation.

AGCOM has also published the Technical Table for the adequate and effective application of Regulation (EU) 2019/1150 to identify solutions regarding any critical application issues of the P2B Regulation, and to monitor the implementation of the P2B Regulation.

The retention of personal data collected and processed via electronic contracting must comply with the GDPR, including the principles set out by the Italian Privacy Code for data processing (see Question 14) such as lawfulness, fairness, proportionality and necessity of data processing.

Consumers' personal data related to electronic contracting can be retained for the time strictly necessary to perform the contractual obligations or to comply with relevant applicable laws (for example, tax obligations).

The DPA provides specific provisions related to data retention in particular business sectors (for example, mobile payments).

Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) states that the trust service providers can provide either:

We are not aware of any current qualified trust service provider in Italy that has implemented the above service.

A proposal to amend the eIDAS Regulation is currently being approved. The proposed amendments will strengthen the EU Single Digital Market by allowing citizens, other residents as defined by national law and businesses to identify online in a secure, convenient and uniform way across the EU.

Articles 1218 and 1453 of the CC cover the general principles concerning contractual liability.

Such provisions also apply to electronic contracts.

Under these provisions a party that is in breach of their obligations (that is failing to perform the contract, incomplete or delayed performance) is liable for damages unless they prove that the non-performance or delay was due to impossibility .

The measure of damages arising from non-performance or delay includes the loss sustained by the performing party and the lost profits in so far as they are a direct and immediate consequence of the non-performance or delay.

If the exact amount of damages cannot be proved , they are equitably liquidated by the court.

Any agreement which, in advance, excludes or limits the liability of the non-performing party for fraud or gross negligence is void.

Italian law recognises e-signatures as legally effective.

E-signatures are regulated by the CAD and by the eIDAS Regulation.

The CAD lists the following types of e-signatures:

Under Article 1 of Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals, member states must recognise advanced signatures in XML, CMS, or PDF. The e-signatures must comply with one of the following ETSI technical specifications:

See Question 7.

The GDPR regulates collection and use of personal data. It applies both to the:

(Article 2, GDPR.)

The domestic data protection framework is completed by the Italian Privacy Code (as amended by Legislative Decree No. 101 of 2018 to align with GDPR).

Article 4 of the GDPR defines the following kinds of data:

The following rules must be complied with in relation to personal data:

(section 9, GDPR.)

Cloud services involved must comply with specific requirements for data protection and the storage of data. These include:

Government bodies and judicial authorities can ask for access to personal data held by a data controller. There are specific procedures to be followed and the inquiry must usually be in the form of an official and specific request.

The use of cookies is allowed as long as the requirements of the DPA decision (dated 8 May 2014) on simplified arrangements to provide information and obtain consent regarding cookies are duly applied by the data processor.

On 10 June 2021, the DPA adopted new guidelines on the use of cookies and other tracking tools, which supplement those adopted in 2014 and provide some clarifications about the use of "scrolling" for obtaining consent to the storage and use of cookies and other tracking tools and the use of so-called cookie walls, among others.

In particular, the DPA requires the data processor to provide the following information:

Internet providers must take into consideration technological innovations and adopt appropriate technical and organisational measures to ensure an adequate level of security.

The DPA decision of 4 April 2013 suggested using the following measures to apply the minimisation principle:

Whenever security of service or personal data makes it necessary to also take measures applying to the network, the provider of a publicly available electronic communications service must adopt those measures jointly with the provider of the public communications network.

Apart from data and incident security breach obligations set out under the GDPR, the following domestic and EU provisions apply:

If there is a significant risk of a breach of network security, the provider of a publicly available electronic communications service must inform contracting parties and, if possible, users of the risk and the measures taken by the provider.

Anyone who causes damage to another by the processing of personal data is liable to pay damages (Article 82, GDPR). Data controllers and data processors are liable to pay damages unless they can prove that they have taken all appropriate measures to avoid the damage.

Encryption is a suggested and appropriate technical measure aimed to ensure a level of security appropriate to the risk (Article 32, GDPR).

Electronic payments are regulated by:

In addition, the DPA Decision on Mobile Payments (No. 258 of 22 May 2014) states the following (among the other things):

'Italian authorities, especially the DPA, are particularly sensitive to children's privacy and protection, especially online and over the last couple of years have taken several steps to facilitate a ground for their protection online, working with children protection associations. Child protection online is therefore likely to be subject to more stringent domestic regulation in Italy in the future.

In September 2015, the DPA made public the results of the survey conducted by the Global Privacy Enforcement Network (GPEN) from which several critical issues emerged, in particular:

Italy has implemented the Digital Content and Digital Services Directive ((EU) 2019/770) by means of Legislative Decree No. 173 of 2021, which has accordingly integrated the Consumers' Code.

There are no limitations to linking, framing, caching, spidering, and the use of meta-tags, provided that intellectual property (IP) rights (including copyright and related rights, and trade marks) and advertising/marketing regulations are guaranteed.

There are no limitations on the use of metatags or advertising keywords provided IP rights and advertising/marketing regulations are guaranteed.

Under Article 22 of the Industrial Property Code, domain names are distinctive signs of a company as trade marks, and therefore licensing of domain names is regulated by the same rules that apply to trade marks.

Domain names have the same protection of other distinctive signs (Article 22, Industrial Property Code).

As a consequence, Article 2598 of the CC also protects domain names against acts of unfair competition, for example:

The business name is assigned to the company on request, which can be made once the company has been registered with the competent local Companies Register at the Chamber of Commerce.

Regulation (EU) 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Recast Brussels Regulation) regulates internet transactions. Articles 4 to 6 contain the general criteria, under which disputes concerning e-commerce are based on the domicile of the defendant and the location of the registered office.

Further, under Article 7.1, in contractual disputes a person domiciled in a member state can be sued in another member state in the courts relevant for the place of performance of the obligation in question.

Unless otherwise agreed, the place of performance of the relevant obligation is:

In addition, under Article 18, in B2C contracts, a consumer can bring proceedings against the other party to a contract either in the courts of the member state where that party is domiciled or, regardless of the domicile of the other party, in the courts relevant to the consumer's domicile.

The will of the parties generally determines the governing law of the internet transaction. In the absence of the parties' agreement, the governing law is identified on the basis of the criteria provided in Rome I.

Further, where the consumer agreement is regulated by the law of another EU member state, consumers who are resident in Italy can enforce the rights granted by Consumer Code (Article 6, Rome I).

Regulation (EU) 524/2013 on online dispute resolution for consumer disputes (Online Dispute Resolution Regulation) introduced an online platform for disputes (ODR) arising between consumers and businesses who enter into an online agreement. This system was implemented on 15 February 2016 (www.ec.europa.eu/consumers/odr/main/?event=main.home2.show).

In addition, the Consumer Code provides for a voluntary procedure for out-of-court settlement of EU domestic and cross-border B2C disputes (Article 141(4)). Under this procedure, an ADR body offers a solution or brings the parties together to facilitate an amicable settlement.

Through an ADR/ODR procedure, the parties can agree on remedies for their dispute (such as substitution/repair of the claimed product), but no compensation or damages can be requested: damages can only be requested by means of judicial proceedings.

The relevant rules on advertising good/ services online are included in the:

Italian legislation provides restrictions applicable to the advertisement of certain types of products or services. These restrictions also apply to online advertising.

These restrictions are applicable to the following products:

The MC Code contains specific rules for the advertising of, among the others, alcoholic drinks, cosmetic products, medicinal treatments/products and personal hygiene products, food supplements and health foods.

The MC Code is binding on agencies, consultants, media, sales houses and others that accept its terms by entering into an agreement or by signing a contract for advertising.

The entities that adhere to the MC Code typically include an acceptance clause in their contracts or in those of their associates asking users to follow the Code and self-regulatory policies. Therefore, the majority of Italian commercial communications is bound by the MC Code.

Article 130 of the Privacy Code includes the opt-in rule for online commercial communication and advertising. This means that online communications for the purposes of direct marketing can only be made with the recipient's prior consent. However, if a data controller processes, for the purposes of direct sales of its products or services, the e-mail address provided by the data subject concerned in the context of the sale of a product or service, they do not need to collect the prior consent of the data subject for sending further e-mails concerning the same product or service ("soft spam" exception).

Language requirements are established in principle by the Consumer Code, which provides that information about safety, composition and quality of the products and services must be printed on the packaging or be otherwise provided together with the product. Any information intended for consumers must be provided in Italian.

Consumer information must be appropriate to the means of communication used and expressed in a clear and understandable manner to ensure consumer awareness. Similar principles apply to privacy notices, which must be in Italian to ensure full comprehension by the data subjects when services are directed at Italian-based individuals,

With effect from 1 January 2020, the new Italian DST was implemented by the Italian 2020 Budget Law. In January 2021, the Italian Revenue Agency issued the final operational guidelines for the implementation of the DST and related special accounting obligations, as well as a specific form to be used for filing the annual tax return.

The DST provisions contain a sunset clause which means they will be automatically repealed if and when internationally agreed provisions on digital economy taxation become applicable.

The DST applies to foreign and Italian businesses with a worldwide consolidated revenue of at least EUR750 million, out of which at least EUR5.5 million are revenues relating to digital services arising in Italy.

Revenues subject to DST include those deriving from:

DST also applies to transactions carried out in the marketplace, including the intermediation in the sales of goods, while transactions concluded directly with final consumers and pure e-commerce transactions seem to be still out of scope.

By contrast, DST does not apply to (among others):

Revenues subject to taxation are mainly linked to the location of the users of the services (taking into account the IP address). As a result, they are considered taxable if the user of a taxable service is located in Italy in a specific tax period.

DST applies at 3% on revenues (gross of related expenses and net of VAT) generated during the tax period. There is no indication of whether non-deductible costs include traffic acquisition costs.

DST computation is based on the ratio between the total amount of revenues deriving from digital services, wherever realised, and those connected with the Italian territory (specific rules apply to each of the different type of revenues) on a cash basis.

Non-resident entities without a permanent establishment (PE) in Italy or a VAT number, which in the course of a calendar year fulfil the conditions for the application of DST, must request an identification number for DST purposes from the Italian Revenue Agency.

If a non-resident has an affiliate company in Italy, the affiliate is jointly responsible for compliance with the group's DST obligations.

Payment of DST must be made on the 16 March following the relevant fiscal year. A return must be filed within six months of the end of the tax period (30 June of the following fiscal year).

Group companies can appoint a designated company to comply with all the DST formalities (payment and DST return) on behalf of the affiliate entities, based on the data and information provided by each entity.

Online sales made by a foreign company are, in principle, not subject to taxation in Italy, unless such sales are made through a PE in Italy.

The concept of a PE was reviewed by the Italian 2018 Budget Law in the context of the digital sector. A PE is deemed to exist in the case of a significant and continuous economic presence in the territory of the state, even if it does not have a physical presence in the country.

The above principle is in line with the content of the Base Erosion and Profit Shifting project (BEPS) which identifies certain points of connection of online businesses with the territory of the state (Action 1 (§ 7.6), BEPS):

B2B digital services. The VAT treatment of inbound B2B supplies of digital services generally follows the treatment of other inbound service supplies.

B2B sales are subject to VAT in Italy. The foreign seller is not required to register for VAT purposes in Italy and has no VAT obligations.

For direct e-commerce (online sales), VAT is settled by the Italian customer (that is, a taxable entity or taxable person) through the reverse-charge mechanism.

For indirect e-commerce (offline sales), the reverse-charge mechanism applies for goods that are transported from an EU state to Italy (intra-community transactions). For goods that come from a non-EU state, VAT is levied from the customs office together with customs duties (import transactions).

B2C digital services and e-commerce supplies. From 1 July 2021, the EU introduced its e-Commerce VAT Package, implemented in Italy by Legislative Decree No. 83/2021. The new VAT rules for e-commerce replaced the previous distance sales regime to simplify the registration and reporting requirements of foreign e-commerce providers for goods and services.

In particular, under the new rules, facilitators of electronic interfaces such as online marketplaces or platforms (online marketplace operators) (OMOs) are liable for VAT on certain low value "distance sales" of goods imported from outside the EU, or the supply of goods within the EU to non taxable persons by taxable persons not established in the EU.

The OMO is deemed to have received and supplied goods if it "facilitates":

"Facilitating" is using an electronic interface to allow a customer and a supplier offering goods for sale through the electronic interface to enter into contact, resulting in a supply of goods through that electronic interface.

The place of supply of goods dispatched or transported by a taxable OMO is the place where the operator supplied the goods.

An OMO subject to this rule is responsible for accounting for, collecting and remitting the VAT. It can register for the One Stop Shop (OSS) special regime (see below) to simplify its VAT obligations in multiple jurisdictions.

Under Article 6 of the VAT Law, as amended, if an electronic interface facilitator is treated as the supplier, tax liability arises at the end of the calendar month in which payment is accepted.

However, a taxable person is not treated as facilitating a supply of goods where that person:

These rules do not apply to a taxable person who only provides any of the following:

The delivery of goods to the OMO is treated as zero-rated transaction under Article 10 of the VAT Law.

By implementing the new e-commerce VAT package rules, Legislative Decree No. 83/2021 also transposed in Italy the OSS and Import One-Stop shop (IOSS) special regimes, replacing previous distance-selling rules.

The E-Commerce Law does not explicitly impose an obligation on internet service providers (ISPs) to undertake preventative monitoring of the information and content that users upload to platforms.

However, when requested to do so by a judicial authority or by AGCOM, ISPs must remove illegal content or information.

Where the website on which digital works in breach of copyright or related rights are made available is hosted on a server located in Italy, AGCOM must order the ISPs carrying out hosting activities to remove the digital works (clause 8, Regulation on the Protection of Copyright on Networks Communications (2013) (2013 Regulation)). For significant infringements, AGCOM can order ISPs to disable access to the digital works instead of selectively removing them.

Where the website on which digital works in breach of copyright or related rights are made available is hosted on a server located outside Italy, AGCOM can order ISPS acting as "mere conduits" to disable access to the site.

Under the 2013 Regulation, if AGCOM considers that a digital work has been made available on an internet page in violation of the Copyright Act, AGCOM notifies the identified ISPs and, where traceable, to the uploader and the operators of the page and of the website.

A website operator must provide the following information easily, directly and permanently accessible:

(Article 7, E-Commerce Law.)

The relevant information must be updated when necessary.

In addition to the information provided under the Consumer Code (see Question 7), according to Article 12, paragraph 1, of E-Commerce Law, the service provider must, unless otherwise agreed between B2B parties, provide in a clear, comprehensible and unambiguous manner, before the placing of the order by the recipient of the service, the following information:

When acting as a mere conduit, for example, providing caching and hosting services, ISPs are not under any obligation to monitor all the information which they store, or to investigate facts or circumstances indicating potential illegal activity (Article 17, E-Commerce Law).

However, in the case of hosting, the provider is not considered liable for the information stored at the request of the recipient as long as:

In this case, the service provider must:

The service provider bears civil liability for the content of services, where:

When requested by judicial authority or AGCOM, ISPs must remove illegal content or information.

Service providers are subject to the following liability rules:

Each online business is different and therefore the insurance policy should be tailored specifically to the requirements of the relevant business.

However, the following areas should be addressed by a standard insurance policy for any online business:

Directive (EU) 2555/2022 (NIS 2 Directive). The NIS 2 Directive entered into force on 17 January 2023 and must be implemented by member states by 17 October 2024. The NIS 2 Directive repeals, with effect from 18 October 2024, EU Directive 1148/2016 (NIS 1 Directive).

On 4 November 2021, Italy adopted Legislative Decree No. 173 of 2021, implementing Directive (EU) 2019/770 on contracts for the provision of digital content and digital services (see Question 23). This decree entered into force on 11 December 2021.

On 7 March 2023, the Italian Government adopted Legislative Decree No. 26 of 2023, implementing the Enforcement and Modernisation Directive ((EU) 2019/2161) (Omnibus Directive) as regards the better enforcement and modernisation of EU consumer protection rules. The decree was due to enter into force on 2 April 2023.