Protection of Trade Secrets

Data Protection and Trade Secrets

In recent years, the GDPR has highlighted the need to protect personal data, requiring organizations to adopt adequate and demonstrable security measures. However, an equally important but less-discussed issue concerns the protection of trade secrets—such as know-how, processes, algorithms, and strategies—which constitute the true competitive advantage of businesses.

European legislation, in particular EU Directive 2016/943, transposed in Italy by Legislative Decree No. 63/2018, and Article 98 of the Industrial Property Code (CPI), recognizes the protection of trade secrets only if three cumulative conditions are met:

  • the information must be secret
  • it must have economic value by virtue of being secret
  • reasonable measures must be taken to keep it secret

It is not sufficient for the information to be confidential: it must be actively protected through concrete and verifiable controls. As also highlighted in case law, insufficient security measures can compromise the very legal protection of the trade secret.

Cybersecurity as a Legal Requirement

Cybersecurity regulations go beyond general principles or contractual tools such as NDAs and confidentiality clauses; they require the implementation of concrete technical and organizational measures.

  • The GDPR (Art. 32) requires the adoption of appropriate technical and organizational measures, including, as applicable, encryption, access control, and the ability to ensure data availability.
  • The NIS2 Directive requires advanced controls for critical and important entities, including segmentation, continuous monitoring, identity management, and activity logging.

Only by adopting these measures can organizations demonstrate, even in court, the adequacy of the protection implemented.

“If you don’t protect your secrets, you can’t defend them”

The problem: protection is not automatic

The protection of trade secrets is not automatic. Italian case law takes a strict approach: it is not sufficient to demonstrate the theft or unauthorized use of the information; rather, it is necessary to prove the existence of effective protective measures.

In the absence of such measures, even information of high economic value may lose the legal protection provided for in Articles 98 and 99 of the Industrial Property Code. The focus thus shifts from “data theft” to the quality of the protection system implemented.

When the measures are deemed adequate

For example, the Court of Bologna (Judgment No. 2140/2024) emphasized the importance of access tracking, user profiling, and archiving on company servers with individual authorizations.

Similarly, the Court of Brescia (Judgment No. 2247/2025) deemed measures such as strong authentication, access segmentation, and advanced protection of communication systems to be adequate.

In such cases, the integration of technical and organizational controls proved decisive for the recognition of trade secret protection.

When protection is denied

Conversely, protection was denied in cases where measures were insufficient or merely formal.

The Court of Turin (Judgment No. 3934/2025) highlighted how the ability to export data to external devices without tracking, the absence of access controls, and permissive practices precluded the existence of adequate protective measures.

In another case, the Turin Court of Appeals (Judgment No. 1042/2024) denied protection due to a lack of documentary evidence, in the absence of signed NDAs, effectively enforced policies, and verifiable control systems.

The crux of the matter: proof of security

The real critical factor is not just the security measures implemented, but the ability to demonstrate them.

In court, the company must be able to accurately reconstruct who had access to what, when, and with what privileges. In this context, logs, authentication systems, and tracking mechanisms serve not only a technical function but also an evidentiary one.

In the absence of such evidence, even formally secure infrastructures prove ineffective from a legal standpoint.

The gap between claimed security and demonstrable security

Many organizations still rely on models based on VPNs or perimeter controls, which do not provide granular control over individual resources.

This creates a gap between perceived security and demonstrable security: the company may believe it is protected, but may not be able to prove it in the event of a dispute.

It is precisely this discrepancy that case law is increasingly highlighting, favoring models based on Zero Trust, identity, and continuous access control.

The sectors most at risk

All industries with sensitive information to protect are at risk, such as:

  • Advanced manufacturing: technical drawings and process specifications
  • Pharma and biotech: formulas and clinical protocols
  • Finance and private equity: M&A dossiers and valuation models
  • Automotive and aerospace: embedded software and supply chain mapping
  • Fashion and luxury: patterns and prototypes
  • Other sectors: energy, chemicals, food & beverage

The common criterion: if information is valuable precisely because competitors do not know it, it falls within the scope of trade secrets to be protected.

Oplon Networks' Solution: OSA Secret

OSA Secret is a use case of Oplon Secure Access, a Zero Trust platform for the secure management of access to corporate resources.

In this scenario, in addition to identity- and context-based controls, advanced features for the protection of trade secrets are introduced.

Before accessing resources, the user may be required to accept a digital NDA and a privacy notice, making the contractual agreement traceable. The system also applies watermarks and session identifiers, along with complete and tamper-proof activity logging.

In this way, OSA Secret extends the Zero Trust paradigm by integrating access security with the ability to protect and provide evidence of confidential information.

OSA Secret: Legal Request → Technology Request

  • Reasonable protective measures → Access Control
  • Confidentiality of information → No network exposure
  • Traceability → Session audit
  • Access Restrictions → Least privilege

Tangible benefits

The solution significantly reduces the attack surface and provides a complete audit trail of operations.

Each session is tracked in detail through tamper-proof logs, providing full visibility into who accesses what and when. Oplon thus facilitates a comprehensive audit of access and privileges, an essential element for demonstrating the organizational due diligence required by regulations.

The platform’s official documentation also highlights its goal of supporting compliance with regulations such as GDPR and NIS2.

Conclusions

European and Italian regulations place a genuine burden of proof on companies: it is not enough to simply declare information as confidential; companies must demonstrate that they have adequately protected it.

In this context, cybersecurity solutions play both a technical and a legal role.

Oplon Secure Access integrates IAM, PAM, and ZTNA technologies to ensure that the security measures required by law are truly “adequate.” In this way, the platform helps bridge the gap between technical compliance and the legal protection of trade secrets, in accordance with Articles 98–99 of the Industrial Property Code.
