Table of contents
- What is a Smart City (and why the definition matters)
- Urban data and power: open data, reuse and data governance
- Privacy and public space: sensors, video surveillance and DPIA
- Interoperability and digital identity: the Smart City as a public ecosystem
- Cyber security and resilience: from urban IoT to continuity of essential services
- Urban algorithms and responsibility: from efficiency to legitimacy
Smart Cities are often portrayed as more efficient, sustainable and technologically advanced cities. Smart sensors, digital platforms, real-time urban data and algorithms promise to improve mobility, security, environmental management and public services. Behind this positive narrative, however, lies a much deeper issue: a smart city is not only a technological project, but first and foremost a legal, political and social project.
Every infrastructural choice affects privacy, fundamental rights, data governance, cyber security and the legitimacy of public action.
In this article, we will maintain a critical and legal approach, aimed at an audience attentive to cyber security, data protection, and the digital transformation of Public Administration.
What is a Smart City (and why the definition matters)
A Smart City is commonly defined as a city that uses digital technologies to make traditional networks and services more efficient, improving the quality of life for citizens and businesses while promoting environmental sustainability. However, this apparently neutral definition is far from harmless.
Defining what a smart city is means deciding who makes decisions, which data are collected, for what purposes, and under which limits. It is not the city itself that is “smart”, but rather the relationship between digital infrastructures, data flows and decision-making processes.
From a technological perspective, the smart city is born from the integration of Internet of Things (IoT), artificial intelligence, advanced connectivity (5G and beyond), big data, cloud computing and predictive analytics systems. From a legal perspective, however, it immediately becomes a laboratory for fundamental rights, as it involves real-time data, smart mobility, video surveillance, digital identity and access to public services.
International standards such as ISO 37122 aim to measure “urban intelligence” through verifiable indicators. This aspect is crucial: every public innovation must be measurable, controllable and challengeable. This is where the law comes into play, transforming the smart city from a simple administrative efficiency project into a space for democratic experimentation.
Urban data and power: open data, reuse and data governance
The true core of smart cities is not hardware, but data. Sensors, platforms and applications generate massive volumes of urban data, raising a central question: who governs these data and under which rules?
European law has built a multi-level system that combines open data, trusted data sharing and the rebalancing of power relations between those who generate data and those who exploit them economically or administratively.
The Open Data Directive encourages Member States to enhance the value of public sector information by promoting reuse, API-based access and non-discriminatory conditions. Without clear and practically applicable technical rules, however, data openness risks remaining a purely declaratory principle. In this sense, open data become a tool for democratic accountability, strengthening transparency and efficiency in Public Administration.
Alongside open data, the European Union has introduced new data governance instruments. The Data Governance Act establishes legal frameworks for secure data sharing, regulating the reuse of data held by public authorities, data intermediation services and data altruism initiatives. The aim is to foster a European data economy based on trust, preventing data sharing from becoming a multiplier of risks and opacity.
The Data Act, on the other hand, addresses one of the most critical issues for smart cities: access to data generated by connected devices. If a city installs smart sensors but cannot access the data they produce, it effectively loses sovereignty over its digital infrastructure. The regulation seeks to counter vendor lock-in, promote data portability and rebalance relationships between technology providers and public authorities, although significant interpretative margins remain and will require consolidated implementation practices.
Privacy and public space: sensors, video surveillance and DPIA
When urban intelligence translates into systematic observation of public space, the issue is no longer merely technological but deeply constitutional. The Charter of Fundamental Rights of the European Union protects private life and data protection as autonomous rights, not negotiable in the name of innovation.
The GDPR remains the central reference framework. In smart cities, the notion of personal data naturally expands to include images, license plates, location data and behavioral patterns. For public authorities, the challenge is to apply the principles of lawfulness, data minimization, purpose limitation and storage limitation not ex post, but by design.
Technologies such as video surveillance, environmental sensors and smart meters must be designed according to privacy by design and privacy by default, limiting data collection to what is strictly necessary and adopting appropriate security measures such as encryption. The DPIA (Data Protection Impact Assessment) is not merely a formal requirement, but the space where authorities must explicitly address risks, alternatives and responsibilities, especially when deploying new or intrusive technologies.
The EDPB guidelines on video devices and the practice of the Italian Data Protection Authority highlight a key rule: as surveillance capabilities increase, legal justification and democratic oversight must increase accordingly.
Interoperability and digital identity: the Smart City as a public ecosystem
A smart city is not a collection of isolated projects, but a public ecosystem. In this context, interoperability and standards become substantive guarantees for citizens. Without interoperability, digital services fragment and operational continuity is compromised, directly affecting access to rights.
The Interoperable Europe Act provides a legal foundation for cooperation among public administrations, aiming at a fully interoperable system of European digital public services by 2030. In terms of access, eIDAS 2 strengthens the framework for a European digital identity, reducing technological barriers while increasing security and data protection.
At national level, the Digital Administration Code remains central: digitalization does not simply mean automating procedures, but ensuring that decision-making chains remain readable, transparent and legally challengeable, in line with principles of good administration and transparency.
Cyber security and resilience: from urban IoT to continuity of essential services
The smart city represents an extended attack surface. Every IoT device, platform and integration constitutes a potential vulnerability. For this reason, cyber security is not a marginal technical issue but a core component of urban security.
The NIS2 Directive raises risk management obligations for essential and important entities, directly affecting key smart city sectors such as energy, transport and digital services. This is complemented by the CER Directive, which focuses on the overall resilience of critical entities, and the Cyber Resilience Act, which introduces security requirements across the entire digital product supply chain.
In this framework, security does not end with the deployment of advanced technologies, but requires continuous updates, vulnerability management and clear responsibilities among manufacturers, suppliers and public authorities.
Urban algorithms and responsibility: from efficiency to legitimacy
When a smart city uses algorithms and artificial intelligence systems to classify, predict or automate decisions, the central issue becomes the legitimacy of public action. Algorithms can influence urban policies, controls, priorities and resource allocation, with tangible effects on people’s lives.
The AI Act introduces a risk-based classification and strict obligations, including traceability, meaningful human oversight, data quality, documentation and security. In smart cities, these requirements are not mere regulatory compliance, but conditions for the democratic validity of public decisions. Algorithmic efficiency without responsibility and oversight risks eroding public trust and undermining fundamental rights.
Conclusion
Smart Cities are not simply more technological cities, but environments where data, infrastructure and fundamental rights are inextricably intertwined. Governing a smart city means governing the power generated by data, ensuring transparency, security, privacy and democratic accountability. Only under these conditions can urban innovation become not only efficient, but also legitimate and sustainable in the long term.
Legal and Regulatory Sources
Smart Cities and European Policies
- European Commission – Smart Cities
https://commission.europa.eu/eu-regional-and-urban-development/topics/cities-and-urban-development/city-initiatives/smart-cities_en
- European Commission – Smart Cities and Communities
https://digital-strategy.ec.europa.eu/en/policies/smart-cities-and-communities
- We Are Project – Guide to Urban Transformation
https://www.weareproject.com/tech-insight/smat_city_guida_alla_trasformazione_urbana/
- ISO 37122 – Indicators for Smart Cities
https://www.iso.org/obp/ui/en/#iso:std:iso:37122:ed-1:v1:en
- INI Corbaf – Smart Cities and Surveillance
https://www.inicorbaf.it/index.php/dismissioni-del-patrimonio-immobiliare-dello-stato?view=article&id=315:smart-city-e-sorveglianza-creano-il-rischio-la-privacy-e-le-liberta-civili&catid=8
Open Data and Data Governance
- Directive (EU) 2019/1024 – Open Data Directive
https://eur-lex.europa.eu/eli/dir/2019/1024/
- Legislative Decree of 8 November 2021, No. 200 (Italy)
https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2021-11-08;200
- Forum PA – Open Data and Accountability
https://www.forumpa.it/pa-digitale/open-data-cosa-sono-come-sfruttarli-e-stato-dellarte-in-italia/
- Regulation (EU) 2022/868 – Data Governance Act
https://eur-lex.europa.eu/eli/reg/2022/868
- Agenda Digitale – Data Governance Act and the Data Economy
https://www.agendadigitale.eu/sicurezza/privacy/la-data-economy-alla-prova-del-data-governance-act-lo-scenario/
- Regulation (EU) 2023/2854 – Data Act
https://eur-lex.europa.eu/eli/reg/2023/2854
- Altalex – Analysis of the Data Act
https://www.altalex.com/documents/news/2025/10/31/nuovo-data-act-trasparenza-interoperabilita-servizi-trattamento-dati
Privacy, GDPR and Video Surveillance
- Charter of Fundamental Rights of the European Union
https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX:12012P/TXT
- Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR)
https://eur-lex.europa.eu/eli/reg/2016/679
- Kireti – Data Protection in Smart Cities
https://www.kireti.it/data-protection-nelle-smart-city-come-conciliare-uso-dei-dati-e-privacy/
- EDPB – Guidelines 3/2019 on Video Devices
https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en
- Italian Data Protection Authority – General Video Surveillance Decision (8 April 2010)
https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1712680
Interoperability and Digital Identity
- Regulation (EU) 2024/903 – Interoperable Europe Act
https://eur-lex.europa.eu/eli/reg/2024/903/
- IRPA – Interoperable Europe Act Overview
https://www.irpa.eu/interoperable-europe-act-lunione-europea-alla-sfida-dellinteroperabilita-per-il-miglioramento-dei-servizi-pubblici-digitali/
- Regulation (EU) 2024/1183 – eIDAS 2
https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX:32024R1183
- Agenda Digitale – Guide to eIDAS 2
https://www.agendadigitale.eu/cittadinanza-digitale/identita-digitale/regolamento-eidas-2-0-la-guida-tutto-cio-che-bisogna-sapere/
- Legislative Decree of 7 March 2005, No. 82 – Digital Administration Code (Italy)
https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2005-03-07;82
Cyber security and Resilience
- Directive (EU) 2022/2555 – NIS2 Directive
https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:02022L2555-20221227
- Legislative Decree of 4 September 2024, No. 138 (NIS2 Transposition – Italy)
https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2024-09-04;138
- Italian Official Gazette – Legislative Decree No. 138/2024
https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG
- Directive (EU) 2022/2557 – Critical Entities Resilience (CER) Directive
https://eur-lex.europa.eu/eli/dir/2022/2557/oj
- Legislative Decree of 4 September 2024, No. 134 (CER Transposition – Italy)
https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2024-09-04;134
- Regulation (EU) 2024/2847 – Cyber Resilience Act
https://eur-lex.europa.eu/eli/reg/2024/2847
- Regulation (EU) 2019/881 – Cyber Security Act
https://eur-lex.europa.eu/eli/reg/2019/881/oj
Algorithms and Artificial Intelligence
- Regulation (EU) 2024/1689 – Artificial Intelligence Act (AI Act)
https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=OJ%3AL_202401689