Italy: First NIS2 Fulfilments for Cybersecurity
Legislative Decree 138/2024, which was published in the Official Journal on October 1, 2024 and entered into force on October 18, 2024, implements EU Directive 2022/2555 (NIS2), introducing new cybersecurity obligations for medical device manufacturers. Compared to NIS1, which focused on essential service providers, NIS2 broadens the scope by imposing cybersecurity measures along the entire supply chain.
Registration and Other Formalities
While obligations may vary depending on the case and the organisation, the main general obligations are listed below.
- Registration with the National Cybersecurity Authority (ACN): Decree 138/2024 requires registration on the ACN platform to enable the census of those operating in vital sectors (first deadline: February 28, 2025). Failure to register results in administrative penalties of up to 0.1% of annual worldwide turnover. For manufacturers, registration is not just a formality, but the first step towards implementing appropriate cybersecurity measures.
- Risk management: within 18 months of the decree coming into force, manufacturers must take appropriate technical and organisational measures to mitigate cyber risks.
- Responsibilities of administrative and management bodies: IT security strategies must be supervised and approved, and appropriate staff training must be ensured.
- Notification obligations: in the case of incidents that have a significant impact on the provision of services, manufacturers are obliged to notify the incident in the manner and within the timeframe laid down in the decree.
- Updating information: there is an obligation to communicate, and keep updated, on the digital platform of the competent NIS authority a list of the organisation's activities and services, ensuring that the information is always accurate and up to date.
The Safeguard Clause and Exemptions
Prime Ministerial Decree No. 221 of December 9, 2024, introduced the possibility of requesting exemption from certain obligations through the safeguard clause, for organisations that demonstrate that their information systems and services operate completely independently of any affiliated companies.
Cybersecurity and Business Management
NIS2 requires the integration of cybersecurity measures with existing regulations such as the GDPR and Decree 231/01, to ensure the protection of data and of the related Medical Devices. Cybersecurity is essential to prevent attacks that could compromise patient health and the continuity of healthcare services.
Applicability for SMEs
The directive generally applies to manufacturers of Medical Devices, but micro and small companies could benefit from exemptions under specific conditions to be verified on a case-by-case basis. Companies must check their position against regulatory criteria to ensure compliance.
With its strategic regulatory consulting services, Thema can assist you in complying with Italian and European regulatory requirements.
SOURCE:
https://www.acn.gov.it/portale/en/nis/ambito
03/19/2025

