Medical Devices – NIS2: New Cybersecurity Obligations for Medical Device Manufacturers in Italy

Italy has officially adopted EU Directive 2022/2555 (NIS2) through Legislative Decree No. 138/2024, enhancing cybersecurity for critical infrastructure. Notably, medical device and in vitro diagnostic manufacturers are now considered critical sector entities.

Medium-sized and large companies in this category are now required to comply with a series of cybersecurity obligations, including:

  • Implementation of technical and organizational measures proportionate to the associated risks;
  • Registration on the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale, ACN) portal;
  • Timely notification of significant incidents to the Computer Security Incident Response Team (CSIRT) Italia of the ACN;
  • Cybersecurity training for both management and staff;
  • Secure supply chain risk management;
  • Use of strong authentication solutions and encryption protocols.

Annual registration windows are expected to be in January and February of each year.

Upcoming key deadlines:

  • May 2025: Update company data on the ACN platform;
  • January 2026: Mandatory incident notifications as per new ACN rules;
  • October 2026: Full implementation of baseline cybersecurity measures.

Non-compliance with registration requirements may result in administrative fines of up to 0.1% of the global annual turnover for essential entities. The ACN will notify companies of their classification status by April 2025.

RPN will provide further updates as they become available and can offer full support for medical device cybersecurity compliance activities.