Monthly Archives: October 2024

NIS 2 ENTERS INTO FORCE IN ITALY: LEARN WHAT YOU NEED TO DO

After a long wait, EU directive 2022/2555 (“NIS 2 Directive”), which aims to achieve a common level of cybersecurity across member states, has finally been implemented in Italy by legislative decree 138/2024 (“Legislative decree”).

The Legislative decree will apply starting from today, October 18, 2024.

Who are the actors involved?

The new regulation applies to economic operators that:

• exceed the thresholds provided for small enterprises (i.e., more than 50 employees and annual turnover/balance sheet of more than Euro 10 million);
• are subject to Italian jurisdiction.

It is important to note that certain operators identified as critical subjects (according to decree 134/2024, implementing EU directive 2022/2557 on critical subjects) are subject to the Legislative decree even if they do not exceed the size thresholds mentioned above. These include several operators in the healthcare field, such as:

• Healthcare providers;
• Subjects carrying out research and development on medicines;
• Manufacturers of basic pharmaceutical products and pharmaceutical preparations;
• Manufacturers of medical devices considered critical in case of a public health emergency;
• Wholesale distributors of medicinal products.

What are the deadlines at this early stage?

• All operators active in Italy must carry out an assessment to understand whether they fall within the scope of the Legislative decree;
• From 1 January to 28 February of each year (starting from 2025), the economic operators subject to the Legislative decree must register or update their registration on the digital platform managed by the National Cybersecurity Agency (“NCA”), providing information such as the company mission, address, contact information, etc.;
• By 31 March of each year (starting from 2025), NCA will draft a list identifying the so-called “essential and important subjects” following the criteria of Article 6 of the Legislative decree;
• From 15 April to 31 May of each year (starting from 2025), the subjects identified as essential or important should provide further information, such as the IP address, domain names, EU member states where the service is carried out, name of the legal representative, etc.

What will happen after this first phase?

After this first phase, a new set of obligations will progressively come into force, such as:

• The obligation of essential and important subjects to implement technical measures to ensure the security of information and network systems used by operators (within 18 months from the communication of being considered as an essential or important subject);
• The duty for essential and important subjects to notify the Computer Security Incident Response Team – Italy (“CSIRT Italy”) of each incident that can impact service delivery (within 9 months from the communication of being considered as an essential or important subject).

How to proceed in these first months?

It is key for all economic operators operating in Italy to carry out an assessment before February 28, 2025, to understand whether they fall within the scope of application of the Legislative decree and, if so, act accordingly.

Substances of Human Origin (or SoHO): the New EU Regulation

PURPOSE OF THE NEW REGULATION. On June 13, 2024, the European Parliament and the Council adopted a new regulation on substances of human origin (so-called SoHO), repealing Directives 2002/98/EC and 2004/23/EC. The new regulation:

• was necessary because previous directives only partially managed to harmonize member states’ legislation on cells, tissues and blood; also, a new definition of SoHO was needed;
• introduces mechanisms to ensure continuity and resilience of SoHO supplies and to facilitate EU cross-border exchanges and access to SoHO;
• enhances safety of donors and recipients (including the offspring born from medically assisted procreation).

WHAT IS A ‘SOHO’? A SoHO is now defined as “any substance collected from the human body, whether or not it contains cells and whether or not those cells are alive, including SoHO preparations resulting from the processing of the above-mentioned substance”. The definition has been expanded to include breast milk and gut microbiota, as well as blood preparations different from those used for transfusions. Any future SoHO will be automatically included in the regulation. The regulation also defines a SoHO preparation as a SoHO subjected to processing, with a specific clinical indication, intended for human application on a recipient or for distribution.

WHO DEALS WITH SOHO? The regulation also defines the main actors in the organizational chain from SoHO donation to application. Specifically:

• A SoHO entity is a legal entity established in the EU that carries out SoHO-related activities (e.g. collection, processing, control, storage, release, distribution, import, export, application on human beings, clinical studies and outcomes recording on SoHO preparations);
• A SoHO establishment is a SoHO entity that carries out one of the following SoHO-related activities: A) both processing and storage; B) release; C) import; D) export;
• Competent authorities for SoHO are appointed by each member state and 1) maintain the SoHO entities’ registry, 2) deal with the authorization process for SoHO establishments and SoHO preparations, 3) carry out inspections and evaluate plans for monitoring clinical outcomes.

WHEN? The regulation will be enforceable by mid-2027.

TAKEAWAYS. The regulation appears to be science-friendly, as the definition of SoHO will be broader and more flexible than before. Also, in view of its structure, there is hope that it will succeed in ensuring more uniformity and granting an enhanced minimum level of safety across the EU.