All posts by Jessica Riva

About Jessica Riva

Jessica collaborates with the firm as a junior associate dealing mainly with issues related to companies operating in the health and life sciences sectors. She graduated cum laude in 2022 from the University of Trento with a dissertation entitled “Civil liability related to the organizational deficit of the health care system in dealing with the pandemic emergency: a comparison between Italy and Germany”, besides carrying out a period of research in collaboration with the chair of health law at the Ludwig-Maximilians-Universität in Munich. She has worked in relevant law firms of the Italian scenario. Jessica speaks Italian, English, and German.

WHAT’S NEW IN THE UPDATED GUIDELINES ON MEDICAL DEVICE ADVERTISING?

The Italian Ministry of Health has published new guidelines on advertising of medical devices (“Guidelines”), which replace all previous guidelines issued by the Ministry over the years.

WHAT’S NEW?

Advertising aimed at healthcare professionals

When advertising is directed at HCPs, the following requirements must be met:

  • A disclaimer must be included stating that the content is intended exclusively for HCPs; but also
  • a “pop-up” message and/or similar technologies must be implemented to require users to confirm that they are HCPs before accessing the advertising content.

Content of the advertising message

Each advertising message must include the following wording: “It is a CE medical device (including the notified body number, if applicable). Read the warnings or instructions for use carefully. Ministerial Authorization of dd/mm/yyyy”.

Expanding use of social networks – including TikTok

The list of approved social networks for medical devices advertising now includes TikTok. However, the following features must be disabled:

  1. Comment function;
  2. Duet function (which allows the user to post his/her video side-by-side with a video from another creator);
  3. Stitch function (which allows a user to crop and integrate scenes from another user’s video into his/her own video).

ANY ADVANTAGES FOR COMPANIES?

  • Simplified compliance. Companies now benefit from a single, consolidated regulatory framework gathering all the regulations concerning medical devices’ advertising.
  • Broader digital scope. The inclusion of platforms like TikTok increases the scope of digital channels where advertisement of medical devices is regulated. Regrettably, rules on LinkedIn are lacking.
  • Other marketing channels. The Ministry of Health may admit the use of additional social networks (beyond Facebook, Instagram, YouTube, and TikTok), subject to prior authorization.

Bottom line: a consolidated document is certainly helpful, but we do not understand the choice not to regulate LinkedIn, the channel where the boundary between corporate communication and advertisement of medical devices is most problematic.

NIS2: new guidance for companies

On April 14, 2025, the National Cybersecurity Agency (“NCA”) published measure no. 164179 (“Measure”) to further implement the decree 138 of 2024 (“NIS2 Decree”).

What’s new?

With this Measure, the NCA has identified:

  • Security measures that companies must guarantee in case they are identified as an important subject (annex 1) or an essential subject (annex 2);
  • Types of significant incidents that companies must report, depending on whether they are classified as an important (annex 3) or essential subject (annex 4).

Since when?

The Measure will enter into force on 30 April 2025. However, companies will have:

  • 18 months from the communication of their inclusion on the NIS subject list to comply with these new security measures;
  • 9 months from the communication of inclusion on the NIS subject list to activate mechanisms to ensure the notification of incidents identified as significant.

As a company, what do you have to do now?

  • Wait for the NCA’s communication to verify if your company has been included in the NIS list;
  • In case of a positive answer, your company will be required to provide further information (such as member states where the service is carried out; name and contact details of a substitute for the point of contact) by May 31, 2025;
  • Implement, within 9 months from the communication of the inclusion on the NIS subject list, mechanisms for the notification of incidents expressly identified by NCA as “significant incidents”;
  • Implement, within 18 months from the communication of the inclusion on the NIS subject list, the security measures expressly identified by the NCA.

A new decree (and new obligations) to tackle counterfeiting in the pharmaceutical sector

On January 28, 2025, the Italian government approved a legislative decree (“Decree”) implementing EU regulation 2016/161, through which the European Union has introduced specific measures aimed at fighting counterfeit medicines.

Packaging. Packaging of pharmaceutical products will have to include: (i) a two-dimensional bar code (i.e. “unique identifier”) able to guarantee the authenticity and the identification of the single individual pack of medicinal products; and (ii) an anti-tampering device.

Marketing authorization. Any new or existing marketing authorization (“MA”) requests must include information on the unique identifier and anti-tampering device when it has an impact on the primary packaging, the locking system or the label’s legibility. MA holders must update their MA to ensure full compliance with the new regulation.

Timeline. The Decree should come into force on February 9, 2025, but its publication in the official Gazette is still awaited. However, the Decree has provided for a transition period from February 9, 2025 to February 8, 2027, during which it will be possible to continue using the old “Bollino” system without incurring penalties.

Sanctions. The manufacturer who does not apply and activate the unique identifier may be sanctioned with an administrative fine ranging from Euro 10,000 up to 60,000 for each batch. An MA holder may be sanctioned with a fine, ranging from Euro 10,000 up to 60,000 for each batch, for trading a medical product lacking an anti-tampering device. Manufacturers, wholesalers, and suppliers of medicines to the public who do not immediately notify the competent authorities of any case of tampering or counterfeiting may be sanctioned with a fine starting from Euro 20,000 up to Euro 80,000 for each batch.

Can Corporate E-mail Accounts Be Used in Case of Litigation?

With an order of July 17, 2024, the Italian Data Protection Authority (“DPA”) fined Selectra S.p.A. Euro 80,000 for unlawful processing of personal data. The case originates from an agent’s claim that Selectra (i) had kept his email account active after the termination of his collaboration with the company; (ii) had used a specific software (MailStore) to back up the contents of his email account for three years; (iii) had used his data in a judicial proceeding, in which he was accused, along with other individuals, of business secrets misappropriation and further unlawful conduct.

The DPA reaffirmed various key principles, applicable to employees and self-employed personnel:

– The DPA has offered some important guidelines concerning the balance between the right to defense and the right to privacy. According to the DPA, it is admissible to access personal data to protect one’s rights in court only if the proceeding is already pending before the court or there is a realistic possibility of starting the claim.

– Corporate email accounts cannot be used as archives. It is a company’s duty to introduce suitable document management systems capable of archiving documents, and employees’/collaborators’ email accounts cannot be used for such purposes.

– Personnel must be provided with an information notice which clarifies what is processed, on which basis and how. Selectra, instead, had backed up corporate email accounts, with the possibility of retaining their contents for 3 years after termination of the employment/collaboration contract, without offering any kind of information to its employees and collaborators.

The DPA concludes that the right to privacy cannot be sacrificed in pursuit of abstract and indeterminate protection purposes. Incidentally, the DPA emphasized again that it is forbidden to use tools that carry out monitoring of employees’ activity in breach of Article 4, L. 300/1970 (Italian Statute of Workers’ Rights), which admits the use of systems for remote employee monitoring only for production, organizational, labour and safety needs and after an agreement with trade unions. (Instead, Selectra, using the software MailStore, was able to trace meticulously, and even after a long time, the activities carried out by employees in breach of the Italian Statute of Workers’ Rights).

NIS 2 ENTERS INTO FORCE IN ITALY: LEARN WHAT YOU NEED TO DO

After a long wait, EU directive 2022/2555 (“NIS 2 Directive”), which aims at achieving a common level of cybersecurity across member states, has been finally implemented in Italy, with legislative decree 138/2024 (“Legislative decree”).

The Legislative decree will apply starting from today, October 18, 2024.

Who are the actors involved?

The new regulation applies to economic operators that:

  • exceed the thresholds provided for small enterprises (i.e., more than 50 employees and annual turnover/balance sheet of more than Euro 10 million);
  • are subject to Italian jurisdiction.

It is important to note that certain operators identified as critical subjects (according to the decree 134/2024, implementing EU directive 2022/2557 on critical subjects) are subject to the Legislative decree, even if they do not exceed the dimensional limits mentioned above. Among them, there are several operators in the healthcare field, such as:

  • Healthcare providers;
  • Subjects carrying out research and development on medicines;
  • Manufacturers of basic pharmaceutical products and pharmaceutical preparations;
  • Manufacturers of medical devices considered critical in case of a public health emergency;
  • Wholesale distributors of medicinal products.

What are the deadlines at this early stage?

  • All operators active in Italy must carry out an assessment to understand whether they fall within the scope of the Legislative decree;
  • From 1 January to 28 February of each year (starting from 2025) the economic operators subject to the Legislative decree must register or update their registration on the digital platform managed by the National Cybersecurity Agency (“NCA”), providing a set of information such as the company mission, address, and contact information, etc.;
  • Within 31 March of each year (starting from 2025), NCA will draft a list identifying the so-called “essential and important subjects” following the criteria of Article 6 of the Legislative decree;
  • From 15 April to 31 May of each year (starting from 2025) the subjects identified as essential or important should provide further information, such as the IP address, domain names, EU member states where the service is carried out, name of the legal representative, etc.

What will happen after this first phase?

After this first phase, a new set of obligations will progressively come into force, such as:

  • The obligation of essential and important subjects to implement technical measures to ensure the security of information and network systems used by operators (within 18 months from the communication of being considered as an essential or important subject);
  • The duty for essential and important subjects to notify the Computer Security Incident Response Team – Italy (“CSIRT Italy”) of each incident that can impact service delivery (within 9 months from the communication of being considered as an essential or important subject).

How to proceed in these first months?

It is key for all economic operators operating in Italy, before February 28, 2025, to carry out an assessment and understand if they fall under the perimeter of the application of the Legislative decree and, if so, act accordingly.

AIFA Guidelines Regarding Observational Studies on Medicines: What’s New?

The Italian Medicines Authority (“AIFA”) has recently issued new guidelines for the classification and conduct of observational studies on medicines (“Guidelines”), repealing the previous version of 2008. Through these new Guidelines, AIFA has given full implementation to what was provided for in Article 6, par. 3 of the Ministry of Health November 30, 2021 decree, which had mandated that AIFA issue new guidelines for the classification and conduct of observational studies on medicines.

The new Guidelines have extended the perimeter of observational studies and now include:

  • Retrospective studies related to unauthorized uses;
  • Pharmacogenetics and pharmacogenomics studies;
  • Databases and other data on drug therapies collected through online platforms, wearables, or other devices when the following conditions are met:
    1. They pursue the aim of keeping track of the medicines used by patients;
    2. They follow a specific protocol;
    3. They are carried out in accordance with Guidelines’ indications.

Other new elements introduced by the Guidelines are:

  • The duty for ethics committees, in case of non-profit observational studies, to verify the independence from commercial promoters;
  • The duty to insert a specific section on informed consent in the protocol;
  • The duty to publish the results of the research (even if they are negative) within 12 months from the end of the study;
  • The duty to retain documents on observational studies for 7 years;
  • The possibility for the territorial ethics committee to apply a fee on profit observational studies;
  • The inclusion of universities among facilities where observational studies can be carried out;
  • The inclusion of new documents that the promoters must submit to the ethics committee, such as a cover letter with the precise identification of the competent ethics committee, a summary of the protocol, and investigators’/coordinators’ curricula;
  • The duty of the legal representative of the research centre to execute an administrative agreement prior to the start of the study.

The Guidelines confirm that there is no mandatory AIFA assessment on observational studies, even though the ethics committee may decide to consult AIFA if necessary. The Guidelines also confirm the duty to transmit the information on the studies to the “Registry of observational studies” run by AIFA.

The definition of observational studies has not changed, i.e., studies that meet the following conditions:

  • Medicines are prescribed and delivered according to the conditions of use authorized for marketing in Italy;
  • Medicines are prescribed in the normal clinical practice;
  • The decision to prescribe the medicine to the patient must precede and be independent of the decision to include the patient in the study;
  • Diagnostic and evaluative procedures correspond to the current clinical practice without leading to negative consequences for the patient or the National Healthcare System.