Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Key Cybersecurity Obligations Under Healthcare Regulations

GDPR:
• healthcare providers and medical institutions must implement technical and organisational security measures to protect sensitive personal health data (special category data under the GDPR);
• mandatory encryption, access control and anonymisation for patient records; and
• breach notification within 72 hours to the GPDP if a medical data breach occurs.

NIS2:
• hospitals, laboratories and digital healthcare services are classified as “essential entities” and must implement robust cybersecurity risk management;
• 24-hour incident reporting requirement to ACN for cyber-attacks affecting healthcare operations; and
• regular cybersecurity audits, resilience testing and supply chain security assessments are mandatory.

Electronic Health Record (EHR) and telemedicine regulations:
• digital medical records and e-prescription systems must comply with secure data storage and transmission standards; and
• healthcare IoT devices and telemedicine platforms must include built-in cybersecurity protections to prevent remote hacking and patient data breaches.

Cybersecurity Compliance and Enforcement

The Italian Ministry of Health and the GPDP oversee compliance with health data security regulations. Non-compliance with healthcare cybersecurity laws can result in fines of up to EUR20 million or 4% of global turnover under the GDPR. The ACN enforces cybersecurity resilience for hospitals and digital health providers under NIS2.

Conclusion

Italy’s healthcare cybersecurity laws impose strict data protection, network security and incident-reporting requirements. Hospitals, medical institutions and digital health services must comply with the GDPR and NIS2 to ensure patient data confidentiality, system resilience and regulatory compliance.
