The NIS2 Directive Involves Medical Device Manufacturers
Context of the NIS2 Directive
With the publication of Legislative Decree No. 138/2024 (NIS decree) in the Official Gazette, Italy has adopted the provisions of the new NIS Directive (Directive (EU) 2022/2555 – NIS2), which came into force on October 16, 2024.
This regulation, which represents a fundamental step towards IT protection at the European level, aims to establish measures to ensure a common and high level of cybersecurity across all European Union Member States.
The primary objective of the NIS2 Directive is to strengthen the security of networks and information systems, reduce vulnerabilities, and increase the resilience of critical infrastructures, both public and private, against cyber attacks. All organizations involved are therefore required to adopt technical, organizational, and operational measures appropriate to their specific activities, in order to reduce the risk of incidents.
Who it Applies To
The NIS Directive scales the obligations it imposes according to how the organization is categorized, as an essential or an important entity. That categorization depends on whether the organization belongs to a high-criticality sector or to another critical sector, and on the size of the company.
The high-criticality sectors, as indicated in Annex I of the Legislative Decree, are as follows:
- Energy: electricity, oil, gas, hydrogen, heating and cooling;
- Transport: air, rail, road, and water;
- Banking: banks and financial institutions;
- Healthcare: hospitals, laboratories, research centers, manufacturers of medicines, and manufacturers of medical devices considered critical during a public health emergency (Article 22 of Regulation (EU) 2022/123);
- Water: wastewater and drinking water;
- Digital infrastructure: data centers, cloud computing, DNS providers, etc.;
- ICT services (business-to-business): managed services and managed security services;
- Public administration: central and regional government entities;
- Space: operators of ground-based infrastructures.
The other critical sectors, as indicated in Annex II of the Legislative Decree, are as follows:
- Postal and courier services;
- Waste management: companies for waste collection, treatment, and recycling;
- Chemicals: companies for the production and distribution of chemical substances;
- Food: companies for the production, processing, and distribution of food products;
- Manufacturing: manufacturers of medical devices and in vitro diagnostic medical devices, machinery, vehicles, and electrical/electronic devices;
- Digital services: providers of search engines, online marketplaces, and social networking platforms;
- Research: research organizations.
The distinction between essential and important entities is as follows:
- Essential: large companies (with at least 250 employees) in one of the sectors listed in Annex I.
- Important: medium-sized companies (with at least 50 employees) in one of the sectors listed in Annex I, and large and medium-sized companies belonging to one of the sectors in Annex II.
This distinction is useful for the proportional application of obligations as well as the exercise of inspection and sanctioning powers by the NIS national competent authority.
Impact of the NIS2 Directive for Medical Device Manufacturers
Unlike NIS1, adopted in 2016 (Directive (EU) 2016/1148), NIS2 also covers manufacturers of medical devices and of in vitro diagnostic medical devices, which are among the entities operating in the critical sectors listed in Annex II of the Legislative Decree.
This implies that medium and large enterprises operating in this field must comply with the obligations set out in the new Directive.
Only companies falling under the definition of small and micro enterprises are excluded, unless they fall into one of the following categories:
- Providers of public electronic communication networks;
- Providers of publicly available electronic communication services;
- Trust service providers;
- Top-level domain name registry operators;
- Domain name system service providers;
- Domain name registration service providers;
- Public administrations.
If there are doubts about which category your company belongs to, you can refer to Recommendation 2003/361/EC and to the User guide to the SME Definition, published by the European Commission in 2020.
Main Obligations of the NIS2 Directive
The following are the main obligations for organizations affected by the NIS2 Directive:
- Greater involvement of administrative bodies in cybersecurity management;
- Training obligations for management and staff on cybersecurity topics;
- Notification to CSIRT Italia of any incident having a significant impact on service provision;
- IT security measures in risk management, covering at least the following topics:
  - Risk analysis and information systems security policies;
  - Incident management, including procedures and tools for notifications;
  - Operational continuity of the organization in case of unforeseen events (e.g., backup management, disaster recovery, and crisis management);
  - Security along the supply chain, including the assessment of potential risks arising from suppliers;
  - Security of the acquisition, development, and maintenance of information and network systems, including vulnerability management and disclosure;
  - Policies and procedures to assess the effectiveness of IT security risk management measures;
  - Basic cyber hygiene practices and training in IT security;
  - Policies and procedures on the use of cryptography and, where appropriate, encryption;
  - Personnel security and reliability, access control policies, and asset management;
  - Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity.
Past Deadlines
The first effective deadline set by the Directive was February 28, 2025, by which it was necessary to register on the portal of the National Cybersecurity Agency (ACN), designated as the national competent authority for the implementation and monitoring of the Directive in question. Subsequently, an extension until March 10, 2025 was granted only for those who had already started the registration process before February 28.
What are the Consequences of Failing to Register?
Failure to register within the established limits results in administrative monetary penalties up to a maximum of 0.07% of annual worldwide turnover for important entities and 0.1% for essential entities, calculated according to the methods provided by Recommendation 2003/361/EC.
Will it be Possible to Register Late?
Unfortunately, it will not be possible to register beyond the established deadlines. Portal registrations are scheduled annually, exclusively in January and February. Therefore, if registration was not completed by the end of February, it will no longer be possible to register in the current year, and it will be necessary to wait for the next period to complete the registration.
Future Deadlines
Next Actions by ACN
Once the registration phase on the platform is completed, each entity undergoes an analysis phase.
By March 31, 2025, ACN will communicate to each company whether it is included in the list of essential or important entities.
By April 2025, a notification will be sent to the company's digital domicile with the result of the analysis, informing registrants of their inclusion in or exclusion from the list of entities obligated by the Directive. This process also gives entities greater clarity as to whether they fall within the scope of application of the NIS decree.
By April 2026, ACN will develop and define the model for categorizing activities and services, and will elaborate and define the long-term obligations.
Upcoming Deadlines for Manufacturers
By May 2025, companies must update their data on the platform to complete the registration, according to any indications from ACN.
By January 2026, there will be an obligation to notify incidents according to the new measures indicated by ACN. It is therefore essential for the companies involved to develop effective incident response plans in order to promptly report any significant attack to CSIRT Italia.
By September 2026, companies must ensure the complete implementation of basic security measures.