Life Sciences News in Italy: September 2025

Regulatory

Italy moves toward unified Pharmaceutical Code

On 18 September 2025, the Italian Council of Ministers approved the draft delegated law to create a unified code (Testo Unico) consolidating and modernising Italian pharmaceutical legislation.

Key proposed reforms include revising medicine distribution, reinforcing territorial pharmacies, and integrating health-data systems (eg Tessera Sanitaria, Fascicolo Sanitario Elettronico) to enable real-time visibility on prescriptions, dispensing, prices, consumption and stock levels. The delegated law will involve multiple ministries and mandates that implementing decrees be adopted by 31 December 2026.

Italian AI Bill published in the Official Gazette

On 25 September 2025, Law No. 132/2025 titled “Provisions and delegated powers to the Government regarding artificial intelligence” (Italian AI Bill), was published in the Official Gazette and will enter into force on 10 October 2025.

The Italian AI Bill complements the EU AI Act by introducing national rules to promote the ethical, transparent and responsible use of AI systems. The Bill is particularly relevant to the life sciences and healthcare sectors, where it prohibits the use of AI systems to select or influence access to healthcare services and requires transparency and ongoing monitoring. It also confirms that AI can only support, rather than replace, physicians in prevention, diagnosis and treatment, with ultimate responsibility remaining with the medical professional.

In the context of healthcare research, the Italian AI Bill recognises the development of AI systems by nonprofit entities, IRCCSs, or their partners as an activity of significant public interest under Article 9(2)(g) GDPR, allowing the processing and secondary use of health data without consent. But this processing must be notified in advance to the Italian Data Protection Authority, which retains the power to object.

MDCG updates Manual on borderline and classification for medical devices

On 4 September 2025, the Medical Device Coordination Group (MDCG) updated its Manual on borderline and classification for medical devices under Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices.

The revision adds new examples and clarifications on products at the device/non-device interface and updates certain risk classification rationales. The guidance is non-binding, but it provides important insights into regulatory expectations and promotes consistency across member states. Manufacturers are expected to review the changes to assess potential reclassification risks, compliance obligations and market access implications, especially for innovative digital health and combination products.

 

Data, Privacy and Cybersecurity

EU Data Act becomes applicable

On 12 September 2025, Regulation (EU) 2023/2854 (Data Act) became applicable throughout the EU, with the exception of a limited number of provisions that will take effect at a later date.

The Data Act aims to promote innovation and strengthen the European data market. Although the Data Act is cross-sectoral, its impact will be especially pronounced in the medical device and wearable technology industries.

Manufacturers of connected devices must ensure users can access and share data generated by their products. Compliance programs should be reviewed and updated to meet these obligations, with attention to technical, contractual and operational measures.

CJEU issues important ruling on pseudonymized data

On 4 September 2025, the Court of Justice of the European Union (CJEU) issued an important ruling in Case C-413/23 P, providing key clarifications on whether pseudonymized data qualifies as personal data under the GDPR.

The CJEU held that pseudonymized data may be considered anonymous, and therefore outside the scope of the GDPR, if the entity processing the data doesn’t have means that are “reasonably likely” to re-identify the individual, provided that adequate safeguards are in place to prevent re-identification, including avoiding cross-checks with other data sources.

This ruling is especially significant as it clarifies the line between pseudonymization and true anonymization. It’s particularly relevant for clinical trials, where sponsors generally process patients’ coded data, while the ability to re-identify individuals remains exclusively with the study site.

ENISA publishes booklet on Cyber Hygiene in the Healthcare Sector

On 16 September 2025, the European Union Agency for Cybersecurity (ENISA) published the booklet Cyber Hygiene In the Healthcare Sector.

The booklet provides clear and targeted guidance with practical steps that healthcare operators should take to safeguard sensitive data; minimize exposure to common cyber threats; and strengthen overall cyber resilience.

The guidance is intended for both large hospitals and healthcare providers, as well as smaller entities, such as specialist clinics and general practitioners, which often lack the resources but remain equally vulnerable to cyber-attacks.

Italian DPA issues fines for mismanagement of electronic health records

On 25 September 2025, the Italian Data Protection Authority (Italian DPA) published a resolution in which it fined a University Hospital EUR80,000 for failing to properly configure its electronic health record system (Dossier Sanitario).

The investigation revealed that healthcare staff could access patients’ medical histories even when not involved in their care, without adequate access controls, security measures or logging of activities. Patients were also not informed about the existence of the health record system and were therefore unable to consent to its creation or restrict access to particular categories of personal data. In a separate resolution, the Italian DPA fined a private healthcare facility EUR12,000 for similar violations.

EDPB publishes Guidelines 3/2025 on the interplay between the DSA and the GDPR

On 11 September 2025, the European Data Protection Board (EDPB) published Guidelines 3/2025 on the interplay between the DSA and the GDPR (Guidelines). The Digital Services Act (DSA) applies to digital platforms and online intermediaries offering services in the EU.

While primarily focused on regulating online content and illegal activities, the DSA can also affect life sciences stakeholders operating online platforms, e-commerce sites, or apps, as they have to comply with DSA rules on content moderation, risk management, and transparency.

The guidelines aim to contribute to the consistent interpretation and application of the DSA and of the GDPR insofar as some provisions of the DSA concern processing personal data and include references to GDPR concepts and definitions. The guidelines are under public consultation until 31 October 2025.

 

Antitrust

European Commission carries out unannounced antitrust inspections in the vaccines sector

On 30 September 2025, the European Commission announced in a press release that it has conducted unannounced inspections at a company active in the vaccines sector to verify possible exclusionary practices that may amount to anticompetitive disparagement in violation of Article 102 TFUE.

European Commission launches a public consultation on the revision of technology transfer agreements

On 11 September 2025, the European Commission launched a public consultation on the revision of the Guidelines and the Block Exemption Regulation applicable to technology transfer agreements (TTBER). These instruments aim to facilitate the dissemination of technology and promote research and development.

The proposed amendments clarify the methodology for calculating market shares in technology markets and provide new guidance on data licensing, technology pools and licensing negotiation groups. All interested parties can provide feedback to the European Commission by 23 October 2025.

CJEU clarifies when the limitation period for follow-on actions starts

On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered its judgment in the context of a preliminary ruling. The CJEU clarified that the limitation period applicable to follow-on actions for damages based on decisions issued by national competition authorities finding an infringement of antitrust rules only starts once the decision becomes final and it’s officially published, freely accessible to the public, and the date of its publication is clearly indicated.