
4 December 2025

Life Sciences News in Italy: November 2025

Regulatory

First four EUDAMED modules mandatory from 28 May 2026

On 27 November 2025, Commission Decision (EU) 2025/2371 of 26 November 2025 declaring the functionality of the first four EUDAMED modules was published in the OJEU. This publication triggers a transition period of 6 months, meaning that as from 28 May 2026 the following four EUDAMED modules will be mandatory:

  • Actor registration
  • UDI/Devices registration
  • Notified Bodies and Certificates
  • Market Surveillance

MedTech comments on Digital Omnibus Regulation Proposal

On 20 November 2025, MedTech Europe (MedTech) published its response to the Digital Omnibus Regulation Proposal. While MedTech welcomed the intent to streamline digital legislation and expressed support for key elements of the Digital Omnibus Regulation Proposal, it also highlighted persistent concerns regarding several provisions that continue to hinder innovation and delay patient access to medical devices. MedTech argued that further postponing the full application date of the AI Act for high-risk systems to 2 August 2029 would more accurately reflect the readiness of the regulatory ecosystem. Read more on this topic here and below in the "Data, Privacy and Cybersecurity" section.

AIFA publishes company shares for hospital pharmaceutical payback for 2024

On 19 November 2025, the Italian Medicines Agency (AIFA) adopted Determination No. 1655 concerning the allocation of individual company shares for the recovery of pharmaceutical expenditure for direct purchases for 2024.

SCCS publishes preliminary opinion on CBD in cosmetics

On 19 November 2025, the Scientific Committee on Consumer Safety (SCCS) published its preliminary opinion concerning the use of Cannabidiol (CBD) in cosmetic products. In its opinion, the SCCS considered that:

  • CBD is safe when used at concentrations up to 0.19%; and
  • The presence of THC impurities is safe at concentrations up to 0.00025%.

The SCCS also launched a public consultation inviting comments. The deadline for submissions is 21 January 2026.

MedTech urges EC to delay changes to rules on border controls for products of animal origin

On 18 November 2025, MedTech Europe (MedTech) submitted a letter to the European Commission (EC) expressing concerns about proposed amendments to Annex I of Implementing Regulation (EU) 2021/632 on border controls for products of animal origin. The proposed changes would expand the range of life-science-related materials subject to border controls. According to MedTech, this expansion could significantly disrupt the EU life sciences ecosystem and affect the availability of safe medicinal products and critical medical devices. MedTech urged the EC to delay adoption of the amendments.

MedTech publishes FAQs on MDR/IVDR recertification

On 5 November 2025, MedTech Europe (MedTech) published its FAQs on recertification under the MDR and IVDR. The document – cosigned with AESGP, COCIR, eurom and Euromcontact – examines the challenges posed by the re-certification requirement under the MDR/IVDR, concluding that continuous monitoring, audits and post-market activities already achieve the intended safety objectives, making fixed-period re-certification largely redundant while adding significant administrative burden and cost.

 

Data, Privacy and Cybersecurity

EC publishes Digital Omnibus Regulation Proposal

On 19 November 2025, the European Commission published the Digital Omnibus Regulation Proposal (Proposal), a package of targeted technical amendments aimed at simplifying and modernizing the EU’s digital regulatory framework. The Proposal introduces updates to key EU legislation – including the GDPR, AI Act, Data Act, NIS2 Directive, and ePrivacy Directive – with the goal of reducing compliance burdens while maintaining the current level of fundamental rights protection. The Proposal aims to lower administrative costs, streamline procedures, and enhance legal certainty. It also extends simplifications for SMEs and small mid-caps.

The Proposal will undergo the full ordinary EU legislative procedure. Read more on this topic here.

Italian DPA fines company for accidental destruction of patient's tissue sample

On 27 November 2025, the Italian Data Protection Authority (Italian DPA) published a resolution fining a company managing a hospital for the accidental destruction of a tissue sample taken from a patient during surgery. The sample, which was supposed to be sent to the pathology laboratory for histological analysis, was mistakenly disposed of, resulting in a violation of data protection rules and the company’s failure to notify the breach.

The Italian DPA found that the hospital had not implemented adequate measures to ensure the integrity and confidentiality of personal data, as the error resulted from a communication lapse between the surgeon and the operating room nurse. Given the seriousness of the event – which exposed the patient to health risks due to the non-replicable nature of the sample – the Italian DPA imposed a fine of EUR50,000, followed by an additional EUR20,000 sanction for the company’s failure to properly report the data breach.

Italian DPA issues opinion on ANAC whistleblowing guidelines

On 27 November 2025, the Italian Data Protection Authority (Italian DPA) published an opinion on two draft resolutions by the Italian Anticorruption Authority (ANAC) about whistleblowing guidelines – one for internal reports and one for external reports. The guidelines aim to standardize and improve reporting procedures, ensuring whistleblowers’ identities and report details are fully protected. For internal reporting, the Italian DPA highlighted the importance of secure channels, prior data protection impact assessments, proper data retention, and restricted access to reports. The guidelines also outline measures that employers can adopt to safeguard personal data and prevent whistleblower traceability in organizational networks.

EC launches a whistleblower tool for AI Act

On 24 November 2025, the European Commission announced the launch of a whistleblower tool for Regulation (EU) 2024/1689 (AI Act). The tool will provide a secure and confidential channel for individuals to report suspected breaches of the AI Act directly to the EU AI Office. Whistleblowers will be able to provide relevant information in any of the EU official languages, and in any relevant format. The tool offers a secure way to report potential violations of the law that could endanger fundamental rights, health or public trust. The highest level of confidentiality and data protection is guaranteed through certified encryption mechanisms, and the system will enable secure follow-up, allowing whistleblowers to receive updates on the progress of their report and to respond to additional questions from the AI Office without compromising their anonymity.

EDPS publishes guidance for risk management of AI systems

On 11 November 2025, the European Data Protection Supervisor (EDPS) published its guidance for risk management of artificial intelligence systems. The document aims to provide valuable insights and practical recommendations to help identify and mitigate common technical risks associated with AI systems, helping to protect personal data. Although it is aimed at EU institutions, bodies, offices and agencies, it can also be a valuable tool for private entities. The guidance encompasses all types of AI systems, and it focuses on technical rather than legal mitigation strategies.

 

Antitrust

EC competition policy brief: No extension of legal privilege to in-house lawyers

On 10 November 2025, the European Commission published its competition policy brief discussing whether legal privilege (LP) should be extended to cover certain in-house lawyer correspondence. The current legal framework limits LP to correspondence with EU-qualified lawyers. Although national practices are evolving, the brief concluded that a change to the current framework would not be justified, as extending LP to in-house counsel may risk abuse, hinder investigations and weaken enforcement without proven compliance gains.

 

Tax

Italy approves rules on global minimum tax

On 10 November 2025, Legislative Decree 209/2023 was published in the Official Gazette. The Decree introduces rules on global minimum tax (GMT), outlining compliance requirements for groups with Italian entities. The rules apply to multinational and domestic groups with consolidated revenue of at least EUR750 million and provide three top-up mechanisms:

  • Income Inclusion Rule (IIR)
  • Undertaxed Profit Rule (UTPR)
  • Qualified Domestic Minimum Top-up Tax (QDMTT)

Eligible groups have to file an annual GMT return electronically, even when no top-up tax arises. Any liability is payable in two instalments: 90% by the 11th month after fiscal year-end and 10% in the month following the return filing, using specific F24 payment codes. Penalties follow ordinary Italian tax law but, for the first three years, apply only in cases of wilful misconduct or gross negligence.
