Petri_Dishes_P_0032

12 February 2026

Life Sciences News in Italy: January 2026

Regulatory

EMA and FDA publish guiding principles of good AI practice in drug development

On 14 January 2026, the European Medicines Agency (EMA) and the US Food and Drug Administration (FDA) jointly published the Guiding principles of good AI practice in drug development. The document highlights the potential of AI to foster innovation, accelerate regulatory approval and support pharmacovigilance.

The ten guiding principles identify areas where the international regulators, international standards organizations and other collaborative bodies could work to advance good practice in drug development. Areas of collaboration include research, creating educational tools and resources, international harmonization and consensus standards, which may help inform regulatory policies and regulatory guidelines in different jurisdictions, in line with applicable legal and regulatory frameworks.

EC updates guidance on EUDAMED

In January 2026, the European Commission (EC) updated two key guidance documents on the use of EUDAMED. One concerns UDI Devices and the other addresses Legacy Devices. The updated EUDAMED user guides explain how manufacturers register, manage and link medical devices across the EU. They detail UDI requirements for regulation and legacy devices, step by step registration workflows, certificate handling, data updates and public search functions, ensuring consistent identification, traceability and compliance under MDR and IVDR.

EC updates MDR harmonized standards

On 28 January 2026, the European Commission (EC) adopted Implementing Decision (EU) 2026/193 updating harmonized standards under the MDR. It amends Implementing Decision 2021/1182 to reflect new and revised standards for neurosurgical implants, sterilization, clinical investigations and related areas, supporting conformity assessments and facilitating regulatory compliance across the EU.

 

WCC/Compliance

Legislative Decree 211/2025 expands criminal liability for EU Restrictive Measures

On 24 January 2026, Legislative Decree 211/2025 entered into force, implementing Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of EU restrictive measures and amending Directive (EU) 2018/1673. The reform aims to strengthen and harmonize the enforcement of EU sanctions across member states, addressing gaps and inconsistencies in national legal frameworks. The Decree introduces four new criminal offences:

  • Article 275-bis Italian Criminal Code (ICC) – “Violation of EU restrictive measures”;
  • Article 275-ter ICC – “Breach of information obligations imposed by EU restrictive measures”;
  • Article 275-quarter ICC – “Violation of the conditions of an authorisation to carry out activities subject to EU restrictive measures”;
  • Article 275-quinquies ICC – “Negligent violation of EU restrictive measures”.

The reform is complemented by a system of aggravating and mitigating circumstances, mandatory confiscation measures and enhanced whistleblowing protections, as the scope of the Italian “Whistleblowing Decree” is extended to cover reports concerning breaches of EU restrictive measures.

Ministry of Justice publishes report on Italian corporate criminal liability

On 24 January 2026, the Italian Ministry of Justice published the Final Report and draft legislative proposal of the “technical Working Group on the reform of the administrative liability of legal entities under Legislative Decree No. 231/2001.” The report gives statutory recognition to an essential core of the compliance program, emphasizing minimum components, such as:

  • the description of the internal control system;
  • risk mapping;
  • preventive protocols ensuring proper segregation of activities;
  • adequate information flows.

Specific attention is given to incentive-based mechanisms, including the extension to legal entities of the regime provided under Article 131-bis of the Italian Criminal Code for minor and sporadic offences, alongside a greater recognition of remediation efforts. The report also envisages the possibility for entities to be granted a term to remedy organisational shortcomings identified by the prosecuting authority, reinforcing a compliance-oriented and corrective approach to corporate criminal liability.

Italian Council of Ministers publishes draft Decree implementing EU Environmental Crime Directive

On 20 January 2026, the Italian Council of Ministers published the preliminary draft of the Legislative Decree implementing Directive (EU) 2024/1203 on the protection of the environment through criminal law. With 21 May 2026 set as the transposition deadline by the EU legislator, the draft introduces several amendments to the Italian Criminal Code (ICC), including:

  • Changes to the offence of “Environmental pollution” (Article 452-bis ICC);
  • The introduction of the offence of “Trading in pollution products” (Article 452-bis.1);
  • Amendments to the offence of “Death or personal injury resulting from environmental pollution” (Article 452-ter), also extended to the newly introduced offence under Article 452-bis.1

The draft criminalizes the production and trade of ozone-depleting substances and greenhouse gases. It also expands the list of predicate offences under Legislative Decree No. 231/2001, governing corporate criminal liability, to include the new environmental crimes and it strengthens the sanctioning framework for certain environmental offences.

The draft will now undergo parliamentary review and further consultation before final adoption and entry into force.

 

Data, Privacy and Cybersecurity

EDPB and EDPS issue Joint Opinion on the Digital Omnibus on AI

On 20 January 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the Proposal for a Regulation as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI). The Joint Opinion supports the Proposal’s objective of simplifying implementation of the AI Act.

The EDPB and the EDPS generally welcome measures aimed at reducing administrative burdens, supporting AI regulatory sandboxes, and strengthening cooperation between authorities, but raise concerns about risks to accountability and fundamental rights. In particular, they call for strict limits on the processing of special categories of personal data for bias detection, the retention of registration obligations for certain AI systems, clearer supervisory competences, stronger involvement of data protection authorities, and caution regarding delays to the application of high-risk AI obligations.

Italian DPA fines a company for unlawful employee tracking

On 29 January 2026, the Italian Data Protection Authority (Italian DPA) published a resolution imposing a EUR120,000 fine on a company for unlawfully processing the personal data of five employees. The company had installed tracking devices on company vehicles, linked to individual drivers, which collected very detailed data on work-related and private journeys for behavioural scoring purposes. The Italian DPA found multiple violations, including unlawful monitoring of employees' activity without the safeguards required under labour law, insufficient transparency regarding purposes, legal bases and data recipients and unauthorized access to the data by other group companies.

Italian DPA fines a company for accessing an employee's emails

On 29 January 2026, the Italian Data Protection Authority (Italian DPA) published a resolution in which it fined a company EUR40,000 for violating the confidentiality of a former CEO’s corporate email account after the termination of his employment. Despite the former CEO's GDPR request to deactivate their email account, set up an auto-reply, and ensure the forwarding of any emails received to their personal inbox, the company continued to keep the account active and accessed the individual's emails. The Italian DPA found that the company unlawfully accessed and retained personal correspondence of the former CEO.

EDPB publishes FAQs on the EU-US Data Privacy Framework

On 15 January 2026, the European Data Protection Board (EDPB) published the EU-US Data Privacy Framework FAQ for European businesses. The FAQ clarify the scope and functioning of the Data Privacy Framework (DPF), the eligibility requirements for US companies under Federal Trade Commission (FTC) or the US Department of Transportation (DoT) jurisdiction, and the checks EU exporters have to carry out before transferring data, including verification of active certification and coverage of specific data types. The document also recalls that where DPF certification isn't available, alternative transfer mechanisms under the GDPR must be used and highlights specific obligations for transfers to US controllers and processors, and for US subsidiaries of European Economic Area (EEA) companies seeking certification.

European Commission publishes new version of FAQ on the Data Act

On 22 January 2026, the European Commission published an updated version of the Frequently Asked Questions on the Data Act (FAQ). The new version of the FAQ doesn't present substantial updates compared to the previous version. Although non-binding, the FAQ offer important clarifications on several aspects of the new legislation. Even though the Data Act is sector-neutral, it's expected to have a significant impact on the life sciences industry, given the sector's strong focus on innovation and extensive use of advanced technologies.

 

Antitrust

Commission publishes Guidelines on applying the Foreign Subsidies Regulation

On 9 January 2026, the European Commission released Guidelines on implementing Regulation (EU) 2022/2560 on foreign subsidies distorting the internal market. Aimed at improving predictability and transparency for businesses, the document clarifies key elements:

  • how to determine whether foreign subsidies cause distortions under Article 4(1);
  • how distortions are assessed specifically in public procurement procedures (Article 27);
  • how the “balancing test” is applied (Article 6); and
  • use of call-in mechanism for concentrations and public procurement procedures (Articles 21(5) and 29(8)).

 

Tax

OECD publishes Side-by-Side package on Pillar Two

On 5 January 2026, the Organisation for Economic Co-operation and Development (OECD) published the Side-by-Side package, marking a key step in stabilizing Pillar Two. The package introduces several measures aimed at simplifying compliance for multinational groups, including permanent safe harbours and an extended CbCR transitional safe harbour. For life sciences groups, these measures are particularly relevant as they reduce compliance complexity for reporting and documentation, offer more flexibility for reporting obligations during the transition period, and maintain protection of substance-based incentives, supporting R&D and manufacturing activities. Overall, these developments enhance tax certainty and may positively influence investment decisions and operating model choices across the sector.

OECD consultation on Global Mobility of Individuals

On 20 January 2026, the Organisation for Economic Co-operation and Development (OECD) concluded a consultation on Global Mobility of Individuals, focusing on the tax implications of remote work, cross-border employees, and digital nomads. For life sciences companies with globally mobile, highly specialized talent, the consultation addresses both employee and corporate tax risks, including permanent establishment exposure and potential transfer pricing challenges arising from mobile employees. The outcome may shape future mobility policies and workforce strategies in an increasingly flexible working environment.

Print

Related capabilities

Life SciencesData, Privacy and CybersecurityRegulatory and Government AffairsWhite Collar and Corporate CrimeTaxAntitrust and Competition