![Cybersecurity in Medical Devices: The Future is Now](https://example.com/image.jpg)
# The Impact of Legislative Decree 138/2024 on Cybersecurity for Medical Devices
In today’s context, characterized by a growing reliance on digital technologies, cybersecurity has become a fundamental priority, especially for the medical device sector. The recent Legislative Decree 138/2024, published in the Official Gazette on October 1, 2024, represents a significant step toward implementing cybersecurity measures at the European level, transposing EU Directive 2022/2555, known as NIS 2. This new regulatory framework establishes stringent obligations not only for public institutions but also for medical device manufacturers, with the aim of ensuring a high standard of cybersecurity throughout the European Union.
## Purpose of the Regulation and Objectives
The NIS 2 Directive aims to establish common standards that can enhance the functioning of the internal market through the implementation of effective cybersecurity measures. In particular, the decree sets forth:
– Obligations for member states to adopt appropriate national strategies and designate competent authorities.
– Measures for managing cybersecurity risks and procedures for reporting incidents.
– Rules for sharing information on cybersecurity.
– Oversight standards for the entities involved.
## Who is Covered by the Regulation?
The scope of the decree includes both public and private entities that meet specific criteria detailed in Annexes I and II. Specifically, entities manufacturing medical devices, which fall under the MDR (Medical Device Regulation), are explicitly included. To be subject to the obligations set out, entities must surpass the revenue limits established for small and medium-sized enterprises, as defined by recommendation 2003/361/EC. Operators are categorized into essential and important entities, depending on their size and type of services offered.
## Obligations of Medical Device Manufacturers
The decree establishes a series of specific obligations aimed at ensuring that medical device manufacturers maintain high cybersecurity standards. Among the main requirements:
1. **Registration on the National Platform:** By February 28, 2025, manufacturers must register on a digital platform made available by the national authority competent for NIS, providing the required information.
2. **Monitoring and Risk Management:** The administrative bodies and management are responsible for implementing cybersecurity risk management measures. They must approve appropriate policies and procedures, following a multi-risk approach and adopting technical and operational measures to mitigate risks.
3. **Security Training:** The administrative and management bodies must also undergo training in cybersecurity and ensure that employees receive adequate training on the subject.
## Responsibilities of Management
Decree 138/2024 clearly establishes that the administrative and management bodies are responsible for breaches of the obligations set out. Key responsibilities include:
– Implementing cybersecurity measures.
– Promptly notifying incidents that may impact the services offered.
– Regularly communicating and updating the list of activities and services on the national platform.
## Notification Obligations
Beginning with Article 25, the decree introduces strict requirements for the notification of significant incidents. These obligations are intended to ensure that any issue that may affect the services offered is promptly reported to the competent authorities, allowing a swift and targeted response.
## Penalties for Manufacturers
The decree does not take penalties lightly. The administrative bodies can be held accountable…