Cybersecurity for the Healthcare Sector

Penalties: Sanzioni previste dal D.Lgs. 138/2024

Determina ACN 38565/2025

Soggetti essenziali e importanti registrati presso ACN. Authority: ACN - Agenzia per la Cybersicurezza Nazionale.

Authority: ACN - Agenzia per la Cybersicurezza Nazionale

Deadline: April 14, 2025

Penalties: Up to €35M or 7% of turnover (prohibited practices); €15M or 3% (other obligations); €7.5M or 1% (inaccurate information). SMEs: proportionate caps

AI Act

4 guides

EU Regulation 2024/1689

Regulation of artificial intelligence systems in the EU with a risk-based approach. Phased application: prohibited practices from Feb 2, 2025, GPAI obligations from Aug 2, 2025, high-risk systems from Aug 2, 2026

Authority: AI Office (EU Commission) + AgID (Italy)

Deadline: August 2, 2026

Critical Infrastructure Act

Penalties: HRK 50,000 to 500,000

NN 56/2013

Operatori kljucnih infrastruktura. Authority: Ministarstvo unutarnjih poslova.

Authority: Ministarstvo unutarnjih poslova

Deadline: May 18, 2013

Critical Infrastructure Act

Penalties: EUR 10,000 to 60,000

ZKI (Ur. l. RS 75/2017)

Operatorji kljucne infrastrukture. Authority: Ministrstvo za obrambo.

Authority: Ministrstvo za obrambo

Deadline: December 30, 2017

Penalties: Up to €20M or 4% of annual global turnover

GDPR

4 guides

EU Regulation 2016/679

Personal data protection in the European Union

Authority: Data Protection Authority (Garante per la Protezione dei Dati Personali)

General Security Policy for Health Information Systems

Penalties: Sanctions by ARS or administrative authorities

Art. L.1110-4-1 Code de la sante publique

Tous les acteurs du secteur sante manipulant des donnees de sante. Authority: ANS / Ministere de la Sante.

Authority: ANS / Ministere de la Sante

Deadline: February 1, 2013

Hebergement de Donnees de Sante (HDS Certification)

HDS

Organizations hosting health data. Authority: ANS / Ministere de la Sante.

Authority: ANS / Ministere de la Sante

Deadline: April 1, 2018

HSE Data Protection and Cybersecurity Framework

Penalties: Compliance enforcement through HSE governance

Health Act 2004 (as amended), HSE Policy

Healthcare organisations in the public health system. Authority: HSE (Health Service Executive).

Authority: HSE (Health Service Executive)

Deadline: June 1, 2021

Penalties: N/A (voluntary standard)

ISO 27001

2 guides

ISO/IEC 27001:2022 - International standard

Information Security Management System (ISMS)

Authority: Accredited certification bodies (Accredia in Italy)

KRITIS-Verordnung (BSI-KritisV)

KRITISV

Critical infrastructure operators above threshold values. Authority: BSI.

Authority: BSI

Deadline: May 3, 2016

Legislative Decree 138/2024 - NIS2 Transposition

Penalties: Fino a 10 milioni di euro o 2% del fatturato mondiale annuo

D.Lgs. 138/2024

Soggetti essenziali e importanti nei 18 settori NIS2 (50+ dipendenti o 10M+ fatturato). Authority: ACN - Agenzia per la Cybersicurezza Nazionale.

Authority: ACN - Agenzia per la Cybersicurezza Nazionale

Deadline: October 16, 2024

Ley 8/2011 de Proteccion de Infraestructuras Criticas

LPIC

Critical infrastructure operators (12 strategic sectors). Authority: CNPIC / Ministerio del Interior.

Authority: CNPIC / Ministerio del Interior

Deadline: April 29, 2011

Loi de Programmation Militaire (LPM 2024-2030) - Art. cyber OIV

LPM

Operateurs d'Importance Vitale (OIV). Authority: ANSSI / SGDSN.

Deadline: January 1, 2024

Authority: ANSSI / SGDSN

Loi du 1er juillet 2011 relative a la securite et la protection des infrastructures critiques

LSRI

Critical infrastructure operators. Authority: Centre de crise national.

Authority: Centre de crise national

Deadline: July 1, 2011

Penalties: Up to €10M or 2% of annual turnover

NIS2

4 guides

EU Directive 2022/2555 - Legislative Decree 138/2024

Network and information security for essential and important entities

Authority: ACN - National Cybersecurity Agency

Deadline: October 17, 2024

Ordinance on Minimum Network and Information Security Requirements

Penalties: BGN 5,000 to BGN 25,000 for first offence

Naredba za MMIS (prieta s PMS 186/2019)

Operators of essential services and digital service providers. Authority: State Agency for Cybersecurity.

Authority: State Agency for Cybersecurity

Deadline: August 2, 2019

Patient Data Act - Security Provisions

Penalties: Regulatory sanctions by IVO and IMY

SFS 2008:355

Vardgivare som behandlar patientdata. Authority: Socialstyrelsen / IMY.

Authority: Socialstyrelsen / IMY

Deadline: July 1, 2008

PSNC - Perimetro Sicurezza Nazionale Cibernetica (D.L. 105/2019)

2 guides

PSNC

National cybersecurity and compliance obligations for organizations within the scope of this regulation.

Authority: Presidenza del Consiglio dei Ministri

Deadline: November 21, 2019

Sakerhetsskyddslag (2018:585) - Security Protection Act

SAKERHETSSKYDDSLAGEN

Entities handling classified information, security-sensitive activities. Authority: Saekerhetspolisen (SAPO).

Authority: Saekerhetspolisen (SAPO)

Deadline: April 1, 2019

Sikkerhetsloven (Security Act)

SIKKHETSLOV

Entities handling classified info, critical infrastructure. Authority: NSM.

Deadline: January 1, 2019

Authority: NSM

Wet op de geneeskundige behandelingsovereenkomst + NEN 7510

WGS

Healthcare organizations, health data processors. Authority: Dutch Healthcare Authority.

Authority: Dutch Healthcare Authority

Deadline: January 1, 2017