
    Cybersecurity in pharma: from risk to resilience

    SEA Vision has been officially classified as an “important entity” under Italy’s Legislative Decree 138/2024, which transposes the European NIS2 directive. This designation requires us to implement solid technical and organizational cybersecurity measures to increase resilience and comply with the new regulatory baseline.

    The company has met the initial regulatory deadlines for information sharing with the National Cybersecurity Agency by defining responsibilities, completing a gap analysis and a training plan, and updating its cybersecurity incident management procedure.
    SEA Vision has launched a certification roadmap for ISO 27001:2022 and IEC 62443‑4‑1, with the goal of achieving both certifications by October 2026, in line with NIS2 deadlines.

    This foundation is necessary because, at the core of cybersecurity, the greatest threat is still the same: not knowing your risks.

    The real risk: not knowing your risks

    Ludwig Feuerbach once said, “We are what we eat”.

    But in today’s digital world — especially in 2026 — a more accurate version would be:

    “We are the data we generate”.


    For individuals, losing control of personal data means identity theft, financial fraud and emotional distress.
    For organizations, the impact is exponentially greater:

    • exposure of confidential information
    • operational paralysis
    • loss of client trust
    • legal and regulatory consequences

    And the more data you manage, the higher the stakes.

    So the real question pharma software companies should ask is no longer:

    “Could we be hacked?”

    but rather:

    “Do we truly understand the risks surrounding our data and are we prepared to manage them?”

    The hidden risks behind every byte of data

    A medium or large pharma tech company manages vast amounts of sensitive data — from system credentials and workflow logic to client configurations, software assets and internal processes.
    Every one of these assets is a potential point of attack, exposing the organization to major risks:

    • data theft and extortion
    • reputational damage
    • infrastructure disruption
    • fraud and man‑in‑the‑middle attacks
    • legal or regulatory penalties


    NIS2: Europe’s new cybersecurity baseline

    To address the growing threat landscape, the EU introduced Directive 2022/2555 (NIS2) — the most comprehensive cybersecurity legislation implemented in Europe to date.


    What NIS2 aims to achieve

    Effective at EU level since January 17, 2023, NIS2’s objectives are to:

    • increase cybersecurity resilience
    • harmonize cybersecurity rules across Member States
    • ensure rapid incident response
    • protect essential digital infrastructure

    Italy’s implementation

    Italy transposed the directive with:

    • Legislative Decree No. 138
    • Effective date: October 16, 2024
    • Competent authority: ACN – Agenzia per la Cybersicurezza Nazionale

    ACN is responsible for defining requirements, monitoring compliance and enforcement.

    Who must comply?

    NIS2 expands its perimeter significantly:

    • 11 highly critical sectors (Annex I)
    • 7 critical sectors (Annex II)
    • 80 types of entities

    Pharma stakeholders, including software providers supporting pharmaceutical processes, are fully included.
    This means pharma software companies are officially recognized as essential or important entities.

    What NIS2 requires: key obligations

    NIS2 is not a checklist. It’s a strategic shift in how organizations manage cyber risk.


    1. Risk management & security controls

    Companies must implement robust frameworks and controls, including:

    • asset management
    • encryption
    • secure authentication
    • vulnerability management
    • network segmentation

    2. 24‑Hour incident reporting

    Significant incidents must be reported to ACN within 24 hours, followed by ongoing updates. This demands real‑time monitoring capabilities.

    3. Business continuity & disaster recovery

    Organizations must be able to:

    • maintain essential services during an incident
    • restore operations quickly
    • demonstrate resilience through documented procedures

    4. Training & awareness

    Cybersecurity is not only a technical issue — it is a cultural one.
    NIS2 mandates:

    • regular employee training
    • awareness programs
    • structured cybersecurity governance

    Threat landscape: healthcare under pressure

    In the healthcare sector, the data speaks for itself: in Q1 2025, nearly one‑third of all security incidents were linked to hacktivism.


    Main attack techniques included:

    • DDoS (33%) — distributed denial of service
    • Malware (20%)
    • Exploited vulnerabilities (6%)
    • Phishing

    This trend highlights how healthcare and pharma remain primary targets due to the criticality — and value — of the data they manage.

    In pharma, cybersecurity is no longer just a requirement: it’s a responsibility. Frameworks like NIS2, IEC 62443 and ISO/IEC 27001 set the foundation for true operational resilience, but the real value comes from actively embracing them.

    Martina Siddiqui

    Hi, I’m Martina, Technical Marketing Specialist. On this blog, I’ll mainly be writing about the latest developments in the field of traceability, such as RFID and the newest advancements in vision systems. Stay tuned for more updates on the latest solutions in pharma.