One of the stages on the road to SPS was held in the splendid setting of the Spazio Novecento in Rome: "How to transform a pharmaceutical factory into a Smart Factory".

So we talked about Pharma 4.0 and about the impact of digital transformation on a highly regulated sector such as pharmaceuticals: after the interesting introductory talks (the digital market in Italy, Cyber Security principles and some very Italian case histories), we moved on to the Round Table, where our Francesco Tieghi addressed the delicate subject of the standards, directives and regulations that govern production (and not only production) in the Pharma sector.

The premise is that today it is no longer acceptable to have plants (whose production is critical for various and obvious reasons) that are not covered by adequate Cyber Security protection, and European and global institutions are accordingly demanding ever higher IT security standards in these areas. Here is an extract of our talk.

  • WHAT ARE THE COMING REGULATIONS?
  • HOW MUCH TIME DO WE HAVE TO "GET IN ORDER"?

We will try to answer these questions quickly and precisely.

When it comes to regulations in the pharmaceutical environment, the "sacred texts" are still the GAMP guides (ISPE's Good Automated Manufacturing Practice).

Precisely for this reason it is significant that GAMP 5 Second Edition (published by ISPE in 2022) speaks explicitly, for the first time, about cybersecurity: it does so by referencing the ISO 27000 family and in particular the list of controls in ISO/IEC 27001.

In the 2022 release of ISO/IEC 27001 these are 93 controls (11 of them completely new), down from 114 in the previous version. Recall that the ISO 27000 family concerns information security management; since today information is mostly digital, it is in practice a full-fledged IT security standard.

In reality this addition to GAMP adds a brick to an ecosystem that is already regulated by other standards (see IEC 62443 for industrial automation and control systems) and by directives such as the Machinery Directive. The latter actually concerns safety in the use of industrial machinery, but in a world where these machines are increasingly intelligent and interconnected, it is to be expected that its new release (expected by 2024; it has since been adopted as the Machinery Regulation (EU) 2023/1230) will refer to control and verification activities for the devices, applications and connections that concern the machinery itself.

But what will revolutionize the approach to Cyber Security in the Pharmaceutical environment (and not only there) is the arrival of a national implementing law (Italian, but probably similar in the other EU countries) deriving from the new version of the European directive, NIS2. NIS in its initial version is already applied in Italy, but to a rather limited number of companies, since it only takes into consideration what are defined as critical infrastructures: so we are talking about water supply, transport, the financial sector and hospitals.

Figure: Sectors impacted by the first release of the NIS2 European Directive

First of all, the new revision introduces a double category: the activities present in the original version are raised to "sectors of high criticality", and a category of "other critical sectors" is inserted for: postal and courier service providers, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital service providers, and research.

So Pharmaceuticals is certainly one of the sectors involved: in NIS2 the health sector (among those of high criticality) explicitly includes entities manufacturing basic pharmaceutical products and pharmaceutical preparations, as well as entities carrying out research and development of medicinal products. It will nevertheless be up to each EU member state to identify the entities concerned, applying what NIS2 indicates: "All companies, starting from medium-sized ones, operating in the aforementioned sectors are subject to application of the directive.

The provisions could also be applied to small businesses, if they are considered essential for the economic and social life of a Member State."

Another interesting aspect to point out is that a further degree of criticality (critical at European level) is added when the activity is present in at least six EU countries; strictly speaking this "particular European significance" criterion comes from the CER Directive on the resilience of critical entities, which was adopted together with NIS2.
But so... what will NIS2 ask you to consider?

Here is a small list:

  • Risk analysis and information systems security policies
  • Incident management (incident prevention, detection and response)
  • Business continuity and crisis management
  • Supply chain security, including the security aspects of the relationship between each entity and its vendors or service providers (such as providers of data storage and processing services or providers of managed security services)
  • Security in the acquisition, development and maintenance of networks and information systems, including vulnerability management and disclosure
  • Policies and procedures for evaluating the effectiveness of cyber security risk management measures
  • The use of cryptography and encryption

(The complete list, in Article 21 of the directive, also includes basic cyber hygiene and training, human resources security, access control and asset management, and the use of multi-factor authentication and secured communications.)

That's a lot of activities, especially considering that the European directive was approved and published in December 2022 and must be transposed into national law and applied by October 2024 (the transposition deadline is 17 October 2024).

Less than two years, and many activities to carry out. Good work.