Italy's Sunshine Act: a system ready but still not operational

More than three years after the entry into force of Law no. 62 of 31 May 2022 (the so called Sunshine Act), it has still not been fully implemented. The system envisaged by the legislator — aimed at ensuring transparency in the relationships between companies operating in the healthcare sector and healthcare professionals and healthcare organisations  — is not yet operational.

The law, in force since 26 June 2022, defines the architecture of the reporting obligations and the data disclosure model. From a technical administrative perspective, the Ministry of Health has drafted the implementing decree, collected the opinions of the competent authorities, and designed the dedicated IT platform. Nevertheless, the entire system is still not operational, as the notice of activation of the public online register — called “Sanità Trasparente”, to be hosted on the Ministry of Health’s website and freely accessible, searchable and downloadable in open format — has not yet been published in the Official Gazette. This register will host the reports submitted by companies in fulfilment of the obligations provided by the law.

The law makes the effective operability of the reporting obligations subject to the publication in the Official Gazette of the notice confirming that the register is up and running.

In this context, companies find themselves in a delicate position: on the one hand, the obligations are not yet legally enforceable; on the other, the technical and regulatory framework appears sufficiently defined to reasonably expect that the register will be activated soon. Consequently, a wait and see approach risks turning into a race against time when the decree is finally adopted.

Progress status

Law no. 62/2022 required the Ministry of Health to issue the implementing decree within six months of its entry into force. This deadline has long passed.

In August 2023, the ministry published a draft implementing decree and a technical specification, submitting both for public consultation. Since then, over the following years:

• opinions were obtained from the Agency for Digital Italy (AgID), the Italian National Anti Corruption Authority (ANAC), and the Italian Data Protection Authority;
• comments were submitted concerning the structure of the register, personal data management, IT security, and consistency with anti corruption rules;
• the online platform intended to host the Sanità Trasparente register was designed.

Recently, in response to an urgent parliamentary question (Chamber of Deputies, 7 November 2025, question no. 2-00708), the government confirmed that the decree establishing the register had been prepared and that the technical rules governing the system’s operation had been defined. The Ministry of Health highlighted the need to resolve certain interpretative issues that emerged during the drafting phase, including:

• the correct definition of “indirect benefits” subject to reporting;
• the identification of the tax regime applicable to disclosed payments;
• the classification of specific activities — such as market research — as potentially subject to disclosure obligations.

Finally, while confirming that the comments of the consulted authorities had been incorporated, the ministry clarified that an “additional round of consultations” with companies and healthcare professionals was under way, with the aim of ensuring a system launch that minimises operational issues and the risk of litigation.

Practical implications for businesses: a potential obligation requiring preparation today

Law  no. 62/2022 introduces a transparency system requiring public disclosure of transfers of value between “producing companies” and individuals operating in the healthcare sector, on the one hand, and healthcare organisations, on the other. A series of obligations is therefore imposed on producing companies.

The fact that the reporting obligations are not yet operational might lead some operators to postpone preparing the necessary internal adjustments. However, such an approach could be risky.

The completion of the technical process and the confirmation that the implementing decree has been drafted make a publication in the near future plausible, even if its precise timing remains uncertain. However , the complexity of the obligations and the volume of data to be handled mean that proper implementation will require time, resources, and careful planning, especially for companies.

For many businesses (especially small and medium sized ones) the greatest challenge will not be understanding the content of the obligation, but rather adequately structuring internal processes for the collection, validation and transmission of information.

It is therefore crucial for companies to organise themselves in advance by adopting an operational plan that includes a clear mapping of all situations in which the company makes transfers of value to healthcare professionals or healthcare organisations.

They will need to identify the corporate systems in which such information is currently recorded (accounting, customer relationship management, event databases, contracts, procurement systems) and assess the level of detail by which this data is tracked.

To properly manage reporting obligations, companies will need to clearly define roles and responsibilities, including the management of potential external intermediaries (event agencies, contract research organisations, academic societies), and should establish who must provide which data and under what contractual obligations.

It will also be necessary to adopt internal procedures governing how data is  collected, checked, and then transmitted, ensuring a coherent and traceable process.

The fact that data will be included in the Sanità Trasparente register will require companies to review contracts with healthcare professionals and organisations, for instance by introducing obligations to cooperate in the collection and verification of information.

Finally, privacy notices will need to be updated, and IT and organisational solutions verified for compliance with the principles of data minimisation, accuracy and security.

Osborne Clarke comments

Although the implementation of Law no. 62/2022 has been significantly delayed, the current regulatory and technical framework appears solid. It is therefore reasonable to believe that, once the remaining interpretative issues have been resolved and the final round of stakeholder consultations completed, the implementing decree will be issued without further structural changes.

In this scenario, a wait and see approach by companies appears risky: once the decree is published, the reporting deadlines will begin to run automatically, according to the schedule set by the law, and extensions are unlikely.

Adequate planning will allow companies not only to reduce the risk of non compliance and sanctions, but also to approach this new era of transparency in relations with healthcare professionals and organisations not merely as a bureaucratic requirement but rather as a way to strengthen integrity and responsibility within the business culture.