Chino.io

IT Services and IT Consulting

Rovereto, Trentino-Alto Adige · 7,502 followers

Your partner at every step of the compliance journey

About us

Chino.io helps companies dealing with sensitive data to give the right answers to data protection questions they receive from clients, regulators, and investors. We are specialised in GDPR, HIPAA, DVG/DiGA, NHS, and others, and we work with digital health, AI, and blockchain applications.

Website
https://www.chino.io
Industry
IT Services and IT Consulting
Company size
11-50 employees
Headquarters
Rovereto, Trentino-Alto Adige
Type
Privately held
Founded
2014
Specialties
mHealth, eHealth, API, Health Data Security, Cloud Health Technologies, GDPR compliant storage for mHealth app, Compliant health data storage, EU secure data storage, GDPR compliance, cybersecurity, HIPAA, MDR, GDPRhealth, and Digital Health

Updates

  • Chino.io reposted this

    Recently one of our clients got an emergency inspection (😱) by the Garante (the Italian Data Protection Authority). Thankfully my team took it in their stride (great work, team! 🙂). For early-stage startups, a DPO is just a checkbox you need to get your deals through. But once you have a couple of real deals, a good DPO who pushes you to do the work properly is a life-saving “insurance” for when the s**t hits the fan! Data breaches have become the norm now, so it’s not if, but when they will happen. So, are you (and your DPO) ready to manage one? When the time comes, you will need all your GDPR documentation and a team of experts (lawyers and data protection experts) to help you manage the breach notification and any subsequent inspection. If you are unlucky enough to get inspected, you will find that accurate, complete, and auditable paperwork is KING! It is the most important thing helping you avoid potential fines, reputational damage, and loss of customers. Have you had any good or bad DPO experiences? I’d love to hear your stories! #dpo #gdpr #chinoio #dataprotection #startup #business #garante

  • Chino.io reposted this

    What actually stops digital health startups from scaling? In my latest audio note, I break down the three compliance challenges you’ll face in 2026. Listen to learn why I view data protection as one of your strategic assets.

    ➡️ Roadmap confusion
    ➡️ The resource trap
    ➡️ Data protection as a strategic asset

    Listen to the full note below for the deep dive! 👇 #startup #dataprotection #compliance #chinoio #business

  • Chino.io reposted this

    I had lunch with a startup founder recently and a key question came up: when is data protection “good enough”? I often get asked this question. My advice:

    1️⃣ Check your actual compliance requirements. Thinking here of things like GDPR, HIPAA, etc.
    2️⃣ Create a compliance roadmap. Depending on where you start from, this may be based on a gap assessment or it could be a blank canvas.
    3️⃣ Implement the BARE MINIMUM to achieve your roadmap. There’s no point in chasing perfection until you have proved your product-market fit.
    4️⃣ Be prepared for potential issues like data breaches. Documentation, disaster plans, and audit logs are your friend here.

    A word of warning: people often view data protection compliance as all or nothing! This is a real problem in B2B healthcare where unreasonable compliance requests can scupper deals. But it can also be an issue during any M&A, where missing pieces of the puzzle could see tens of thousands wiped off your asking price! Here, you need a friendly expert who is used to arguing with other experts about what is really needed. Something me and my team end up doing frequently! #gdpr #hipaa #digitalhealth #business #startup #chinoio

  • Chino.io reposted this

    I’m heading to Digital Health Ljubljana on 9–10 Feb 2026! 🇸🇮 In my session, I’ll try to summarise everything startups should know about data protection and regulatory topics, while scaling their businesses globally:

    🛡️ EU vs. US: Why your data protection strategy must evolve to scale.
    🧬 Clinical trust: Proving your AI is secure enough for doctors.
    🏎️ Business speed: Navigating audits without losing agility.

    Ljubljana is a very interesting and developing hub for health tech, and I can’t wait to connect with everyone attending the event. 🤝 #DigitalHealth #Ljubljana #GDPR #AIAct #HealthTech #ScaleUp #Chinoio

    DIH HealthWise

    1,856 followers

    We are getting close to Digital Health Ljubljana 2026! 🌟 Meet our guest, Jovan Stevovic, CEO and co-founder of Chino.io, a company combining legal and technical expertise to help digital health teams tackle one of their biggest challenges: #dataprotection in practice. Jovan brings deep experience in #health IT, #AI and data protection, helping startups understand the key differences between EU and US data protection frameworks and how to navigate them without slowing down innovation. 💡 A must-attend session for startups, scale-ups and anyone expanding to new markets. 👉 Save your spot: https://lnkd.in/dzhWiG7U 📍 9–10 Feb 2026 | Center Rog Creative Hub Ljubljana Free entry! #digitalhealth #ljubljana #healthinnovation #gdpr #cybersecurity #healthdata

  • Chino.io reposted this

    Are you ready for 2026? The EU was on a legislative roll recently, and 2026 will be a key year for compliance.

    👉 ISO 27001: companies are desperate to demonstrate trust for clients. GDPR certificates have been promised for years but never delivered, so ISO 27001 is the key way to show compliance. In 2026, I expect several other standards will come to prominence including ISO 27017, SOC2, and ISO 42001.
    👉 NIS2 Directive: This is shaping up to be a real mess of an EU law. It seems every country is implementing and enforcing it differently. As a result, it will be a major compliance headache, especially for multinational or trans-national companies.
    👉 AI Act: This has been talked about ad nauseam, delayed, and there has even been talk of scrapping it or watering it down. But with the ever-growing significance of AI, I expect this to be a key topic to deal with by the end of 2026.

    There has also been a range of other EU laws that require action in 2026, like the Data Act, Critical Entities Resilience Directive, and the Cyber Resilience Act.

    The way many of these laws were drafted leaves significant room for interpretation by national authorities. This leads to issues like the repeated failure to create a GDPR certification scheme. It also drives fragmentation and stifles innovation. We are already seeing this happening with NIS2, and I fear we will see the same pattern again and again. Protecting the single market requires a different, more coordinated approach. #NIS2 #DataAct #AIAct #Cybersecurity #DigitalHealth #Compliance #ISO27001

  • Chino.io reposted this

    14 months late, Germany finally passed NIS2. But is NIS2 actually relevant for digital health companies? Long story short, in the German healthcare ecosystem NIS2 only applies to larger companies, or those with high turnover or generous balance sheets. It also only applies in sectors defined as strategically important. That means health providers, reference labs, pharma, and certain medical device companies. But for digital health in Germany, NIS2 could have an unintended impact. That’s because so many healthcare institutions and insurance companies will fall under the “particularly important” category for NIS2. In turn, that means they have to impose strict requirements on their suppliers. That is already true for larger hospitals under the KRITIS regulations. This is partly why so many hospitals now ask for C5 (a whole other story). But NIS2 extends this further, and, based on past experience, is likely to lead to a host of new compliance requirements! As a minimum, it makes ISO27001 a requirement rather than a nice-to-have. My biggest disappointment is that NIS2 is implemented and enforced differently in every EU state. For instance, there are big differences between NIS2 in Italy and Germany. This also means that multinational companies must have different reporting procedures in place for every market they are in. This adds uncertainty, complexity, and risk when operating across multiple countries. So, once again, EU legislation is acting as a blocker for future innovation and cross-border trade. #NIS2 #cybersecurity #compliance #cyberresilience #chinoio

  • Chino.io reposted this

    Digital health regulations and requirements in Germany are changing in 2026. 🇩🇪 Here are a couple of changes to be aware of:

    🔎 Germany’s BfArM streamlined the DiGA rules around security. Now you just need the obligatory BSI TR-03161 if you want to be listed in the DiGA directory. This is a significant change in security requirements and will definitely make it harder for apps to get listed.
    🔎 New standard BSI TR-03185 is in the pipeline. This is a German-specific secure software lifecycle standard similar to IEC 62304. It’s still early days but we will watch this one with interest. On the one hand, it will increase the regulatory burden. On the other, it removes some ambiguity.

    Meanwhile, BfArM (Bundesinstitut für Arzneimittel und Medizinprodukte) is still insisting that DiGAs need to have a GDPR certificate. But at the same time they admit there is no such certificate in existence! When a suitable certification finally comes out, they will allow a transition period for companies to get certified. My advice? Make sure you are complying with the long list of data protection criteria from BfArM. That way you should be ready if we finally see movement on GDPR certification. #dtx #compliance #dataprotection #diga #bsi #chinoio #business

  • Chino.io reposted this

    I had lunch with a startup founder recently, and a key question came up: when is data protection “good enough”? I often get asked this question. My advice:

    👉 Check your actual compliance requirements. Thinking here of things like GDPR, HIPAA, etc.
    👉 Create a compliance roadmap. Depending on where you start from, this may be based on a gap assessment or it could be a blank canvas.
    👉 Implement the BARE MINIMUM to achieve your roadmap. There’s no point in chasing perfection until you have proved your product-market fit.

    Be prepared for potential issues like data breaches. Documentation, disaster plans, and audit logs are your friend here.

    ⚠️ A word of warning: people often view data protection compliance as all or nothing! This is a real problem in B2B healthcare, where unreasonable compliance requests can scupper deals. But it can also be an issue during any M&A, where missing pieces of the puzzle could see tens of thousands wiped off your asking price! Here, you need a friendly expert who is used to arguing with other experts about what is really needed. Something me and my team end up doing frequently! 😉 #gdpr #hipaa #digitalhealth #business #startup

  • Chino.io reposted this

    “How much should I budget for ISO 27001?” is one of the most common questions. The truth is there’s no single answer and costs vary hugely depending on your situation. There are 3 stages to getting ISO certification:

    👉 Preparation: Here you will need to pay for consulting, internal work from your team, and any tools or platforms you or your consultant are using.
    👉 Certification: This process involves getting audited by an ISO-approved certification body. If they are satisfied with all your documentation and evidence, you will receive your certificate.
    👉 Maintenance: Getting the certificate is only the start. You need to put ongoing effort into maintaining your compliance. This means keeping your policies updated, documenting any changes, and preparing for annual surveillance audits (and renewal after 3 years).

    🔍 We’ve put together a clear infographic that breaks these costs down so you can plan your ISO journey with confidence (and avoid nasty surprises later). Have you already gone through ISO 27001? How did your costs compare to expectations? #ISO27001 #CyberSecurity #Compliance #DataProtection #GDPR #StartupGrowth #Chinoio

Funding

Chino.io 6 total rounds

Last round

Series A

1,167,951.00 USD