Lessons for Italian Sunshine Act Compliance: What Global Audits Reveal
Author
May Khan leads the Compliance Services team at Vector Health, a SaaS company specializing in compliance for the life sciences sector. Her experience includes global transparency reporting, Sunshine Act strategy, and HCP risk monitoring. At Vector she coordinates cross-functional teams dedicated to data integrity, customer service, and regulatory alignment.
In mid-2024, the Danish drug giant Novo Nordisk, a global leader in diabetes care, was reprimanded by the UK’s Prescription Medicines Code of Practice Authority (PMCPA). An internal investigation revealed that approximately 500 transfers of value, worth £7.8 million and involving over 150 healthcare organisations, had not been disclosed between 2020 and 2022.
These omissions were traced back to inconsistent “tagging” in its financial systems—legacy errors that should have been captured but were not—causing the company to breach 10–14% of its total annual disclosures. The PMCPA described this as “extremely serious,” noting “fundamental governance failures,” and explicitly cited failures in training, process, and monitoring. Both the reprimand and the audit were public, and painful.
A similar story unfolded across the Atlantic. Under the US Open Payments program (CMS), regulators have repeatedly flagged companies for avoidable reporting errors. Entire submissions were rejected because key identifiers like National Provider Identifiers (NPIs) or state license numbers were missing. One audit even revealed that companies had underreported because they didn’t aggregate small, repeated transfers across the year for each HCP, a technical oversight that created the appearance of concealment.
What these cases illustrate is a crucial point for Italy, where the Sunshine Act is about to be enforced and life science companies are preparing their systems and processes to be fully ready and compliant before it’s time to report. One important step in being prepared is learning from transparency reporting mistakes and failures in other countries, and knowing that they usually stem from weak systems, not bad intent. If you’re a manufacturer based in Italy, now is the time to learn from these global missteps before you become a cautionary tale yourself.
What Italian Companies Must Learn from Global Audits
1. Data Integrity Is Non-Negotiable
The missteps in the US show that a single missing identifier (NPI, tax ID, or license number) can cause records to be rejected outright. For Italy, this means companies must prepare robust processes for validating HCP/HCO identifiers before submission. Internal QA steps, cross-checks against official registries, and early reconciliation between finance, compliance, and medical affairs data streams are essential.
2. Process Discipline Prevents Public Embarrassment
The Novo Nordisk case highlights the reputational impact of incomplete reporting and poor methodological notes. For Italy, companies should not treat methodological documentation as an afterthought. Clear, well-structured notes explaining methodology, assumptions, and data sources will be required, and will stand as a public record of your compliance culture.
Assigning roles across Legal, Compliance, and Finance is essential so that no department operates in isolation. A designated responsible party should have both the mandate and the authority to access the data they need, ensuring accountability is real rather than symbolic.
3. Categorization and Classification Must Be Systematic
Companies in Italy must apply threshold rules carefully and ensure that payments are reported under the right category (consulting, travel, meals, grants, etc.). Internal misclassification is one of the fastest ways to trigger an audit.
4. Documentation Is Your Audit Shield
In the US, companies are expected to keep supporting documentation for at least five years—something auditors actively verify. Though the Italian Sunshine Act does not yet define how long supporting documentation must be retained, based on EU best practice (e.g., France, Belgium), companies should prepare for at least several years of audit-readiness. Having well-organized supporting files will make the difference between a routine check and a prolonged investigation.
How Smart SaaS Solutions Can Help
These cases also highlight why many global life sciences companies rely on third-party transparency reporting platforms. A strong transparency reporting compliance tool can:
- Automate identifier validation against official registries, reducing rejections.
- Classify payments correctly with configurable business rules.
- Aggregate spends in real time, ensuring thresholds are applied correctly.
- Maintain a full audit trail with documentation linked to each record.
- Provide dashboards and alerts so compliance teams can spot errors before submission deadlines.
By embedding controls into the reporting process, SaaS platforms reduce the burden on compliance teams and help companies avoid the same pitfalls that led to Novo Nordisk’s reprimand in the UK and widespread rejections in the US.
Final Takeaway
Italy’s Sunshine Act is a practical compliance obligation that will soon expose company data to public and regulatory scrutiny. Learning from mistakes made elsewhere is the most efficient way to avoid costly missteps. By taking cues from Novo Nordisk’s public reprimand in the UK and the recurring audit issues seen in the US, Italian life sciences companies can strengthen their processes now, invest in smarter reporting systems, and ensure that when the spotlight of transparency falls on them, the story is one of preparedness, not of failure.