EU cybersecurity measures on medtech – what you need to know

by

Chris Whitehouse, a political consultant and expert on medical technology policy and regulation at Whitehouse Communications, chair of the Urology Trade Association, updates readers on key recent announcements impacting the medtech sector in the UK and EU.


Increasing digitisation and greater interconnection have seen a rising number of malicious cyber activities around the world. To respond to these increasing threats, the European Commission has introduced new legislation and regulation on cybersecurity that will impact the medtech sector.

On 17th January, the NIS 2 Directive entered into force - updating the EU’s rules on the security of network and information systems (NIS Directive). The new legislation covers medium and large entities from sectors considered critical for the economy and society. The scope of the NIS 2 Directive has been widened to cover manufacturers of medical devices and in vitro diagnostic medical devices (IVDs). 

NIS 2 classifies businesses falling within its scope in two categories – ‘essential’ and ‘important’ entities. The manufacturers of medical devices and IVDs are classified as ‘important’ entities. The Directive also categorises businesses manufacturing medical devices that are considered to be critical during a public health emergency, as ‘essential’. 

Different regulatory regimes apply to each of the two categories. ‘Important’ entities are not required to systematically document compliance with cybersecurity measures, and competent authorities will act only if evidence is brought to their attention showing a potential infringement of the Directive. For ‘essential’ entities, however, NIS 2 foresees more proactive supervision, including the requirement for competent authorities to carry out on-site inspections and off-site supervision as well as targeted security audits and scans. 

Both ‘essential’ and ‘important’ entities are subject to further requirements, including: 

Beware, NIS 2 foresees administrative fines of up to €7 million for ‘important’ entities and up to €10 million for ‘essential’ entities for failure to comply with its risk management measures and reporting obligations. 

Medtech companies also need to be aware of the Cyber Resilience Act (CRA). Medical devices and IVDs are not within the scope of the current legislative proposal, but the European Data Protection Supervisor (EDPS) has pressed for the scope to be expanded to bring them within its provisions. In an opinion published in November last year, the EDPS holds that the security provisions of the Medical Devices Regulation (MDR) “are not always as detailed and concrete as the ones in CRA” and also argues that, while the MDR introduces an obligation to “establish, implement, document and maintain a risk management system”, it is unclear whether that obligation will also cover cybersecurity and data protection related aspects. 

As the medical devices industry in Europe sees continuous growth and development, EU decision makers are looking to issue additional regulations to ensure European patients’ safety while preserving the sector’s innovation. With the NIS 2 Directive imposing cybersecurity measures on the medtech industry in addition to those introduced by the MDR, and with the CRA upcoming, one thing is clear: policy monitoring and close engagement with decision makers are now more important than ever for medtech businesses to make sure they are fully compliant with the law and that legislation is fit for purpose. 

Questions about or comments upon this article can be addressed to the author at chris.whitehouse@whitehousecomms.com.
