What impact will the new EU law have on medical devices, accompanying apps and cloud services?

Introduction

Digitalization in the healthcare sector is growing rapidly. More and more processes, devices and applications are being networked or moved to the cloud. At the same time, data protection and cyber security requirements are increasing. Patient data is not the only asset that needs protecting: attacks on medical systems can also create life-threatening situations.

Until now, medical devices in the EU have primarily been subject to the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) and, where relevant, standards such as IEC 81001-5-1, which specifies the security activities expected over the life cycle of health software. With the Cyber Resilience Act (CRA), the EU is adding a further, far-reaching layer of regulation. Interestingly, although medical devices themselves are exempt from the CRA because the MDR and IVDR already apply to them, the CRA does apply to digital components, services and applications that are not medical devices as defined by the MDR/IVDR – and these are increasingly common in the healthcare sector.

In this blog post, we look at what the Cyber Resilience Act regulates, why it has a significant impact on manufacturers in the healthcare market despite the exclusion of medical devices, and how it interacts with other rules such as the NIS2 Directive and US requirements. In addition, we provide a compact checklist of what companies should pay attention to now.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation (Regulation (EU) 2024/2847) that aims to substantially raise the cyber security of products with digital elements. These include:

  • Software (e.g. apps, operating systems, communication applications)
  • IoT devices (e.g. smart wearables, networked household appliances)
  • Industrial controllers that have direct or indirect Internet connections

The aim of the CRA is to set uniform minimum cyber security requirements across the entire product life cycle: from development (“security by design”) through placing on the market and operation to patch and update management. In concrete terms, this means for manufacturers:

The CRA is thus a response to the rising number of cyberattacks that accompanies the increased use of digital technologies and networked devices. For manufacturers in all sectors – but especially in the healthcare sector – the law creates a binding framework for greater cyber security.


Significance for the healthcare sector

Although medical devices (e.g. certified surgical robots, implants, insulin pumps) are excluded from the scope of the CRA because the MDR and IVDR already apply to them comprehensively (with standards such as IEC 81001-5-1 describing the state of the art for software security), the new law nevertheless has a considerable knock-on effect on the healthcare sector. Why?

Medical devices (as defined by the MDR/IVDR) are already subject to strict cyber security requirements. IEC 81001-5-1 fleshes these out for health software by defining the security activities expected across the product life cycle, from threat modelling and security risk management to security testing and vulnerability handling. Manufacturers must therefore demonstrate that their medical devices are protected against, for example, tampering and data leakage.

CRA: “Expansion” of the regulatory spectrum

The Cyber Resilience Act comes into play when digital functions or systems do not fall within the scope of the MDR or IVDR; the uniform requirements of the CRA then apply instead. In certain aspects, the CRA goes beyond what the MDR demands, for example the obligation to report actively exploited vulnerabilities and severe incidents to the competent CSIRT and ENISA on a 24-hour early-warning timeline, or the duty to provide security updates throughout the product's support period.

Practical example:

NIS2 for operators and manufacturers

The NIS2 Directive (Directive (EU) 2022/2555, in force since January 2023 and due for national transposition by October 2024) strengthens cyber security in critical infrastructures, including the healthcare sector. Hospitals and other “essential and important entities” must now meet increased requirements for risk analysis, incident management and reporting. Manufacturers are not addressed directly by NIS2, but because the operators' obligations explicitly cover supply-chain security, operators will pass requirements on to their suppliers: products (whether medical devices or not) must be designed securely and come with sufficient technical and security information for the customer.

A look at the USA: FDA and Co.

In the USA, the FDA (Food and Drug Administration) is a leader in the regulation of cyber security in the medical device sector: its premarket cybersecurity guidance and Section 524B of the FD&C Act (in force since 2023) require cyber security documentation, including a software bill of materials, for “cyber devices”. There is, however, no direct counterpart to the Cyber Resilience Act. The U.S. Cyber Trust Mark is a voluntary FCC labelling programme aimed at the consumer IoT market. International manufacturers must therefore comply with EU requirements (CRA, MDR, IVDR) and US requirements (FDA guidance and Section 524B) if they operate in both markets.


Consequences for manufacturers of healthcare software

Checklist: Cyber Security for manufacturers

Additional meaningful activities

Conclusion and outlook

Although the Cyber Resilience Act formally excludes medical devices that are already regulated by the MDR and IVDR, it is clear that networked software components in the healthcare sector can still fall within the scope of the CRA. Apps, cloud services and peripheral systems used alongside medical devices in particular, where they are not themselves medical devices, are subject to the strict requirements of the CRA.

This creates an extended regulatory framework that takes account of the increasing cyber threats and promotes a holistic approach to security in the healthcare sector. Companies operating in the healthcare sector should therefore take the following steps at an early stage:

  • Identify which parts of their products fall under the CRA and which under the MDR/IVDR.
  • Merge the requirements into a common compliance and security concept.
  • Talk to clinics and other operators that have to comply with NIS2 obligations.

With the CRA, the EU is sending a clear signal for more security in networked systems. The main obligations apply from 11 December 2027, with the vulnerability and incident reporting obligations applying earlier, from 11 September 2026, so there is still some time – but given the dynamic threat situation, it is worth starting implementation immediately. Only those who think “security by design” today and establish seamless processes will be able to hold their own in an environment shaped by a growing number of rules and gain the lasting trust of patients, users and institutions.

The experts at BAYOOMED and BAYOOCARE support you in the development of your digital health application – from regulatory consulting to post-market surveillance (PMS). Arrange an appointment for an initial consultation.