MDR-IVDR Amendment Proposals: What About Cybersecurity?

As the EU strengthens its regulatory framework around digital resilience, the health sector finds itself at the heart of new cybersecurity expectations. With proposed amendments to MDR and IVDR on the table, some pressing questions remain: What do these changes mean for medical device manufacturers and how should they respond?

Cybersecurity in the EU Health Sector: A Critical Shift

The cybersecurity landscape in the European Union has become increasingly critical, prompting the EU to adopt regulations and directives, such as NIS2 (the Network and Information Security Directive, which entered into force in January 2023) [1], to address resilience needs across both private and public sectors. Health is listed as a “sector of high criticality” under NIS2*, making cybersecurity paramount for product design, development, and sales, particularly for medical devices and in vitro diagnostic medical devices.

Medical device manufacturers marketing products in Europe must recognize that their systems will be integrated into critical infrastructure and connected to hospital networks, where they can serve as entry points for attackers. A compromised device is therefore simultaneously a patient-safety hazard, a potential breach of sensitive health data, and a foothold from which essential infrastructure assets can be reached.

MDR and IVDR Amendments: A Focus on Competitiveness and Security

It is recognized that the “EU is a world leader in medical devices and that in the Union, the sector employs close to one million people, mostly in small and medium-sized enterprises” (SMEs) [2]. In this context, the European Commission has proposed an “ambitious package of measures to improve the health of EU citizens, while ensuring the long-term resilience and competitiveness of the health sector” [2]. These include amendment proposals for the MDR (Medical Device Regulation) and IVDR (In Vitro Diagnostic Regulation). The policy areas concerned are explicitly laid down in the proposal document: “Competitiveness, prosperity and security”.

As the new amendment proposals focus on fostering market access for medical devices while reducing compliance burden and costs, the question is how these proposals would impact cybersecurity-related requirements for medical device manufacturers. Regarding cybersecurity, two important points are explicitly mentioned: the interplay between the Cyber Resilience Act (CRA) [3] and MDR/IVDR, and the explicit inclusion of cybersecurity in Annex I.

Interplay between the CRA and MDR/IVDR

Background for those unfamiliar: The CRA, a recently released horizontal regulation (entered into force in 2024), aims to strengthen security requirements for products with digital elements that connect to devices or networks, whether directly or indirectly. In the amendment proposal, cybersecurity-specific terms like “ENISA” (The European Union Agency for Cybersecurity), “CSIRT” (computer security incident response team) and “actively exploited vulnerabilities” now appear explicitly. These terms are defined in CRA and NIS2, but were previously absent from MDR/IVDR regulations.

Two substantially equivalent new Articles, 87a for MDR and 82a for IVDR, are proposed to address a critical cybersecurity vigilance gap between MDR/IVDR and CRA. The current rules require reporting of cybersecurity-related incidents only if they qualify as serious incidents affecting public health or patient safety, leaving other incidents unreported. Articles 87a and 82a would require manufacturers to report actively exploited vulnerabilities and severe incidents impacting device security, with notifications sent to CSIRTs and ENISA. This change would oblige medical device manufacturers to strengthen vigilance practices concerning operational cybersecurity and product security.

Cybersecurity in general safety and performance requirements

The amendment proposal states: “In Annex I MDR/IVDR, cybersecurity will be explicitly mentioned in the general safety and performance requirements”. Proposed measure:

Section 17.4. is replaced by the following: ‘17.4. Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics, IT security measures and cybersecurity, including protection against unauthorised access, necessary to run the software as intended.’ (The corresponding requirement in IVDR Annex I is Section 16.4.)

By listing “IT security measures” and “cybersecurity” side by side, the proposal makes clear that the two are not the same thing and that “IT security measures” cannot be read as covering everything. What the distinction means in practice, and what a manufacturer must document for each, is left open and remains a regulatory question to be clarified.

Why could this regulatory approach surprise those working in the sector?

This regulatory approach may surprise many professionals in the field because it creates a clear paradox. Modern medical devices rely heavily on connectivity, software, and cloud-based functionalities, making them technologically similar to many products regulated under the CRA. Yet, despite this similarity in cybersecurity risk profile, products covered by the MDR and IVDR are explicitly placed outside the CRA’s scope**. At first glance, this exclusion leaves cybersecurity experts, system integrators, product developers, and system engineers perplexed.

The CRA is a 75 page horizontal regulation that introduces strict cybersecurity obligations across a wide variety of connected products. Given that today’s medical devices operate as IoT systems, include embedded and third-party software, and interact with digital infrastructures, one would reasonably expect them to fall under the same cybersecurity expectations.

However, MDR and IVDR do not directly contain cybersecurity requirements comparable to those in the CRA. While MDR/IVDR briefly mention information security or IT security, these references are only tangential. They do not provide the explicit, prescriptive cybersecurity framework that manufacturers would need, particularly those who consider MDR and IVDR the primary reference point for CE marking compliance. This absence naturally creates uncertainty about how to properly implement cybersecurity measures.

Lack of CRA Support Provisions for SMEs

Additionally, the situation is even more surprising when considering the role of SMEs. During the development of the CRA, SMEs and microenterprises were actively consulted, and the regulation includes Article 33, which provides dedicated support measures for them. These include, among others, awareness raising, training and simplified documentation formats. Yet none of these support provisions appear explicitly in the MDR/IVDR amendment proposals. Since the CRA does not apply to MDR/IVDR regulated products, medical device manufacturers would not be eligible for Article 33’s support mechanisms for those products.

This is particularly controversial given that the EU medical device industry is predominantly composed of SMEs, and implementing and maintaining cybersecurity requires substantial financial and operational investment. As a result, small medical device vendors and startups would need to rely solely on MDR/IVDR requirements, without the complementary support mechanisms that the CRA provides to other sectors.

Final Considerations and Recommendations

The new amendment proposals introduce higher expectations for cybersecurity across both medical devices and the Quality Management Systems supporting them. A CE marked product under MDR/IVDR does not automatically guarantee that it was developed using a structured secure development lifecycle such as IEC 81001-5-1 (which builds on the IEC 62304 software lifecycle), as these standards are not yet harmonized. Such standards require that cybersecurity activities, from threat modeling to vulnerability handling, are integrated from the earliest design phases rather than added as an afterthought.

Even manufacturers who already follow NIST (National Institute of Standards and Technology) processes, monitor the NVD (National Vulnerability Database) and CISA’s KEV Catalog (Known Exploited Vulnerabilities), and maintain robust documentation should additionally consider ENISA’s guidelines and the EU Vulnerability Database (EUVD), which ENISA operates under NIS2. However, this is only part of the picture.

Looking Ahead: A Call to Action

Given the vastness of cyberspace and the complexity of modern threats, the MDCG (Medical Device Coordination Group) has already published a 46 page guidance document (MDCG 2019-16 Rev.1 [4]) to clarify how MDR/IVDR address security and to support manufacturers preparing devices for the EU market. This topic was addressed in a previous article [5] for those interested, and it remains relevant with the new amendment proposals.

Familiarity with this guidance remains essential for understanding how cybersecurity should be implemented under MDR/IVDR, including expectations regarding vigilance mechanisms, supply chain security, and the distribution of responsibilities between manufacturers, system integrators, and healthcare providers.

The key question for all manufacturers remains: Do you have cybersecurity fully integrated into your QMS and your products?

If you’re unsure and would like some support, get in touch today.

*ANNEX I, SECTORS OF HIGH CRITICALITY [1]
** See Article 2, Scope, point 2 [3]

REFERENCES

[1] European Parliament & Council of the European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive). https://eur-lex.europa.eu/eli/dir/2022/2555/oj

[2] European Commission. (2025). New measures to make EU health sector more innovative, competitive and resilient. https://ec.europa.eu/commission/presscorner/detail/en/ip_25_3077

[3] European Parliament & Council of the European Union. (2024). Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act). https://eur-lex.europa.eu/eli/reg/2024/2847/oj

[4] Medical Device Coordination Group. (2020). MDCG 2019-16 Rev.1: Guidance on cybersecurity for medical devices. European Commission. Available at: https://health.ec.europa.eu/medical-devices-sector/new-regulations/guidance-mdcg-endorsed-documents-and-other-guidance_en#sec2

[5] https://plantvision.se/en/insights/articles/cybersakerhet-for-medicintekniska-produkter/

Subject matter expert

Giovanni Russo
Consultant Quality & Regulatory Medtech/IVD
