Medical devices excluded from EU Cyber Resilience Act (for now)

Back in September, the European Commission published its proposal for a new Cyber Resilience Act which would strengthen the cybersecurity of products with digital elements on the EU market. The proposal aims to ensure that such products are placed on the EU market with fewer vulnerabilities and that manufacturers take security seriously throughout the life cycle of their goods. However, specifically excluded from the scope of the proposed Act are products which are already covered by sector-specific legislation, including medical devices and in vitro diagnostic devices. As a result, medical device manufacturers will not need to comply with the Cyber Resilience Act once it is negotiated and has entered into force.

Of course, this does not mean that there are no cybersecurity requirements for medical devices. Indeed, provisions can be found throughout the EU’s medical device regulations which are either directly or indirectly relevant to cybersecurity. In particular, the Annex I General Safety and Performance Requirements (GSPRs) state that manufacturers must take into account principles of risk management, including information security, when developing their devices. To this end, software is to be verified and validated through methods such as security feature testing, fuzz testing, vulnerability scanning and penetration testing.[1]

Nevertheless, the exclusion of medical devices from the scope of the proposed Cyber Resilience Act will come as a relief to manufacturers worried about the prospect of new cybersecurity rules. Concerns over the expanding list of regulatory requirements in the EU initially arose in 2021 following the publication of a draft AI Act which is intended to apply on top of the medical device regulations.[2] By specifically excluding goods already covered by sector-specific legislation (like medical devices) from the proposed Cyber Resilience Act, the Commission appears to be trying to limit the number of regulations that may apply to a single product.

However, medical device manufacturers are not yet in the clear when it comes to the Cyber Resilience Act. In its recently published opinion, the European Data Protection Supervisor (EDPS) argued that medical devices should in fact be included in the scope of the proposed Act. The EDPS claims that this is necessary as the cybersecurity provisions of the medical device regulations are not sufficiently clear and lack specific requirements that devices should be delivered without any known vulnerabilities and that the relevant data is encrypted. 

Ultimately, it remains to be seen whether the final version of the Cyber Resilience Act will be amended to include the EDPS’s suggestions or whether medical devices will remain excluded from its scope. We are keeping a close eye on these developments - subscribe to our newsletter to stay up-to-date!

[1] The MDCG has published a guidance document (MDCG 2019-16) which goes into further detail on the cybersecurity requirements in the MDR and IVDR.

[2] For more information, see our blog post: How the EU’s new AI laws will impact your medical device.