
What are the NIS 2 cybersecurity requirements for medical devices?

The new EU Network and Information Systems (NIS 2) Directive entered into force on 16 January 2023. NIS 2 is part of the EU’s 2nd Cybersecurity Strategy which aims to strengthen resilience to cyber threats and promote “trustworthy digital technologies”.[1]

Member States now have 21 months to transpose the Directive into national law, at which point NIS 2 will start applying to all covered entities. In this post we discuss the new NIS 2 cybersecurity requirements in relation to medical devices and how manufacturers can prepare for the transition.

The NIS 2 requirements

NIS 2 builds upon the original NIS Directive. In particular, it expands the scope of the regime to cover manufacturers of medical devices and IVDs. Under NIS 2, medical device manufacturers are generally classed as ‘important entities’. However, if the device is considered “critical during a public health emergency”[2] then the manufacturer may qualify as an ‘essential entity’.

The difference between important and essential entities largely comes down to the degree of enforcement and oversight. National competent authorities may investigate essential entities at any time (this may include regular audits and random inspections). By comparison, investigations of important entities should only be carried out after a cybersecurity incident has occurred.

For both important and essential medical device manufacturers, the key NIS 2 obligations are as follows:

  • Cybersecurity risk management measures – the minimum measures that must be implemented include risk analysis and information security policies, incident handling procedures, supply chain security and cybersecurity training.
  • Reporting obligations – national authorities are to be notified of any significant[3] cybersecurity incidents. Notification happens in phases: an ‘early warning’ within 24 hours of the entity becoming aware of the incident, followed by a more comprehensive ‘incident notification’ within 72 hours. A ‘final report’ should then be submitted within one month of the initial notification.

Preparing for NIS 2

The deadline for EU Member States to transpose NIS 2 into national law is 18 October 2024. In preparation for this, manufacturers will need to determine whether they carry out any activities captured by the NIS 2 Directive. For health-related technology, this will generally be a question of whether the entity is specifically manufacturing medical devices (as defined in the MDR) or in vitro diagnostic devices (as defined in the IVDR).

If it is established that NIS 2 does apply, manufacturers should then start updating their cybersecurity risk management measures in accordance with the requirements of the Directive. Since NIS 2 creates a new requirement for manufacturers to ensure security throughout their supply chain, particular attention should be paid to these risks where relevant. It is also important that manufacturers fully document any updates made to their cybersecurity practices, as this documentation helps demonstrate compliance with NIS 2.

Finally, manufacturers should keep an eye on other EU cybersecurity legislation. Last year, the Commission published its proposal for a new Cyber Resilience Act which will create cybersecurity requirements for hardware and software-based products placed on the market in the EU (this differs from NIS 2 which establishes obligations for certain entities rather than the products themselves). The Cyber Resilience Act is not currently expected to cover medical devices. However, it is possible that this may change with the publication of the final version of the Act.[4]

How we can help

If you need help figuring out whether or not your product is a medical device, please consider registering your interest in Regtik – our healthcare regulatory explorer tool.

Regtik can help you navigate the legal maze by walking your product through a series of simple questions designed to determine its regulatory status and to provide guidance on which market rules apply. It is able to provide results for various jurisdictions (the US, EU, UK and Australia) in one single assessment and can be used multiple times on different versions of your product.

If you are interested in learning more about Regtik or would like to request a demo, please contact any member of our team or register your interest below.


[1]  European Commission Policy, The Cybersecurity Strategy

[2]  In the event of a public health emergency, the Medical Device Shortages Steering Group (MDSSG) will adopt a list of critical medical devices. Only manufacturers of devices on the public health emergency critical devices list are to be considered essential entities.

[3]  According to Article 23 of NIS 2, an incident shall be considered significant if:

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

[4]  For more information, see our blog – Medical devices excluded from EU Cyber Resilience Act (for now)