EU cybersecurity laws for medical devices are advancing, and the use of software medical devices is increasing daily. The increased interconnection of medical devices to computer networks and technological convergence have made devices and software programmes vulnerable to mishaps.

The importance of protecting patient data from cyber-attacks is now well recognised. With the advancement of software as a medical device, proper regulations must be established to ensure the safety and security of medical devices.

Read our article on SaMD regulations in the EU and UK to understand software medical devices. This article discusses the cybersecurity aspects of medical devices.

Why is cybersecurity important for medical devices?

Medical devices contain crucial patient information. Healthcare data has been the most common target for data breaches for over a decade. These breaches lead to data leaks, and outdated software can even put patient lives in danger.

EU Cybersecurity Laws for medical devices

Within the EU, the following legislative acts apply concurrently with the Medical Devices Regulations. They are important to the cybersecurity of medical devices and to operators dealing with the protection or processing of personal data held in medical devices:

  • NIS Directive or Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
  • GDPR (General Data Protection Regulation) or Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons regarding the processing of personal data and the free movement of such data
  • EU Cybersecurity Regulation or Regulation (EU) 2019/881 of the European Parliament and the Council on ENISA (the European Union Agency for Cybersecurity) and information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

NIS Directive or Directive 2016/1148 aims to achieve cybersecurity in the EU by ensuring the following aspects:

  • Increasing the preparedness of Member States by requiring them to be appropriately equipped
  • Ensuring cooperation among the Member States by setting up a cooperation group. This includes setting up a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority
  • A culture of security in all vital economic sectors like banking, energy, transport, etc.

GDPR (General Data Protection Regulation) or Regulation (EU) 2016/679 governs the processing of personal data belonging to individuals in the EU. Personal data is any information used to identify or find a living person. Separate pieces of information that, when gathered together, can lead to the identification of a specific person also constitute personal data.

EU Cybersecurity Regulation or Regulation (EU) 2019/881 establishes a European Cybersecurity Certification Framework for ICT products and services and specifies the tasks of the European Union Agency for Network and Information Security (ENISA) in the field of cybersecurity.

In addition to the above, it is imperative to follow the International Medical Device Regulators Forum (IMDRF) guidelines.

EU MDR Requirements on Cybersecurity

Specific cybersecurity requirements for medical devices are mentioned in Annex I of EU MDR 2017/745. The following flowchart summarises the cybersecurity requirements mentioned in Annex I.

Source: MDCG Guidance on Cybersecurity

The following list of MDR provisions applies to all medical devices, including software medical devices. The documentation requirement is the same for medical and software medical devices, but the content of the documents varies.

  • Conformity assessment procedures: Article 52
  • Post-market surveillance (PMS) system, PMS plan and report: Articles 83-85
  • Periodic safety update report: Article 86
  • Reporting of serious incidents and field safety corrective actions: Article 87
  • Trend reporting: Article 88
  • Analysis of serious incidents and field safety corrective actions: Article 89
  • Technical documentation: Annex II and Technical documentation on post-market surveillance: Annex III
  • Clinical evaluation and post-market follow-up: MDR Chapter VI and Annex XIV


Are labels required for software medical devices?

Yes, software medical devices are required to have appropriate labels. It is essential to convey the relevant information to the end user. This is done by labelling the product with information on the potential risks associated with it, the preventive measures to be taken and any other relevant information for the end user.

As per the IMDRF guidance document, labels should include the following information:

  • Device instructions and product specifications for the intended use environment
  • Description of backup features
  • Guidance to users regarding supporting infrastructure requirements for the device to operate as intended
  • A description of how the device is protected or can be protected using a secure configuration. Secure configurations may include anti-malware
  • Complete list of network ports and other interfaces of the device
  • Detailed system diagrams for end users
  • Where appropriate, risks of using the medical device outside of the intended use environment
  • A description of procedures for download and installation of updates

Annex I Section 23.2 of EU MDR 2017/745 specifies labelling requirements. Some of the EU MDR 2017/745 requirements include:

  • Trade name or product name
  • Manufacturer name
  • Address of registered place of business
  • Precautions or warnings that require the immediate attention of the end user
  • Any other relevant information regarding the product

Do software medical devices require an Authorised Representative?

Software medical devices are not exempt from this requirement. An Authorised Representative (AR) must be appointed if the manufacturer is based outside the European Union. All obligations of the AR mentioned in Article 11 of the EU MDR 2017/745 apply.

Disclaimer: Regulations and legislation are subject to change from time to time, and the author claims no responsibility for the accuracy of information.