Effective June 27, 2019, Regulation (EU) 2019/881, better known as the European Cybersecurity Act, aims to establish a European reference framework for the cybersecurity certification of information and communication technology (ICT) products and digital services. Certifications already obtained and so far recognized only at national level will remain valid until their natural expiry.
Even manufacturers of electronic Medical Devices that use modern information technology (e.g. sensors, wearable devices, remote monitoring technologies, etc.) will have to comply with the requirements of the aforementioned Regulation. As a result, they will have to put in place cybersecurity measures aimed at reducing or eliminating any threats.
At European level, the cybersecurity regulatory framework currently consists of Directive (EU) 2016/1148 (better known as the NIS Directive) and Regulation (EU) 2016/679 on the processing of personal data (GDPR), which entered into force May 25, 2019. With the new Cybersecurity Act, the circle closes.
On March 19, 2019, the European Parliament commissioned ENISA (the European Network and Information Security Agency) to establish European certification schemes in accordance with the aforementioned Cybersecurity Act. Once adopted by the European Commission, these schemes will replace national regulations.
It is important to emphasize that the new Cybersecurity Act does not impose a single certification at European level, but lays the foundations for standardizing the existing certifications (of services, processes and digital products), ensuring their recognition in all EU member states.