The topic of cybersecurity is increasingly important nowadays, especially in critical areas such as public health and the medical sector: for this reason, the European Union intends to strengthen IT systems to ensure that everyone can benefit from services and use digital tools in an increasingly secure and reliable manner.

Since 2020, the European Commission and the European External Action Service (EEAS) have been working on an EU cybersecurity strategy to strengthen Europe’s resilience against cyber threats, which was adopted in March 2021.

On 27 December 2022, Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity in the Union was published, which, after transposition by the Member States, will amend Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972 as of 18 October 2024 and repeal Directive (EU) 2016/1148 (NIS 2 Directive).

Article 1 of Directive (EU) 2022/2555 establishes obligations for Member States to adopt national cyber security strategies and to designate or create National Competent Authorities, cyber crisis management authorities, single security contact points (single points of contact) and cyber security incident response teams.

The measure also defines cybersecurity risk management measures and reporting obligations for entities operating in highly critical sectors, including the medical sector, or otherwise critical, as well as cybersecurity information sharing and communication (vigilance) obligations.

The Directive also has a strong impact in the health and medical sector, as a high criticality sector according to Annex I Dir.2022/2555, and applies to several stakeholders including:

  • EU designated reference laboratories to support national laboratories (Article 15 Reg. (EU) 2022/2371.
  • Manufacturers of Medical Devices considered critical during a public health emergency. The list of critical devices for public health emergencies is established in Article 22 of Regulation (EU) 2022/123.
  • Manufacturers of Medical Devices (Article 2, point 1 MDR (EU) 2017/745) and in vitro diagnostic Medical Devices (Article 2, point 2 IVDR (EU) 2017/746) with the exception of manufacturers Medical Devices considered critical during a public health emergency.

The level of application of cybersecurity in the medical sector has already had an initial development with the MDR (EU) 2017/745 and IVDR (EU) 2017/746, which, in Annex I, define the need to handle personal data appropriately. Certainly, the publication of Directive 2022/2555 brings an important benchmark for demonstrating compliance with the regulatory requirements imposed for data security.

To stay informed about updates on requirements and regulatory changes in Europe and worldwide, subscribe to our Newsletter.

>>> Through our strategic-regulatory consulting services, CE certification support and, where necessary, European Authorised Representative, Thema can support you in fulfilling the requirements of the MDR (EU) 2017/745 Medical Device Regulations, including cybersecurity.

Contact us for more information.