EU Cybersecurity
Increasing digitization and interconnectedness have led to a rise in malicious cyber activity around the world. To address these growing threats, the European Commission has introduced new cybersecurity rules and regulations that will affect the health technology sector.
On 17 January, the NIS 2 Directive came into effect, updating EU legislation on the security of network and information systems (the NIS Directive). The new law covers large companies and sectors that are considered very important for the economy and society. The scope of NIS 2 has been expanded to cover manufacturers of medical devices and in vitro diagnostic medical devices (IVDs).
NIS 2 divides the businesses within its scope into two categories, "essential" and "important" entities. Manufacturers of medical devices and IVDs are classified as "important" entities.
The directive also classifies companies that manufacture medical devices considered critical during a public health emergency as "essential". A different supervisory regime applies to each of the two categories.
"Important" entities are not routinely required to document compliance with cybersecurity measures, and competent authorities will only act if evidence comes to their attention suggesting a possible breach of the directive. For "essential" entities, however, NIS 2 provides for more detailed monitoring, including requirements for competent authorities to conduct on-site inspections and off-site supervision, as well as targeted security audits and inspections.
Both "essential" and "important" entities are subject to further requirements, including:
a comprehensive risk management system covering all links in the supply chain;
enhanced management obligations, such as a requirement for management bodies to oversee the implementation of cybersecurity risk management measures; and reporting of cybersecurity incidents within a specified period. Note that NIS 2 provides for administrative fines where the risk management and reporting obligations are not complied with, of up to 7 million euros for "important" entities and up to 10 million euros for "essential" entities.
Health technology companies should also be aware of the Cyber Resilience Act (CRA). Medical devices and IVDs fall outside the scope of the current legislative proposal, but the European Data Protection Supervisor (EDPS) has urged that the scope be expanded to include them.
In an opinion published in November last year, the EDPS considers that the protection afforded by the Medical Devices Regulation (MDR) is "not as exhaustive as that of the CRA" and argues that, while the MDR introduces an obligation "to establish, implement, document and maintain a risk management system", it is not clear whether this also covers aspects related to cybersecurity and data protection.
As the medical device industry in Europe continues to grow and develop, European policy makers are seeking to introduce further regulation to ensure the safety of European patients while protecting innovation in the region.
With the NIS 2 Directive layering another cybersecurity regime on top of those introduced by the MDR for the health technology industry, and with the CRA on the horizon, one thing is clear: strategic engagement and close relationships with decision makers are now more important than ever for health technology companies, both to ensure that they are fully compliant with the law and that the law is fit for purpose.