Cybersecurity for medical devices: new official guidance released

Cybersecurity for medical devices: new official guidance released

On 6 January, the Medical Device Coordination Group (a European Commission’s Expert Group) released a long-awaited guidance on cybersecurity for medical devices. This document follows the publication of similar (draft) guidelines by the French ANSM in July.

The 2017 Regulations: essential safety requirements for medical devices

Two Regulations (745/2017 and 746/2017) on medical devices were adopted and entered into force in 2017. These legislative texts will apply progressively until May 2020 for medical devices and May 2022 for in vitro diagnostic medical devices.

Among other things, these Regulations lay down safety requirements to ensure that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks. Thus, manufacturers are required to set IT security measures for medical devices, including protection against unauthorised access. Cybersecurity requirements laid down by the Medical Devices Regulations deal both with pre-market and post-market aspects.

The recently-released guidance gives details to manufacturers on how they can fulfil the requirements set in the Regulations when it comes to cybersecurity. This document can also be of interest to other stakeholders.