A recent legislative development concerning cybersecurity is relevant for the medical technology industry: Directive (EU) 2022/2555 on the Security of Network and Information Systems (“NIS 2 Directive”), which updates the original NIS Directive. The NIS 2 Directive forms part of the EU’s Cybersecurity Strategy and establishes cybersecurity risk management measures and reporting requirements for highly critical sectors. This includes the medical device industry.
Cybersecurity requirements for medical device and IVD manufacturers in the NIS 2 Directive
The NIS 2 Directive imposes on medical device and IVD manufacturers cybersecurity requirements that are additional to the information technology security measures established in Regulation (EU) 2017/745 on medical devices (“MDR”) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (“IVDR”) (together, the “Regulations”). The Directive repeals and replaces the NIS Directive, which entered into force in 2016. The NIS Directive established measures for a common high level of cybersecurity for critical infrastructures across the EU. Given the increasing number of cyberthreats and cyberattacks and the fragmented implementation of the NIS Directive across EU Member States, the European Parliament and the Council adopted the NIS 2 Directive in November 2022.
Among the key updates are:
- Expansion of the scope of application: The material scope of the NIS 2 Directive has been broadened to cover manufacturers of medical devices and IVDs. These manufacturers are classified as “important entities”. Moreover, manufacturers of a subset of devices considered “critical during a public health emergency” qualify as “essential entities”. The difference between the categories is that important entities are subject to ex post supervision regarding compliance with the requirements foreseen in the NIS 2 Directive whereas essential entities can be subject to both ex ante and ex post supervisory measures.
- Detailed risk management measures: Both essential and important entities must adopt the cybersecurity risk management measures provided in Article 21 of the Directive. These measures also extend to economic operators throughout the supply chain, i.e., direct suppliers and service providers, such as providers of data storage and processing services and managed security service providers.
- Obligations for senior management: “Management bodies” of important and essential entities are required to oversee implementation of cybersecurity risk-management measures and can be held liable for non-compliance. The NIS 2 Directive does not define the term “management bodies”, leaving it to the national legislation of individual EU Member States to provide a definition and determine the territorial scope of the term. However, Recital 76 suggests that the term refers to senior management and legal representatives.
- Staggered timeframe to report cybersecurity incidents: In accordance with the revised reporting obligations provided in the NIS 2 Directive, essential and important entities are required to:
  - notify competent authorities in phases, initially through submission of an “early warning” within 24 hours of becoming aware of significant cybersecurity incidents, followed by an incident notification within 72 hours;
  - prepare an interim report on request by the competent authority or computer security incident response teams (“CSIRTs”); and
  - submit a final report within 1 month of the incident notification. For comparison, incidents had to be notified “without undue delay” under the NIS Directive.
- Creation of a European vulnerability database: The European Union Agency for Cybersecurity (“ENISA”) is tasked with setting up and maintaining a database that will include information concerning publicly known vulnerabilities of products and services. Disclosure of information on the database is voluntary.
- Administrative fines: Article 34 of the NIS 2 Directive introduces administrative fines for essential and important entities that have not implemented risk management measures. Equivalent fines are introduced for failure to comply with reporting obligations. If a breach of these requirements is found, national authorities may impose fines of:
  - up to €7 million or 1.4% of the total worldwide annual turnover on important entities; and
  - up to €10 million or 2% of the total worldwide annual turnover on essential entities.
The NIS 2 Directive was published in the Official Journal on December 27 and will enter into force 20 days after its publication. EU Member States will then have 21 months to transpose the Directive into national law.
Medical device manufacturers should start considering the organisational, financial and technical measures that will be required to comply with the requirements established in the NIS 2 Directive.
This blog was authored by Elizabeth Anne Wright, Alexander Wenzel and Anastasia Vernikou.