The European Commission published a proposal for a Cyber Resilience Act (“CRA”). The aim of the proposed CRA is to strengthen cybersecurity for connected products. The proposed CRA would establish common cybersecurity standards for software and hardware products the foreseeable or intended use of which involves connection to a network.
While it is now certain that the medical device and IVD industry will be required to comply with the cybersecurity requirements in the NIS 2 Directive, as discussed in our previous blog post, whether or not it will be in scope of the CRA is still unknown. The proposed CRA which was published by the European Commission on September 15, 2022, excludes medical devices and IVDs governed by the Regulation (EU) 2017/745 on medical devices (“MDR”) and Regulation (EU) 2017/746 2017 on in vitro diagnostic medical devices (“IVDR”) (“Regulations”) from its scope of application. The draft CRA considers that the Regulations provide sufficient information technology security obligations for manufacturers of medical devices and IVDs throughout the life cycle of their products by establishing risk management principles and conformity assessment procedures listed in Annex I of the Regulations.
However, the European Data Protection Supervisor (“EDPS”) disagrees with this conclusion and the related justification. In its recently published opinion, the EDPS notes that the general safety measures established in sectoral legislation are not sufficiently concrete. Specifically, the EDPS considers that the MDR does not impose an obligation on medical device manufacturers to ensure that unknown vulnerabilities are not present in their final products and does not require data encryption for medical devices. Moreover, the EDPS suggests that while the MDR requires manufacturers to establish a risk management system, it is unclear whether cybersecurity and data protection are covered under this system.
The EDPS opinion does not, however, take into consideration the guidance of the Medical Device Coordination Group on cybersecurity. This guidance lays down requirements to support manufacturers in developing their products on the basis of principles of risk management, including information security. Although it is non-binding, experience suggests that the cybersecurity requirements foreseen in the guidance are respected by the med tech industry.
Unlike the EDPS, Med Tech Europe supports a sectoral approach to cybersecurity requirements for medical devices. Med Tech Europe’s response to the European Commission’s impact assessment for the CRA highlighted the need to avoid potential inconsistencies between cybersecurity obligations foreseen in the CRA and the Regulations that could cause legal uncertainty and create unnecessary burdens on manufacturers.
The proposed CRA will now be reviewed, and potentially amended, by the European Parliament and the Council of the European Union in accordance with the Ordinary Legislative Procedure. Although it is difficult to predict when the European Parliament and the Council will reach an agreement on the final text of the Act, it is estimated that this may take up to two or possibly three years. According to the proposed text, the CRA would apply two years after its date of adoption. There is an exception from this implementation date for cybersecurity incident and vulnerability reporting obligations which would enter into application one year after the CRA enters into force.
Main provisions of the proposed CRA
If the scope of the proposed CRA were extended to apply to medical devices and IVDs, it would establish minimum cybersecurity requirements for connected medical devices and IVDs and impose transparency obligations on manufacturers in relation to cybersecurity properties of devices.
Some key provisions of the proposed CRA are:
- products with digital elements will be required to meet “essential cybersecurity requirements” listed in Annex I to the proposed CRA to be placed and remain on the EU market. These requirements include technical standards and organizational measures;
- manufacturers will be required to conduct a risk assessment and consider the results of such assessment throughout all stages of the life cycle of their product;
- manufacturers will be required to perform due diligence on components supplied by third party economic operators and incorporated in their products;
- products will be accompanied by security information and instructions listed in Annex II to the proposed CRA, including the type of IT security support provided by the manufacturer, instructions detailing the installation of security-related updates, information on the impact of changes to the product on data security, etc.;
- products designated as “critical” will have to undergo a conformity assessment involving a third-party body. All other products will be subject to a self-assessment procedure to establish conformity;
- actively exploited vulnerabilities and incidents are to be reported to ENISA within 24 hours of awareness and users are to be informed of incidents and corrective measures available without undue delay; and
- national authorities are to impose administrative fines of a maximum of € 15 million or 2.5% of the total worldwide annual turnover for non-compliance with essential cybersecurity requirements.
This blog was authored by Elizabeth Anne Wright, Alexander Wenzel and Anastasia Vernikou.
 Article 42(1) of Regulation (EU) 2018/1725 establishing rules for processing of personal data by EU institutions provides that the European Commission is required to consult the EDPS upon the adoption of a proposed legislative act if “there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data”.