CR, CY · Mar 11, 2021

On Medical Device Cybersecurity Compliance in EU

arXiv:2103.06809v1 · 15 citations
AI Analysis

This addresses compliance challenges for medical device manufacturers in the EU, but it is incremental as it reviews existing guidance and concepts.

The paper tackles the challenge of complying with new cybersecurity requirements under the EU's Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR), resulting in the identification of four core concepts that form a foundation for cybersecurity compliance.

Medical device products on the European Union market must be safe and effective. To ensure this, medical device manufacturers must comply with the new regulatory requirements brought by the Medical Device Regulation (MDR) and the In Vitro Diagnostic Medical Device Regulation (IVDR). In general, the new regulations increase regulatory requirements and oversight, especially for medical software, and this is also true for requirements related to cybersecurity, which are now explicitly addressed in the legislation. The significant legislation changes currently underway, combined with increased cybersecurity requirements, create unique challenges for manufacturers to comply with the regulatory framework. In this paper, we review the new cybersecurity requirements in the light of currently available guidance documents, and pinpoint four core concepts around which cybersecurity compliance can be built. We argue that these core concepts form a foundation for cybersecurity compliance in the European Union regulatory framework.
