Productwise
Legal insight for product manufacturers who are changing the world
Elizabeth Anne Wright and Alexander Wenzel
Cybersecurity requirements established in the NIS 2 Directive apply to medical device manufacturers
A recent legislative development concerning cybersecurity is relevant for the medical technology industry. This is the update to Directive (EU) 2022/2555 on the Security of Network and Information Systems (“NIS 2 Directive”). The NIS 2 Directive forms part of the EU’s Cybersecurity Strategy and establishes cybersecurity risk management measures and reporting requirements for highly critical sectors. This includes the medical device industry.
Cybersecurity requirements for medical device and IVD manufacturers in the NIS 2 Directive
The NIS 2 Directive, in addition to the information technology security measures established in Regulation (EU) 2017/745 on medical devices (“MDR”) and Regulation (EU) 2017/746 2017 on in vitro diagnostic medical devices (“IVDR”) (“Regulations”), imposes on medical device and IVD manufacturers additional cybersecurity requirements established in the NIS 2 Directive. The Directive repeals and replaces the NIS Directive which entered into force in 2016. The NIS Directive established measures for a common high level of cybersecurity for critical infrastructures across the EU. Given the increasing number of cyberthreats and cyberattacks and the fragmented implementation of the NIS Directive across EU Member States, the European Parliament and the Council adopted the NIS 2 Directive in November 2022.
Among the key updates are:
Next steps
The NIS 2 Directive was published in the Official Journal on December 27 and will enter into force 20 days after its publication. EU Member States will then have 21 months to transpose the Directive into national law.
Medical device manufacturers should start considering the organisational, financial and technical measures that will be required to comply with the requirements established in the NIS 2 Directive.
This blog was authored by Elizabeth Anne Wright, Alexander Wenzel and Anastasia Vernikou.
Follow this blog and receive emails with new posts and timely news from Cooley
Read more about our global practice
Disclaimer
This blog is provided for general informational purposes only and no attorney-client relationship with the law firm Cooley LLP and Cooley (UK) LLP is created with you when you use the blog. By using the blog, you agree that the information on this blog does not constitute legal or other professional advice. Do not send any confidential information through the blog or by email to Cooley LLP and Cooley (UK) LLP, neither of whom will have any duty to keep it confidential. The blog is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments. The opinions expressed on the blog are the opinions of the authors only and not those of Cooley LLP and Cooley (UK) LLP.
Attorney advertisement. Prior results do not guarantee a similar outcome. If you have any questions, for purposes of attorney advertising rules, please contact Cooley LLP, 3175 Hanover Street, Palo Alto, CA 94304, +1 650 843 5000
Legal notices & privacy policy
