Cybersecurity 2026: Requirements from the Cyber Resilience Act and IEC 81001-5-1

Authors:

Sebastian Wittor, Project Manager

Julia Schliesch, Marketing Generalist at BAYOOMED

By 2026 at the latest, cybersecurity will be a central component of regulatory compliance and corporate strategy. New legal requirements, stricter conformity assessments and growing demands along the entire product life cycle are forcing companies to critically review and further develop their cybersecurity structures.

The focus is on two sets of requirements in particular: the Cyber Resilience Act (CRA) and IEC 81001-5-1. The latter is now examined far more closely in audits and places stricter requirements on processes, organization and technical implementation.

Cyber Resilience Act: New standards for product cybersecurity

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) becomes even more relevant in 2026 as further stages of the regulation take effect: its vulnerability and incident reporting obligations apply from 11 September 2026, with full application following in December 2027. In medical technology, cybersecurity requirements have long been an established part of medical device development. The CRA now transfers comparable basic requirements to other areas, in particular to software and digital products in the healthcare sector that are not classified as medical devices (devices covered by the MDR are excluded from the CRA's scope and remain subject to the MDR's own requirements).

The Cyber Resilience Act requires that cybersecurity is considered systematically throughout the entire product life cycle. This includes, among other things:

  • Structured vulnerability handling, including the provision of security updates during the product's support period

  • Transparency about the software components used, by means of a software bill of materials (SBOM)

  • Secure software development processes

  • Defined response mechanisms for security incidents, including the reporting obligations for actively exploited vulnerabilities and severe incidents

IEC 81001-5-1: Anchoring cybersecurity in the development life cycle

IEC 81001-5-1 was published in 2021, but its importance keeps growing. Conformity assessment procedures examine cybersecurity aspects in ever greater detail, and many companies are finding that their existing development processes do not fully meet these requirements.

IEC 81001-5-1 supports companies in establishing a secure development life cycle in which cybersecurity is taken into account from the outset. This covers threat modeling and security risk analysis, security requirements, secure design decisions, security testing and documentation, and it extends into maintenance and vulnerability handling after release.

Practical experience clearly shows that implementing cybersecurity in line with IEC 81001-5-1 from the start is far more efficient than retrofitting security measures later. If cybersecurity is only addressed shortly before an audit, there is a high risk that the measures will prove insufficient and rework will be necessary.

Cybersecurity in the post-market phase: duty and risk at the same time

One area that is often underestimated is the post-market phase. Under the MDR, post-market surveillance obligations explicitly extend to cybersecurity (the MDCG 2019-16 guidance spells this out). Companies must establish processes to assess newly disclosed vulnerabilities in their components, monitor security reports and advisories, and implement suitable measures such as security updates.

Without adequate post-market cybersecurity processes, vulnerabilities in fielded devices can remain unnoticed and unpatched, leaving them exploitable at any time. In addition to regulatory consequences, there is the threat of reputational damage and negative public perception. At the same time, experience shows that a clearly defined process is usually easier to implement than expected once responsibilities and procedures are clearly defined.

Software supply chain security: targeted risk management

Software supply chain security describes measures that companies use to ensure that software remains secure and traceable throughout its entire life cycle. The focus here is on external components, processes and dependencies.

Third-party libraries and dependencies can speed up development processes, but they can also entail risks. Unknown or outdated components can introduce vulnerabilities that compromise the security of the entire product.

Another factor is the build, CI/CD and release process. A pipeline that is insecure or insufficiently controlled, for example one without access controls, integrity checks on dependencies or signed release artifacts, can deliver manipulated software to customers. Subsystems and integrations also enlarge the attack surface if security requirements and interfaces are not clearly defined.

It is crucial to keep an eye on risks throughout the entire life cycle. Software supply chain security does not end with the release, but requires continuous monitoring, vulnerability management and clear processes in the post-market phase.
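The SBOM transparency the CRA calls for and the supply chain checks described in this section can be automated as a release gate. The following Python script is an added example and not part of the original article or of any BAYOOMED tooling: it parses a constructed CycloneDX-style SBOM, flags components whose version is below a known fix version, components that carry no SHA-256 hash (and so cannot be verified), and components whose recorded hash does not match the artifact actually present in the build. The SBOM, the artifact bytes, the advisory entry and the package names `libfoo` and `oldlib` are all made up for illustration, and the advisory ID is hypothetical.

```python
"""Added example: audit a CycloneDX SBOM for outdated and unverifiable components.

Everything here is constructed for illustration: the SBOM, the advisory list
and the artifact bytes are made up, and the advisory ID is hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str  # "name@version"
    kind: str       # "vulnerable", "unverifiable" or "hash_mismatch"
    detail: str


def parse_version(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_sbom(sbom_json: str, advisories: dict, artifacts: dict) -> list:
    """Return one Finding per problem; an empty list means the SBOM is clean.

    advisories: version-independent purl -> {"id": ..., "fixed_in": ...}
    artifacts:  "name@version" -> bytes of the artifact actually in the build
    """
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        purl_base = comp.get("purl", "").split("@")[0]  # e.g. "pkg:pypi/oldlib"

        # 1. Outdated component: version below the advisory's fixed version.
        adv = advisories.get(purl_base)
        if adv and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            findings.append(Finding(label, "vulnerable", f"{adv['id']}, fixed in {adv['fixed_in']}"))

        # 2. Unknown provenance: no SHA-256 recorded, so the component cannot be verified.
        recorded = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        if recorded is None:
            findings.append(Finding(label, "unverifiable", "no SHA-256 hash recorded in SBOM"))
            continue

        # 3. Build/release integrity: the shipped artifact must match the SBOM hash.
        data = artifacts.get(label)
        if data is not None and sha256_hex(data) != recorded:
            findings.append(Finding(label, "hash_mismatch", "artifact differs from SBOM hash"))
    return findings


def release_gate(findings: list) -> bool:
    """True only when there are no findings; intended as a CI/CD gate before release."""
    return not findings


# Constructed artifact contents (stand-ins for real wheels or tarballs).
ARTIFACTS = {
    "requests@2.31.0": b"constructed bytes of requests-2.31.0",
    "oldlib@0.9.0": b"constructed bytes of oldlib-0.9.0",
}

# Constructed CycloneDX 1.5 JSON subset: requests carries a correct hash, libfoo
# carries none, and oldlib's recorded hash does not match the artifact (as it
# would after a tampered or non-reproducible build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["requests@2.31.0"])}]},
        {"type": "library", "name": "libfoo", "version": "1.0.2",
         "purl": "pkg:generic/libfoo@1.0.2"},
        {"type": "library", "name": "oldlib", "version": "0.9.0",
         "purl": "pkg:pypi/oldlib@0.9.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
    ],
})

# Constructed advisory data with a hypothetical ID; a real pipeline would pull
# this from a vulnerability database keyed by purl.
ADVISORIES = {
    "pkg:pypi/oldlib": {"id": "HYPOTHETICAL-ADV-0001", "fixed_in": "1.0.0"},
}


def run_sample() -> list:
    return audit_sbom(SAMPLE_SBOM, ADVISORIES, ARTIFACTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.kind:<14} {finding.component:<18} {finding.detail}")
    print("release allowed:", release_gate(run_sample()))
```

Run against the constructed sample, the gate blocks the release with three findings: libfoo is unverifiable, oldlib is both below its fix version and does not match the recorded hash. The same three checks map directly onto the audit questions raised above: do you know what is in the product, is it current, and is what you ship what you built.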

Audits 2026: Why preparation is crucial

IEC 81001-5-1, post-market cybersecurity and supply chain security in particular will be audited more strictly in 2026 and can produce unexpected nonconformities if companies are not adequately prepared. Companies that take a strategic approach to cybersecurity at an early stage not only reduce audit risks, but also create long-term security and transparency.

Conclusion: Tackle cybersecurity strategically and early on

Cybersecurity will become a decisive success and risk factor for many companies in 2026. The Cyber Resilience Act and IEC 81001-5-1 make it clear that cybersecurity can no longer be treated in isolation. It must be firmly integrated into development processes, organizational structures and the entire product life cycle.

It pays to plan the implementation of cybersecurity at an early stage, as this is significantly more cost-efficient for the overall project in the medium term. In the authors' experience, retrofitting the cybersecurity documentation alone can cost 1.5 to 2 times the effort of producing it during development, not counting the additional effort in requirements engineering and in adapting architecture and code. Companies that implement cybersecurity systematically from the start therefore reduce audit and liability risks and gain lasting transparency and security.

It is particularly important not to see cybersecurity as a one-off measure or a mere documentation requirement. Sustainable processes, clear responsibilities and continuous monitoring in the post-market phase and along the supply chain are crucial in order to meet regulatory requirements and effectively manage security risks.