What impact will the new EU law have on medical devices, accompanying apps and cloud services?<\/span><\/span> <\/p>\n<\/div><\/div><\/div><\/div><\/div> Digitalization in the healthcare sector is growing rapidly. More and more processes, devices and applications are being networked or moved to the cloud. At the same time, data protection and cyber security requirements are increasing. Not only patient data is particularly worth protecting – attacks on medical systems can also cause life-threatening situations. <\/span><\/p>\n Until now, medical devices in the EU have primarily been subject to the Medical Device Regulation (MDR) and (where relevant) other standards, such as IEC 81001-5-1, which specifically regulates cyber security requirements for medical software. With the new Cyber Resilience Act (CRA), the EU is now creating a further, far-reaching level of regulation. Interestingly, although medical devices themselves are exempt from the CRA because they are already regulated by the MDR and IVDR, the CRA applies to digital components, services and applications that are not medical devices as defined by the MDR\/IVDR – and this increasingly affects the healthcare sector. <\/span><\/p>\n In this blog post, we take a look at what the Cyber Resilience Act regulates, why it has a significant impact on manufacturers in the healthcare market despite the exclusion of medical devices and how it interacts with other directives such as NIS2 or US requirements. In addition, we provide a compact checklist that shows what companies should pay attention to now. <\/span><\/p>\n<\/div><\/div><\/div><\/div><\/div> The Cyber Resilience Act (CRA) is a planned EU law that aims to drastically increase the cyber security of products with digital elements. These include:<\/p>\n The aim of the CRA is to define uniform minimum standards for IT security throughout the entire product life cycle: from development (“security by design”) to market launch and operation through to patch and update management. In concrete terms, this means for manufacturers:<\/p>\n<\/div> Products with digital elements must comply with certain basic standards, such as secure communication, encrypted data transmission and mechanisms to defend against typical threats (e.g. SQL- <\/span>injections<\/span>DDoS attacks).<\/span><\/p>\r\n<\/div> Processes must be established to promptly rectify identified vulnerabilities. Security vulnerabilities must be disclosed, e.g. to authorities and users. <\/span><\/span><\/p>\r\n<\/div> Compliance with the CRA requirements is integrated into the CE marking. Anyone who places their products on the market in the EU without meeting the CRA requirements risks severe penalties. <\/span><\/span><\/p>\r\n<\/div> The manufacturer’s responsibility does not end with the sale, but includes a defined period during which security updates must be provided. The transition phase after the CRA comes into force is expected to last several years. It is currently expected to come into force in 2024 and last around 36 months, which could mean full compliance from around 2027. <\/span><\/span><\/p>\r\n<\/div> The CRA is thus responding to the high number of cyberattacks associated with the increased use of digital technologies and networked devices. For manufacturers in all sectors – but especially in the healthcare sector – the law creates a binding framework for greater cyber security. <\/span><\/span><\/p>\n<\/div> Although medical devices (e.g. certified surgical robots, implants, insulin pumps) are excluded per se from the scope of the CRA because they are already comprehensively regulated by the MDR, IVDR and standards such as IEC 81001-5-1, the new law nevertheless has a considerable pull effect on the healthcare sector. Why?<\/span><\/span><\/p>\n<\/div> Many medical devices use additional apps or cloud components that are not themselves medical devices. It is precisely these parts that fall under the CRA because they are “products with digital elements” and are not already covered by the MDR within the meaning of the law.<\/p>\r\n Networked devices (e.g. telemedicine platforms, patient apps) can be covered by the CRA obligation if they are essential for operation but do not legally comply with medical device status.<\/span><\/span><\/p>\r\n<\/div> The revised <\/span><\/span>NIS2 Directive<\/span><\/span> forces operators of critical infrastructures (including the healthcare sector and hospitals) to meet higher security standards. Anyone supplying devices or software (under CRA) to such institutions must provide the required standards and documentation. This is the only way for hospitals to ensure their own NIS2 compliance. <\/span><\/span><\/p>\r\n<\/div> In view of the sensitive nature of healthcare data and the high risk of cyberattacks, it is essential for manufacturers and operators to work closely together and <\/span>exchange information on cybersecurity measures – regardless of whether the respective application is “only” covered by the CRA or “also” by the MDR.<\/span><\/span><\/p>\r\n<\/div> Medical devices (as defined by the MDR\/IVDR) already have strict requirements for <\/span><\/span>cyber security<\/span><\/span>. IEC 81001-5-1 specifies these requirements for software by providing a standardized framework for risk management and technical protective measures. Manufacturers must therefore prove that their medical devices are secure and can be protected against tampering or data leaks, for example. <\/span><\/span><\/p>\n<\/div><\/div><\/div><\/div><\/div> The Cyber Resilience Act comes into play when digital functions or systems do not fall within the scope of the MDR. Instead, the uniform requirements of the CRA now apply. In certain aspects, the CRA can even go beyond the MDR requirements, for example when it comes to reporting security vulnerabilities to authorities or regular patch management. <\/span> <\/p>\n Practical example:<\/span><\/p>\n<\/div> Subject to the CRA as it is not a medical device itself.<\/span><\/span><\/p>\r\n<\/div><\/div><\/div> Rather CRA-relevant if no medical device status exists.<\/span><\/p>\r\n <\/p>\r\n<\/div><\/div><\/div> The NIS2 Directive, updated in 2023, strengthens cybersecurity in critical infrastructures (including the healthcare sector). Hospitals and other “operators of essential services” must now meet increased requirements for risk analysis, incident management and reporting obligations. To ensure that this works smoothly, manufacturers are required to design their products (whether medical devices or not) to be secure and to provide their customers with sufficient technical information. <\/span><\/span><\/p>\n<\/div><\/div><\/div><\/div><\/div> In the USA, the FDA (Food and Drug Administration) is a leader in the regulation of <\/span>cyber<\/span> Security in the medical device sector. However, there is no direct counterpart to the <\/span>Cyber<\/span> Resilience<\/span> Act. The “U.S. <\/span>Cyber<\/span> Trust Mark Act” relies more on voluntary measures and is more focused on the consumer market. International manufacturers must therefore comply with EU requirements (CRA, MDR, IVDR) and US standards (FDA <\/span>Guidances<\/span>), provided they operate in both markets.<\/span><\/span><\/p>\n<\/div>Introduction<\/span><\/span><\/h2><\/div>
What is the <\/span>Cyber<\/span> Resilience<\/span> Act?<\/span><\/span><\/h2><\/div>
\n
\n
\n
Commitment to safety measures<\/h3><\/div>
Transparency about security gaps<\/h3><\/div>
Uniform CE marking for networked products<\/h3><\/div>
Life cycle approach<\/h3><\/div>
![\"BAYOOMED-Cyber_Resilience_Act\"](\"https:\/\/www.bayoomed.com\/wp-content\/uploads\/sites\/4\/2025\/04\/BAYOOMED-Cyber_Resilience_Act.jpg\" "\\"BAYOOMED-Cyber_Resilience_Act\\"")
<\/span><\/div><\/div><\/div><\/div><\/div>Significance for the healthcare sector<\/span><\/span><\/h2><\/div>
Companion apps and cloud services<\/h3><\/div>
\r\n
Devices used in the hospital environment<\/h3><\/div>
Link with NIS2<\/h3><\/div>
Data security and patient well-being<\/h3><\/div>
CRA: “Expansion” of the regulatory spectrum<\/span><\/span><\/h2><\/div>
Companion app for data evaluation on the smartphone:<\/h3><\/div>
Cloud backend for medical software<\/h3><\/div>
NIS2 for operators and manufacturers<\/span><\/span><\/h2><\/div>
A look at the USA: FDA and Co.<\/span><\/span><\/h2><\/div>
![\"BAYOOMED-Richtlinien\"](\"https:\/\/www.bayoomed.com\/wp-content\/uploads\/sites\/4\/2025\/04\/BAYOOMED-Richtlinien.jpg\" "\\"BAYOOMED-Richtlinien\\"")
<\/span><\/div><\/div><\/div><\/div><\/div>Consequences for manufacturers of healthcare software<\/span><\/span><\/h2><\/div>