The NIS2 Directive broadens EU cybersecurity standards to include in vitro diagnostic and medical device manufacturers, imposing stricter compliance and reporting obligations to enhance cyber resilience.
The NIS Directive (the Directive on Security of Network and Information Systems) aims to ensure a higher level of cybersecurity resilience among socially critical entities in the EU. NIS2 (EU 2022/2555) broadens these cybersecurity resilience requirements and extends the scope to encompass all healthcare organizations already subject to NIS1 (EU 2016/1148). NIS2 also covers additional subsectors not previously covered by NIS1, such as manufacturers of medical devices, in vitro diagnostic medical devices, and devices deemed critical during public health crises. Hence, these supplementary sectors within the healthcare industry must adhere to the new regulations. Manufacturers of medical devices and in vitro diagnostic medical devices were not covered by the scope of NIS1 and do not fall under the health sector in Annex I of NIS2. Instead, they are classified as ‘important’ entities and are listed in Annex II of NIS2 under other critical sectors – subsector (a) Manufacture of medical devices and in vitro diagnostic medical devices.
The health sector is classified as an ‘essential’ entity under the NIS2 directive, subjecting it to the strictest requirements and obligations. Although the health sector was already covered by NIS2's predecessor, the NIS1 directive, more rigorous requirements and obligations regarding, for example, incident reporting and sanctions for non-compliance will be introduced. Non-compliant essential entities (covering the health sector, among others) will be fined 10M EUR or 2% of global annual turnover, whichever is higher. Important entities (covering manufacturers of medical devices and in vitro diagnostic devices, among others) will be fined 7M EUR or 1.4% of global annual turnover, whichever is higher.
Newly added affected entities covered by subsector (a) in Annex II of NIS2 will be:
- Entities manufacturing medical devices as defined in Article 2, point (1), of Regulation (EU) 2017/745 of the European Parliament and of the Council (1).
- Entities manufacturing in vitro diagnostic medical devices as defined in Article 2, point (2), of Regulation (EU) 2017/746 of the European Parliament and of the Council (2).
- Except entities manufacturing medical devices referred to in Annex I, point 5, fifth indent of this Directive.
Since NIS1 has not previously covered these entities, some new obligations following their inclusion under NIS2 are risk management measures, notification obligations in the event of security incidents, notification and reporting obligations to the authority, and notifications to service recipients and the public.
To prepare for the requirements of NIS2, entities within the healthcare sector (both manufacturers of medical devices and in vitro diagnostic medical devices as well as entities falling under the health sector) should start by taking the following measures:
- Identification and mapping of the requirements relevant to the organization, to understand its responsibilities for cyber risk management and incident reporting.
- Gap analysis to identify whether your company is covered under the scope of NIS2.
- Enhancing cybersecurity awareness and educating employees on identifying and assessing cybersecurity risks.
Knightec has extensive competence and knowledge within MedTech and NIS2 and will be more than happy to offer guidance on the above-mentioned measures, making your company thoroughly prepared for NIS2.
Contact Klara Wallenbro, our cybersecurity and artificial intelligence expert specializing in the MedTech industry at Knightec, for insights on NIS2’s impact, ensuring your company’s compliance, or any cybersecurity queries within MedTech.
Cybersecurity by Knightec
At Knightec, we provide comprehensive cybersecurity services to help companies identify risks and protect their products and manufacturing environments. Our expertise spans product cybersecurity, OT security, and secure development.
We pride ourselves on taking a holistic approach to security that covers risk management, implementation, and testing. Visit our website to learn more and get in touch.