EU introduces 3 new legislations for medical devices cybersecurity

Much has been written on cybersecurity generally and on medical device cybersecurity more specifically; however, the latter is a matter of relatively recent regulation in the EU. In some of our previous work, 2 we set out the existing legal framework on cybersecurity, noting that this framework consists of sector-specific cybersecurity-related requirements (set by the EU Medical Device Regulation [MDR]) and other horizontal (applying across different sectors) cybersecurity legislation (e.g., directives on the security of network and information systems (NIS) and the Cybersecurity Act [CSA]).

However, even more recently, three new legislative proposals – the Artificial Intelligence (AI) Act, the European Health Data Space (EHDS) proposed regulation and Data Act – have been introduced that would add to the cybersecurity requirements relevant to medical devices.

Few studies in the legal literature have analysed the potential effects of these pending legislative reforms on medical device cybersecurity or examined the challenges they could create from a legal standpoint. In this context, this article examines some of the understudied legal challenges that the forthcoming legislation may bring to medical device cybersecurity in the EU. To do so, in section two, we examine both the current and forthcoming EU laws applicable to medical device cybersecurity. This is followed, in section three, by a look at currently available interpretative guidance issued at the EU level about medical device cybersecurity. In section four, we outline some significant legal challenges stemming from the new legislative proposals (i.e., the AI Act, the EHDS Regulation and the Data Act). This examination reveals an incoherent approach of the EU legislature in relation to new cybersecurity-related requirements. In section five, we make recommendations to the EU lawmakers to help address these challenges, not only in relation to the aforementioned proposals, but also in relation to the drafting of future cybersecurity-related provisions more generally. Formiventos