Cybersecurity of Medical Devices: Regulatory Challenges in the EU

Abstract

This book chapter assesses the EU medical devices legal framework in light of the EU cybersecurity policy objectives and the complexity aspects inherently characterizing the healthcare sector. First, it outlines the core cybersecurity-related elements in the EU Medical Devices Regulation (MDR) and offers critical remarks on the Medical Device Coordination Group’s Guidance on medical device cybersecurity. Second, the chapter illustrates other relevant pieces of the EU legislation that become applicable in the context of medical devices’ cybersecurity, namely the NIS Directive, the Cybersecurity Act, the GDPR, the Radio Equipment Directive. Third, the chapter offers critical remarks concerning the possible regulatory challenges stemming from their interaction with the MDR. Here, the analysis finds that regulatory challenges persist due to regulatory specialization, possibly leading to regulatory overlapping, fragmentation risks, regulatory uncertainty and duplication. In its final section, the chapter provides recommendations for EU lawmakers dealing with the cybersecurity of medical devices in the EU.