This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

BioTalk

Powered by Bird & Bird

All Posts
| 7 minute read

The Impact of the NIS2 Directive and the CER Directive for Medical Device Manufacturers and the Healthcare Sector

featured image

Get in touch

Avatar
Deirdre Kilroy
Partner
Avatar
Georgina Parkinson
Associate

Get in touch

Avatar
Deirdre Kilroy
Partner
Avatar
Georgina Parkinson
Associate

The rise in the volume of cyber incidents, the war in Ukraine, and the recent pandemic, has increased focus on the risks for medical device manufacturers and healthcare providers inherent in the data they collect and hold, including the risks posed by the ongoing threat of cyber-attacks. This is where the NIS2 Directive and the CER Directive come in.

In this article we will consider the Network and Information Systems Directive (EU) 2022/0383 (“NIS2”) and the Directive on the Resilience of Critical Entities (EU) 2022/2557 (“CER Directive”) and the impact that they will have on medical device manufacturers and healthcare providers.

NIS2 is aimed at improving the resilience and incident response capacities of the public and private sectors across the European Union. In particular, NIS2 will:

  • Introduce stringent supervisory measures for national authorities and introduce stricter enforcement; and
  • Introduce accountability of senior level management for non-compliance with cybersecurity obligations.

The CER Directive repeals the European Critical Infrastructure Directive introducing more robust measures for the cyber and physical resilience of critical entities and networks.

What is the NIS2 Directive?

NIS2 replaces the current Network and Information Systems Directive known as the “NIS Directive”. The NIS Directive applied to certain life sciences businesses, but the NIS2 captures more businesses within its scope. NIS2 amends the rules on the security of network and information systems and aims to harmonise the current cybersecurity framework.

What is the CER Directive?

The CER Directive repeals the European Critical Infrastructure Directive (2008/114/EC). It requires Member States across the EEA to take proactive steps to protect services provided across 11 sectors regarded as critical to the operation of society and business in the EEA.

How are medical device manufacturers and healthcare providers affected?

The main aim of NIS2 is to ensure a high level of cybersecurity within the EEA. NIS2 modifies and expands the types of organisations which fell into scope of the previous NIS Directive. Annex I and II of NIS2 lists entity categories which fall into either essential or important sectors, with differing obligations applying depending on the categorisation. Whether a company with the sectors identified in the Annexes is in scope is subject to specific rules, and Member State can also designate additional categories. NIS2 lists ‘health’ and certain specific medical device manufacturers, within the ‘essential sectors’ category and ‘medical device manufacturers’ within the ‘important sectors’ category. The definitions set out in NIS2 of the sectors are broad, technical and cover a large variety of providers in the life sciences, medical devices and healthcare spaces.

NIS2 affects many different medical device manufacturers and healthcare providers including:

  • Any entity providing healthcare on the territory of a Member State;
  • Entities carrying out research and development activities of medicinal products;
  • Manufacturers of patient file management software;
  • Manufacturers of ventilators;
  • Entities manufacturing basic pharmaceutical products.

Additionally, entities manufacturing medical devices for the purposes of diagnosis, prevention, monitoring, prediction, prognosis, treatment, and alleviation of disease are captured within the definition of medical device manufacturing under NIS2.

Key NIS2 and CER Directive changes which medical device manufacturers and healthcare providers should be aware of:

Key Change

Impact of NIS2

Recommended Action

Broadening of Scope of Application:

Providers captured by NIS2 includes those manufacturing certain critical products in the pharmaceutical sector such as, medical devices. Entities providing software or research services can also be in scope.All providers of goods and services in the life sciences and healthcare space should determine whether their activities fall within the parameters of NIS2, and whether they are classified as an essential or important entity, or both.

Jurisdiction Tests and One Stop Shop Rule:

 

 

NIS2 has specific rules determining which Member State laws and competent authority has jurisdiction over an entity’s functions. Regard must be had to where the main establishment is. Depending on the facts it may also be necessary to take account of where certain decisions are predominantly taken, where cybersecurity operations are carried out, and which establishment has the highest number of employees in the EU.

 

 

 

Entities should:

 

  • consider the technical jurisdiction tests in NIS2 to determine the national laws relevant to the entity;
  • consider if the entity is able to avail of the ‘one stop shop’ mechanism, and so may be required to be registered in the ENISA registry;
  • some entities may wish to restructure cybersecurity or other functions to align with other relevant regulatory regimes (for example, GDPR which also has a one stop shop mechanism, and although not identical, it is similar);
  • consider if, the entity is not established in the EU, it is required to designate an EU representative;

 

Supply Chain Risk Management:

NIS2 includes detailed, strengthened security requirements for essential and important entities. Essential and important entities must put measures in place around (amongst others): risk analysis, system security policies, and supply security.

Entities must take account of new obligations by:

 

  • reviewing the security arrangements of their hardware and software suppliers;
  • evaluating the adequacy of the security obligations of providers of data storage or managed security services;
  • considering what use of cryptography and encryption is appropriate;
  • co-ordinating technical and organisation security efforts; it will make sense to have regard to arrangements dealing with other related legal obligations (such as the security requirements under GDPR, the Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 2017 on in vitro diagnostic medical devices);
  • ensuring contracts are updated to take account of the new obligations; and
  • taking account of its governance framework and incident management processes when managing its supply network and related contracts.

Governance Requirements:

NIS2 includes governance obligations for management bodies of essential and important entities and specific training obligations for their members. Management bodies of such entities can be held liable for non-compliance.

Entities must:

 

  • conduct risk assessments having regard to their legal obligations;
  • put in place and implement crisis management plans;
  • update business continuity arrangements;
  • identify the “management body” to be accountable for compliance and non-compliance;
  • consider the employment position of management body members;
  • appropriately train impacted roles in the organisation, including management body members.

Incident Response Reporting:

NIS2 introduces detailed two-stage reporting requirements with respect to incidents having a significant impact on the provision of services and cyber threats. Notably, what is considered ‘significant impact’ has changed and the timelines and processes for making notifications to competent authorities have changed (the max 72-hour notification window has been reduced to 24 hours; however, an initial notification is only required within this timeframe).

Entities should:

 

  • review their processes, policies and procedures to take account of NIS2 requirements;
  • revise their cybersecurity risk management processes and incident reporting to take account of the new requirements;
  • co-ordinate incident compliance efforts with programmes dealing with notifications required by other laws, such as GDPR;
  • make appropriate plans to deal with communications and reports to the national Computer Security Incident Response Teams (“CSIRT”) / the competent authority, and, additionally, reports to services recipients;

 

Key Change

Impact of NIS2

Recommended Action

CER Directive

Member States will be required to identify the critical entities that provide essential services, including in the health sector.

If an entity is identified as a critical entities it must:

 

  • review its business and identify the relevant risks that may significantly disrupt the provision of the specified essential services;
  • take appropriate measures to ensure the resilience of essential services;
  • notify disruptive incidents impacting essential services to the competent authorities;
  • take account of requirements notified to it by competent authorities.

What actions should medical device manufacturers and healthcare providers take now?

Incidents, such as cyber-attacks and data breaches, can have a significant impact on pharmaceutical companies and healthcare providers. There is potential exposure of patient personal data, technical security data and business data due to cyber-attacks. This can lead to disruption of business and interrupted revenue generation, insurance claims, contract performance risk, as well as risk of damage to reputation for those in or working with the medical device and healthcare sectors. With this in mind, those impacted must introduce robust reporting mechanisms to ensure they comply with the timeframes set out in NIS2. In addition, strengthened security requirements must be put in place to cover system security as well as a cybersecurity risk and incident management process.

In terms of the CER Directive, certain entities should continually track developments at the Member States level, in order assess the likelihood of the CER Directive applying to them and react and plan accordingly.

What timelines should medical device manufacturers and healthcare providers be aware of?

The new rules will only take effect when the EU directives are transposed into law across the EU Member States.  For both the NIS2 and the CER Directive, Member States have until 17 October 2024, to publish these national laws, and the new laws must take effect from 18 October 2024.

In relation to the CER Directive, Member States from 2024 must adopt a strategy for reinforcing the resilience of critical entities. The strategy must address specified elements and they must communicate the strategies to the EU Commission. Member States must also establish a list of critical entities and are also required to notify the entities about their status and the obligations they will be required to adhere to as a result. The competent authorities in each Member State will establish a list of essential services. Regular assessments must be carried out of all relevant risks that may affect the provision of those essential services with a view to identifying critical entities.

Warning! Organisations are strongly recommended to start preparing for compliance with NIS2 and the CER Directive now, rather than waiting for the 2024 and 2025 deadlines. It will take time to plan for, implement, and to achieve compliance.

Who to contact?

If you have any questions or would like advice or assistance on any of the topics raised in this article, please do not hesitate to reach out to the authors, or your usual Bird & Bird contact.
 

Tags

eu, healthcare, medical devices, medtech

Get in touch

Avatar
Deirdre Kilroy
Partner
Avatar
Georgina Parkinson
Associate

Get in touch

Avatar
Deirdre Kilroy
Partner
Avatar
Georgina Parkinson
Associate

Latest Insights