MedTech Europe’s position on the review of EU rules on the security of network and information systems (NIS2)
We welcome the NIS 2 Directive proposal as an improvement over the current NIS Directive. Relevant sectoral guidance could promote further harmonisation and clarity on how to act when cyber incidents are putting healthcare and patient safety at risk.
- An adequate level of cybersecurity in healthcare is essential for ensuring the provision of medical care, patient safety and the protection of health data. Security of healthcare systems will also advance trust in the use of innovative healthcare solutions. The medtech industry is committed to delivering products and services that meet requirements that contribute to these goals.
- We acknowledge the references to Medical Device (MD) and in vitro Diagnostic (IVD) manufacturers in Annex I, point 5 (Essential Entities) and Annex II, point 5 (Important Entities) and the supervisory measures for Essential Entities and Important Entities, e.g., ex-ante and ex-post regime versus ex-post regime. Nevertheless, we want to highlight that the medical technology industry is already under rigorous supervisory, auditing and post-market surveillance regimes that include cybersecurity requirements under the new Medical Devices Regulations (MDR and IVDR) and accompanying guidance (including software as medical device and IT systems). We welcome strengthened coordination between the national Single Points Of Contact on cybersecurity (SPOC) and the national competent authorities responsible for medical devices and in vitro diagnostics. However, in the interest of legal consistency and respect for the Lex Specialis principle, we would strongly urge against any creation of duplicative or parallel certification requirements on top of the existing cybersecurity provisions of the MDR and IVDR.
- We emphasise the importance of consulting with the industry in drafting the list for “medical devices as critical during a public health emergency”, which would classify the manufacturers as Essential Entities.
  - We also note that the classification of medical devices’ manufacturers as “critical during a public health emergency” and “non-critical” in other circumstances could lead to two supervisory regimes under the current proposal for a given manufacturing facility.
- We stress the importance of uniform implementation of the NIS 2 Directive across the EU Member States to avoid fragmented regulatory requirements and procurement requirements as laid down in Article 5.2.(b) when operating in more than one EU Member State. Additionally, after the entry into force of this Directive, it will be necessary to clarify which ENISA channels will be employed to receive the information required to maintain the registry for Essential and Important Entities (as per Article 25).
- Cybersecurity is a shared responsibility of medical device manufacturers, healthcare providers, vendors, and patients. Accordingly, the scope of this Directive should consider the risks involved and apply the same provisions on all players in the supply chain, to ensure a fair and balanced approach. We therefore encourage efforts to improve cybersecurity awareness through programmes initiated by the Member States’ competent authorities under the proposed Directive.
- We support the risk management approach for both Essential Entities and Important Entities under the proposal but emphasise the importance of leveraging current (sectoral) risk management standards and best practices that have international consensus.
- We disagree with setting fines based on “worldwide” annual turnover, which exceeds the Directive’s scope and jurisdiction, and which is considered punitive rather than effective, proportionate, and dissuasive.
- We welcome the requirements laid down in Article 26 to improve cybersecurity information sharing, as long as this is realised among trusted partners and with proper sharing agreements.
We look forward to working with the EC, ENISA and stakeholders to advance cybersecurity in healthcare.
Full response attached.
Posted on 18.03.2021