The rise in the volume of cyber incidents, the war in Ukraine, and the recent pandemic, has increased focus on the risks for medical device manufacturers and healthcare providers inherent in the data they collect and hold, including the risks posed by the ongoing threat of cyber-attacks. This is where the NIS2 Directive and the CER Directive come in.
In this article we will consider the Network and Information Systems Directive (EU) 2022/0383 (“NIS2”) and the Directive on the Resilience of Critical Entities (EU) 2022/2557 (“CER Directive”) and the impact that they will have on medical device manufacturers and healthcare providers.
NIS2 is aimed at improving the resilience and incident response capacities of the public and private sectors across the European Union. In particular, NIS2 will:
- Introduce stringent supervisory measures for national authorities and introduce stricter enforcement; and
- Introduce accountability of senior level management for non-compliance with cybersecurity obligations.
The CER Directive repeals the European Critical Infrastructure Directive introducing more robust measures for the cyber and physical resilience of critical entities and networks.
What is the NIS2 Directive?
NIS2 replaces the current Network and Information Systems Directive known as the “NIS Directive”. The NIS Directive applied to certain life sciences businesses, but the NIS2 captures more businesses within its scope. NIS2 amends the rules on the security of network and information systems and aims to harmonise the current cybersecurity framework.
What is the CER Directive?
The CER Directive repeals the European Critical Infrastructure Directive (2008/114/EC). It requires Member States across the EEA to take proactive steps to protect services provided across 11 sectors regarded as critical to the operation of society and business in the EEA.
How are medical device manufacturers and healthcare providers affected?
The main aim of NIS2 is to ensure a high level of cybersecurity within the EEA. NIS2 modifies and expands the types of organisations which fell into scope of the previous NIS Directive. Annex I and II of NIS2 lists entity categories which fall into either essential or important sectors, with differing obligations applying depending on the categorisation. Whether a company with the sectors identified in the Annexes is in scope is subject to specific rules, and Member State can also designate additional categories. NIS2 lists ‘health’ and certain specific medical device manufacturers, within the ‘essential sectors’ category and ‘medical device manufacturers’ within the ‘important sectors’ category. The definitions set out in NIS2 of the sectors are broad, technical and cover a large variety of providers in the life sciences, medical devices and healthcare spaces.
NIS2 affects many different medical device manufacturers and healthcare providers including:
- Any entity providing healthcare on the territory of a Member State;
- Entities carrying out research and development activities of medicinal products;
- Manufacturers of patient file management software;
- Manufacturers of ventilators;
- Entities manufacturing basic pharmaceutical products.
Additionally, entities manufacturing medical devices for the purposes of diagnosis, prevention, monitoring, prediction, prognosis, treatment, and alleviation of disease are captured within the definition of medical device manufacturing under NIS2.
Key NIS2 and CER Directive changes which medical device manufacturers and healthcare providers should be aware of:
|Key Change||Impact of NIS2||Recommended Action|
|Broadening of Scope of Application:||Providers captured by NIS2 includes those manufacturing certain critical products in the pharmaceutical sector such as, medical devices. Entities providing software or research services can also be in scope.||All providers of goods and services in the life sciences and healthcare space should determine whether their activities fall within the parameters of NIS2, and whether they are classified as an essential or important entity, or both.|
|Jurisdiction Tests and One Stop Shop Rule:
|NIS2 has specific rules determining which Member State laws and competent authority has jurisdiction over an entity’s functions. Regard must be had to where the main establishment is. Depending on the facts it may also be necessary to take account of where certain decisions are predominantly taken, where cybersecurity operations are carried out, and which establishment has the highest number of employees in the EU.
|Supply Chain Risk Management:||NIS2 includes detailed, strengthened security requirements for essential and important entities. Essential and important entities must put measures in place around (amongst others): risk analysis, system security policies, and supply security.||Entities must take account of new obligations by:
|Governance Requirements:||NIS2 includes governance obligations for management bodies of essential and important entities and specific training obligations for their members. Management bodies of such entities can be held liable for non-compliance.||Entities must:
|Incident Response Reporting:||NIS2 introduces detailed two-stage reporting requirements with respect to incidents having a significant impact on the provision of services and cyber threats. Notably, what is considered ‘significant impact’ has changed and the timelines and processes for making notifications to competent authorities have changed (the max 72-hour notification window has been reduced to 24 hours; however, an initial notification is only required within this timeframe).||Entities should:
|Key Change||Impact of NIS2||Recommended Action|
|CER Directive||Member States will be required to identify the critical entities that provide essential services, including in the health sector.||If an entity is identified as a critical entities it must:
What actions should medical device manufacturers and healthcare providers take now?
Incidents, such as cyber-attacks and data breaches, can have a significant impact on pharmaceutical companies and healthcare providers. There is potential exposure of patient personal data, technical security data and business data due to cyber-attacks. This can lead to disruption of business and interrupted revenue generation, insurance claims, contract performance risk, as well as risk of damage to reputation for those in or working with the medical device and healthcare sectors. With this in mind, those impacted must introduce robust reporting mechanisms to ensure they comply with the timeframes set out in NIS2. In addition, strengthened security requirements must be put in place to cover system security as well as a cybersecurity risk and incident management process.
In terms of the CER Directive, certain entities should continually track developments at the Member States level, in order assess the likelihood of the CER Directive applying to them and react and plan accordingly.
What timelines should medical device manufacturers and healthcare providers be aware of?
The new rules will only take effect when the EU directives are transposed into law across the EU Member States. For both the NIS2 and the CER Directive, Member States have until 17 October 2024, to publish these national laws, and the new laws must take effect from 18 October 2024.
In relation to the CER Directive, Member States from 2024 must adopt a strategy for reinforcing the resilience of critical entities. The strategy must address specified elements and they must communicate the strategies to the EU Commission. Member States must also establish a list of critical entities and are also required to notify the entities about their status and the obligations they will be required to adhere to as a result. The competent authorities in each Member State will establish a list of essential services. Regular assessments must be carried out of all relevant risks that may affect the provision of those essential services with a view to identifying critical entities.
Warning! Organisations are strongly recommended to start preparing for compliance with NIS2 and the CER Directive now, rather than waiting for the 2024 and 2025 deadlines. It will take time to plan for, implement, and to achieve compliance.
Who to contact?
If you have any questions or would like advice or assistance on any of the topics raised in this article, please do not hesitate to reach out to the authors, or your usual Bird & Bird contact.