In an era of increasing cyber threats, the healthcare sector stands at the intersection of innovation and vulnerability. The European Commission recently published an Action Plan on cybersecurity for hospitals and healthcare providers, which highlights a critical issue:
Are we truly prepared to ensure the cybersecurity of connected medical devices?
From patient monitoring systems to implantable medical technologies, connected devices have revolutionized healthcare. However, this digital transformation comes with significant risks. Cyberattacks targeting hospitals and healthcare infrastructure have increased in recent years, putting patient safety, data privacy, and medical operations at risk.
As regulatory bodies worldwide tighten cybersecurity requirements, medical device manufacturers must proactively adapt to evolving standards. At Applus+ Laboratories, we believe cybersecurity should be a core component of medical device certification—not just for compliance but for the safety and trust of patients and healthcare providers.
The Cyber Resilience Act (CRA) aims to strengthen cybersecurity across all software and hardware products in the EU market. However, medical devices already fall under strict cybersecurity requirements within the Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR), meaning that they are currently out of the CRA's direct scope.
Nevertheless, the European Commission’s Action Plan suggests a shift towards greater alignment between CRA and MDR/IVDR. The plan even encourages manufacturers of medical and in vitro diagnostic devices to voluntarily report cybersecurity vulnerabilities and incidents—a clear sign that regulators are considering future integration.
While CRA compliance is not yet a formal requirement for medical devices, adopting its principles early could provide a competitive advantage and future-proof products against upcoming regulations.
Another key regulation reshaping cybersecurity in healthcare is the NIS2 Directive. This European directive imposes stricter incident reporting and security measures on critical infrastructure, including healthcare providers.
For medical device manufacturers, this means:
While Europe refines its cybersecurity strategy, the U.S. Food and Drug Administration (FDA) has already intensified its enforcement of cybersecurity standards for medical devices. In March 2023, the FDA mandated that all new medical devices must include a comprehensive cybersecurity plan to be approved for the U.S. market.
For companies seeking global market approval, meeting FDA requirements now and aligning with upcoming EU changes is crucial.
At Applus+ Laboratories, we understand that cybersecurity is no longer an optional add-on—it is a regulatory and ethical necessity. That’s why we offer integrated cybersecurity evaluations to help manufacturers stay ahead of compliance requirements.
By taking a proactive approach, manufacturers can not only strengthen product security but also accelerate market entry and gain greater trust from regulatory bodies and healthcare providers.
With increasing cyber threats and evolving regulations, the message is clear:
At Applus+ Laboratories, we’re here to help you navigate these challenges with cutting-edge cybersecurity testing and certification solutions. Contact us today to learn more!