Cybersecurity of medical devices: new challenges arising from the AI Act and NIS 2 Directive proposals

Cited by: 0
Authors
Elisabetta Biasin
Erik Kamenjašević
Affiliation
[1] KU Leuven Centre for IT & IP Law
Source
International Cybersecurity Law Review | 2022 / Vol. 3 / Issue 1
Keywords
Security; Healthcare; Critical infrastructure; Artificial intelligence; Network and information system security
DOI
10.1365/s43439-022-00054-x
Abstract
Cyberattacks on the IT infrastructure of hospitals, electronic health records or medical devices that have taken place during the COVID-19 pandemic reaffirmed how crucial it is to ensure cybersecurity in the healthcare sector. Medical devices are regulated in the European Union (EU) through vertical product-specific legislation, such as the Medical Device Regulation (MDR), among others. The MDR foresees safety requirements implying cybersecurity obligations for medical device manufacturers. In 2021, the EU legislator put forward the Network and Information Security System Directive reform (NIS 2) and the Artificial Intelligence Act (AIA) proposal, containing additional cybersecurity requirements applicable to medical devices. This article analyses how the new reforms interact with the existing legislation from a cybersecurity perspective. The research finds that parallel provision of analogous cybersecurity requirements (especially on notification requirements) could lead to regulatory overlapping, fragmentation, and uneven levels of protection of individuals in the EU internal market. In the “Recommendations and conclusions”, the article provides policy recommendations to the EU legislator to help mitigate these risks.
Pages: 163-180
Number of pages: 17