NIS2 Directive: are you involved or concerned?
That’s the old story of the pig and the hen at breakfast: the pig is involved (ham) and the hen is concerned (eggs). With the NIS2 directive in preparation, a medical device manufacturer will be in one situation or the other.
A proposal for the NIS2 directive was published in December 2020. Its goal is to ensure a high common level of cybersecurity within the Union. Like any other regulation, it brings its own constraints and overhead to the organizations it targets. Fortunately, it is not applicable to micro or small enterprises. However, some additional criteria exist. Let’s see how medical device manufacturers are involved or concerned.
NIS directive and NIS2 directive
By the way, subject matter experts call it the NIS2 directive. Its real official name is the directive on measures for a high common level of cybersecurity across the Union. It will replace the Directive on security of network and information systems (aka the NIS directive, mentioned on this blog 6 years ago), in force since 2016. NIS2 is a nickname, a reminder that it replaces the NIS directive.
Essential Entities and Important Entities
The NIS2 directive defines two types of entities:
- Essential Entities: manufacturers of critical medical devices, according to Annex I of the NIS2 directive. The annex references the regulation on the European Medicines Agency in crisis preparedness, which is still in draft state and defines what “critical” medical devices are,
- Important Entities: all medical device manufacturers, according to Annex II of the NIS2 directive.
We can conclude that all medical device manufacturers, other than small businesses, are at least in the scope of the NIS2 directive and categorized as Important Entities.
However, article 2 lists additional criteria, such as the manufacturer being the sole provider of a service in the EU, or being of importance at regional or national level. In particular, the NIS2 directive references yet another regulation in preparation, the Resilience of critical entities directive, which defines a list of critical entities.
If a manufacturer matches one of the article 2 criteria, it can be an Essential Entity or an Important Entity, small business or not.
Examples of medical device manufacturers that could be in the scope of the NIS2 directive:
- A manufacturer of a telehealth / teleradiology solution, when its software is deployed at regional or national level (criteria of article 2),
- A manufacturer of patient file management software (not a medical device in itself, but editors of such software usually have medical devices in their product portfolio), when its software is deployed at regional or national level (criteria of article 2),
- A manufacturer of a cloud-based SaMD with a large user base, where a potential disruption of the service provided by the entity could have an impact on public safety (criteria of article 2),
- A manufacturer of ventilators used to treat patients with COVID-19, probably in the future list of critical devices of the EMA crisis preparedness regulation (criteria of Annex I),
- Any other medical device manufacturer that is not a small business (criteria of Annex II).
To sum up: to know whether a manufacturer is an Essential Entity, an Important Entity, or neither, it is necessary to read three documents:
- The NIS2 directive, with the criteria defined in article 2,
- The EMA crisis preparedness regulation, referenced in Annex I of the NIS2 directive,
- The Resilience of critical entities directive, referenced in article 2 of the NIS2 directive.
Piece of cake! Isn’t it?
One important thing: the list of entities matching the criteria of article 2 will be established by Member States. Thus, small businesses won’t decide by themselves whether they match these criteria. Such a list isn’t drawn up on the back of an envelope: Member States will need to collaborate with the presumed entities to establish it. Such entities will know well in advance that they will be on the list!
This is also the case for the list of critical entities according to the EMA crisis preparedness regulation and the Resilience of critical entities directive.
You are Involved!
If your company is in the scope of the NIS2 directive, you are involved. Whether an Essential Entity or an Important Entity, you have to establish (article 1):
- A cybersecurity risk management process,
- A reporting process,
- An information sharing process.
Article 18 defines the requirements on cybersecurity risk management measures, article 20 the reporting obligations, and article 26 the cybersecurity information sharing arrangements.
To support this, the European Commission can adopt technical or methodological specifications, and the European Union Agency for Cybersecurity (ENISA) can publish guidelines. There is no mention of harmonized standards, though, only a requirement for Member States to encourage the use of international or European standards (articles 18 and 22).
This is going to consume a significant part of enterprises’ resources. It is wise to put non-critical small businesses out of scope!
These processes will be monitored by a Competent Authority at Member State level, obviously a different one from the Competent Authority for MD/IVD. I won’t go further into the network of agencies in charge of cybersecurity and crisis management (ENISA, CSIRTs, CyCLONe…).
It is important to note that the NIS2 directive has an impact on entities’ organization. The most straightforward (and expensive) compliance pathway is an Information Security Management System (ISMS) implemented according to ISO 27001.
MDR and IVDR target products with ISO 13485 and ISO 14971 (plus cybersecurity harmonized / recognized standards).
Thus, a solution for MD manufacturers in the scope of the NIS2 directive could be an integrated QMS, compliant with both ISO 27001 and ISO 13485.
Difference between Essential Entities and Important Entities
For those accustomed to MDR/IVDR rules, Important Entities are a bit like class I devices, and Essential Entities like class II and above. This is visible in articles 29 and 30, about the supervision of Essential Entities and Important Entities respectively.
Essential Entities are subject to regular audits and random checks (a sort of unannounced audit). Important Entities can be subject to ex-post inspection by Competent Authorities, after a cyber adverse event has occurred. No regular audit, then.
The NIS2 directive also leaves the possibility of imposing certification schemes on Essential Entities and Important Entities (article 21). Hello ISO 27001! Hello, also, future certification schemes that ENISA could elaborate or adopt.
Curiously, the suspension of certification is a sanction only present for Essential Entities.
You are Concerned!
Even though a company doesn’t match any criteria of article 2 and isn’t in the scope of the NIS2 directive, it can be impacted through the supply chain. As a manufacturer, you are in the supply chain of healthcare providers, which may be Essential or Important Entities according to article 2. Keep reading, you are concerned!
Article 18 requires entities to implement cybersecurity risk management measures covering supply chain security, including security-related aspects concerning the relationships between each entity and its suppliers or service providers.
Thus, as a medical device manufacturer, whether of hardware, software, or software as a service, we have to implement such measures, either in the QMS (for non-active devices) or in both the QMS and the devices (for active devices). MDR CE-marked devices should already comply with the general requirements of Annex I of the MDR / IVDR.
Article 18 also requires entities to implement policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures.
It means that our clients, who are happy to be Essential or Important Entities, will audit our QMS and/or our products. They will verify that the cybersecurity provisions in the QMS, in the device design and in post-market activities are appropriate.
Last, article 18 adds that entities shall take into account the vulnerabilities specific to each supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
Cherry on the cake: clients’ audits will take into account vulnerabilities in products and the secure development process, like the one described in IEC 81001-5-1.
That’s a bit like a sterilization service supplier, who is audited by its clients. As a supplier of devices or ICT services that your clients consider critical, you will be audited by your clients, of course with auditors qualified in cybersecurity management.
Here are some examples:
- A hospital, registered as an Essential Entity, could audit its hardware MD suppliers, when these MDs are considered critical devices for patient care,
- A big pharma company, registered as an Essential Entity, could audit its suppliers of companion apps (qualified as SaMDs), when these companion apps deliver a service considered critical for patient management,
- A medical imaging manufacturer, registered as an Important Entity, could audit its suppliers of medical imaging libraries (themselves MDs or not), when these libraries are considered a critical part of the integrated system.
So, we are concerned!
Consumer electronics are not left out
A last proposal for regulation was issued in September 2022: the Regulation on horizontal cybersecurity requirements for products with digital elements. Its scope is products with digital elements. It excludes MDs and IVDs, which are already regulated by the MDR and IVDR.
However, Annex I of this proposal contains a list of general requirements. It’s worth reading them, to see what detailed cybersecurity requirements for medical devices could look like!
We see with this last proposal for regulation that the EU takes cybersecurity seriously, by putting some pressure on all electronic devices.
And the MDR?
Let’s end with the running gag of 2022 on this blog: some MDR-bashing!
As of today, the MDR is a dead end. It drains all the energy of medical device manufacturers into QMS updates of little use, technical file updates, and endless Notified Body reviews.
But the geopolitical landscape has changed. Cybersecurity is a real concern. Probably a concern stronger than the safety and performance of medical devices.
Practically speaking, I feel like I’m doing something useful when I work on securing the design of medical devices. And I feel like I’m doing something useless (sometimes even pointless) when I work on filling in some heavy MDR technical file template.
Fortunately, this is only sometimes true for new devices. Unfortunately, this is always true for legacy devices transitioning to the MDR.
What a waste of manufacturers' resources!
The MDR should be updated to alleviate the burden on MD manufacturers. Their resources should be deployed in battle order to strengthen the security of their products and processes. This is the purpose of a directive like NIS2, and we’ve seen that doing it right requires a lot of resources.
We shall not fight the wrong battle: more Cyber, less MDR
Edit 2022/12/28: the NIS2 directive, named Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, was published on 2022/12/27. It shall be transposed into national law no later than September 2024. The articles of the draft version discussed above were renumbered, shifted by 3 in the final version. E.g.: article 18 is now article 21.