When cybersecurity policy hits you
by 184yw8rhwhr

The NIS-2 Directive (Network and Information Security) is a European directive (Directive (EU) 2022/2555) that establishes minimum standards for cybersecurity within the EU.
Does this directive also apply to manufacturers of IVDs and medical devices? If so, what does it require and what should manufacturers do? This specialist article will give you the answers.
1. What is NIS-2 about
a) Objective
Threats to IT infrastructures from cyber attacks are on the rise. As a result, legislators are increasingly establishing requirements that companies must comply with.
An example is NIS-2, EU Directive 2022/2555, published by the EU on December 27, 2022. NIS stands for “Network and Information Security”. The “2” indicates that an earlier cybersecurity directive from 2016 already exists.
The main objectives of NIS2 are:
- Increase cybersecurity by improving the security of networks and information systems
- Better cooperation through increased communication and information exchange between EU Member States
- Greater resilience of key sectors such as energy, transport and healthcare to cyber threats
- Introduction of security incident reporting obligations for operators of critical services and digital service providers
- Greater protection of the confidentiality and integrity of data, in particular personal data
- Support for detecting and responding to cyber attacks
b) National implementation
Like all EU directives, NIS-2 obliges the EU member states to transpose its requirements into national legislation. In this case, this had to be done by October 2024.
At present, Germany has only a draft(!) of the NIS-2 Implementation Act (NIS2UmsuCG), approved by the cabinet on July 24, 2024. This act in turn provides for a new version of the “BSI Act” (BSIG) and amends 32 other laws and regulations, including the Telecommunications Act and the DiGA regulation (see fig. 1).
NIS-2 requires member states to adopt national cybersecurity strategies and to designate or establish national authorities responsible for managing cyber crises, as well as single points of contact and computer security incident response teams.
The draft mentioned above shows that the Federal Office for Information Security (BSI) will be the responsible authority in Germany.
The NIS-2 Directive may be complemented by implementing acts.
2. Who is affected by NIS-2
Any IVD or medical device manufacturer that employs at least 50 people or has an annual turnover and balance sheet exceeding 10 million euros each falls within the scope of NIS-2.
NIS-2 defines its scope in Article 2. Important and particularly important entities are affected. What this covers is determined for Germany by Section 28 BSIG, which refers to Annexes I and II.
a) Sectors of particularly important and important entities
Definition according to Annex I and Annex II
Annex I of the BSIG lists the “sectors of particularly important and important entities”. In the context of IVDs and medical devices it mentions:
Companies producing medical devices deemed critical during a public health emergency pursuant to Article 22 of Regulation (EU) 2022/123 of the European Parliament and of the Council of 25 January 2022 for an enhanced role of the European Medicines Agency in preparedness and crisis response in relation to medicines and medical devices (OJ L 20, 31.1.2022, p. 1) (“List of medical devices critical for public health emergencies”)
However, the aforementioned EU Regulation 2022/123 does not itself contain a list of critical medical devices. Rather, it obliges the “High-Level Medical Device Shortage Steering Group” to adopt a list of critical medical device categories “following a determination of a public health emergency”. (The English text of the regulation uses the verb “to adopt”.)
Exceptions
“Entities” with fewer than 250 employees whose annual turnover is less than 50 million euros or whose annual balance sheet total is less than 43 million euros are excluded.
Summary
IVD and medical device manufacturers fall under this definition only if one or more of their products are included in the list of products critical for public health emergencies and if they count as at least medium-sized companies (according to the employee and financial thresholds mentioned).
b) Sectors of important entities
Definition according to Annex II
Annex II of the BSIG lists the “sectors of important entities”. At first glance this appears to overlap with Annex I, but by definition it does not.
In the field of medical devices and IVDs these are:
- Companies manufacturing medical devices pursuant to Article 2 number 1 of Regulation (EU) 2017/745 of the European Parliament and of the Council on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1),
- and companies manufacturing in vitro diagnostic medical devices pursuant to Article 2 number 2 of Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176),
- with the exception of companies manufacturing medical devices deemed critical during a public health emergency pursuant to Article 22 of Regulation (EU) 2022/123 of the European Parliament and of the Council of 25 January 2022 on a reinforced role for the European Medicines Agency in crisis preparedness and management for medicinal products and medical devices (OJ L 20, 31.1.2022, p. 1) (“List of critical medical devices for public health emergencies”)
Exceptions
“Entities” with fewer than 50 employees whose annual turnover is less than 10 million euros or whose annual balance sheet total is less than 10 million euros are excluded.
Summary
All IVD and medical device manufacturers fall under this second definition if they are not small enterprises (according to the financial and employee thresholds mentioned). Manufacturers that fall under the first category are excluded here.
3. What are the main requirements
a) Overview
The BSIG requires important and particularly important entities to protect themselves effectively through technical and organizational measures based on the state of the art. It calls for a risk management system (focused on IT security), including risk analysis and assessment and (partly specified) risk-minimization measures.
There are also reporting obligations, an obligation to register with the BSI, and implementation, monitoring and training obligations for management.
The annexes distinguish between “sectors of particularly important and important entities” and “sectors of important entities”. But the requirements themselves make little distinction between important and particularly important entities. This means that they apply to all IVD and medical device manufacturers above the size thresholds mentioned.
b) Summary
The requirements of the NIS-2 Directive, and the requirements of the BSIG as revised by the NIS2UmsuCG, overlap to a large degree with the requirements of an information security management system (ISMS), for example according to ISO 27001:2022.
In other words: achieving NIS-2 compliance involves considerable effort for manufacturers that have not implemented an information security management system (ISMS).
In contrast, companies already working in accordance with ISO 27001:2022 already (largely) meet the requirements of NIS-2 or national laws. The BSI (here the British Standards Institute, not the German Federal Office) has developed a mapping tool that compares the requirements of NIS-2 with Annex A of ISO 27001:2022.
4. What are the next sensible steps
Step 1: Clarify whether you are affected
As soon as NIS2UmsuCG comes into force, manufacturers will need to have met the requirements. There is no transition period. This means that companies should promptly check whether they fall under NIS-2 or NIS2UmsuCG.
Step 2: Determine unmet requirements
If so, refer to the EU Directive or the NIS2UmsuCG and identify the requirements that are not yet met.
This will be very simple for companies with an ISMS according to ISO 27001:2022, because their information security officer (ISB) should easily understand what needs to be done and be able to identify the deltas.
Step 3: Establish or expand the ISMS
In this step, too, companies that already have an ISMS will find it easier, since they only need to close the identified gaps in it.
Other companies will have to set up an ISMS, because the requirements of NIS-2 and German law amount to just that, even though compliance with a standard such as ISO 27001 is not required.
In particular, certification according to ISO 27001 or BSI standards is optional.
Avoid unnecessary effort! In particular, do NOT(!) implement a separate additional management system alongside the QMS. Instead, aim for an integrated management system compliant with ISO 13485 and ISO 27001 (and other standards if necessary)!
5. Conclusion and summary
There is certainly no shortage of regulatory requirements for IVD and medical device manufacturers. It would therefore be entirely understandable if they complained about yet more directives, laws and regulations such as NIS-2, the NIS2UmsuCG or the BSIG. It is certainly worth discussing why these manufacturers are considered “important entities”.
However, cyber threats have now become so massive that, from a management perspective, it would be irresponsible (and even illegal) to do nothing to counter these potentially existential threats.
Thus, the new law (with fines running into the millions) is a motivation for some to address what is now overdue.
The Johner Institute supports IVD and medical device manufacturers in implementing integrated management systems according to ISO 13485 and ISO 27001. Contact us, for example, via our contact page.