Abstract
The regulation of cybersecurity for medical devices keeps evolving in the European Union (EU). In the past few years, new pieces of legislation have been added to the initial framework for medical device cybersecurity, including the Medical Device Regulation, the General Data Protection Regulation and the Cybersecurity Act. The Artificial Intelligence Act, the European Health Data Space Regulation and the Data Act are forthcoming laws that contain cybersecurity-related requirements applicable to medical devices. This article examines the requirements stemming from each of these, as well as their role vis-a-vis the existing legal framework. We observe that despite being comprehensive and wide ranging in their changes, these new regulations may be inadequate for the task of ensuring the cybersecurity of medical devices. In our view, this approach by the EU legislature is inadequate because it fails to foresee cybersecurity requirements in a way that is truly linked with the already existing cybersecurity laws. To help address this problem, the article offers a set of workable recommendations that EU legislators would be well advised to take on board in respect of specific regulations, as well as in general, when establishing cybersecurity-related requirements.
Publisher
Queensland University of Technology
Subject
Law, Social Sciences (miscellaneous), Computer Science (miscellaneous)
Cited by
7 articles.