As medical devices increasingly rely on digital and AI-driven components, the European Union is enhancing its regulatory framework to address safety, cybersecurity and accountability.
Building upon the Medical Devices Regulation (MDR, Regulation (EU) 2017/745) and the In Vitro Diagnostic Regulation (IVDR, Regulation (EU) 2017/746), the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), the revised Product Liability Directive (PLD, Directive (EU) 2024/2853), the NIS2 Directive (Directive (EU) 2022/2555) and the Artificial Intelligence Act (AI Act, Regulation (EU) 2024/1689) form a robust foundation for protecting patients while fostering innovation.
The EU’s regulatory journey in medical devices set a global precedent by bringing software within its legal framework early on. The 1993 Medical Devices Directive (MDD, 93/42/EEC) already treated software as part of a medical device, and its 2007 amendment (Directive 2007/47/EC) made explicit that standalone software can itself be a medical device, one of the earliest legal frameworks worldwide to do so and a recognition of software’s critical role in patient safety.
This groundbreaking step paved the way for other jurisdictions to follow suit and laid the essential groundwork for today’s more comprehensive regulations.
Building on this foundation, the MDR introduced stringent requirements for software risk management, encompassing cybersecurity and lifecycle updates. It mandated that software undergo rigorous evaluation to mitigate risks associated with failures and evolving vulnerabilities.
These efforts, rooted in the MDD’s early focus on software safety, set the stage for the CRA, NIS2, PLD and AI Act, which address the challenges of interconnected, AI-driven medical technologies in a more comprehensive manner.
Applying to products placed on the market from December 2026, the revised PLD expands the definition of ‘product’ to include software and AI systems, whether delivered via the cloud (SaaS), embedded in hardware or distributed on physical media, as well as digital manufacturing files such as those used to 3D-print medical components. This brings software integral to medical devices, such as diagnostic platforms and patient-monitoring systems, squarely within the liability regime.
The PLD also covers damage caused by the destruction or corruption of data not used exclusively for professional purposes, recognising data as a critical asset in healthcare. Manufacturers remain liable for defects that arise after a product is placed on the market where the product stays under their control, including defective updates and the behaviour of AI systems that continue to learn. An inaccurate software update pushed to a patient-monitoring device, for example, could ground a claim.
To ease the burden on claimants, the PLD relaxes evidence requirements. Courts may presume defectiveness where a product fails to comply with mandatory safety requirements, where damage is caused by an obvious malfunction during reasonably foreseeable use, or where a manufacturer fails to disclose relevant evidence it has been ordered to produce. These measures align closely with the MDR’s patient-safety objectives.
The CRA introduces horizontal cybersecurity requirements for products with digital elements, emphasising proactive risk management and resilience. Products must ship with secure default configurations, protect data with appropriate encryption and minimise their attack surface. Comprehensive cybersecurity documentation, including secure operation and decommissioning instructions for users, is also mandated.
The CRA further requires manufacturers to identify, patch and disclose vulnerabilities promptly, including reporting actively exploited vulnerabilities and severe incidents to the authorities, and to exercise due diligence over the third-party components they integrate. In this way it complements the PLD’s emphasis on post-market safety and incident response. One scoping caveat matters for this sector: under Article 2 the CRA does not apply to products with digital elements that are already covered by the MDR or IVDR, so for a regulated medical device its requirements are a benchmark rather than a direct obligation, and they bite directly only on surrounding products that sit outside MDR/IVDR scope, such as general-purpose gateways, operating systems or companion software that is not itself a medical device.
The NIS2 Directive is a pivotal framework ensuring that entities address cybersecurity risks, implement robust risk-management measures, and establish incident-reporting protocols.
For manufacturers of medical devices, from wearables to AI-powered diagnostic tools, NIS2 requires supply-chain security, accountability at management level and enhanced operational resilience. Note that NIS2 regulates entities rather than products: the manufacture of medical devices and in vitro diagnostics is listed as a sector of important entities, while entities manufacturing devices considered critical during a public health emergency fall within the essential health sector, and each category faces tailored obligations.
The synergy between the MDR, IVDR, CRA, PLD, NIS2, and AI Act reflects the EU’s holistic approach to medical device regulation. Key integrations include:
Cybersecurity as a Core Component: The MDR and IVDR require cybersecurity to be integrated into the manufacturer’s risk-management system (for software, MDR Annex I, Section 17 sets the baseline). The CRA reinforces this model by addressing vulnerabilities throughout a product’s lifecycle, and NIS2 imposes governance and risk-management obligations on health entities and manufacturers.
Post-Market Surveillance: The MDR and IVDR mandate vigilance reporting of serious incidents and field safety corrective actions. The CRA adds its own clock for cybersecurity, requiring manufacturers to notify actively exploited vulnerabilities and severe incidents within 24 hours and to remediate them. NIS2 imposes a parallel tiered timeline on in-scope entities (early warning within 24 hours, incident notification within 72 hours and a final report within a month) alongside continuous monitoring.
AI Risk and Compliance: The AI Act classifies an AI system that is a medical device, or a safety component of one, and that requires third-party conformity assessment under the MDR or IVDR as high-risk, mandating risk management, data governance including the examination of possible biases, transparency, human oversight and post-market monitoring. This dovetails with the PLD’s liability provisions, ensuring accountability across evolving AI systems.
The EU’s comprehensive regulatory framework underscores its commitment to balancing safety with technological advancement. The integration of the CRA, PLD, NIS2, AI Act, MDR, and IVDR ensures patients are protected even as medical devices grow more complex. For manufacturers, this demands meticulous lifecycle management from design and development to decommissioning.
By adhering to these frameworks, the medical device industry not only ensures compliance but also builds trust in a rapidly evolving digital healthcare ecosystem. As the EU moves forward, resilience and accountability will remain the cornerstones of innovation in healthcare.
Ian Gauci is the managing partner of GTG, a technology-focused corporate and commercial law firm that has been at the forefront of major developments in fintech, cybersecurity, telecommunications, and technology-related legislation.
This article is not intended to impart legal advice, and readers are asked to seek verification of statements made before acting on them.