With the digitization of the healthcare industry, the risk of cybercrime has increased, exposing the industry’s inconsistent approach to medical device cybersecurity and its varying degrees of maturity. Wide attack surfaces and legacy devices with known, exploitable vulnerabilities leave Healthcare Delivery Organizations (HDOs) at risk.
As a result, a number of regulations – namely the Medical Device Regulation (MDR, Regulation (EU) 2017/745) and the In Vitro Diagnostic Medical Devices Regulation (IVDR, Regulation (EU) 2017/746) – have been put in place to help fortify medical devices, and the processes that produce them, against potential attacks.
The revised Directive on the Security of Network and Information Systems (NIS2 Directive) was recently published with the goal of further strengthening cybersecurity regulations in Europe and helping to form a better coordinated basis for medical device cybersecurity action.
What is the NIS2 Directive and why did it replace NIS?
The original Directive on Security of Network and Information Systems (NIS Directive, Directive (EU) 2016/1148) was adopted in 2016 and was the first EU-wide legislation on cybersecurity. Under it, Member States adopted national cybersecurity strategies and designated competent authorities, with the aim of increasing cooperation and facilitating the exchange of information.
The original NIS Directive proved difficult to implement consistently, so a second Directive was drafted to address its deficiencies, strengthen the security requirements and tackle supply chain risks. The NIS2 Directive (proposed in December 2020) aimed to streamline incident reporting, introduce supervisory measures and tighten enforcement across Europe.
In December 2022, NIS2 (Directive (EU) 2022/2555) was published in the Official Journal of the European Union, and it entered into force on January 16, 2023. It replaces the original Directive’s distinction between Operators of Essential Services (OESs) and Digital Service Providers (DSPs) with new categories of entities.
How are firms classified under NIS2?
Under the NIS2 Directive, the OES and DSP categories have been replaced by essential and important entities, divided as follows:
- Large firms (at least 250 employees, or annual turnover above €50 million) operating in a sector listed in Annex I are essential entities.
- Medium-sized firms in Annex I sectors, and large and medium-sized firms in Annex II sectors, are important entities.
Any firm that carries out its activities within the EU in a sector listed in Annex I or Annex II of the NIS2 Directive, and that meets the size threshold, now falls within its scope. The Annexes are divided into sectors and subsectors, each with a list of entity types.
For example, ‘health’ is an Annex I sector and ‘manufacturing’ is an Annex II sector; the latter includes the subsector ‘manufacture of medical devices and in vitro diagnostic medical devices’. An entity active in any listed sector that has at least 50 employees, or an annual turnover above €10 million, will need to comply with the new Directive.
What does the adjustment timeframe for NIS2 look like?
As the NIS2 Directive entered into force on January 16, 2023, Member States have until October 17, 2024 to transpose it into national legislation, and medical device manufacturers (MDMs) should use this transition period to adopt the required compliance measures. From October 18, 2024, the NIS2 Directive replaces the original NIS Directive, and all in-scope entities, whether classified as essential or important, must comply with the new and stricter cybersecurity rules.