The NIS-2 (Network and Information Security) Directive is a European directive (Directive (EU) 2022/2555) that sets minimum standards for cybersecurity within the EU.
Does this directive also affect IVD and medical device manufacturers? If so, what does it require, and what should manufacturers do? This article provides answers.
- The NIS 2 Implementation Act has been in force since December 2025. It essentially contains amendments to the BSI Act and transposes the EU NIS 2 Directive into national law.
- Only “critical” medical device and IVD manufacturers are affected.
- Affected companies are subject to registration and reporting requirements as well as IT security risk management requirements.
- The Johner Institute supports companies in determining whether they are affected and in meeting the requirements.
- Additional IT security requirements (e.g., from the MDR, IVDR) exist independently of NIS-2.
1. What NIS-2 is about
a) Objective
The threats to IT infrastructures from cyber attacks are increasing. Accordingly, legislators are imposing more and more requirements that companies must comply with.
One example is NIS-2, the EU Directive 2022/2555, which the EU published on December 27, 2022. NIS stands for “Network and Information Security.” The number two indicates that there is already an older directive on cybersecurity from 2016.
The main objectives of NIS-2 are:
- Increasing cybersecurity by improving the security of network and information systems
- Better cooperation through increased communication and information sharing between EU member states
- Increasing the resilience of critical sectors such as energy, transport, and healthcare to cyber threats
- Introduction of a security incident reporting requirement for operators of critical services and digital service providers
- Enhanced protection of the confidentiality and integrity of data, in particular personal data
- Support for detecting and responding to cyber attacks
b) National implementation
Like all EU directives, NIS-2 requires the member states to transpose its requirements into national law. In this case, the deadline was October 17, 2024.
In Germany, the NIS 2 Implementation Act (NIS2UmsuCG) did not come into force until December 5, 2025. As its name suggests, it implements the provisions of the EU directive in national law. The act amends the "BSI Act" (BSIG) and a total of 32 other laws and regulations, such as the Telecommunications Act and the DiGA Act (see Fig. 1), and designates the BSI as the responsible national authority.

NIS 2 requires member states to adopt national security strategies and designate or establish competent national authorities for cyber crisis management, as well as central points of contact and computer emergency response teams.
The NIS 2 directive may be supplemented by implementing acts.
The BSI website lists the key obligations arising from the NIS 2 Implementation Act.
2. Who is affected by NIS-2
The NIS-2 Directive defines its scope in Article 2. According to this, critical and particularly critical entities are affected. For Germany, § 28 of the BSIG defines which entities fall into these categories; it refers to Annexes 1 and 2 of the BSIG.
In short: any IVD or medical device manufacturer that employs at least 50 people, or whose annual turnover and annual balance sheet total both exceed EUR 10 million, falls within the scope of NIS 2. The details follow.
a) Sectors of high criticality
Definition according to Annex I and Annex II
Annex I of the BSIG lists the “sectors of particularly critical and critical entities.” In the context of IVD and medical devices, it mentions:
Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list) within the meaning of Article 22 of Regulation (EU) 2022/123 of the European Parliament and of the Council
However, the referenced EU Regulation 2022/123 does not define a list of critical medical devices. Instead, it requires an “executive steering group on shortages of medical devices” to “adopt” a list of categories of critical medical devices “immediately following the recognition of a public health emergency.”
Annex 1 (Section 4) also lists:
- Healthcare providers within the meaning of Directive 2011/24/EU
- EU reference laboratories pursuant to Article 15 of Regulation (EU) 2022/2371
Exceptions
An exception are entities with fewer than 250 employees, where either the annual turnover is less than EUR 50 million or the annual balance sheet total is less than EUR 43 million.
Summary
IVD and medical device manufacturers only fall under this first definition if one or more of their devices are included in the list of critical devices in the event of a public health emergency and if they are not excluded by the size thresholds above (250 employees, EUR 50 million turnover, EUR 43 million balance sheet total).
b) Other critical sectors
Definition according to Annex II
Annex II of the BSIG lists the "other critical sectors." By its definition, this annex does not overlap with Annex I: manufacturers already covered by Annex I are explicitly excluded.
In the context of medical devices and IVD, it concerns:
Companies that manufacture medical devices in accordance with Article 2(1) of Regulation (EU) 2017/745 and companies that manufacture in vitro diagnostic medical devices in accordance with Article 2(2) of Regulation (EU) 2017/746, with the exception of companies that manufacture medical devices that are classified as critical during a public health emergency in accordance with Article 22 of Regulation (EU) 2022/123 (“List of critical medical devices for public health emergencies”).
Exceptions
Exceptions are entities with fewer than 50 employees, where either the annual turnover is less than EUR 10 million or the annual balance sheet total is less than EUR 10 million.
Summary
All IVD and medical device manufacturers fall under this second definition if they are not small companies (according to the above employee and financial figures). Manufacturers already covered by the first category (Annex I) are excluded from this one.
3. What the most important requirements are
a) Overview
The BSIG requires critical and particularly critical entities to protect themselves effectively using technical and organizational measures that reflect the state of the art. It requires a risk management system (focusing on IT security), including risk analysis, risk evaluation, and (partly prescribed) risk-mitigating measures.
There are also reporting requirements, an obligation to register with the BSI, and implementation, monitoring, and training obligations for top management.
The annexes distinguish between “sectors of particularly critical and critical entities” and “sectors of critical entities.” However, the requirements hardly distinguish between “critical entities and particularly critical entities.” This means they apply to all IVD and medical device manufacturers above the mentioned sizes.
b) Summary
The requirements of the NIS-2 Directive and of the BSIG as revised by the NIS2UmsuCG have a high degree of overlap with the requirements of an Information Security Management System (ISMS), e.g., according to ISO 27001:2022.
In other words, achieving NIS-2 conformity will require a significant effort from manufacturers that have not implemented an Information Security Management System (ISMS).
Conversely, companies that already work in compliance with ISO 27001:2022 already (largely) meet the requirements of NIS-2 and the national laws. The BSI (here the British Standards Institution, not the German Federal Office) has developed a mapping tool that compares the requirements of NIS-2 with Annex A of ISO 27001:2022.
4. What good next steps are
Step 1: Clarify the level of concern
The NIS2UmsuCG is in force, and manufacturers must comply with its requirements now; there is no general transition period. Companies should therefore promptly check whether they fall under NIS-2 or the NIS2UmsuCG.
Step 2: Identify non-compliant requirements
If so, they must examine the EU directive and the NIS2 Implementation Act and determine which requirements have not been met.
This will be comparatively easy for companies with an ISMS according to ISO 27001:2022, because their Chief Information Security Officer (CISO) should readily understand what needs to be done and can identify the deltas.
Step 3: Establish/supplement ISMS
This step will also be easier for companies with an ISMS when it comes to closing the gaps in the ISMS. This also includes establishing a reporting process and supplementing risk management.
For other companies, the next step is to set up an ISMS. This is because the requirements of NIS-2 and German law are aimed precisely at this, even if they do not require conformity with a standard such as ISO 27001.
In particular, certification according to ISO 27001 or the BSI standards is optional.
Avoid unnecessary effort! In particular, do not set up a separate, additional management system alongside the QMS. Instead, strive for an integrated management system according to ISO 13485 and ISO 27001 (and possibly other standards).
Step 4: Complete registration
If you are affected, you must register your company with the BSI.
5. Conclusion and summary
IVD and medical device manufacturers are certainly not short of regulatory requirements. It would, therefore, be completely understandable if they complained about even more guidelines, laws, and regulations such as NIS-2, the NIS2UmsuCG, or the BSIG. It is certainly also worth discussing why these manufacturers, in particular, are considered “critical entities.”
However, cyber threats have become so massive that it would be irresponsible (and even illegal) from the perspective of top management not to counter these potentially existential threats.
Therefore, the new law (with fines in the millions) motivates some to tackle what has been overdue for some time.
Johner Institute supports IVD and medical device manufacturers in implementing integrated management systems according to ISO 13485 and ISO 27001. You can contact us, for example, via our contact page.
Change history
- 2026-01-13: The German NIS 2 Implementation Act is in force. Therefore:
  - Introductory section amended
  - Key takeaways added
  - Sections 1.b) and 2. revised
  - Section 4, Step 3: second sentence added
  - Section 4: Step 4 added
- 2024-11-05: First version published


Does this apply to foreign manufacturers placing their devices on the market?
Dear Hayley, the NIS-2 Directive applies to entities that provide their services or carry out their activities in the European Union. Device manufacturers located outside the EU that do not provide services are out of scope.
Best regards
Christian Rosenzweig