The NIS-2 (Network and Information Security) Directive is a European directive (Directive (EU) 2022/2555) that sets minimum standards for cybersecurity within the EU.
Does this directive also affect IVD and medical device manufacturers? If so, what does it require, and what should manufacturers do? This article provides answers.
1. What NIS-2 is about
a) Objective
The threats to IT infrastructures from cyber attacks are increasing. Accordingly, legislators are imposing more and more requirements that companies must comply with.
One example is NIS-2, the EU Directive 2022/2555, which the EU published on December 27, 2022. NIS stands for “Network and Information Security.” The number two indicates that there is already an older directive on cybersecurity from 2016.
The main objectives of NIS-2 are:
- Increasing cybersecurity by improving the security of network and information systems
- Better cooperation through increased communication and information sharing between EU member states
- Increasing the resilience of critical sectors such as energy, transport, and healthcare to cyber threats
- Introduction of a security incident reporting requirement for operators of critical services and digital service providers
- Enhanced protection of the confidentiality and integrity of data, in particular personal data
- Support for detecting and responding to cyber attacks
b) National implementation
Like all EU directives, the NIS-2 Directive requires EU member states to transpose its requirements into national law. In this case, this must be done by October 2024.
In Germany, the draft (!) of the NIS-2 Implementation Act (NIS2UmsuCG; German-language document), adopted on July 24, 2024, is now available. This law in turn stipulates that a revised “BSI Act” (BSIG) be enacted and that a total of 32 other laws and ordinances, such as the Telecommunications Act and the DiGA Act, be amended (see Fig. 1).
The NIS-2 requires member states to adopt national security strategies and designate or establish competent national authorities for cyber crisis management, central points of contact, and computer emergency response teams.
The draft mentioned above indicates that the Federal Office for Information Security (BSI) will be the responsible authority in Germany.
The NIS-2 Directive can be supplemented by implementing acts.
2. Who is affected by NIS-2
Any IVD or medical device manufacturer that employs at least 50 people or has an annual turnover and an annual balance sheet of more than EUR 10 million falls within the scope of NIS-2.
The NIS-2 Directive defines its scope in Article 2. According to this, critical and particularly critical entities are affected. For Germany, §28 of the BSIG defines which entities fall into these categories; that section refers to Annexes I and II of the Act.
a) Sectors of high criticality
Definition according to Annex I and Annex II
Annex I of the BSIG lists the “sectors of particularly critical and critical entities.” In the context of IVD and medical devices, it mentions:
Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list) within the meaning of Article 22 of Regulation (EU) 2022/123 of the European Parliament and of the Council
However, the referenced EU Regulation 2022/123 does not define a list of critical medical devices. Instead, it requires an “executive steering group on shortages of medical devices” to “adopt” a list of categories of critical medical devices “immediately following the recognition of a public health emergency.”
Exceptions
Exempt from this category are entities with fewer than 250 employees, where either the annual turnover is less than EUR 50 million or the annual balance sheet total is less than EUR 43 million.
Summary
IVD and medical device manufacturers only fall under this first definition if one or more of their devices are included in the list of critical devices adopted in the event of a public health emergency and if they count as at least medium-sized companies (according to the employee and financial figures mentioned above).
b) Other critical sectors
Definition according to Annex II
Annex II of the BSIG lists the “other critical sectors.” At first glance, this category does not appear to overlap with Annex I, but by its definition, it does.
In the context of medical devices and IVD, it concerns:
- Entities manufacturing medical devices as defined in Article 2, Point (1), of Regulation (EU) 2017/745 of the European Parliament and of the Council with the exception of entities manufacturing medical devices referred to in Annex I, Point 5, fifth indent, of this Directive,
- and entities manufacturing in vitro diagnostic medical devices as defined in Article 2, Point (2), of Regulation (EU) 2017/746 of the European Parliament and of the Council with the exception of entities manufacturing medical devices referred to in Annex I, Point 5, fifth indent, of this Directive.
Exceptions
Exempt from this category are entities with fewer than 50 employees, where either the annual turnover is less than EUR 10 million or the annual balance sheet total is less than EUR 10 million.
Summary
All IVD and medical device manufacturers fall under this second definition if they are not small companies (according to the employee and financial figures above). Manufacturers that already fall under the first category (Annex I) are excluded from this second one.
3. What the most important requirements are
a) Overview
The BSIG requires critical and particularly critical entities to protect themselves effectively using technical and organizational measures that reflect the state of the art. It requires a risk management system (focused on IT security), including risk analysis, risk evaluation, and (partly prescribed) risk-mitigating measures.
There are also reporting requirements, an obligation to register with the BSI, and implementation, monitoring, and training obligations for top management.
The annexes distinguish between “sectors of particularly critical and critical entities” and “other critical sectors.” However, the requirements themselves hardly distinguish between critical entities and particularly critical entities. This means they apply to all IVD and medical device manufacturers above the sizes mentioned.
b) Summary
The requirements of the NIS-2 Directive and of the BSIG as revised by the NIS2UmsuCG overlap to a high degree with the requirements of an Information Security Management System (ISMS), e.g., according to ISO 27001:2022.
In other words, achieving NIS-2 conformity will require a significant effort from manufacturers that have not yet implemented an ISMS.
Conversely, companies that already work in compliance with ISO 27001:2022 already (largely) meet the requirements of NIS-2 and the national laws. The BSI (here the British Standards Institution, not the German Federal Office for Information Security) has developed a mapping tool that compares the requirements of NIS-2 with Annex A of ISO 27001:2022.
4. What good next steps are
Step 1: Clarify the level of concern
As soon as the NIS2UmsuCG comes into force, manufacturers must comply with its requirements; a transition period is not expected. Companies should therefore promptly check whether they fall under NIS-2 or the NIS2UmsuCG.
Step 2: Identify non-compliant requirements
If so, they must examine the EU directive and the NIS-2 Implementation Act (NIS2UmsuCG) and determine which requirements they do not yet meet.
This will be comparatively easy for companies with an ISMS according to ISO 27001:2022, because their Chief Information Security Officer (CISO) should readily understand what needs to be done and be able to identify the deltas.
Step 3: Establish/supplement ISMS
This step will also be easier for companies that already have an ISMS, as it comes down to closing the gaps in that ISMS.
For other companies, the next step is to set up an ISMS. The requirements of NIS-2 and of German law aim at precisely this, even though they do not require conformity with a standard such as ISO 27001.
In particular, certification according to ISO 27001 or the BSI standards is optional.
Avoid unnecessary effort! In particular, do not set up yet another (!) separate management system alongside the QMS. Instead, strive for an integrated management system according to ISO 13485 and ISO 27001 (and possibly other standards)!
5. Conclusion and summary
IVD and medical device manufacturers are certainly not short of regulatory requirements. It would therefore be completely understandable if they complained about yet more guidelines, laws, and regulations such as NIS-2, the NIS2UmsuCG, or the BSIG. It is also worth discussing why these manufacturers, in particular, are considered “critical entities.”
However, cyber threats have become so massive that, from the perspective of top management, it would be irresponsible (and even illegal) not to counter these potentially existential threats.
The new law (with fines in the millions) will therefore motivate some to tackle what has been overdue for some time.
Johner Institute supports IVD and medical device manufacturers in implementing integrated management systems according to ISO 13485 and ISO 27001. You can contact us, for example, via our contact page.