Health-ISAC Hacking Healthcare 1-26-2026
This week, Health-ISAC®‘s Hacking Healthcare® examines the European Commission’s open public feedback period for an initiative that seeks to simplify EU rules for medical devices and in vitro diagnostics.[i] Included in the newly published proposed regulation are noteworthy changes to cybersecurity provisions. Join us as we summarize the initiative and highlight the proposed cybersecurity elements.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare®!
Proposed E.U. Revision of Medical Device Regulations Includes Cybersecurity Requirement Updates
In early September of last year, the European Commission published a call for evidence to elicit feedback on a “targeted revision of the EU rules for medical devices and in vitro diagnostics”.[i][ii] The aim of the proposal is to “streamline and future-proof the regulatory framework by reducing the administrative burden and enhancing predictability and cost-efficiency, while preserving a high level of public health and patient safety.”[iii]
After receiving nearly 450 responses, the European Commission has published its full proposal, including changes to cybersecurity provisions, and has opened a new round of feedback to inform upcoming legislative debates between the European Commission, European Parliament, and European Council. Let’s break down the proposal, focusing on the cybersecurity elements, and assess what Health-ISAC members should take away from this initiative.
What Regulations Are Being Targeted?
The proposal targets two existing regulations, Regulation (EU) 2017/745 on Medical Devices and Regulation (EU) 2017/746 on In vitro Diagnostic Medical Devices, which together cover the more than 2 million medical technologies in Europe.[iv] As the European Commission’s evaluation stresses, the products covered by these regulations “have a fundamental role in saving lives by providing innovative healthcare solutions for the diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.”[v] Both regulations were published on April 5, 2017, and came into force in May of that year. While they have been in application since May 2021 and May 2022 respectively, the transitional period for full implementation has been considerably extended owing to a variety of challenges.
In terms of their coverage, Regulation (EU) 2017/745 on Medical Devices provides the “rules concerning the placing on the market, making available on the market or putting into service of medical devices for human use and accessories for such devices in the [European] Union. [The] Regulation also applies to clinical investigations concerning such medical devices and accessories conducted in the Union.”[vi] Regulation (EU) 2017/746 on In vitro Diagnostic Medical Devices addresses the same scope for in vitro diagnostic devices.[vii]
Catalyst For The Proposal
In 2024, the European Commission began a targeted evaluation of Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR) with the intent of assessing the effectiveness of the rules, the administrative and financial costs of the rules, and the benefits to patients and users.[viii] Owing to a variety of implementation challenges, the evaluation was pushed ahead of schedule (it was not legally required before May 2027) and conducted before the two regulations had been fully implemented.
According to the European Commission, the evaluation found that “while the EU Regulatory framework benefits from a more robust infrastructure for safe and performant medical devices, it is not always effective in achieving its objectives.”[ix] This included disproportionate and unevenly distributed compliance costs and the potential for contradictory or overlapping requirements with other EU rules and regulations (such as the AI Act and NIS2).
Proposed Cybersecurity Updates
Issue: The European Commission has determined that the current state of medical devices and in vitro diagnostic medical devices falling outside of Regulation (EU) 2024/2847 (Cyber Resilience Act) has created a cybersecurity gap that needs to be addressed. The current reporting requirements within Article 87 of the MDR and Article 82 of the IVDR (Vigilance Rules) do not require cybersecurity-related incidents that do not concern public health or patient safety to be reported.
Proposal: MDR: new Article 87a, Annex I & IVDR: new Article 82a, Annex I.
“Serious incidents reported in accordance with the vigilance system established under the MDR or IVDR, which also qualify as actively exploited vulnerabilities and severe incidents as referred to in Regulation (EU) 2024/2847 on cyberresilience, will be made available to the relevant national computer security incident response teams (‘CSIRTs’) and to the European Union Agency for Cybersecurity (ENISA). In addition, manufacturers will have to report actively exploited vulnerabilities and severe incidents that do not qualify as serious incidents within the meaning of the MDR or IVDR to the CSIRTs and ENISA through Eudamed.”[x] Additionally, “In Annex I MDR/IVDR, cybersecurity will be explicitly mentioned in the general safety and performance requirements.”[xi]
The proposal would obligate a covered manufacturer to submit a required report not later than 30 days after it becomes aware of the actively exploited vulnerability or the severe incident.
Action & Analysis
**Included with Health-ISAC Membership**
[i] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_en
[ii] Specifically, Regulation (EU) 2017/745 on medical devices (MDR), and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR).
[iii] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_en
[iv] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_en
[v] Evaluation – SWD(2025) https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_en
[vi] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02017R0745-20260101
[vii] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02017R0746-20250110
[viii] https://ec.europa.eu/newsroom/sante/items/861619/
[ix] Executive Summary of the Evaluation. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_en
[x] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_en
[xi] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14808-Medical-devices-and-in-vitro-diagnostics-targeted-revision-of-EU-rules_e