Cybersecurity Becomes a GMP Priority Under the EU Cyber Resilience Act
The regulatory expectations for laboratories operating under GMP are evolving rapidly, driven by the upcoming implementation of the EU Cyber Resilience Act (CRA) and its growing alignment with existing quality frameworks. Cybersecurity is no longer viewed solely as an IT responsibility; it is increasingly recognised as a critical factor in ensuring data integrity and product quality.
For manufacturers, this shift introduces new operational and compliance considerations, particularly where laboratory systems support critical quality decisions such as batch release.
Connected Systems and Emerging Compliance Risks
Modern laboratories rely on a wide range of connected instruments, including HPLCs, spectrometers, and titrators. These systems, while essential for operations, can also represent potential cybersecurity vulnerabilities if not adequately secured.
Where system security is compromised, the reliability of generated data may be affected. In such cases, this can have direct implications for GMP compliance, particularly in relation to data integrity expectations.
Vulnerability Management and the Challenge of Maintaining Validation
A key development under the CRA is the introduction of obligations for manufacturers of products with digital elements to provide security updates and patching mechanisms.
For laboratories, this creates a dual challenge: implementing security updates in a timely manner while ensuring that systems remain in a validated state. This reinforces the need for stronger coordination between IT, Quality Assurance, and Computer System Validation (CSV) functions, as well as more agile change control processes.
Legacy Systems Under Increasing Scrutiny
Legacy equipment, particularly systems operating on unsupported or end-of-life operating systems such as older Windows versions, is becoming a growing concern.
Without access to security updates, these systems may no longer meet evolving expectations. As a result, manufacturers may need to consider mitigation strategies, including network segregation, restricted access, or long-term replacement planning.
Expanding Scope of Quality Risk Management
Cybersecurity is increasingly being considered within Quality Risk Management (QRM) frameworks, especially where risks to data integrity and product quality are identified.
In the event of a cybersecurity incident, manufacturers may need to assess the potential impact on data generated during the affected period and determine whether additional quality actions are required within the Quality Management System.
Increased Focus on Supplier and Vendor Oversight
The CRA also reinforces the importance of supplier engagement. Manufacturers are expected to obtain greater transparency from instrument vendors regarding their cybersecurity practices.
This may include information on:
Availability of security patches
Secure development practices
Software composition, such as through Software Bills of Materials (SBOMs)
These elements are becoming increasingly relevant within supplier qualification and lifecycle management processes.
A Structured Approach to Cyber-Readiness
To support laboratories in adapting to these changes, structured approaches to cyber-readiness are emerging. These typically include establishing a comprehensive inventory of connected assets, assessing system criticality, and defining clear strategies for patch management and risk mitigation.
The “Lab Cyber-Readiness & GMP Checklist” provides a practical framework covering areas such as asset inventory, vendor management, data integrity controls, validation, and personnel awareness.
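As an added illustration (not part of the article or the checklist it cites), the following script turns the steps above into a simple assessment: it takes a constructed instrument inventory, derives each asset's criticality from whether it supports batch release, and maps its operating-system support, vendor patch availability and network placement to the mitigations the text names (patching under change control, segregation and restricted access, replacement planning, QRM review). The field names, sample instruments and decision rules are assumptions for the example, not a prescribed scheme.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class LabAsset:
    """One connected instrument from the asset inventory (fields are assumed)."""
    name: str
    os: str
    os_supported: bool          # OS vendor still ships security updates
    vendor_patches: bool        # instrument vendor provides security patches
    supports_batch_release: bool
    segregated: bool            # already on a restricted/segregated network

def criticality(a: LabAsset) -> str:
    # Systems feeding batch-release decisions are the high-criticality tier.
    return "high" if a.supports_batch_release else "standard"

def required_actions(a: LabAsset) -> list[str]:
    """Map an asset's state to the mitigation strategies the article lists."""
    actions: list[str] = []
    if a.vendor_patches:
        actions.append("apply vendor patches under change control; re-verify validated state")
    if not a.os_supported:
        if not a.segregated:
            actions.append("network segregation and restricted access")
        actions.append("long-term replacement planning")
    if criticality(a) == "high" and not (a.os_supported and a.vendor_patches):
        actions.append("QRM assessment of data integrity impact")
    return actions or ["maintain: routine patch cycle"]

def assess(inventory: list[LabAsset]) -> dict[str, dict]:
    """Assessment per asset: criticality tier plus the actions it requires."""
    return {a.name: {"criticality": criticality(a), "actions": required_actions(a)}
            for a in inventory}

# Constructed sample inventory for the example; not data from a real laboratory.
INVENTORY = [
    LabAsset("HPLC-01", "Windows 7", False, False, True, False),
    LabAsset("UV-Vis-02", "Windows 10", True, True, False, False),
    LabAsset("Titrator-03", "Windows XP", False, True, True, True),
]

if __name__ == "__main__":
    for name, result in assess(INVENTORY).items():
        print(name, result["criticality"], "->", "; ".join(result["actions"]))
```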
Looking Ahead: Preparing for CRA Implementation
The EU Cyber Resilience Act will introduce phased obligations ahead of its full application in 2027. For manufacturers placing products with digital elements on the EU market, early preparation will be essential.
Aligning laboratory practices with these evolving expectations will not only support compliance but also strengthen overall system resilience.
Conclusion
The convergence of cybersecurity and GMP reflects a broader shift in regulatory expectations. Data integrity can no longer be considered in isolation from system security.
For manufacturers, laboratories are now part of the wider digital risk landscape, requiring proactive assessment and integration of cybersecurity into existing quality systems.