MedTech Europe Responds to Consultation on the Revision of the EU Cybersecurity Act

MedTech Europe has published its response to the European Commission’s public consultation on the proposed revision of the Cybersecurity Act (CSA), outlining several recommendations aimed at ensuring that future cybersecurity measures remain aligned with existing regulatory frameworks governing medical devices and in vitro diagnostic medical devices (IVDs).

The association supports the overall objective of strengthening the EU’s cybersecurity resilience and welcomes the proposed reinforcement of the role of the European Union Agency for Cybersecurity (ENISA). However, it argues that the revised framework should avoid creating overlapping obligations for highly regulated sectors such as medical technologies.

Vulnerability handling

Among its recommendations, MedTech Europe calls for clarity regarding ENISA’s role in vulnerability handling. The association states that EU-level coordination and information-sharing activities should not result in additional or parallel vulnerability disclosure requirements for medical technologies.

According to the position paper, vulnerability management for medical devices and IVDs often requires coordination with healthcare providers, validation activities, user training, and maintenance planning, making flexibility essential in safety-critical healthcare environments.

Cybersecurity certification

MedTech Europe also addresses the proposed European Cybersecurity Certification Framework, recommending that cybersecurity certification schemes remain voluntary and aligned with existing EU and international regulatory frameworks.

The association notes that medical devices and IVDs are already subject to cybersecurity-related requirements under the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR), while additional obligations are being introduced through horizontal legislation such as the Cyber Resilience Act. It therefore calls for a clear presumption of conformity where equivalent requirements already apply, with the objective of reducing duplication of assessments, audits, and documentation obligations.

Sector-specific expertise

The paper further recommends that conformity assessment bodies involved in cybersecurity certification schemes for medical technologies demonstrate sector-specific expertise, including knowledge of medical device regulation and clinical risk management.

MedTech Europe also advocates for the reuse of technical documentation, risk management files, and post-market evidence already generated through MDR and IVDR conformity assessments whenever possible.

Supply chain considerations

Several recommendations focus on the proposed provisions relating to ICT supply chains.

MedTech Europe supports a coordinated European approach to supply chain security but argues that the revised Cybersecurity Act should avoid introducing overlapping or conflicting requirements for medical technologies already regulated under the MDR and IVDR.

The association also highlights the importance of ensuring that any supply-chain risk mitigation measures are risk-based, proportionate, and designed to safeguard patient safety and continuity of care. According to the paper, restrictions affecting suppliers, software, components, or maintenance activities could have consequences for healthcare delivery if not carefully implemented.

Stakeholder involvement

The response welcomes the proposed establishment of a European Cybersecurity Certification Assembly but recommends complementing it with a permanent expert-level mechanism to support continuous stakeholder engagement throughout the development and maintenance of cybersecurity certification schemes.

Why this matters for manufacturers

Although the Cybersecurity Act revision remains under discussion, the consultation response highlights several areas of interest for medical device and IVD manufacturers, including:

  • Future vulnerability handling and disclosure processes;

  • The interaction between cybersecurity certification schemes and MDR/IVDR requirements;

  • Expectations for conformity assessment bodies involved in cybersecurity evaluations;

  • International recognition of cybersecurity certifications;

  • Potential supply chain security measures affecting medical technologies.

The European Commission will review stakeholder feedback as part of the legislative process for the revision of the Cybersecurity Act.
