Background
We advise our clients to understand how the following regulations/directives apply to them:
- Network & Information Systems Directive (NIS) (UK/EU)
- Network & Information Systems Directive (NIS2) (EU)
- EU Cyber Resilience Act (CRA) (EU)
- EU Medical Device Regulations (MDR) (EU)
- Medical Device Directive (UK)
- DCB0129/0160 (UK Healthcare) (see the dedicated page here)
The clauses within these regulations/directives can be addressed in most cases through the implementation of a combination of different ISO standards within a business.
NIS defined a comprehensive series of cybersecurity requirements that applied to a range of sectors across all EU Member States. NIS also applies in the UK.
NIS requires organisations to address topics including:
- Information security risk analysis
- Incident response and management
- Business continuity
- Monitoring, auditing and testing
- Compliance with international standards
- System life cycle management
- Supply chain security
Sectors that are included within the original NIS include healthcare, aviation, energy and digital infrastructure.
NIS2, which is in force in the EU from 2024, not only expands the scope of the security requirements but also increases the number of entities classified as 'Essential' or 'Important', now including:
- Managed Service / Managed Security Service Providers
- Data centre service providers
- Cloud computing service providers
- Medical device manufacturers
- Reference laboratories
- Research organisations
- Manufacturers
Almost all businesses can address the majority of requirements through the implementation of a range of ISO standards including ISO27001, ISO22301, ISO9001 and certain specialist ISO27000 series standards.
Non-compliance with NIS2 can lead to significant financial penalties of up to €10m or 2% of global annual revenue.
The EU CRA is a complementary regulation to NIS2 but focuses on products instead of businesses. The following product types will now need to demonstrate evidence of the implementation of significant security policies, processes, controls and documentation to receive CE marking:
- Anti-malware software
- Firewalls
- Intrusion Detection / Intrusion Prevention Systems
- Identity management systems (inc. biometrics)
- Network management systems
- Switches, modems and routers
- Security Information and Event Management (SIEM) systems
- Hypervisors
- Physical and virtual network interfaces
Non-compliance will lead to fines similar to those under NIS2 and to a lack of CE certification, which is essential for market access in the EU. Compliance can be addressed through a combination of ISO standards, with ISO27001 as a foundation.
Both EU NIS2 and CRA are likely to have major elements transferred into UK law through the UK Cybersecurity and Resilience Bill.
Medical Devices & The EU AI Act
In the UK and EU, software solutions that influence or directly take clinical decisions are increasingly classified at a minimum as Class IIa medical devices. This category of products is called Software as a Medical Device (SaMD).
In the UK, these products are covered under the Medical Device Directive (MDD) and in the EU under the Medical Device Regulation (MDR). Compliance with these regulations/directives is essential for UKCA / CE marking and market access.
Additionally, medical devices with a Class IIa rating or greater that have an AI component may be subject to the EU AI Act as a 'High Risk AI System' (HRAIS) which will require additional risk analysis and documentation as a part of its CE marking.
A combination of ISO standards implemented together will address the majority of the regulatory requirements for SaMD solutions and manufacturers: ISO14971, ISO13485, ISO42001 and ISO27001.
DCB0129 Clinical Risk Management
DCB0129 is a mandatory clinical risk management standard that applies to all health IT vendors and many medical device manufacturers and network infrastructure/cybersecurity suppliers operating in the NHS in England. To find out more visit this dedicated page.