Implementation of the NIS2 Directive – New Compliance Requirements for the Medical Technology Sector
1. Introduction
The digital transformation of healthcare is advancing rapidly. Medical technology companies are no longer merely device manufacturers but providers of highly interconnected systems that are often directly integrated into critical supply processes. This leads to increased dependence on secure IT infrastructures and a significant rise in cyberattack risks. Against this backdrop, the European Union has established a new legal framework through Directive (EU) 2022/2555 (NIS2) to ensure a high common level of cybersecurity.
Germany is now implementing these requirements through the NIS2 Implementation and Cybersecurity Strengthening Act. For medical technology companies – regardless of whether they operate critical infrastructures (CRITIS) or act as suppliers – this results in significant new obligations. This article outlines the key changes, analyzes their relevance for the medtech industry, and provides practical recommendations for action.
2. Expanded Scope – Focus on Medical Technology
2.1 New Categories of Entities
While the previous IT Security Act primarily targeted operators of critical infrastructures, NIS2 significantly broadens its scope. It now covers not only CRITIS operators but also essential and important entities. This includes many medical technology companies, even if they are not directly operating as hospitals or laboratories.
Example: A mid-sized manufacturer of imaging systems whose products are widely used in hospitals can be classified as an “essential entity” due to the potential supply risks posed by a failure.
2.2 Thresholds and Relevance
Classification depends mainly on company size (more than 50 employees or an annual turnover above €10 million) and sector. Since medical technology is explicitly included in the EU’s health sector catalog, many companies are now covered for the first time.
3. New Security Requirements
3.1 Minimum Security Measures
NIS2 obliges companies to implement a comprehensive Information Security Management System (ISMS). Article 21 NIS2 outlines a catalogue of measures, including:
- Risk analysis and security policies
- Incident response and recovery plans
- Supply chain security
- Cryptography and encryption of sensitive data
- Monitoring, audits, and penetration testing
For medtech companies, this means a significant expansion of existing quality and safety standards.
3.2 Proportionality
The extent of the measures depends on the category of the entity. However, even smaller companies classified as “important entities” must demonstrate substantial security measures.
4. Reporting Obligations for IT Security Incidents
4.1 New Three-Stage Reporting Regime
The previous single-stage reporting system is replaced by a three-stage procedure:
- Early warning within 24 hours
- Interim report within 72 hours
- Final report with root cause analysis and mitigation measures
4.2 Relevance for Medical Technology Companies
As medical technology products become increasingly cloud-based and interconnected, the likelihood of reportable incidents rises. A cyberattack on a software platform for image diagnostics, for example, may trigger the reporting obligation, even if patient care is not yet directly affected.
5. Oversight and Sanctions
5.1 Expanded Powers of the BSI
The German Federal Office for Information Security (BSI) gains significantly expanded powers. It can now:
- Order security audits
- Issue binding instructions
- Conduct audits and demand evidence
5.2 Sanctions
Violations may result in fines of up to €10 million or 2% of global annual turnover, whichever is higher.
6. Interfaces with Medical Device Regulation
Medical technology is already subject to extensive regulation (MDR, ISO 13485, ISO 14971). Now, NIS2 adds another layer. This leads to both regulatory conflicts and synergies:
- Synergy: Many MDR requirements on risk management and post-market surveillance can be aligned with ISMS processes.
- Conflict: While MDR focuses on patient safety, NIS2 emphasizes IT security and resilience.
7. Recommendations for Medical Technology Companies
- Conduct a gap analysis
- Implement an ISMS
- Ensure contractual safeguards
- Provide training and raise awareness
- Conduct emergency drills
- Document everything thoroughly
8. Conclusion
With the NIS2 Implementation Act, a new binding legal framework for cybersecurity is being established for the medical technology sector. Companies must significantly enhance their compliance structures to meet the rising demands.