Summary
Cybersecurity has become a central topic across the European digital regulatory landscape. While medical device manufacturers have already been navigating cybersecurity requirements under the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR), the introduction of the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) adds another layer of obligations that organisations developing digital products must understand.
In his LinkedIn article, Leon Doorn examines how the CRA interacts with existing healthcare regulations and why health software developers should start preparing now, even if they believe their products are already covered by medical device legislation.
One of the key clarifications highlighted in the article is the relationship between the CRA and the MDR/IVDR. Medical devices and in vitro diagnostic devices remain primarily governed by their respective sector-specific regulations. However, this does not automatically remove all healthcare-related software from the scope of the CRA. Organisations that develop software outside the medical device framework, including wellness applications, EHR systems, and other products containing digital elements, may still be directly affected by the regulation.
The article further explores how the CRA intersects with other major European legislation, including the European Health Data Space (EHDS) and the AI Act. In many situations, organisations will need to comply with multiple regulatory frameworks simultaneously. While certain assessments and documentation activities may overlap, compliance with one regulation does not automatically demonstrate compliance with another.
A significant portion of the article focuses on the practical obligations introduced by the CRA. Manufacturers are expected to integrate cybersecurity risk management throughout the entire product lifecycle, rather than treating cybersecurity as a one-time assessment. This includes identifying risks associated with intended use, implementing appropriate mitigations, documenting security controls, and maintaining evidence within technical documentation.
Leon also highlights several operational requirements that organisations may not yet have fully considered. These include preparing and maintaining a Software Bill of Materials (SBOM), managing vulnerabilities within software dependencies, defining support periods, and establishing processes for vulnerability reporting. The CRA introduces strict reporting timelines for actively exploited vulnerabilities, requiring organisations to act quickly when cybersecurity incidents occur.
Another important area covered in the article is conformity assessment and certification. Depending on the product category, manufacturers may need to demonstrate compliance through harmonised standards, internal control procedures, quality assurance systems, or future European cybersecurity certification schemes. The article discusses how emerging standards such as IEC 81001-5-1 and established frameworks like ISO 14971 may support organisations in demonstrating compliance.
The overall message is clear: cybersecurity is becoming an increasingly regulated discipline in Europe, extending well beyond traditional medical device requirements. Organisations developing healthcare software, digital health products, AI-enabled systems, or products with digital elements should begin evaluating how the CRA applies to their portfolio and prepare for its future applicability dates.
For a detailed analysis of the CRA, its interaction with MDR, IVDR, EHDS, and the AI Act, and the practical implications for health software manufacturers, read Leon Doorn’s original LinkedIn article: Cybersecurity Resilience Act (CRA, 2024/2847) and health software