
EU Cyber Resilience Act Guide for Home Health Monitoring Device Manufacturers

Standard Default (wellness devices); Important Class I or II (medical-grade connected devices)

Manufacturers of connected home health devices — including blood pressure monitors, pulse oximeters, blood glucose meters, and smart scales with network connectivity — must comply with the CRA in addition to any applicable Medical Device Regulation requirements. These devices collect sensitive physiological data in consumer home environments and must meet stringent security-by-design standards. The consumer deployment context means that usability and security must be engineered together, with automatic update mechanisms and clear end-of-support policies particularly important.

Relevant CRA provisions: Article 3, Article 10, Article 11, Article 13, Article 14, Annex I
Deadline: September 2026

CRA Scope: Medical Devices vs. Wellness Products

The CRA applies to home health monitoring devices regardless of whether they are regulated as medical devices under MDR 2017/745. The classification question for CRA purposes focuses on product function and risk profile: consumer wellness devices — such as smart scales, step counters, and general-purpose heart rate monitors — that make no medical claims and are not intended for clinical monitoring are likely Default-category products subject to standard CRA requirements. Devices that are regulated as medical devices under MDR, including connected blood pressure monitors used to support clinical decisions, blood glucose meters, and pulse oximeters used for patient self-monitoring under medical supervision, require classification analysis that considers both regulatory frameworks. Where an MDR-regulated device is also a network-connected product, the CRA applies in full. The intersection of consumer distribution channels and medical-grade function creates classification complexity that must be resolved product by product.

CRA reference: Article 3(1), Article 7

Consumer Security Requirements Under Annex I

Home health devices deployed in consumer environments must meet Annex I security requirements in a context where users are not IT professionals and may include elderly or chronically ill individuals. Core obligations include: shipping devices without default shared credentials — each device must have a unique credential or require account creation before activation; implementing automatic software and firmware update mechanisms that operate without user intervention; encrypting all health data transmitted to cloud services; supporting account deletion and full data erasure when requested; and minimising data collection to what is clinically or functionally necessary. The SBOM requirement applies to both device firmware and companion smartphone applications. User-facing privacy notices must accurately describe what data is collected and how it is secured. Manufacturers must clearly state the security support period at point of sale — for consumer health devices, this should be a minimum of five years.

CRA reference: Annex I Parts I and II

CVD Policy Requirements Under Article 13

Article 13 requires manufacturers to publish a CVD policy with a dedicated security reporting channel. For consumer health device manufacturers, the CVD policy must be accessible to security researchers who discover vulnerabilities but also understandable to patients and healthcare providers who may encounter unusual device behaviour. The policy should specify: a dedicated security email address and ideally a web-based reporting form; a commitment to acknowledge reports within 5 working days; and a process for notifying the manufacturer's medical device competent authority contact where a vulnerability has potential patient safety implications. Manufacturers should also maintain a public security advisory page documenting resolved vulnerabilities, firmware versions affected, and update availability. This transparency is both a regulatory expectation under the CRA and increasingly a consumer trust requirement in the health technology market.

CRA reference: Article 13(6), Article 13(7)

Article 14 Incident Reporting for Consumer Health Devices

Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For consumer health device vendors, active exploitation typically manifests through cloud platform compromise — affecting account credentials, health data access, or device firmware delivery — rather than direct field device exploitation. Vendors must have monitoring in place at the cloud platform level to detect anomalous access patterns indicating potential exploitation. The 24-hour notification window requires a pre-established incident response team with clear authority to file regulatory notifications. Because health data is special category data under GDPR, a cloud platform breach affecting patient health records simultaneously triggers GDPR data breach notification obligations to the relevant data protection authority within 72 hours. Incident response plans must coordinate both notification obligations.

CRA reference: Article 14(1), Article 14(2)

CE Marking and Conformity Assessment

Consumer wellness devices and Default-category home health products may self-declare CRA conformity. Manufacturers should select applicable harmonised standards — ETSI EN 303 645 (IoT device security) is the most directly applicable standard for consumer home health devices and covers requirements including default credential elimination, update mechanisms, and vulnerability disclosure. The technical file must include: product architecture documentation; threat model; SBOM; evidence of security testing (penetration testing or structured security review); CVD policy documentation; and the declaration of conformity. MDR-regulated home health devices subject to notified body assessment under MDR should explore coordinated CRA assessment with the same notified body where the notified body holds dual accreditation. The CRA CE mark and MDR CE mark are distinct — both must appear on applicable products after September 2026.

CRA reference: Article 24, Article 28, Annex VIII


Frequently asked

Our connected blood pressure monitor is sold as a consumer product, not a medical device. Does the CRA apply?

Yes. The CRA applies to any product with digital elements placed on the EU market, regardless of whether it is regulated as a medical device. If your blood pressure monitor connects to a smartphone app or cloud service — even for data logging or trend visualisation — it is a product with digital elements in scope. The applicable classification (Default or Important) depends on whether the product makes medical claims and the degree of network connectivity. As a consumer health product sold at retail, you would likely self-declare conformity against ETSI EN 303 645, but you must still establish a CVD policy, maintain an SBOM, and implement Annex I security controls.

We are a small manufacturer with limited engineering resources. Which CRA obligations are most urgent to address?

Prioritise in this order: first, eliminate default shared credentials in your current product line — this is both the highest-risk vulnerability and the CRA's most fundamental requirement; second, implement automatic firmware update capability if your devices do not already support it; third, establish a CVD policy and security.txt file, which can be done quickly using hosted platforms like CVD Portal; fourth, begin SBOM generation using software composition analysis tooling on your firmware and app codebases. Threat modelling, penetration testing, and technical file compilation can follow once these foundations are in place. The September 2026 deadline is firm — start the most impactful changes immediately.

How long must we support home health devices with security updates under the CRA?

The CRA requires security update support for the lesser of the expected product lifetime or five years from last placement on the market. For consumer health devices sold at retail, 'expected product lifetime' is typically 3–5 years for entry-level products and up to 7–10 years for premium devices. You must clearly state the security support period at point of sale and notify customers in advance of end-of-support. If a device's hardware cannot support continued security updates, you must provide customers with clear information about the end-of-support date and any available data migration options when the device is replaced.
