EU Cyber Resilience Act Guide for Medical Device Manufacturers

The CRA applies to medical devices that qualify as 'products with digital elements' — hardware devices with software components and network interfaces, embedded systems, and Software as a Medical Device (SaMD). The MDR does not exempt devices from the CRA; the two regulations apply concurrently, with the CRA adding cybersecurity-specific obligations on top of MDR's general safety requirements.

Under Annex III, devices that process patient health data, interface with hospital networks, or perform diagnostic or therapeutic functions via software are classified as Important Class I. Devices integrated into hospital critical infrastructure or life-support systems may qualify as Critical Class II. Manufacturers should conduct a product-by-product classification assessment and document the rationale. A connected infusion pump with remote monitoring is Class I; a standalone single-use diagnostic reader with no network interface may remain Default Class.

Annex I Part I of the CRA imposes technical requirements that are directly relevant to medical device cybersecurity:

• Secure by default configuration: Devices must ship with only the minimum required services enabled. Default credentials are prohibited — a requirement that many legacy medical device platforms currently fail.
• Data confidentiality: Patient data transmitted over networks must be encrypted. Devices integrating HL7 FHIR or DICOM interfaces must protect those channels.
• Authenticated software updates: Firmware updates must be cryptographically signed and verified before installation. Remote update mechanisms must be tamper-resistant.
• Audit logging: Devices must maintain audit logs of security-relevant events accessible to authorised operators.
• SBOM maintenance: A software bill of materials covering all third-party libraries (including medical-specific stacks such as OpenSSL and FHIR libraries) must be maintained and updated throughout the product lifecycle.

MDR MDCG 2019-16 guidance on cybersecurity is closely aligned with these requirements, so manufacturers with mature MDR cybersecurity files will have a strong foundation for CRA conformity.

Article 13 requires all manufacturers of products with digital elements to establish and publish a coordinated vulnerability disclosure policy. For medical device manufacturers, this overlaps with FDA cybersecurity guidance in the US (where applicable) and MDCG 2019-16 incident handling requirements in the EU.

The Article 13 CVD policy must be publicly accessible — typically via a security.txt file and a disclosure page — and must cover all CRA-scoped products. The policy must define submission channels, acknowledgement timelines, and the manufacturer's commitment to remediation. Medical device manufacturers must also notify their Notified Body of significant post-market security findings under MDR Article 87, creating a parallel notification track alongside the CRA's ENISA reporting pathway.

CVD Portal provides a single intake platform that can route medical device disclosures to both the internal PSIRT and the relevant regulatory notification workflows, reducing coordination overhead for compliance teams managing both MDR and CRA obligations simultaneously.

Article 14 of the CRA requires manufacturers to notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability. For medical devices, an exploited vulnerability affecting patient safety — such as unauthorised modification of infusion pump dosing parameters or compromise of a diagnostic algorithm — constitutes a particularly high-severity incident requiring parallel notifications:

1. ENISA under Article 14 CRA (24-hour initial notification)
2. National competent authority under MDR Article 87 (serious incident reporting)
3. CERT/national CSIRT as directed by the competent authority

Manufacturers must maintain internal procedures that can trigger all three tracks simultaneously. The CRA's 72-hour detailed report and 30-day final report timelines must be tracked separately from MDR's FSCA (Field Safety Corrective Action) and FSCA reporting timelines. CVD Portal's Article 14 timeline tool supports multi-track deadline tracking from a single incident record.

Class I medical devices with digital elements require third-party conformity assessment by a CRA-accredited notified body. Manufacturers who already engage a notified body for MDR assessment may be able to use the same organisation for CRA assessment, depending on that body's accreditation scope — though these are separate assessments under separate regulations.

1. Technical security architecture against Annex I Part I requirements
2. Vulnerability management process maturity (Annex I Part II)
3. CVD policy operational status
4. SBOM completeness and update process
5. Post-market surveillance integration with security monitoring

Manufacturers should initiate notified body engagement by Q4 2025 to allow sufficient time for gap assessment, remediation, and formal assessment before the September 2026 deadline. Evidence generated for MDR MDCG 2019-16 compliance — particularly the cybersecurity risk assessment and post-market surveillance plan — is directly reusable in the CRA technical file.