
EU Cyber Resilience Act Guide for Point-of-Care Diagnostics & IVD Manufacturers

Classification: Important, Class I or Class II (assessed against Annex III for the components that are in CRA scope; the IVDR risk class of the instrument does not carry over)

Point-of-care diagnostic and in vitro diagnostic (IVD) manufacturers placing network-connected diagnostic instruments and software on the EU market must read the IVDR (2017/746) and the CRA together. The CRA excludes products to which the IVDR applies (Article 2(2)(b)), so a connected blood analyser or point-of-care PCR system that is itself an IVD is regulated for cybersecurity under the IVDR's general safety and performance requirements rather than under the CRA. The connected ecosystem around that IVD, however, frequently includes products with digital elements that are not IVDs: laboratory information management interfaces, result-routing middleware, connectivity gateways and cloud result repositories that transmit test results electronically. Those fall under the CRA. Manufacturers that ship both therefore face dual compliance obligations, with the boundary between the two regimes drawn by the IVDR qualification of each product, and that boundary has to be managed deliberately across product development and post-market activities.

Provisions covered: Article 10, Article 11, Article 13, Article 14, Annex I, Annex III
Deadline: September 2026 (the Article 14 reporting obligations apply from 11 September 2026; the remaining obligations apply from 11 December 2027)

CRA Scope and IVDR Interaction

The first step is to determine, product by product, which regime applies. Article 2(2)(b) of the CRA excludes products with digital elements to which the IVDR applies. The instrument itself (connected blood gas analysers, haematology analysers with LIS (laboratory information system) interfaces, point-of-care PCR and lateral flow readers with data transmission capabilities) and any software that qualifies as an IVD under the IVDR are therefore regulated for cybersecurity through the IVDR general safety and performance requirements (Annex I, Chapter I), not through the CRA. Companion products that are not IVDs, such as LIS integration middleware, result-routing services, connectivity gateways or a cloud result repository with no medical purpose of its own, are products with digital elements under Article 3(1) and are in CRA scope. A manufacturer cannot rely on IVDR compliance to cover those components, nor on CRA compliance to cover the IVD: the two regimes are adjacent, not overlapping. CRA classification of the in-scope components follows the function-based categories in Annex III (VPNs, identity management systems and operating systems are in Class I, firewalls and hypervisors in Class II, for example), not the IVDR risk class of the instrument they serve. The clinical consequence of a data-integrity failure on an IVDR Class C or D instrument, such as HIV or blood group testing, remains the right lens for risk management and for the IVDR cybersecurity requirements, but it does not by itself move a companion component into CRA Class II.

CRA reference: Article 2(1), Article 2(2)(b), Article 3(1), Annex III

Technical Security for Diagnostic Instruments and Connectivity

Point-of-care diagnostic instruments are increasingly integrated into clinical networks: LIS, EHR systems and cloud-based result repositories. This connectivity creates attack surfaces that did not exist in standalone instrument generations, and the attack surface straddles the regulatory boundary, with the instrument assessed under IVDR Annex I and the middleware under CRA Annex I. The controls expected are the same on both sides. Encrypt all result data transmissions with current TLS configurations (TLS 1.2 with modern cipher suites at minimum, TLS 1.3 preferred, and server certificates validated by the instrument rather than accepted blindly). Require authenticated access to every instrument management interface, including the local touchscreen and remote service ports. Make diagnostic result integrity verifiable end to end, so that any modification of a transmitted result is detectable through a cryptographic MAC or signature that the receiving system actually checks, not merely a transport checksum. Eliminate default or shared service credentials used by field engineers in favour of individual, auditable service accounts. Provide firmware and software update mechanisms that, where operationally feasible, do not require instrument downtime during routine clinical use. The SBOM must cover the instrument firmware as well as any companion middleware used for result routing and LIS integration, since a vulnerable TLS or message-parsing library is often shared between them.

CRA reference: Annex I Parts I and II
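The result-integrity requirement above, as an added example rather than code from the guide or from any instrument vendor: the instrument attaches an HMAC-SHA256 tag over a canonical encoding of each result record, and the receiving middleware verifies the tag in constant time and rejects replays. The instrument identifier, key, record fields and sequence-number scheme are assumptions; a deployment would provision a key per instrument at installation, or use an asymmetric signature (for example Ed25519) so that the LIS holds no signing secret.

```python
"""Tamper-evident diagnostic result messages (added illustration).

Instrument side: sign_result() adds an HMAC-SHA256 tag covering every field.
Receiver side: ResultVerifier checks the tag and rejects replayed sequence
numbers. Key, instrument id and record layout are assumptions.
"""
import hashlib
import hmac
import json
import secrets

# Constructed per-instrument key (assumption; provision one key per device).
INSTRUMENT_KEYS = {"BGA-0421": bytes.fromhex("3a" * 32)}


def canonical(record: dict) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace, so the same result
    # always yields the same bytes regardless of the sender's dict ordering.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_result(record: dict, key: bytes) -> dict:
    """Return a copy of the record with a 'tag' field covering all other fields."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class ResultVerifier:
    """Receiver: verifies the tag, then rejects replays by (instrument, seq)."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.seen = set()

    def verify(self, message: dict):
        instrument = message.get("instrument")
        key = self.keys.get(instrument)
        if key is None:
            return False, "unknown instrument"
        tag = message.get("tag")
        if not isinstance(tag, str):
            return False, "missing tag"
        body = {k: v for k, v in message.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, tag):
            return False, "integrity check failed"
        replay_key = (instrument, body.get("seq"))
        if replay_key in self.seen:
            return False, "replayed message"
        self.seen.add(replay_key)
        return True, "ok"


# Constructed sample: one blood-gas result as the instrument would emit it.
SAMPLE_RESULT = {
    "instrument": "BGA-0421",
    "seq": 1042,
    "patient_id": "P-7781",
    "analyte": "pH",
    "value": 7.41,
    "unit": "",
    "timestamp": "2026-09-12T08:31:07Z",
}


def demo() -> dict:
    """Exercise the four cases a receiver must distinguish."""
    key = INSTRUMENT_KEYS["BGA-0421"]
    signed = sign_result(SAMPLE_RESULT, key)
    verifier = ResultVerifier(INSTRUMENT_KEYS)
    outcomes = {}
    outcomes["genuine"] = verifier.verify(signed)
    tampered = dict(signed, value=7.21)           # value edited, tag unchanged
    outcomes["tampered"] = verifier.verify(tampered)
    outcomes["replay"] = verifier.verify(signed)  # same seq delivered again
    forged = sign_result(SAMPLE_RESULT, secrets.token_bytes(32))  # wrong key
    outcomes["forged"] = verifier.verify(forged)
    return outcomes


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} ({reason})")
```

Running it accepts the genuine message and rejects the edited value, the replayed sequence number and the message tagged with the wrong key. Because the MAC covers patient_id, analyte, value and timestamp together, a result cannot be silently re-attributed to another patient by editing one field, which a transport-level checksum would not prevent.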

CVD Policy Under Article 13 for Diagnostic Manufacturers

Article 13 requires manufacturers to put in place and enforce a coordinated vulnerability disclosure policy for products in CRA scope. For an IVD manufacturer that policy must interface with IVDR post-market surveillance obligations and, for Class C and D IVDs, with the periodic safety update report (PSUR) under IVDR Article 81, because a vulnerability reported against the middleware will often implicate the instrument behind it. A vulnerability in a diagnostic instrument or its middleware that could affect result accuracy or data integrity may simultaneously be a safety matter, reportable under IVDR Article 82 once it leads or could lead to a serious incident, and a cybersecurity matter handled through CVD. The policy must therefore specify how the two streams are coordinated, who has authority to make IVDR vigilance notifications as opposed to CRA notifications, and how security updates reach laboratory customers without disrupting clinical operations. Expect healthcare disclosure timelines to run longer than typical software CVD timelines, because a security patch to an IVD must be verified not to alter analytical performance before it is released.

CRA reference: Article 13(6), Article 13(7)

Article 14 Incident Reporting in Clinical Settings

Article 14 obliges the manufacturer of an in-scope product to report an actively exploited vulnerability, and any severe incident having an impact on the product's security, through the single reporting platform to the CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a fix being available (one month for severe incidents). For diagnostic systems the relevant exploitation scenarios are result data tampering, unauthorised result access and command injection against the instrument or its middleware, all of which can reach patient diagnoses and treatment decisions. Meeting a 24-hour early warning presupposes monitoring that can actually surface these events: audit logs from instrument management interfaces and from the result channel, reviewed for anomalous access and for results altered after transmission, plus a pre-established incident response procedure that decides reportability quickly. The same event may also be a serious incident under IVDR Article 82, which runs on its own clock: immediately and no later than 2 days for a serious public health threat, 10 days for a death or an unanticipated serious deterioration in health, and 15 days for other serious incidents. One incident response activation should therefore evaluate both obligations, even though each is triggered by its own criteria.

CRA reference: Article 14(1), Article 14(2), Article 14(3)
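A minimal version of that monitoring, as an added example and not code from the guide or from any vendor: it parses constructed syslog-style instrument audit lines (the line format, account names, maintenance window and threshold are all assumptions) and raises the alerts the section calls for: a successful login on a shared service account, remote service-port access outside the agreed window, a result edited after transmission, and a burst of failed logins from one source.

```python
"""Detection rules over point-of-care instrument audit logs (added illustration).

Log format, account names, maintenance window and threshold are assumptions;
the sample lines are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<instrument>\S+) (?P<event>\S+)(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed policy: generic accounts that should have been replaced by individual
# engineer accounts; remote service permitted 06:00-20:00 UTC only; three
# failed logins from one source on one instrument is worth an alert.
SHARED_ACCOUNTS = {"service", "admin", "fieldeng"}
MAINT_WINDOW = (6, 20)
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    except ValueError:
        return None
    rec = {"ts": ts, "instrument": m["instrument"], "event": m["event"]}
    rec.update(dict(FIELD_RE.findall(m["fields"])))
    return rec


def detect(lines):
    """Return (rule, instrument, timestamp) alerts in the order they fire."""
    alerts = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "auth":
            in_window = MAINT_WINDOW[0] <= rec["ts"].hour < MAINT_WINDOW[1]
            if rec.get("user") in SHARED_ACCOUNTS and rec.get("result") == "success":
                alerts.append(("shared_service_account", rec["instrument"], rec["ts"]))
            if rec.get("iface") == "remote_service" and not in_window:
                alerts.append(("remote_access_outside_window", rec["instrument"], rec["ts"]))
            if rec.get("result") == "failure":
                key = (rec["instrument"], rec.get("src"))
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("auth_failure_burst", rec["instrument"], rec["ts"]))
        elif rec["event"] == "result_edit":
            # Any change to a result after transmission is surfaced, whoever
            # made it: the receiving side must be able to see the modification.
            alerts.append(("post_transmission_result_edit", rec["instrument"], rec["ts"]))
    return alerts


# Constructed sample log: one instrument with a shared-account remote login at
# night, a result edited after it was sent, three failed logins, and a clean
# in-window login by a named engineer on a second instrument.
SAMPLE_LOG = """\
2026-09-12T02:14:03Z BGA-0421 auth user=service src=10.40.2.17 iface=remote_service result=success
2026-09-12T08:31:07Z BGA-0421 result seq=1042 patient=P-7781 analyte=pH value=7.41
2026-09-12T08:31:09Z BGA-0421 result_edit seq=1042 by=service old=7.41 new=7.21
2026-09-12T09:00:00Z BGA-0421 auth user=jsmith src=10.40.1.5 iface=touchscreen result=failure
2026-09-12T09:00:04Z BGA-0421 auth user=jsmith src=10.40.1.5 iface=touchscreen result=failure
2026-09-12T09:00:09Z BGA-0421 auth user=jsmith src=10.40.1.5 iface=touchscreen result=failure
2026-09-12T10:15:00Z HEM-0017 auth user=eng.kowalski src=10.40.2.17 iface=remote_service result=success
not a log line
"""


if __name__ == "__main__":
    for rule, instrument, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {instrument} {rule}")
```

The four alerts it raises all concern BGA-0421; the named engineer's in-window remote login on HEM-0017 produces nothing. In practice the result_edit rule is the one that feeds the Article 14 reportability decision, because it is the direct evidence that a transmitted result was changed.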

Coordinating IVDR and CRA Conformity Assessment

IVD manufacturers with Class B, C or D products already subject to notified body assessment under the IVDR should explore coordinating the CRA assessment of their in-scope companion products with that notified body, where it is also notified under the CRA. The technical documentation for the two regimes overlaps substantially in risk management, security architecture and post-market surveillance, so a coordinated assessment can reuse shared documentation and reduce the overall burden. The self-assessment routes differ and must not be conflated. Under the IVDR only Class A devices (other than those placed on the market sterile) are self-declared; Class B, C and D require a notified body. Under the CRA, default products may be self-assessed; Important Class I products may be self-assessed only when harmonised standards, common specifications or a European cybersecurity certificate are applied in full, otherwise a third-party procedure applies; Important Class II products always require a third-party procedure or an equivalent certification. Complete the CRA scope and classification analysis for every component before concluding the IVDR conformity approach, since the two together determine how the technical documentation is partitioned.

CRA reference: Article 24, Article 25, Annex VIII

CVD Portal handles your CRA Article 13 obligations automatically.

Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Point-of-Care Diagnostics & IVD Manufacturers.

Start your free portal

Frequently asked

Our point-of-care analyser is connected to the hospital LIS but operates in a restricted clinical network. Does 'network connectivity' still bring us in scope?

The restriction of the network is irrelevant; what matters is whether the analyser is an IVD. The CRA applies to products whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, and an Ethernet port connected to a hospital LIS satisfies that regardless of whether the hospital network is air-gapped, VLAN-segmented or otherwise restricted. However, Article 2(2)(b) of the CRA excludes products to which the IVDR applies. If the analyser is placed on the EU market as an IVD, its cybersecurity obligations come from the IVDR general safety and performance requirements, and the customer's deployment context does not change that either. The middleware, gateway or LIS connector you supply alongside it, if not itself an IVD, is a product with digital elements in CRA scope, and Annex I requirements, a CVD policy and Article 14 notification apply to it wherever the customer deploys it.

How does CRA SBOM disclosure interact with our trade-secret obligations for diagnostic algorithm software?

The CRA requires you to draw up an SBOM in a commonly used, machine-readable format and keep it in the technical documentation; it does not require you to publish it. The SBOM must be made available to market surveillance authorities on request. Component-level SBOM information (component names, versions, suppliers and hashes) does not normally amount to disclosure of a trade-secret algorithm. Proprietary diagnostic algorithm components should be listed in the SBOM with enough identification to support vulnerability tracking (name, version, and the third-party libraries they depend on), but the algorithmic logic itself is not part of the SBOM. Consult legal counsel on the appropriate level of detail for components where trade-secret concerns are most acute.

We discovered a vulnerability in our diagnostic software that could theoretically allow result manipulation. Do we notify CSIRT even before we know if it has been exploited?

The 24-hour early warning under Article 14 is triggered when you become aware that a vulnerability is being actively exploited (or of a severe incident affecting the product's security), not by discovery alone. A vulnerability found in your own testing, or reported through your CVD channel, with no evidence of exploitation does not start that clock. It does trigger the Annex I vulnerability-handling obligations: assess it, fix it without undue delay, release the security update, and tell customers about the update and any interim mitigations. For an IVD, also assess whether the flaw meets the IVDR serious-incident criteria. If the investigation turns up evidence of exploitation, the 24-hour clock starts at the moment you became aware of that evidence, so timestamp each finding in the investigation log.

Need a CVD policy template for Point-of-Care Diagnostics & IVD Manufacturers?

Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.

Browse templates →