EU Cyber Resilience Act Guide for Telemedicine & Remote Patient Monitoring Vendors

The CRA and MDR 2017/745 impose overlapping but distinct security obligations on telemedicine and RPM vendors. Medical devices that are also products with digital elements — which includes virtually all software-enabled telemedicine devices — are subject to both regulations simultaneously. MDR Annex I Chapter II already imposes cybersecurity requirements (GSPR 17) on medical devices, including requirements for IT security measures, authentication controls, and security updates. The CRA adds further obligations in terms of CVD policy, SBOM, and incident notification. ENISA guidance indicates that compliance with MDR cybersecurity requirements does not automatically satisfy CRA obligations — vendors must assess compliance with each regulation separately. Notably, MDR-regulated software (Software as a Medical Device, SaMD) that qualifies as Class IIa or above already requires notified body assessment, which may be coordinated with CRA assessment to reduce burden.

RPM devices transmitting patient physiological data from home environments present a challenging security profile: they must be simple enough for non-technical patients to operate, while securing sensitive health data in transit and at rest. Annex I requirements for RPM vendors include: encrypting all patient data transmissions using current TLS versions; implementing authentication that is accessible to elderly or technically inexperienced patients while preventing unauthorised access; ensuring device firmware updates are automatically available without requiring patient action; eliminating default credentials; implementing data minimisation — collecting only the physiological parameters required for clinical purpose; and providing documented procedures for data erasure when a device is returned or repurposed. The SBOM must cover firmware components in patient-side devices and server-side processing platforms. Vendors must also ensure cloud back-ends have appropriate access controls preventing data aggregation beyond clinical necessity.

Article 13 requires a published CVD policy. For telemedicine vendors, this policy must operate alongside MDR post-market surveillance obligations and the requirement under GDPR to report personal data breaches within 72 hours of discovery. The CVD policy should specify: a dedicated security reporting contact; coordination procedures with the relevant competent authority (e.g. national medical device authority) for vulnerabilities with patient safety implications; how vulnerability information is shared with healthcare provider customers using the platform; and how security updates are communicated to patients using home-based devices. Because RPM devices process special category health data under GDPR Article 9, the CVD policy should address the privacy implications of vulnerability reports and researcher access to test environments. Separate from the CVD policy, the vendor's post-market surveillance plan under MDR must incorporate cybersecurity monitoring.

Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For RPM vendors, exploitation scenarios — unauthorised access to patient vitals data, manipulation of device readings that could affect clinical decisions, or denial-of-service attacks disrupting monitoring — may simultaneously require GDPR data breach notification to the data protection authority (within 72 hours), and serious incident reporting to the competent medical device authority under MDR Article 87 (within 15 days for serious incidents, or 2 days for immediate threats). Vendors must design their incident response plan to trigger all applicable notification streams simultaneously. The CRA notification, GDPR breach notification, and MDR serious incident report must be consistent and cross-referenced. Legal counsel should be engaged in drafting incident response playbooks to ensure multi-regulatory compliance.

Telemedicine and RPM vendors subject to both MDR and CRA notified body requirements should seek to coordinate assessments with a single notified body that holds accreditation under both regulations, where possible. The MDR notified body assessment already covers cybersecurity aspects under GSPR 17 — this evidence base can be leveraged for the CRA technical file. The CRA technical file must additionally cover: SBOM; CVD policy documentation; Article 14 notification procedures; and post-market vulnerability monitoring plans specific to CRA requirements. Vendors with MDR Class I software products that are not subject to notified body assessment under MDR may nonetheless require notified body assessment under the CRA if the product qualifies as Important Class II. Classification under the two regulations must be assessed independently.