We are medical device manufacturers – how should we address cybersecurity?

18. 7. 2025


If you develop or market medical devices with digital components, you are subject to the MDR (Regulation (EU) 2017/745) and, in the near future, to the Cyber Resilience Act (CRA). The CRA introduces cybersecurity obligations for products with digital elements: mandatory incident reporting applies from September 2026, and the regulation applies in full from December 2027.

We recommend developing your products in accordance with:

  • IEC 62443-4-1 (secure development)

  • IEC 81001-5-1 (for medical software)

  • IEC 62443-4-2 (security of technical components)

These standards set out clear requirements for the secure development process, the system architecture, the handling of updates, and the product's resistance to known classes of vulnerabilities.

Additionally, manufacturers must understand the environment in which their products will be deployed. Hospitals should tell you which security zones your products will be placed in (e.g., a high-trust zone, the security perimeter, or the open network). From this you can determine the security level the product must meet for that zone, which in turn drives decisions on configuration, logging, encryption, update handling, and integration into the hospital's SIEM system.