Medical Devices: The Complete NIS2 Guide
Medical device manufacturers with 50 or more employees or EUR 10 million in annual revenue fall under NIS2 Annex II No. 5 (Manufacturing) and simultaneously face MDR cybersecurity requirements and IEC 81001-5-1. These three frameworks overlap significantly, so understanding all three helps avoid duplicated effort. This guide is written for regulatory affairs teams, IT security managers, and managing directors in medical technology.
Who is affected?
Medical device manufacturers (NACE C.26.6, C.32.5) fall under NIS2 Annex II No. 5 when they reach the SME thresholds of at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).
Manufacturers of Class IIb and III devices under MDR that are integrated into critical healthcare infrastructure (e.g., hospitals as KRITIS entities) are particularly in focus for supply chain obligations under § 30 Para. 2 No. 4 BSIG-new.
A manufacturer of networked medical devices with 150 employees, MDR Class IIb products, and a cloud platform for remote monitoring is an Important Entity under NIS2.
Obligations under § 30 BSIG-new
§ 30 BSIG-new requires seven obligation categories that are especially relevant for medical device manufacturers because of the triple regulatory burden:
- Risk analysis and management: Product development IT (PLM), quality management system (QMS), post-market surveillance systems, and cloud infrastructure for connected devices must all be assessed.
- Incident handling: A cybersecurity incident on a connected medical device is simultaneously reportable under NIS2 (BSI) and a vigilance event under MDR Art. 87 (EUDAMED/BfArM).
- Business continuity: QMS and regulatory documentation must not be lost during IT failure. BCPs must ensure the integrity of MDR documentation.
- Supply chain security: Suppliers of software components, cloud services, and hardware must be assessed under § 30 Para. 2 No. 4 BSIG-new.
- Access control and MFA: Access to QMS, PLM, and cloud platforms for connected devices must be secured by MFA. Remote updates for medical devices require secure signing procedures.
- Encryption: Patient data, clinical study data, and regulatory documentation must be stored encrypted.
- Training and awareness: Developers, regulatory affairs, and quality management staff must receive regular cybersecurity training.
Deadlines and reporting obligations
Registration with the BSI under § 33 BSIG-new is required within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.
Special aspect: a cybersecurity incident on a connected medical device simultaneously triggers MDR vigilance obligations (notification to BfArM within 15 days, § 93 MDR). Both reporting paths must be coordinated.
Fines and personal liability
Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. § 38 BSIG-new establishes personal liability for management. Added to this are MDR sanctions and potential product liability for patient-damaging security incidents.
MDR Art. 5 Cybersecurity, IEC 81001-5-1, and ISO 13485: the triple compliance pyramid
The medical technology sector faces a triple compliance structure:
MDR Art. 5 Para. 5 (Cybersecurity): The EU Medical Device Regulation requires manufacturers of connected products to address cybersecurity risks in technical documentation and implement lifecycle measures. MDCG guidance 2019-16 specifies these requirements.
IEC 81001-5-1 (2021): This standard specifies cybersecurity requirements for the lifecycle of health software and connected medical devices. It is the preferred reference standard for MDR compliance in the cybersecurity dimension.
ISO 13485 (QMS): The quality management system under ISO 13485 forms the foundation for all regulatory processes. Cybersecurity measures under NIS2 and IEC 81001-5-1 must be documented in the ISO 13485 QMS.
NIS2 adds corporate IT security obligations to this structure. Those implementing IEC 81001-5-1 already fulfill substantial parts of § 30 BSIG-new requirements. A harmonized compliance strategy saves significant resources.
First steps
- Clarify headcount and revenue: 50 or more employees or EUR 10 million in annual revenue means Important Entity.
- Conduct a gap analysis: what requirements do IEC 81001-5-1 and ISO 13485 already cover? What is NIS2-specific?
- Inventory all connected products and their associated cloud infrastructure.
- Ensure your incident response plan triggers both NIS2 reporting AND MDR vigilance for product cybersecurity incidents.
- Review remote update processes for medical devices for signature integrity.
- Update supplier contracts for software components to reflect § 30 Para. 2 No. 4 BSIG-new.
- Register with the BSI.
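The step on signature integrity of remote updates is the one most easily checked in code. The following is an added example, not code from this guide or from any manufacturer's update mechanism: a minimal signed update manifest in Go, using Ed25519 from the standard library, with the device-side checks a review of an update process should look for. The signature is verified before any manifest field is used, the manifest is bound to the device model, a monotonic version refuses rollback to an older but still validly signed image, and the image hash is compared against the signed manifest. The manifest format, the device model name and the version numbers are constructed for the example; the key pair is generated at run time, whereas a real device would hold only the pinned public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, minimal manifest format for this example.
// It binds the image to a device model and a monotonically increasing version.
type UpdateManifest struct {
	Model     string `json:"model"`
	Version   uint32 `json:"version"`
	ImageHash string `json:"image_sha256"` // hex SHA-256 of the firmware image
}

// SignedUpdate is what the device receives: manifest bytes, their signature, the image.
type SignedUpdate struct {
	Manifest  []byte
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrWrongModel    = errors.New("manifest is for a different device model")
	ErrRollback      = errors.New("update version is not newer than the installed version")
	ErrImageMismatch = errors.New("image hash does not match the signed manifest")
)

// SignUpdate is the manufacturer side: hash the image, encode the manifest and
// sign the encoded bytes with the release signing key.
func SignUpdate(priv ed25519.PrivateKey, model string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m := UpdateManifest{Model: model, Version: version, ImageHash: hex.EncodeToString(sum[:])}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw), Image: image}, nil
}

// VerifyUpdate is the device side. pub is the manufacturer's public key pinned
// in the device, installed is the currently running version. The order matters:
// nothing inside the manifest is trusted before its signature has been checked.
func VerifyUpdate(pub ed25519.PublicKey, model string, installed uint32, u SignedUpdate) (UpdateManifest, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return UpdateManifest{}, ErrBadSignature
	}
	var m UpdateManifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return UpdateManifest{}, err
	}
	if m.Model != model {
		return m, ErrWrongModel
	}
	if m.Version <= installed { // anti-rollback: a signed but older image is still rejected
		return m, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != m.ImageHash {
		return m, ErrImageMismatch
	}
	return m, nil
}

func main() {
	// Constructed key pair and image; a real device would carry only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes")
	u, err := SignUpdate(priv, "MON-2000", 42, image)
	if err != nil {
		panic(err)
	}
	_, err = VerifyUpdate(pub, "MON-2000", 41, u)
	fmt.Println("genuine update:", err)
	tampered := u
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	_, err = VerifyUpdate(pub, "MON-2000", 41, tampered)
	fmt.Println("tampered image:", err)
}
```

Each rejection has its own error value so that a device or a fleet backend can log and count the failure reasons separately; a rise in rollback or hash-mismatch rejections in the field is exactly the kind of post-market signal the guide asks to feed back into the risk analysis.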
Common pitfalls
NIS2 treated as a separate compliance project: The biggest mistake would be addressing NIS2 independently of MDR and IEC 81001-5-1. All three are built on the same foundational principles.
Vigilance reporting and BSI reporting not coordinated: When a security incident on a medical device poses patient risks, both reporting paths must be served simultaneously.
Post-market surveillance not used as an IT security input: PMS data on cybersecurity vulnerabilities observed in the field are important inputs for the NIS2 risk analysis.
SBOM not created: MDR and IEC 81001-5-1 recommend, and NIS2 supports, creating a Software Bill of Materials (SBOM) for connected products. Without an SBOM, supply chain risk analysis is nearly impossible.
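To show what the supply chain risk analysis referred to above looks like once an SBOM exists, here is an added example, not from this guide and not any vendor's tooling: a Go program that reads a small CycloneDX-style SBOM and matches each component's version against a list of advisories with affected version ranges. The SBOM document, the component names and the advisory identifiers are constructed for the example; the CycloneDX field names are real, while the advisory record format is this example's own, and real sources such as OSV, NVD or supplier PSIRT bulletins would have to be mapped into it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SBOM is the subset of a CycloneDX JSON document read here (real field names).
type SBOM struct {
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"components"`
}

// Version is MAJOR.MINOR.PATCH.
type Version [3]int

// Advisory is a constructed internal record of an affected range [Introduced, Fixed).
// Real feeds (OSV, NVD, supplier PSIRT bulletins) would be mapped into this form.
type Advisory struct {
	ID         string   // placeholder identifiers, not real CVE numbers
	Package    string   // component name as it appears in the SBOM
	Introduced Version  // first affected version, inclusive
	Fixed      *Version // first fixed version, exclusive; nil means no fix yet
}

// Finding ties one SBOM component to one advisory covering its version.
type Finding struct{ Component, Version, AdvisoryID string }

// parseVersion is strict (the parsed value must print back to the input): an
// unparseable version is an error, not a silent skip, because a skipped
// component would be a gap in the risk analysis.
func parseVersion(s string) (Version, error) {
	var v Version
	_, err := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	if err != nil || v.String() != s {
		return v, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	return v, nil
}

func (a Version) String() string { return fmt.Sprintf("%d.%d.%d", a[0], a[1], a[2]) }

func (a Version) Less(b Version) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

func (adv Advisory) affects(v Version) bool {
	if v.Less(adv.Introduced) {
		return false
	}
	return adv.Fixed == nil || v.Less(*adv.Fixed)
}

// MatchSBOM returns every component/advisory pair whose version lies in the
// advisory's affected range, in SBOM order.
func MatchSBOM(sbomJSON []byte, advisories []Advisory) ([]Finding, error) {
	var s SBOM
	if err := json.Unmarshal(sbomJSON, &s); err != nil {
		return nil, err
	}
	var out []Finding
	for _, c := range s.Components {
		v, err := parseVersion(c.Version)
		if err != nil {
			return nil, fmt.Errorf("component %s: %w", c.Name, err)
		}
		for _, a := range advisories {
			if a.Package == c.Name && a.affects(v) {
				out = append(out, Finding{c.Name, c.Version, a.ID})
			}
		}
	}
	return out, nil
}

// Constructed sample inputs: three components, three advisories.
const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"type":"library","name":"tls-lib","version":"2.4.1","purl":"pkg:generic/tls-lib@2.4.1"},
 {"type":"library","name":"json-parser","version":"1.0.7","purl":"pkg:generic/json-parser@1.0.7"},
 {"type":"library","name":"ble-stack","version":"3.1.0","purl":"pkg:generic/ble-stack@3.1.0"}]}`

var sampleAdvisories = []Advisory{
	{ID: "ADV-EXAMPLE-001", Package: "tls-lib", Introduced: Version{2, 0, 0}, Fixed: &Version{2, 4, 2}},
	{ID: "ADV-EXAMPLE-002", Package: "json-parser", Introduced: Version{1, 0, 0}, Fixed: &Version{1, 0, 5}},
	{ID: "ADV-EXAMPLE-003", Package: "ble-stack", Introduced: Version{3, 0, 0}},
}

func main() {
	findings, err := MatchSBOM([]byte(sampleSBOM), sampleAdvisories)
	if err != nil {
		panic(err)
	}
	fmt.Println(findings)
}
```

Without the SBOM the loop in MatchSBOM has nothing to iterate over; with it, a new advisory becomes a re-run of the match rather than a manual inventory of every product's components. The strict version parser is deliberate: a component whose version cannot be interpreted should surface as an error to be fixed in the SBOM, not quietly drop out of the result.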
Use the industry-specific NIS2 calculator for medical devices to determine your obligations.