
New Cybersecurity Requirements for Medical Devices in the EU: The Forthcoming European Health Data Space, Data Act, and Artificial Intelligence Act

Abstract

The regulation of cybersecurity for medical devices keeps evolving in the European Union (EU). In the past few years, new pieces of legislation have been added to the initial framework for medical device cybersecurity, including the Medical Device Regulation, the General Data Protection Regulation and the Cybersecurity Act. The Artificial Intelligence Act, the European Health Data Space Regulation and the Data Act are forthcoming laws that contain cybersecurity-related requirements applicable to medical devices. This article examines the requirements stemming from each of these, as well as their role vis-a-vis the existing legal framework. We observe that despite being comprehensive and wide ranging in their changes, these new regulations may be inadequate for the task of ensuring the cybersecurity of medical devices. In our view, this approach by the EU legislature is inadequate because it fails to foresee cybersecurity requirements in a way that is truly linked with the already existing cybersecurity laws. To help address this problem, the article offers a set of workable recommendations that EU legislators would be well advised to take on board in respect of specific regulations, as well as in general, when establishing cybersecurity-related requirements.

Published: 2023-11-21
Pages: 43 to 58
Section: Symposium: Regulatory Futures and Medical Devices
How to Cite
Biasin, Elisabetta, Burcu Yaşar, and Erik Kamenjašević. 2023. “New Cybersecurity Requirements for Medical Devices in the EU: The Forthcoming European Health Data Space, Data Act, and Artificial Intelligence Act”. Law, Technology and Humans 5 (2):43-58. https://doi.org/10.5204/lthj.3068.

Author Biographies

Elisabetta Biasin is a doctoral researcher at the Centre for IT & IP Law (CiTiP) at KU Leuven. She has been a Fellow at the Stanford Law School Transatlantic Technology Law Forum and an External Collaborating Expert on Data Protection at the European Medicines Agency. Elisabetta’s doctoral project focuses on re-conceptualising accuracy in data and AI law, with an emphasis on personalised healthcare. Her research interests include eHealth, data, AI, cybersecurity and medical products law.

University of Hamburg, Germany

Burcu Yaşar is a doctoral researcher and a fellow of Albrecht Mendelssohn Bartholdy Graduate School of Law (AMBSL), University of Hamburg. Between 2021 and 2023 Burcu worked as a researcher at the Centre for IT & IP Law (CiTiP), Faculty of Law and Criminology, KU Leuven, on various EU-funded interdisciplinary projects on privacy, data protection, cybersecurity, and the regulation of artificial intelligence. She holds an LL.M. degree in Transnational Law from King’s College London, and an LL.B. degree from Galatasaray University. Her doctoral research focuses on the nexus between emerging law enforcement technologies, automated data analytics and criminal evidence, and their intersection with fundamental rights.

Erik Kamenjašević is a doctoral researcher at the Centre for IT & IP Law (CiTiP) at KU Leuven. Erik’s doctoral thesis analyses the ethical and legal challenges of new human mood enhancement technologies in order to provide recommendations about feasible regulatory options to EU policymakers and lawmakers. Erik’s research also revolves around other eHealth topics dealing with AI, medical devices, open-source hardware, and cybersecurity.

Open Access Journal
ISSN 2652-4074