Regulation (EU) 2017/745 on Medical Devices and Regulation (EU) 2017/746 on In-Vitro Diagnosis Devices
Regulation 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC
The Medical Devices Regulation (‘MDR’), which concerns medical devices in general, and the In-Vitro Diagnosis Devices Regulation (‘IVDR’), which focuses on in-vitro diagnosis devices, contain obligations that medical devices must meet before they can be distributed or sold. Both have a long transition period: the MDR, with a transition period of three years, will fully apply on 26 March 2020, and the IVDR, with a transition period of 5 years, will apply on 26 March 2022. They will replace the currently applicable EU Directives on medical devices (93/42/EEC, 98/79/EC and 90/385/EEC), under which manufacturers can still place devices on the market. It is nevertheless advisable for manufacturers to comply with the obligations of the new Regulations now, because the requirements will become mandatory after the transition period.
In addition, the MDR provides for cooperation in the field of medical devices between Member States and establishes a Medical Device Coordination Group (‘MDCG’) that will advise and assess the notified bodies that must assess the conformity of medical devices vis-à-vis the Regulation.
Obligations under the Regulation
As stated, several obligations are imposed. Medical devices will have to undergo a conformity assessment by an accredited notified body of an EU Member State, after which a Conformité Européenne mark (‘CE Mark’) can be placed on the medical device in question (Art. 117 Regulation 2017/745; European Medicines Agency, n.d.). Under the MDR, a medical device must at least have the results of the conformity assessment from a notified body and, if possible, a CE mark. On top of this, there are different requirements for different sorts of medical devices, depending on their potentially dangerous character. For an overview, see European Medicines Agency (n.d.).
Where artificial intelligence is used in a medical device (AI incorporated in software in a medical device that falls within the scope of application of the Regulation), companies/manufacturers will also have to comply with the obligations of CE marking, information duties, etc. The Commission also recently published guidelines for trustworthy artificial intelligence.
Link with the Cybersecurity Act
Furthermore, there is a link between medical devices and cybersecurity. The Cybersecurity Act (Regulation 2019/881) explicitly refers to electronic medical devices as a sector in which certification is already widely used (recital 65 Regulation 2019/881). There are indeed several standards issued by recognised standards developing organisations for ICT security certification for medical devices: the International Electrotechnical Commission has the IEC 80001 series on the application of risk management for IT-networks incorporating medical devices and is currently working on the second version of the series, which is planned to come out in December 2020; various technical committees within CEN-CENELEC are dealing with the ICT security of specific medical devices (mainly from a safety point of view, for example for in-vitro diagnostic medical devices, special workwear and occupational clothing, etc.) (CEN-CENELEC, 2019). The report of ENISA and the reference in recital 36 of the Cybersecurity Act imply that the existing standards on medical devices will be taken into consideration for the certification scheme of the healthcare sector (ENISA, 2018a).
The Internet of Medical Things
For the Internet of Medical Things, there are standards related to the Internet of Things that could be extended to the medical domain. Nevertheless, the applicability of the Internet of Things is much wider than that of the Internet of Medical Things. Therefore, ENISA (i.e. the European Agency for Cybersecurity, which is responsible for the elaboration of the cybersecurity certification framework under the Cybersecurity Act) proposed different standards for ICT security certification of the Internet of Medical Things than the existing standards for the Internet of Things (ENISA, 2018a; ENISA, 2018b).
European Union, European Parliament and the Council. (2017). Regulation 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745.
European Union, European Parliament and the Council. (2017). Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0746&from=EN.
CEN-CENELEC. (n.d.). Work Programme 2019. Retrieved from https://www.cen.eu/news/brochures/brochures/CEN-CENELEC_WP_2019.pdf.
ENISA. (2018a, December). ICT Security Certification opportunities in the healthcare sector. Retrieved from file:///C:/Users/User01/Downloads/WP2018%20O.2.1.1%20Healthcare%20certification.pdf.
ENISA. (2018b, December). IoT Security Gap Analysis. Retrieved from file:///C:/Users/User01/Downloads/WP2018%20O.1.3.1%20IoT%20standards.pdf.
European Medicines Agency. (n.d.). Human regulatory – Medical devices. Retrieved from https://www.ema.europa.eu/en/human-regulatory/overview/medical-devices.
MedTech Europe. (2017, December). Overview of Requirements under the Medical Devices Regulation. Retrieved from https://www.medtecheurope.org/wp-content/uploads/2018/01/EN_MTE_MDR_Flowchart_Dec2017.pdf.