
Medical technology regulatory jungle: A compact overview of the AI Act, CRA, Data Act, NIS-2, MDR & Co.

The regulatory requirements for companies in the field of medical technology and digital health solutions are becoming increasingly complex. New European regulations such as the MDR, IVDR, the AI Act, NIS-2 and the Data Act entail numerous obligations - and affect not only manufacturers of medical devices, but also companies that offer software, AI components or digital services.

In the field of cyber and data security in particular, it is crucial to maintain an overview: Which laws apply to your company? Which requirements must you meet for your products? And how do the individual regulations differ in their focus?

The compact overview table shows at a glance which EU regulations are relevant for companies and products in the medical technology sector, to whom they apply, and what key requirements they entail. This overview helps you identify the specifications that are important for your company and create a solid foundation for your compliance strategy.

| Regulatory framework | Company reference | Product reference | Affected companies (EU) | Requirements |
|---|---|---|---|---|
| EU MDR | o | o | Manufacturers of active and non-active medical devices, including software as a medical device (MDSW) | Legal requirements applicable to medical device manufacturers throughout the EU: QM system, requirements for economic operators, technical documentation, clinical evaluation/testing, PMS, etc. |
| EU IVDR | o | o | Manufacturers of in vitro diagnostic medical devices | Legal requirements applicable to medical device manufacturers throughout the EU: QM system, requirements for economic operators, technical documentation, clinical evaluation/testing, PMS, etc. |
| EU AI Act | o | o | All economic operators (including manufacturers, distributors, and operators) involved in software with or based on AI (components), including medical device manufacturers | High legal requirements for low-risk AI applicable directly throughout the EU: data management, human oversight, reporting, technical documentation, conformity assessment, and CE marking, as well as additional requirements when high-risk AI components are involved (similar to the MDR/IVDR requirement level). |
| EU GDPR (DSGVO) | o | - | All companies that process personal data, including medical device manufacturers | Legal information, communication, documentation, and reporting requirements applicable throughout the EU, rules of conduct, implementation of the rights of data subjects, appointment of a data protection officer, etc. |
| EU NIS-2 | o | - | Companies involved in critical infrastructure (KRITIS); under certain circumstances, also medical device manufacturers | EU-wide requirements that must be implemented through national legislation regarding corporate cybersecurity, such as cybersecurity governance and awareness, risk management and security measures, documentation and verification requirements, reporting requirements, etc. |
| EU CRA | - | o | Companies with products that have digital elements connected via a network (medical devices according to MDR and IVDR are excluded) | Direct EU-wide legal requirements for the cybersecurity of products, such as safety by design and safety by default, vulnerability management and patching, conformity assessment and CE marking, documentation, information, and reporting requirements, etc. |
| EU Data Act | o | - | Companies with networked products and related services (only raw data is affected), including medical device manufacturers | Direct EU-wide legal requirements on access to device data, data sharing with third parties, transparency obligations, data protection, interoperability and cloud portability, etc. |

Legend: "o" means the regulation applies at this level (company or product); "-" means it does not.

The regulatory framework in medical technology and in the area of cyber and data security is constantly evolving. A structured overview helps you to identify the regulations relevant to your company at an early stage and implement them in a targeted manner. Use the SEQLY overview table as a starting point for your compliance strategy and feel free to share it with your network to bring more transparency to the regulatory jungle.

Peter Hartung


Peter Hartung is Director of Consulting MedTech at SEQLY. With over 20 years of experience in medical technology, he advises on strategic, process-related, and digital topics - particularly in the areas of software and AI.
