Digital Healthcare 2025

UK Law and Practice Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS

Cybersecurity requirements
The EU MDR includes cybersecurity considerations as part of GSPRs, requiring manufacturers to implement appropriate measures to ensure software integrity and protection against cybersecurity threats.

Interoperability and data security
Across GB and NI, standards ensure secure data exchange and system compatibility. Personal data protection must comply with applicable data protection laws.

Supporting Technical Standards

International standards
Both jurisdictions reference international standards such as ISO 14155 (clinical investigations), ISO 13485 (quality management) and IEC 62304 (medical device software life cycle).

2.5 Issue-Specific Legal Framework

Software as a Medical Device (SaMD)

GB
This is regulated under the Medical Devices Regulations 2002 (as amended) and the Medicines and Medical Devices Act 2021. Software with a medical purpose must comply with essential requirements, post-market surveillance requirements, and emerging cybersecurity standards.

NI
This is regulated under the EU MDR. Software must meet General Safety and Performance Requirements (GSPRs) and follow EU conformity assessment procedures.

Both GB and NI
The MHRA and relevant authorities provide guidance on software qualification and classification. Post-market incident reporting and vigilance requirements apply in both jurisdictions (though different frameworks apply).

cesses, risk management and clinical evaluation requirements.

Conformity assessment
Medical devices undergo conformity assessment procedures appropriate to their classification, which may involve UK Approved Bodies (formerly Notified Bodies). Assessment includes technical documentation review, quality management systems and clinical evaluation.

Cybersecurity standards
Medical device software must incorporate appropriate cybersecurity measures to ensure device security and data integrity, as part of overall essential requirements. New regulations are introducing minimum cybersecurity requirements for software as a medical device (SaMD). The MHRA’s proposed changes include requirements for SaMD manufacturers to meet certain minimum cybersecurity standards. These standards aim to protect against unauthorised access and ensure the integrity and security of health data.

NI

General Safety and Performance Requirements (GSPRs)
Under the EU MDR, medical device software must meet GSPRs as set out in Annex I, including specific requirements for software used with mobile platforms and consideration of environmental factors.

Conformity assessment
Devices follow EU MDR conformity assessment procedures detailed in Annexes IX to XI, based on device classification and involving EU Notified Bodies.
