PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
ures. This guidance is intended to help manufacturers comply with the essential cybersecurity requirements outlined in Annex I of the MDR and the In Vitro Diagnostic Medical Devices Regulation. The MDR does not define “IT security”, so the Medical Device Coordination Group document refers to the definition provided by ENISA. “IT security” is thus defined as the protection against threats to the technical infrastructure of a cyber system that could change its characteristics to perform unintended activities (Definition of Cybersecurity – Gaps and overlaps in standardisation, December 2015). The same applies to the definitions of operational security and information security.
In Portugal, Decree-Law No 29/2024 ensures the national implementation of the MDR and provides that healthcare entities deploying a medical device must report to the competent authority (ie, INFARMED, I.P.) all security measures implemented and their performance.
Also at the national level, Order No 8877/2017 establishes the governance model to be followed by the Shared Services of the Ministry of Health (Serviços Partilhados do Ministério da Saúde, E.P.E., or SPMS), in conjunction with the National Security Office and the CNCS. The same Order requires all health entities of the national health service to adopt a cybersecurity policy and a contingency plan for cybersecurity incidents. Overall, the health sector is covered by the general legal framework for cybersecurity as discussed in this chapter.
214 CHAMBERS.COM