New EU Directive Marks Cybersecurity Regulatory Paradigm Shift For Bio/Pharma & Medical Devices

By John Giantsidis, president, CyberActa, Inc.

The increasing degree of digitalization and interconnectedness, along with the rising number of cyber malicious activities at the global level, has effectively rendered cybersecurity an increasingly valued position on a business level. In the U.S., beyond the FDA’s efforts that address medical devices,¹ the Securities and Exchange Commission's agenda for 2023 includes the implementation of a new rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requiring companies subject to the Securities Exchange Act of 1934 to report material cybersecurity incidents within a certain timeframe and make disclosures pertaining to the company's cybersecurity protocols and risk management strategies.²

In the European Union, however, the cybersecurity mandate is not limited to publicly traded organizations since a new cybersecurity directive was published and entered into force on Jan. 16, 2023. This new Directive (EU) 2022/2555 on the Security of Network and Information Systems³ (“NIS2”) mandates cybersecurity risk management measures and reporting requirements for all segments of our industry:

• laboratories,
• entities carrying out research and development activities of medicinal products (CROs and CDMOs), and
• manufacturers of medical products, including chemicals (APIs), pharmaceuticals, and medical devices.

You may consider NIS2 comparable to EU GDPR — NIS2 looks to protect economic data akin to GDPR protecting personal data. Together, let’s further explore the necessary requirements set by NIS2 that need to be addressed:

• Cybersecurity Risk Management and Governance
• Regulatory Oversight and Enforcement
• Incident Reporting
• Supply Chain

Cybersecurity Risk Management And Governance

NIS2 places increased demands on internal cybersecurity risk management. It is important that your organization carries out risk analyses, which act as preventive measures against security threats. Your organization must ensure that it has security measures in place that reduce the consequences and risks of cybersecurity incidents. As part of reducing the consequences of cyber incidents, you must also have a plan for how it will ensure business continuity if your organization is hit by a cyberattack. This includes a plan for the deployment of a crisis team, emergency procedures, and recovery of the affected systems. A NIS2 core requirement is that organizations take the appropriate and proportionate technical, operational, and organizational measures according to the state of the art. The expected starting point is the systematic analysis that considers and evaluates the human factor and the degree of dependency on network and information systems, and the following measures are the minimum requirements to be covered:

• Risk analysis
• Information system security policies
• Incident handling (prevention, detection, and response to incidents)
• Business continuity
• Crisis management
• Supply chain security that includes:
  • Subcontractors and service providers
  • Open-source or third-party libraries and software packages that are required for operations to function
  • Third-party infrastructure used
  • Third-party managed security services providers
  • Third-party engineering vendors that configure and maintain industrial equipment
• Security in network and information systems acquisition, development, and maintenance
• Vulnerability handling and disclosure, including vulnerabilities specific to each supplier and service provider, overall quality of products, and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
• Auditing of policies and procedures to assess the effectiveness of cybersecurity risk management measures
• Use of cryptography and encryption for data protection

Regulatory Oversight And Enforcement

The overarching agency to oversee NIS2 is The European Union Agency for Cybersecurity (ENISA), but the enforcement will depend on each country. Who issues the fines, who files injunctions, who collects the fines, who removes management from their roles, etc., will be your local regulatory authority.

Covered entities, whether laboratories, CROs and CDMOs, or pharmaceutical or medical device manufacturers, will be subject to active supervision, akin to an FDA consent decree oversight. The supervision will be risk-based, and this can be done on-site, through audits, reporting, peer reviews and security scans, or remotely, and the regulatory agencies can request information and data from your systems to assess whether you have the appropriate security measures in place, or had them in place, to protect your data.

If the regulatory agency does not believe that your organization complies with NIS2 requirements, it can issue a court order requiring your organization to rectify the lack of security. If the lack of compliance is severe enough or the organization does not adequately or timely address the non-compliance, then fines would be levied.

Of interesting note, however, is that NIS2 presents a significant impact on management's responsibility to ensure companies meet its requirements. There is an explicit expectation for senior management to focus on and manage the company's cybersecurity risks, and executives could be deprived of their managerial powers in the event of non-compliance. In parallel, product certifications or approvals may be suspended.

Incident Reporting

Organizations must have in place procedures and mechanisms to ensure timely and accurate reporting of cybersecurity incidents to the relevant authorities within 24 hours, and a final incident written report is submitted within one month.  The importance of incident reporting is reflected in tight deadlines and an organization can be subject to sanctions if it does not comply. So, entities must report any incident that caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned, has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses, or for which there is an indication it was presumably caused by unlawful or malicious action.

Supply Chain

NIS2 obliges covered entities to adopt a risk-based approach to cybersecurity and extend it to your entire supply chain. As such, you must conduct a cybersecurity due diligence throughout your supply chain. This applies both to products (software bill of materials) and cybersecurity requirements that suppliers have. In essence, a covered entity is not only responsible for the cybersecurity of its own operations but also the suppliers it chooses to use.

Considerations

Most organizations often lack a management-based strategy for cybersecurity, a common frame of reference, and a general understanding of how cyber risks must be articulated and managed – technically, operationally, and organizationally as well as financially and contractually. It is expected that the task of raising the cybersecurity level within an organization will be difficult and expensive.

A robust cybersecurity strategy should protect your company’s assets and activities and ensure continuous compliance with NIS2. The assets and activities can be both physical and intangible assets, such as confidentiality, people, processes, reputation, regulation, contractual obligations, etc., and the basic prerequisite for drawing up the strategy is to have a clear picture of:

• overall strategy and business goals,
• assets and the consequences of these assets being compromised,
• organizational and technical structure and prerequisites,
• any established minimum cybersecurity requirements, and
• covered entities’ digital suppliers, outsourcing, and partners.

The aim of such a cybersecurity strategy is to frame the operational elements to identify, protect, detect, manage, and recover and, thereby, correspond to internationally recognized cybersecurity frameworks.

Summary

There is a regulatory paradigm shift underway to protect digital assets and data. Few laboratories, CROs and CDMOs, and pharmaceutical and medical device manufacturers can meet the NIS2 cybersecurity requirements today. The new cybersecurity rules requires us to increase our resilience to cyberattacks by giving prominence to people and processes, not only to technology, and seek to strengthen the governance framework by establishing responsibilities for senior management and provide new incentives such as reputational or security and resilience as a competitive advantage of regulated entities. Suppliers and subcontractors of covered entities may also be faced with contractual and commercial requirements for compliance with security requirements as a derived effect of NIS2.

References

1. https://www.meddeviceonline.com/doc/fda-releases-guidance-on-cybersecurity-in-medical-devices-0001
2. https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST¤tPub=true&agencyCode=&showStage
   =active&agencyCd=3235&csrf_token=57EAE6361828696D77A089ABEC320A1193B2BD5D273
   12F60466BF8BF333312C93FB346B2352B6C7619757176AE5CCB48D4B0
3. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive

About The Author:

John Giantsidis is the president of CyberActa, Inc., a boutique consultancy empowering medical device, digital health, and pharmaceutical companies in their cybersecurity, privacy, data integrity, risk, regulatory compliance, and commercialization endeavors. He is the vice chair of the Florida Bar’s Committee on Technology and a Cyber Aux with the U.S. Marine Corps. He holds a Bachelor of Science degree from Clark University, a Juris Doctor from the University of New Hampshire, and a Master of Engineering in cybersecurity policy and compliance from The George Washington University. He can be reached at john.giantsidis@cyberacta.com.