The EU Cyber Resilience Act (CRA) 2024/2847 introduces mandatory cybersecurity requirements for products with digital elements sold in the EU. Vulnerability reporting obligations take effect September 11, 2026, and full product conformity becomes mandatory December 11, 2027. While medical devices under MDR are exempt from the CRA's product requirements, many digital components in the healthcare ecosystem are not.
## The medical device exemption and its limits
CRA Article 2(2) exempts products already covered by sector-specific EU harmonisation legislation that imposes equivalent cybersecurity requirements. Medical devices regulated under MDR 2017/745 and IVDs under IVDR 2017/746 fall within this exemption.
However, the exemption applies only to the medical device itself. Digital products that interact with, support, or connect to a medical device but are not themselves classified as medical devices are fully subject to the CRA:
| Product | CRA applies? | Rationale |
|---|---|---|
| SaMD classified under MDR | No | Covered by MDR cybersecurity requirements |
| Hospital information system interfacing with devices | Yes | Not a medical device under MDR |
| Mobile app classified as Class I accessory | No | Covered by MDR |
| Cloud platform hosting device data (not classified as SaMD) | Yes | Not a medical device |
| Firmware update tool for a medical device (not part of the device itself) | Yes | Standalone digital product |
| General-purpose operating system running on a medical device | Yes | Not covered by MDR as a standalone product |
If you manufacture both MDR-regulated devices and non-device digital products in the same ecosystem, you may need to comply with both MDR (for the device) and CRA (for the supporting software).
## Vulnerability reporting: September 11, 2026
The CRA's vulnerability reporting obligations under Article 14 apply from September 11, 2026. Manufacturers of in-scope products must report actively exploited vulnerabilities and significant security incidents to their national Computer Security Incident Response Team (CSIRT) and to ENISA via a single reporting platform.
The reporting timeline is strict:
| Stage | Deadline | Content required |
|---|---|---|
| Early warning | Within 24 hours of awareness | Notification that a vulnerability is being actively exploited, or that a significant incident has occurred |
| Vulnerability notification | Within 72 hours | Detailed information on the vulnerability, exploitation activity, and any corrective measures taken or planned |
| Final report | Within 14 days of mitigation | Complete description of the vulnerability, root cause analysis, and corrective actions applied |
These reporting timelines apply even if a full fix is not yet available. The purpose is to enable coordinated response across the EU.
## Product conformity requirements: December 11, 2027
Full CRA product conformity obligations take effect December 11, 2027. For in-scope products, this means:
**Security by design (CRA Annex I, Part I):** Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity. This includes secure default configurations, protection against unauthorized access, and data confidentiality and integrity.

**Vulnerability handling (CRA Annex I, Part II):** Manufacturers must identify and document vulnerabilities, provide security updates for the expected product lifetime (minimum 5 years), and operate a coordinated vulnerability disclosure policy.

**Software Bill of Materials (SBOM):** Manufacturers must produce and maintain an SBOM listing all components, including open-source libraries and third-party dependencies. The SBOM is part of the technical documentation and must be made available to market surveillance authorities on request.

**Conformity assessment:** Most products follow a self-assessment route based on internal control (CRA Annex VI). Important and critical products (as defined in CRA Annexes III and IV) require third-party assessment.
## Interaction with MDR cybersecurity requirements
MDR already requires manufacturers to address cybersecurity in their technical documentation. MDR Annex I, Section 17.4 requires that devices incorporating software or that are programmable electronic systems be designed to ensure repeatability, reliability, and performance. MDCG 2019-16 provides guidance on cybersecurity for medical devices.
For manufacturers with products straddling both regulations, the practical approach is:
- Apply MDR cybersecurity requirements to the medical device itself
- Apply CRA requirements to any non-device digital products in the ecosystem
- Use a common cybersecurity risk management framework (such as IEC 81001-5-1) across both
## Key deadlines
| Date | Requirement |
|---|---|
| September 11, 2026 | Vulnerability reporting obligations begin for CRA-scope products |
| December 11, 2027 | Full product conformity required for CRA-scope products |
| Ongoing | Security updates must be provided for the product's expected lifetime (minimum 5 years) |
## Key takeaways
- Medical devices under MDR are exempt from CRA product requirements, but many associated digital products are not
- Vulnerability reporting starts September 11, 2026: 24-hour initial notification, 72-hour detailed report, 14-day final report
- Full product conformity (security by design, SBOM, vulnerability handling) is required by December 11, 2027
- Manufacturers with mixed product portfolios need to determine which products fall under MDR and which under CRA
- CRA requires an SBOM for all in-scope products, maintained throughout the product lifecycle
- Coordinated vulnerability disclosure and security update processes are mandatory
## How RegAid helps
RegAid covers MDR cybersecurity requirements including Annex I Section 17.4 and all MDCG guidance on cybersecurity for medical devices. Ask "What cybersecurity documentation do I need for my connected medical device?" and get cited answers linking MDR requirements to MDCG 2019-16 and the applicable harmonised standards.
