
An amendment to the Medical Devices Ordinance (MedDO) has been prepared, which will come into force on 26 May 2021 if the Mutual Recognition Agreement (MRA) between Switzerland and the European Union (EU) has not been updated by that date. This amendment is referred to as the Eventual-MepV (Contingency MedDO), but the explicit content is not publicly available yet. As the clock is relentlessly ticking towards 26 May 2021, Swiss Medtech has been able to share some relevant information for the industry to prepare for the regulatory requirements the amendment introduces:

Swiss Authorised Representative: The Eventual-MepV provides for transitional periods for the appointment of a Swiss authorized representative, including corresponding labelling:

  • Until 31 December 2021 for Class III devices, Class IIb implantable devices, and all active implantable devices.
  • Until 31 March 2022 for non-implantable Class IIb devices and Class IIa devices.
  • Until 31 July 2022 for Class I devices, systems, and procedure packs.

Access to the technical documentation: Access to the technical documentation may be provided by keeping a copy available on the authorized representative’s premises or by a contractually guaranteed assurance that delivery will occur within seven days at Swissmedic’s request.

Registration obligations: In the absence of Eudamed, registration obligations will be fulfilled by submitting information to Swissmedic. Economic operators who have already placed devices on the market before 26 May 2021 following the MDR and IVDR must complete the registrations by 26 November 2021.

Summary of Safety and Clinical Performance (SSCP): The validated SSCP is not uploaded by the Notified Body in Eudamed but has to be made publicly available by the manufacturer - for example, on its website.

The latest announcement of the European Commission aims to alleviate some of the legal uncertainty surrounding EU market access of Swiss medical devices after the date of application of the MDR in May 2021. To mitigate supply disruptions on the EU market, the EU proposes a limited modification to the current Mutual Recognition Agreement, which would grant certificates issued by a Swiss NB the same grace period the MDR grants to certificates issued in the EU.

Once accepted by both parties, this amendment could enter into force on 26 May 2021. The detailed wording of the amendment is not known yet, and the impact has to be analysed once the amendment is available. But the EU Commission emphasizes that this amendment does not include new certificates issued under the MDR. The MRA will only be updated to include the MDR once substantial progress is made on the Swiss side towards signing the Institutional Framework Agreement.

This proposed amendment to the MRA does not change the condition that third country requirements will apply as of 26 May 2021. Swiss manufacturers should continue their preparation to comply with third country requirements for products to be placed on the EU market, namely appoint an authorized representative in the EU or EEA and accordingly adapt the labelling of the products.

In a recently published guidance document, the MDCG aims to provide guidance to the Member States on handling certain MDR provisions applicable as of May 2021, even though Eudamed is not fully functional. To comply with the current Directives, legal manufacturers and authorised representatives of CE-marked medical devices have to register in the EU country where they have their place of business. The transitional provisions of the MDR state that if Eudamed is not fully functional on the date of application, the corresponding provisions of Directives 90/385/EEC and 93/42/EEC continue to apply. The MDR introduces a much larger Eudamed database than the one that currently exists under the Directives, alongside a variety of new registration requirements regarding stakeholders and data exchange and a publicly accessible version to increase transparency. MDCG 2021-1 includes information on how to address cases where the exchange of information would be difficult, based on the corresponding provisions of the Directives.

Eudamed is composed of the following six interconnected modules:

  • Actors registration
  • UDI/Devices registration
  • Notified Bodies and Certificates
  • Clinical Investigations and performance studies
  • Vigilance and post-market surveillance
  • Market Surveillance

With the MDR fully applying on 26 May 2021, the actor registration module is the first and only Eudamed module currently available. The European Commission launched the Eudamed actor registration module on a voluntary basis on 1 December 2020. This allows competent authorities to assign SRNs (single registration numbers) to each economic operator, which is a precursor to device registration (and plays a role in the documentation of a medical device under MDR). Device registration in Eudamed will not be possible until the UDI/Device Registration module goes live.

When launching the first module, the Commission made clear that it is not in a position to enforce the use of the actor registration module, but asked EU competent authorities to promote the registration process in Eudamed and avoid double registration at a national level. Owing to each country's need to maintain an oversight of the manufacturers on its market, some countries will extend national manufacturer registration to CE-marked products under the MDR, and manufacturers and authorised representatives are subject to double registration if they choose to make use of the available module.

The new MDCG guidance aims to provide a harmonised approach by outlining administrative practices and alternative technical solutions to exchange information until the database is ready. MDCG 2021-1 shows in tabular form how individual specifications in the MDR are to be implemented in the period until Eudamed is available. The document suggests that as soon as a functionality corresponding to a requirement is available in Eudamed, the system may be used even before the notice of full functionality of Eudamed has been published. It also includes relevant information on how to deal with regulatory requirements having no corresponding provision in the Directives, such as:

  • Making the summary of safety and clinical performance (SSCP) publicly available: The SSCP shall be made available to the public upon request without undue delay, or the manufacturer shall specify where it is made available to the public.
  • Data exchange between notified bodies and expert panels during the clinical evaluation consultation procedure: Notified bodies should notify the relevant parties by uploading the required information to a dedicated secure directory in CircaBC, using a pre-defined template as soon as it becomes available (organised by the Commission).
  • Periodic safety update report (PSUR): For class III devices and for classes IIa and IIb implantable devices, manufacturers should deliver the PSURs to the relevant notified bodies by appropriate means. Notified bodies should provide the PSUR evaluations to the manufacturers and make them available upon request to the competent authority.

Switzerland says yes to the free trade agreement with Indonesia. Once the agreement has been ratified, many products will benefit from lower trade barriers and tariffs. As a manufacturer, are you planning to take advantage of these facilitations and place your medical devices on the Indonesian market? Or would you like to expand your existing product range on the Indonesian market and need support? We will be happy to advise and support you with our comprehensive regulatory and registration know-how.

As is customary worldwide, specific obligations towards the health authorities also apply in Indonesia to medical diagnostic devices, in order to ensure good medical care for the Indonesian population. For specific enquiries, please contact us.

For a while now, cybersecurity incidents in the healthcare sector have been increasing and can no longer be dismissed as random incidents, vandalism by script kiddies or collateral damage of general malware campaigns. The healthcare sector, specifically health delivery organizations and their supply chain, has become a prime target for cybercrime and cyberwar actors. Legislators and regulators are reacting, as usual, by creating new legislation, guidelines and requirements, but focusing on health delivery organizations as operators of medical IT-networks (critical infrastructure). As security is only ever as strong as its weakest link, this also impacts medical device manufacturers. While the “what” is being defined by the regulators, figuring out the “how” remains with the operators and manufacturers.

So far, guidance and standardization have focused on (cyber)risk management in general (e.g. AAMI TIR 57) and left manufacturers with a lack of technical standards on how to actually mitigate identified risks. This lack of support on the technology side made many manufacturers turn to other industries, leading e.g. the IEC 62443 family to become a de facto standard for cybersecurity across multiple domains. While these standards have garnered widespread acceptance (e.g. some parts are listed as FDA recognized consensus standards), they don’t necessarily meet all the requirements of the healthcare sector. In recognition of this situation, the ISO and IEC started work on several new standards addressing the issue.

As part of that effort, the IEC has recently published IEC TR 60601-4-5:2021 Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications.

The technical report reinforces the idea that security is a burden shared by the manufacturer and the operator of a medical device. It defines a scheme with which this burden can be assessed, documented and communicated between parties; it defines four security levels and a list of technical capabilities that need to be implemented by a medical device to reach a specific security level. The capabilities are based on those defined by IEC 62443-4-2:2019 (and IEC TR 80001-2-2:2012) and brought into alignment with the basic tenet of medical device development: patient safety.

As a member of the IEC 60601 standards family for electrical medical devices, it defines requirements for the medical device itself (product standard). But unlike the other standards in the family, the scope explicitly mentions that it can be applied to any medical device software, including SaMD.

The technical report's stated goal is to define testable security properties for a medical device; currently, no official test report form (TRF) exists. It is likely that one will be published in the near future, and that test labs will offer relevant tests.

The technical report is planned to be harmonized for the MDR.

For medical device manufacturers, the technical report thus provides guidance on how to address the security vs safety challenge when implementing the security mechanisms defined in IEC 62443-4-2:2019. It further helps in assessing and attaining the security levels of a device and in identifying the security measures external to the device that are needed to reach a specific target security level of an operator. It thus also defines information that needs to be provided to the operator for the secure use of the device. In that, it is expected to help the manufacturers meet the general safety and performance requirements (GSPR) 17.2, 17.4, 23.4 (ab) of the MDR.

Note that the report is essentially a wrapper around the IEC 62443-4-2:2019 standard, which is required reading for anyone trying to implement the security measures listed in the report. Also, neither the report nor the standard goes down to the “bits and bytes” level of engineering, which is left to the relevant technical standards or state-of-the-art knowledge of the engineer.

At the moment it is still too early to tell if the health delivery organizations/operators of medical IT-networks will apply a security-level scheme, as proposed by the IEC 60601-4-5 and IEC 62443-4-2, when purchasing medical devices. But with the relevant IEC and ISO committees collaborating on the topic, and the technical report being targeted for harmonization under the MDR, it seems likely that this might happen sooner or later.