Cyber Resilience Act and MDR Medical Software: Is It Applicable?

Published on 12 May, 2026 by Evangelos Mantadakis

If a company develops medical device software under Regulation (EU) 2017/745 (MDR), does the Cyber Resilience Act, Regulation (EU) 2024/2847, apply to that software, and should the manufacturer apply it?

The short answer is no.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, sets horizontal cybersecurity requirements for products with digital elements that are placed on the EU market.

In simple terms, it asks manufacturers to build and maintain cybersecurity throughout the product lifecycle.

For manufacturers in scope, the CRA requires a structured approach, including:

  • secure-by-design and secure-by-default development
  • cybersecurity risk assessment and risk reduction measures
  • vulnerability handling processes
  • security updates during a defined support period
  • technical documentation and evidence of conformity
  • reporting obligations for actively exploited vulnerabilities and serious incidents

This means cybersecurity is not a one-time activity. It becomes a continuous responsibility from design to post-market support.

Is it applicable to MDR medical software manufacturers?

For software that is a medical device under MDR, the CRA scope includes an exclusion.

Article 2 (Scope) of Regulation (EU) 2024/2847 states:

"This Regulation does not apply to products with digital elements to which the following Union legal acts apply: (a) Regulation (EU) 2017/745;"

So, if your product falls under Regulation (EU) 2017/745, the CRA does not apply to that product.

Practical note

Even though the CRA does not apply to MDR medical device software, cybersecurity obligations still exist under the MDR framework and related standards/guidance. Manufacturers should continue to maintain strong cybersecurity controls as part of their medical device compliance system.
