CRA and AI Act – safety standards for digital health products

The CRA aims to harmonize IT security standards for products with digital elements and sets strict requirements for networked devices and software. Among other things, it requires security updates, compliance with a secure standard configuration level and detailed documentation, such as a software bill of materials (SBOM).

The AI Act supplements these safety requirements with specific specifications for AI-supported systems and products that are classified as “high-risk”, which applies to many applications in medicine.

The combination of these regulations is intended to ensure comprehensive risk management for digital health products, especially when AI is used for diagnoses or patient-specific therapies.

Integration into the requirements of the MDR and IVDR

Medical devices, especially those that are based on AI or are networked, are already subject to the MDR and IVDR. However, the CRA and the AI Act create additional standards and requirements that are particularly important for manufacturers of digital health products. These must integrate the following aspects:

  • Cybersecurity according to CRA

    The MDR already requires safety over the entire life cycle of medical devices. The CRA expands on this with detailed safety requirements for networked devices, which also apply to medical AI applications. Ongoing IT security checks and documentation are essential in order to avoid security gaps.

  • Risk management for AI in accordance with the AI Act

    The AI Act sets out strict requirements for the risk management and transparency of AI algorithms. Medical devices with AI components must therefore not only meet the medical safety requirements of the MDR, but also ensure that their algorithms are robust, fair and transparent. In addition, the AI Act requires that these AI systems are designed to be controllable and traceable, which is particularly important for use in critical medical applications.

Overlaps and synergies – an integrated approach to security

  • Standardized certification and CE marking

    Both the CRA and the AI Act require conformity assessments. CE marking will be required for many products, bringing together the requirements for cybersecurity and AI use.

  • Software Bill of Materials (SBOM)

    The obligation to maintain an SBOM is not only relevant for CRA compliance, but also makes sense for monitoring the components for AI applications. Especially with AI software, which often uses open source libraries, the documentation of all modules used is crucial for identifying security vulnerabilities.

  • Risk management and transparency

    The AI Act requires a comprehensible explanation and transparency of AI processes in cases of high risk. Combined with the CRA requirements, products in the healthcare industry must therefore carefully monitor and control both technical and ethical risks.

Conclusion

With the CRA and the AI Act, the EU is creating a vision for the future of digital health that combines innovation and safety. Manufacturers of connected and AI-supported medical devices are required to adapt their development processes and implement new standards for cybersecurity and AI.

In this way, products can be created that meet the highest safety requirements and at the same time fulfill the demand for innovation in the healthcare sector.

Contact us

Are you planning to place a medical device on the market and looking for an experienced legal manufacturer? Contact us for a non-binding consultation. Together we will develop the right strategy for your medical device.