Cyber regulation that affects the pharmaceutical industry and medical device manufacturers is now effective. The FDA requirement is a further piece of cybersecurity regulation that requires medical device manufacturers to submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, post market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; Design, develop, and maintain processes and procedures to provide a reasonable assurance that devices and related systems are cybersecure, and make available post market updates and patches to the device and related systems to address; Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components, amongst other things. Irrespective of the size of the organisation if device manufacturers want to sell their products or services into the U.S, they are required to comply with FDA device cybersecurity requirements. The SEC released the cyber final rule requiring cyber reporting through 8K and 10K forms, informing market participants that includes investors, of the cybersecurity posture of registrants. EU NIS 2 will affect the pharmaceutical sector and medical device manufacturers from October 2024.
