
Does the EU Cyber Resilience Act Apply to Your Medical Device? What the 11 September 2026 Deadline Really Means  

Few regulatory topics have generated as much confusion in MedTech this year as the EU Cyber Resilience Act (CRA). Some manufacturers believe every connected medical device must comply with the CRA by September 2026. Others assume the Act has no relevance to medical devices at all. Neither view is correct. Understanding where the CRA applies, and where it does not, is essential for any manufacturer selling connected products in Europe.

First, the headline: medical devices are excluded from the scope of the CRA

The Cyber Resilience Act, Regulation (EU) 2024/2847, sets a cybersecurity baseline for almost every product with digital elements on the EU market. It entered into force on 10 December 2024. Crucially, medical devices and in vitro diagnostics are excluded from the CRA because they are already covered by the sectoral MDR and IVDR rules. So if your product is a regulated medical device under MDR or IVDR, the CRA conformity and CE marking obligations do not apply directly to it.  

That is the part many manufacturers stop reading at. It is also where they make a mistake. 

Why you are not off the hook 

The exclusion applies to your medical device. It does not always cover everything around it. Three points matter.  

  1. Non-device digital products in your portfolio, such as a general-purpose app, a Software development tool or connected hardware that is not itself a medical device, can still fall under the CRA.  
  2. Your suppliers and components may be CRA-regulated, and from 11 September 2026, they must report actively exploited vulnerabilities. You need processes to receive and act on those reports.  
  3. MDR Annex I Section 17.2 already requires software medical devices to be designed and developed according to the state of the art, including cybersecurity risk management, information security, and verification of security measures. 

What happens on 11 September 2026  

For CRA-regulated products, vulnerability and incident reporting obligations begin on 11 September 2026. Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and national CSIRTs through the ENISA Single Reporting Platform, on a staged timeline: a 24-hour early warning, a 72-hour incident notification, and a final report 14 days after remediation. These reporting duties apply even to products already on the market.

Even though your medical device itself is excluded, your wider product family and your supply chain are not, so 11 September 2026 is a date your security team should plan around.  

The MDR revision is closing the gap  

The European Commission is consulting on targeted revisions to the MDR, including proposals intended to improve alignment with evolving EU cybersecurity legislation such as the Cyber Resilience Act. Although the legislative timeline remains subject to the EU legislative process, manufacturers should expect cybersecurity reporting obligations to become more closely aligned with the CRA over time. 

Even for MDR-regulated devices, manufacturers should already be implementing a secure development lifecycle consistent with IEC 81001-5-1, as this demonstrates state-of-the-art cybersecurity expected under MDR Annex I.  

Your action checklist for 2026  

  • Map your portfolio. Separate true medical devices (MDR/IVDR) from products with digital elements (software, or hardware with software or remote data processing) that may fall under the CRA.
  • Understand the cybersecurity obligations associated with open-source software components and third-party libraries included in your products.
  • Align your MDR Annex I 17.2 cybersecurity evidence with state-of-the-art practice now, ahead of the MDR revision.
  • Know which third-party software components are present in your products by maintaining an up-to-date Software Bill of Materials (SBOM).
  • Track the MDR revision consultation so you are ready when CSIRT reporting reaches medical devices.  

The Cyber Resilience Act should not be viewed as someone else’s regulation. Even where medical devices are excluded from its direct scope, the CRA is reshaping cybersecurity expectations across software supply chains, connected products, and regulatory reporting. Organizations that strengthen their cybersecurity governance today will be better prepared for tomorrow’s MDR requirements.  

Why preparing now is smart  

The manufacturers who treat cybersecurity reporting as a 2027 problem will scramble. The ones who build the intake, SBOM and disclosure processes in 2026, while preparing for the MDR revision, will simply switch them on when the rules land. The work is the same either way. The difference is whether you do it under pressure or on your own schedule.  

Need help with medical device cybersecurity readiness? 

NexorTest supports manufacturers with cybersecurity testing, SBOM preparation, threat modelling, MDR Annex I 17.2 evidence and vulnerability management aligned with CRA and the upcoming MDR revision. 

Visit www.nexortest.com or our Cybersecurity and Software Lifecycle Testing service page to start the conversation.


Dr. Pabbisetty PBS Kumar

Chief Compliance Officer at NexorTest Technologies
