Medical device cybersecurity
Medical device cybersecurity sits at the intersection of Trade and Geopolitical Risk in ways that compliance teams can no longer treat as a secondary concern. The U.S. Food and Drug Administration's 2023 refusal-to-accept policy for premarket submissions without a cybersecurity plan, combined with active scrutiny from the European Commission's Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs under the EU Medical Device Regulation, has created a dual-jurisdiction pressure point for any device with cross-border supply chains or foreign component sourcing. Firms with exposure to Asia-Pacific markets are also tracking the Pharmaceuticals and Medical Devices Agency of Japan as it tightens post-market cybersecurity expectations tied to software updates from foreign vendors.
Watch
- FDA's refusal-to-accept policy: premarket submissions require a Software Bill of Materials
- EU MDR Article 5 enforcement actions against devices with unpatched legacy software components
- PMDA draft guidance on foreign vendor software update disclosures, expected Q3 review cycle
- U.S. Commerce Department export controls potentially restricting dual-use cybersecurity tooling embedded in devices
Recent material activity in Trade & Geopolitical Risk
- OFAC designates 14 entities linked to Russian defense procurement network
  The Treasury Department's Office of Foreign Assets Control added 14 entities and 6 individuals to the Specially Designated Nationals list for their roles in procuring critical technology components for Russia's defense i…
- BIS adds 22 Chinese semiconductor entities to Entity List for advanced chip diversion
  The Bureau of Industry and Security expanded export controls targeting Chinese semiconductor entities found to be diverting advanced computing chips through third-country intermediaries. New license requirements affect i…