19 August 2025

A Heart Monitor At The Crossroads Of EU Data, Security And Medical Rules

Malta Food, Drugs, Healthcare, Life Sciences

EU Data Act - Security

A remote cardiac monitor is small enough to slip under the skin, but it changes the way a patient's heart is watched. Once in place it works quietly in the background, recording every beat and any irregular rhythm, sending that stream of information through a secure link to the manufacturer's systems. The doctor can check it without asking the patient to come in, which makes it seem like a simple, almost invisible piece of healthcare. In reality it is also a connected product, and that means in Europe it sits squarely in the middle of several different laws.

The first is the EU Data Act (Regulation (EU) 2023/2854), which applies from 12 September 2025. It has nothing to do with whether the device functions correctly or is medically safe, and everything to do with the patient's right to the information it produces. Every rhythm log and every raw technical reading the device generates is data the patient is entitled to access and share, not something the manufacturer can keep for itself.

The Data Act gives the user of a connected product, here the patient, the right to access the data it generates, not just the neat graphs or alerts chosen for them, and to share it with a third party of their choosing: their cardiologist, a specialist in another Member State, or an independent analysis tool. The manufacturer may withhold data only on narrow grounds, such as protecting another person's personal data or, under strict conditions, a trade secret. Because heart-rhythm readings are health data, the GDPR continues to apply in parallel; the Data Act adds access and portability rights on top of it rather than replacing it.

That right is not a formality. It can mean that a patient spots a pattern in their own readings that the system's automatic checks have missed, or that they can take part in research without waiting for the manufacturer to mediate. It can also mean more freedom for doctors, who can receive the data in a format they can actually work with rather than a fixed report that hides as much as it shows.

The second law is the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), which comes into play long before the patient receives the device. It is about whether the monitor is secure by design and by default: whether it resists attack, keeps patient data confidential in transit and at rest, ships without known exploitable vulnerabilities, and can take software updates that are authenticated so that only the manufacturer's signed builds are accepted. It also requires a vulnerability-handling process for the product's whole support period, including coordinated disclosure and the notification of actively exploited vulnerabilities and severe incidents to the authorities on short deadlines (an early warning within 24 hours).

The risk is not theoretical. Past incidents have shown that weaknesses in connected medical devices can be exploited, and the consequences for both privacy and safety are serious. The CRA aims to raise the baseline for security across all connected products, not just those in healthcare.

Alongside both sits the lex specialis, the Medical Devices Regulation (MDR), the main EU law for anything used in patient care. It already sets detailed requirements on safety, performance and post-market monitoring, and its general safety and performance requirements include information security: software must be developed in line with the state of the art, and manufacturers must specify minimum IT security measures, including protection against unauthorised access. Because those rules exist, the CRA's final text carves devices covered by the MDR out of its own scope (Article 2(2)), so for the implant itself the security requirements arrive through the MDR and its cybersecurity guidance rather than through the CRA directly. The CRA still applies in full to connected products that are not medical devices, and a prudent manufacturer designs to the CRA baseline anyway, since the same security engineering satisfies the MDR's requirements and covers any companion products that fall outside the MDR.

For a company making this kind of device, the overlap is not just a matter of ticking boxes. The design team needs to decide how to authenticate and encrypt the link between device and server, how to sign firmware so the implant accepts only the manufacturer's own updates, how to monitor the device once it is in use, and how to fix problems without risking the patient's health. At the same time they have to put in place a system that gives the patient their complete data quickly and in a format that can be used beyond the company's own platform. That might mean building a secure patient portal, exporting in open data standards rather than a proprietary format, and providing help so the information can be understood and acted upon.
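As an added illustration of the secure-update requirement discussed above (example code written for this page, not from any manufacturer, regulator or standard), the Go program below shows the check an implant or its bedside programmer would run before accepting a firmware image. The image carries a version number and an Ed25519 signature made with the vendor's private key; the device verifies the signature over header and payload before trusting any field, then refuses any version not newer than the one already installed, so an attacker cannot replay an older build that was genuinely signed but has since been found vulnerable. The image layout, the field names and the way the vendor key is held are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed (hypothetical) image layout for this example:
//   version  uint32 big-endian (4 bytes)
//   length   uint32 big-endian (4 bytes, payload length)
//   payload  []byte
//   sig      64-byte Ed25519 signature over version||length||payload
const headerLen = 8

var (
	ErrMalformed = errors.New("update: malformed image")
	ErrBadSig    = errors.New("update: signature verification failed")
	ErrRollback  = errors.New("update: version is not newer than installed")
)

// Device holds the only two things the implant needs to trust an update:
// the vendor's public key (fixed at manufacture) and the version it runs.
type Device struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

// BuildImage is the vendor-side step: sign header||payload with the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(img[0:4], version)
	binary.BigEndian.PutUint32(img[4:8], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyAndApply is the device-side step. The signature is checked before
// any header field is trusted; only then is the anti-rollback rule applied.
// A rejected image leaves the device state untouched.
func (d *Device) VerifyAndApply(img []byte) ([]byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return nil, ErrMalformed
	}
	body := img[:len(img)-ed25519.SignatureSize]
	sig := img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(d.VendorKey, body, sig) {
		return nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[0:4])
	length := binary.BigEndian.Uint32(body[4:8])
	if int(length) != len(body)-headerLen { // defensive: length is signed, so this only fails on a vendor bug
		return nil, ErrMalformed
	}
	if version <= d.CurrentVersion {
		return nil, ErrRollback
	}
	payload := append([]byte(nil), body[headerLen:]...)
	d.CurrentVersion = version
	return payload, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, CurrentVersion: 3}

	tampered := BuildImage(priv, 5, []byte("firmware v5"))
	tampered[headerLen] ^= 0x01 // flip one payload byte after signing

	cases := []struct {
		name string
		img  []byte
	}{
		{"newer signed build", BuildImage(priv, 4, []byte("firmware v4"))},
		{"older signed build", BuildImage(priv, 2, []byte("firmware v2"))},
		{"tampered payload", tampered},
		{"truncated image", []byte("short")},
	}
	for _, c := range cases {
		_, err := dev.VerifyAndApply(c.img)
		fmt.Printf("%-20s -> installed=%d err=%v\n", c.name, dev.CurrentVersion, err)
	}
}
```

The order of checks matters: the version field is read only after the signature over it has been verified, so an attacker cannot steer the rollback logic by editing an unsigned header, and the installed version is bumped only on success, so a failed update never changes what the device will accept next.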

The work continues long after the launch. Post-market surveillance under the MDR requires manufacturers to keep track of how the device performs in the real world, feeding that experience back into design improvements.

The CRA's focus on vulnerability management adds pressure to act quickly when security issues arise, while the Data Act's requirements keep the data channel open for as long as the device is in service. This creates a continuous loop of responsibility: watch performance, maintain security, and honour the patient's right to their own information.

The two laws divide the task between them. The Cyber Resilience Act looks at whether the device is secure and can be trusted to protect the patient and their information. The Data Act focuses on the rights of the patient to see and use the data it produces. Both apply in different ways but neither can be ignored, because the device has to pass on both counts before it can truly be relied on.

For manufacturers this is not just a regulatory hurdle to clear. It means designing and producing something that is technically robust and secure, while also creating systems that make the data accessible and useful to the person wearing it. The same team has to think about encryption and server security alongside user portals and readable reports. It is a blend of engineering, legal compliance and patient service that has to work together from the start.

The approach is no longer confined to medical devices. The same logic is being applied to other connected products, from modern farm machinery to industrial equipment and even home appliances. These all have to meet the same combination of security and openness. The heart monitor is simply an easy example to grasp, because it makes the balance between safety and access so clear. It shows how the EU is trying to build public trust in technology by making sure people are protected and informed at the same time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
