Life Science – technology-focused regulations that have an impact from 2025 onwards

The life science sector is facing major changes when new technology-focused regulations enter into force from 2025. At Lindahl, we are preparing our clients for these changes. Our experts have analysed future requirements in cybersecurity, AI systems and e-health data which affect everything from research companies to manufacturers of medical devices. Here we provide an overview of the most important regulations and their implications for the industry.

Cybersecurity for research and pharmaceutical companies (the NIS 2 directive). Companies that are medium-sized or larger (i.e. that either have over 50 employees or that have an annual turnover and balance sheet total of over EUR 10 million) will be subject to new cybersecurity requirements, including greater responsibility for the board of directors, when the Swedish Cybersecurity Act is in place. No draft law has yet been issued and we do not expect a Swedish law until the third quarter of 2025 at the earliest. However, if you were covered by NIS-I, parts of the new requirements already apply now.

Requirements for connected products, etc. (Data Act). The regulations include extensive requirements for connected products and associated services, for example with regard to the design and manufacture of the products and making product data available. Unlike the Cyber Resilience Act (below), medical devices are also included as long as they fall within the scope of the Act. It begins to apply on 12/09/2025, though certain requirements only apply to products placed on the market after 12/09/2026.

Requirements for AI systems that are, or that form part of, medical devices, including in-vitro products (the AI Regulation). The regulation includes extensive requirements for AI systems, particularly those classified as “high risk”, and imposes requirements on both suppliers and users of those AI systems. These requirements must be applied in parallel with medical device regulations for AI systems that are used as a safety component in a product or that are themselves a product, subject to the third-party assessment requirements contained in the medical device regulations. The main part of the regulations begins to apply progressively from 01/02/2025 to 01/08/2027.

Cybersecurity in software or hardware products with digital elements (Cyber Resilience Act, CRA). It should be noted that medical devices are exempt from these regulations. That means that connected health and care products, which admittedly fall outside the strict definition of medical devices, will nevertheless be subject to the CRA. All health products that fall within the scope of applicability will therefore need to apply detailed regulations in some form in future, regardless of whether or not they are classified as medical devices. The regulations begin to apply on 11/12/2027, though the reporting obligation begins to apply as early as 11/09/2026.

New rules for e-health data (the Health Data Regulation). The European Parliament and the Council have agreed on the regulations and the final legislative text is expected to be published shortly. The regulations introduce new rules for primary and secondary use of e-health data. In health and medical care, the regulations include new requirements for access to and control of e-health data. For industry, it will form a basis for secondary use of health data for research, health apps and electronic medical record systems. The regulations begin to apply successively from two years after publication in the Official Journal of the European Union. Publication this year means that they will enter into force in the period from 2027 to 2037.


Do you want to know more about how this will affect your business? You are welcome to contact us using the contact details below.

Do you want to know more? Contact:

Alexander Tham

Partner