Cybersecurity in Switzerland
Overview
Cybersecurity is a safety requirement for medical devices that contain software or are connected to other systems. This page provides an overview of Swiss cybersecurity requirements for medical devices. For the pre-market technical documentation requirements in detail, see Cybersecurity Requirements.
Regulatory Basis
MedDO Annex I § 17.2 requires that devices with software or connectivity achieve a level of IT security appropriate to their intended purpose, protect against unauthorised access affecting device operation or safety, and have documented minimum security requirements.
MDCG 2019-16 (Guidance on cybersecurity for medical devices) is the primary interpretive guidance, applicable in Switzerland.
IEC 81001-5-1:2021 is the primary harmonised standard for medical device cybersecurity lifecycle management.
Pre-Market Cybersecurity Requirements Summary
Technical documentation must include:
- Cybersecurity risk assessment integrated with the ISO 14971 risk management file
- Threat model (assets, threats, attack surfaces, mitigations)
- Security architecture documentation
- Minimum hardware/software IT environment specification
- Security testing results (including penetration testing for connected devices)
- Software Bill of Materials (SBOM) for third-party components
- Documented security update/patch management process
Post-Market Cybersecurity Obligations
- Vulnerability monitoring: Continuous monitoring of CVE databases and third-party component vendor advisories for vulnerabilities in components used in the device
- Patch management: Timely assessment and deployment of security patches as part of the PMS process
- Incident reporting: Cybersecurity incidents that result in or could result in patient harm are reportable to Swissmedic via eVigilance as serious incidents
- SBOM maintenance: The SBOM must be maintained and updated as the software evolves
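The vulnerability-monitoring and SBOM-maintenance obligations above are usually met by matching the device SBOM against CVE and vendor advisory feeds on a recurring basis. The following is an added illustration, not code from this page or from any regulator: it parses a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory list (placeholder advisory IDs, not real CVEs), and returns the findings ordered for patch assessment. It assumes plain dotted numeric versions.

```python
"""Match a CycloneDX-style SBOM against an advisory feed (illustrative)."""
import json

# Constructed sample SBOM; component names and versions are invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "mbedtls", "version": "2.28.3"},
    {"type": "library", "name": "lwip", "version": "2.1.3"},
    {"type": "operating-system", "name": "freertos", "version": "10.5.1"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs (not real CVE numbers).
# "affected_below" is the first fixed version for that component.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "mbedtls", "affected_below": "2.28.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "component": "lwip", "affected_below": "2.1.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-3", "component": "openssl", "affected_below": "3.0.9", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    # Assumption: versions are dotted integers ("2.28.3"); pre-release tags are not handled.
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    # Map lower-cased component name -> installed version from the SBOM.
    bom = json.loads(sbom_json)
    return {c["name"].lower(): c["version"] for c in bom.get("components", [])}


def match_advisories(sbom_json, advisories):
    # Return advisories whose component is in the SBOM at a version below the fix,
    # highest severity first, so patch assessment can be prioritised and recorded.
    installed = load_components(sbom_json)
    findings = []
    for adv in advisories:
        version = installed.get(adv["component"].lower())
        if version is None:  # component not shipped in this device
            continue
        if parse_version(version) < parse_version(adv["affected_below"]):
            findings.append({"id": adv["id"], "component": adv["component"],
                             "installed": version, "fixed_in": adv["affected_below"],
                             "severity": adv["severity"]})
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
```

Each finding is the input to the patch assessment step: the vendor decides whether the affected component's weakness changes the ISO 14971 risk evaluation and whether a patch must be deployed.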
Connection to nFADP
Connected medical devices that process personal health data must comply with both the MedDO cybersecurity requirements and the Swiss Federal Data Protection Act (nFADP, SR 235.1). Health data is classified as particularly sensitive personal data under the nFADP, which attracts heightened protection obligations, including appropriate technical and organisational security measures and data breach notification to the Federal Data Protection and Information Commissioner (FDPIC) and to affected individuals.
Official Sources
AI-assisted navigation aid only. Always verify against official Swissmedic and Fedlex sources. Not legal or regulatory advice.