REGULATORY UPDATE
LS Law
15th June 2026 Special Edition Update
At Life Science Law, we understand time is limited. That's why our experienced legal experts have done the hard work of summarising the changes to the life science legal landscape, to help make your life a little easier.
Our bi-weekly update contains key regulatory information you need to know.
Key Artificial Intelligence Regulation
Europe
1. EU AI Act
Companies operating in the EU must comply with the EU AI Act, a risk-based framework that entered into force in August 2024 with a phased application through 2028. The EU AI Act applies to providers, developers, importers, distributors, and deployers of AI systems within the EU, regardless of whether they are based inside or outside the Union. It covers both public and private entities, including those based outside the EU if their AI system's output is used within the EU.
a. Key Entities Covered:
- Providers: Organizations/individuals developing and placing AI systems on the market (or general-purpose AI models).
- Deployers: Entities using AI systems in a professional context (e.g., businesses, public authorities).
- Importers & Distributors: Those placing AI systems from outside the EU onto the EU market.
b. Key Scope Details:
- Extraterritorial Reach: UK, US or other foreign-based companies whose AI systems affect individuals in the EU are included. The Act applies based on where the AI system is used or if the output impacts people in the EU, not just where the entity is located.
- High-Risk Focus: Strict requirements apply to AI systems in high-risk categories (e.g., education, employment, critical infrastructure).
- Exemptions: It generally does not apply to AI used for non-professional personal activities, scientific research and development, or military/defence/national security purposes.
c. Key Obligations Include:
Banning specific AI practices (Article 5); strict governance obligations for high-risk systems; harmonised transparency rules for certain AI systems; promoting AI literacy among staff; and harmonised rules for placing general-purpose AI models on the market. Fines can be significant (for breaches of Article 5, up to EUR 35 million or up to 7% of total worldwide annual turnover; for other breaches, up to EUR 15 million or up to 3% of total worldwide turnover).
d. Key Compliance Requirements Are:
- Prohibited AI Practices (Article 5): banned since February 2025. Companies must not develop, place on the market, or use AI systems that pose an unacceptable risk. See Commission Guidelines for further information. Prohibitions include:
  - Manipulative/Deceptive Techniques: AI that uses subliminal techniques to distort behaviour by impairing the ability of an individual or group to make an informed decision and thereby causing significant harm.
  - Exploitation of Vulnerabilities: AI which exploits vulnerabilities due to age, disability or social/economic situation to distort behaviour and thereby causes significant harm.
  - Social Scoring: Evaluating individuals based on social behaviour, leading to detrimental or unfavourable treatment.
  - Predictive Policing: The assessment of criminal risk based solely on profiling.
  - Biometric Identification: Real-time remote biometric identification in public spaces for law enforcement (with limited exceptions).
  - Emotion Recognition: Using AI to infer emotions in workplaces and educational institutions.
  - "Nudifier" Apps: AI that generates non-consensual sexual content (intimate images/audio) (added as part of the Digital Omnibus on AI amendment package).
- General-Purpose AI (GPAI) model rules (Chapter V): applicable as of August 2025. See Commission Guidelines and the GPAI Code of Practice for further information. The Commission and the AI Board have confirmed that the GPAI Code of Practice is an adequate voluntary tool for providers of GPAI models to demonstrate compliance with the AI Act.
  Providers of GPAI models (e.g., LLMs) must:
  - Technical Documentation: Create and maintain documentation for the AI Office.
  - Information for Providers: Make available up-to-date information and documentation to providers who intend to integrate the GPAI model into their AI system.
  - Transparency: Publish a summary of content used for training.
  - Copyright Compliance: Respect EU copyright law.
  - Systemic Risk Evaluation: If the model presents systemic risks, providers must conduct model evaluations, mitigate those risks, perform adversarial testing, and report serious incidents.
- High-Risk AI Systems (Annex I and III): The deadline for Annex III high-risk systems is now delayed to December 2, 2027, and for embedded high-risk systems (Annex I) to August 2, 2028. The European Commission has published draft guidelines on the classification of high-risk AI systems and is seeking stakeholder feedback on them. The consultation is open until 23 June 2026. See here for further information on the consultation.
  If a system is categorised as high-risk, providers must ensure it complies with the requirements for high-risk AI systems set out in Section 2 of Chapter III, including:
  - Risk Management: Establish a continuous, iterative risk management system throughout the AI lifecycle.
  - Data Governance: Use high-quality, representative datasets to train and test systems to minimise bias.
  - Technical Documentation: Maintain detailed documentation, including system design, development process, and risk assessments.
  - Record-Keeping (Logging): Ensure automatic generation of logs for traceability.
  - Transparency & Instructions: Provide clear, actionable information to deployers.
  - Human Oversight: Design systems to allow effective human monitoring and intervention.
  - Accuracy & Cybersecurity: Ensure a high level of robustness against errors and external attacks.
  - Registration: Register high-risk systems in the EU database.
Obligations of providers and deployers of high-risk AI systems and other parties are set out in Section 3 of Chapter III.
- Transparency Rules (Article 50): Apply from August 2, 2026, with a special deadline of December 2, 2026, for watermarking AI-generated content. The Commission is currently consulting on the guidelines on the implementation of the transparency obligations under Article 50. The consultation closes on 3 June 2026. See here for the draft guidelines and how to contribute to the consultation. The guidelines, once final, will complement the Code of Practice on Marking and Labelling of AI-generated Content.
  Transparency obligations include:
  - AI Interaction: Users must be informed, at the time of first interaction or exposure, that they are interacting with an AI system (e.g., chatbots).
  - Content Identification: AI-generated content (including deepfakes) must be labelled as artificially generated.
- Organisational and General Requirements:
  - AI Literacy (Article 4): Companies should ensure their staff who are responsible for AI operation and use have sufficient AI literacy. Following provisional agreement on the Digital Omnibus Package at the beginning of May 2026, this obligation has been downgraded to an obligation to encourage sufficient AI literacy.
  - Governance Lead: Appointing a lead to oversee AI Act compliance is advised.
e. Digital Omnibus Package
The EU Digital Omnibus Package, updated through provisional agreements in May 2026, aims to simplify and streamline key EU regulations (the AI Act, GDPR, ePrivacy Directive, and cybersecurity laws such as NIS2) with the aim of reducing administrative burdens on companies. Regarding AI, it aims to simplify the implementation of the AI Act by postponing key deadlines, reducing administrative burdens, and introducing new prohibitions on high-risk practices. Provisional agreement was reached on 7th May (see here for further information). Based on this, the key proposed obligations and changes to the AI Act are:
- New Prohibitions (Effective Dec 2, 2026)
  - "Nudifier" and NCII Bans: AI systems that generate non-consensual sexual and intimate content (e.g., deepfakes) or Child Sexual Abuse Material (CSAM) are prohibited.
  - Safe Generation: Providers must put in place reasonable safety measures to prevent the creation of such content, not merely refrain from creating it intentionally.
- Postponed High-Risk AI Obligations. The Omnibus delays the enforcement of rules for high-risk AI systems:
  - Stand-alone High-Risk Systems: The deadline is postponed to December 2, 2027.
  - AI Embedded in Products: High-risk systems embedded in machinery, toys, or medical devices are postponed to August 2, 2028.
- Transparency Obligations for Generative AI
  - Delayed Compliance: The deadline for marking AI-generated content (watermarking) in accordance with Art. 50(2) is delayed to December 2, 2026, for systems already on the market before August 2, 2026.
  - Transparency Rule: Despite the delay, the 2 August 2026 date still applies to other systems, while those already on the market have a grace period to comply.
- Administrative Simplifications & Eased Rules
  - SME/SMC Relief: Relaxed requirements for small and medium-sized enterprises (SMEs) are extended to "small mid-cap" enterprises (SMCs).
  - Registration Exemption: Providers of high-risk AI systems that they consider exempt from classification do not need to register them in the EU database.
  - AI Literacy: The obligation for providers and deployers to ensure staff training in AI literacy is downgraded to an encouragement of such training.
  - Machinery Sector Carve-out: The machinery regulation is carved out of the direct applicability of the AI Act for one sector, relying instead on bridging standards.
- Data Processing for Bias Correction
  - Sensitive Data Access: The Omnibus allows providers and deployers to process special categories of personal data (as defined in the GDPR) specifically for bias detection and correction, subject to strict necessity and safeguards.
- Centralised Enforcement
  - Strengthened AI Office: The EU AI Office's powers are reinforced to oversee systems integrated into very large online platforms (VLOPs) or GPAI models.
f. Available Resources
The European Commission has a single information platform containing significant resources and all the latest information on the EU AI Act. See here for further information.
Key AI Guidelines and Standards For Drug Development
Europe
The use of AI in drug development is governed by the EU AI Act with the following guidelines and frameworks:
1. European Medicines Agency (EMA) – US Food and Drug Administration Guiding Principles of good AI practice in drug development – these principles outline global best practices across all phases of drug development. They set out ten foundational principles for the safe, ethical and reliable use of AI across the medicine's lifecycle. See here for further information.
2. Reflection paper on the use of Artificial Intelligence in the medicinal product lifecycle – this is the EMA's foundational framework and covers principles relevant to the application of AI and machine learning at each stage of the medicine's lifecycle. See here for further information.
3. Additional resources which are available include:
(a) EMA/Heads of Medicines Agency AI Workplan to 2028 - See here for further information.
(b) EMA Large Language Model Guiding Principles - See here for further information.
(c) See also other EMA AI resources here.
Key AI Guidelines and Standards for Medical Devices
Europe
AI used in medical devices must comply with the EU AI Act. It must simultaneously comply with the Medical Device Regulation or the In Vitro Diagnostic Regulation. Detailed guidelines on the interplay between these frameworks are available here.
Additional guidance is available on the qualification and classification of software (MDCG 2019-11 Rev.1) and on the clinical evaluation/performance of medical device software (MDCG 2020-1). See also here for further guidance on new technologies related to medical devices and in vitro diagnostic medical devices.
Key Cybersecurity Regulation and Policy
Europe
(see here for further information)
1. The Cybersecurity Act
The EU Cybersecurity Act establishes a comprehensive legal framework, primarily focusing on enhancing cybersecurity via a voluntary certification scheme and strengthening the EU Agency for Cybersecurity (ENISA). It sets the foundation for certifying products, services and processes, ensuring secure design, lifecycle vulnerability management and enhanced incident reporting for manufacturers.
In January 2026, the Commission proposed a new Cybersecurity Act to further strengthen the EU's cybersecurity resilience and capabilities, including amendments to the NIS2 Directive. Under the proposal, ENISA will further support companies and stakeholders operating in the EU by issuing early alerts of cyber threats and incidents. The measures aim to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU. The amendments will simplify jurisdictional rules, streamline the collection of data on ransomware attacks and facilitate the supervision of cross-border entities through ENISA's reinforced coordinating role.
The revised Cybersecurity Act also aims to reduce risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns. It sets a trusted ICT supply chain security framework using a harmonised, proportionate and risk-based approach. Recent cybersecurity incidents have highlighted the major risks of vulnerabilities in the ICT supply chains, which are essential for critical services and infrastructure.
2. The Cyber Resilience Act
The Cyber Resilience Act entered into force on 10 December 2024. It establishes common standards for products with digital elements, including hardware and software. Such products must meet specific cybersecurity requirements throughout their lifecycle, including automatic security updates and incident reporting. The Act also introduces a duty of care for manufacturers, ensuring that products are secure by design and by default. Manufacturers must report actively exploited vulnerabilities within 24 hours (starting Sept 2026) and must provide free security updates and patches for at least 5 years. This regulation protects consumers and businesses from cyber threats by enabling a safer digital environment.
3. NIS2 Directive (Network and Information Systems)
The NIS2 Directive (applicable from October 18, 2024) expands cybersecurity obligations across eighteen critical sectors and applies to medium and large entities operating in these sectors. Its goal is to establish a harmonized level of cybersecurity and resilience across EU critical infrastructure and supply chains. Key requirements include mandatory management approval of cybersecurity measures, strict 24-hour incident reporting, and enhanced supply chain due diligence, with severe penalties for non-compliance, including personal liability for management.
- Scope: It covers key sectors, including energy, transport, banking, financial markets, health, etc. The following entities are considered "essential": i) manufacturers of basic pharmaceutical products and pharmaceutical preparations; ii) providers engaged in research and development of medicinal products; and iii) manufacturers of medical devices considered critical during public health emergencies. Manufacturers of medical devices and manufacturers of in vitro diagnostic (IVD) medical devices are considered "important". Compliance is mandatory for both "essential" and "important" entities, though different levels of enforcement activity will apply to each category.
- Incident Reporting: Strict 3-stage reporting: early warning within 24 hours of awareness, a comprehensive report within 72 hours, and a final report within one month.
- Management Liability: Management bodies must approve and oversee cybersecurity measures, attend specialized training, and can be held personally liable for breaches.
- Security Measures: Companies must implement measures covering risk analysis, information system security policies, incident handling, business continuity (backup management/disaster recovery), and supply chain security. Companies must address security risks within their supply chains, particularly regarding active pharmaceutical ingredient (API) suppliers, distributors, and logistics partners.
- Security Practices: Implementation of cryptographic controls, multi-factor authentication, and human resources security.
- Fines: up to EUR 10 million or 2% of global annual turnover.
- October 18, 2024: Member states transpose NIS2, and the directive applies.
- 2025-2026: Specific national reporting mechanisms and security implementations are phased in.
For further reading on the NIS2 Directive see here.
Key Cybersecurity Regulation, Guidelines and Standards for Drug Development and Medical Devices
Europe
Key regulations include the NIS2 Directive, the Cyber Resilience Act (CRA), the Medical Device Regulation and the General Data Protection Regulation (GDPR).
1. NIS2 Directive (Network and Information Systems): Most pharmaceutical manufacturers and medical device manufacturers, particularly those deemed essential for critical medicines, fall under NIS2 as "essential" or "important" entities with mandatory compliance requiring supply-chain security, risk management and mandatory rapid incident reporting.
2. Cyber Resilience Act (CRA): Applies in stages, with reporting obligations starting September 11, 2026, for products with digital elements (including software-enabled devices). Manufacturers must report actively exploited vulnerabilities and severe incidents within 24 hours of awareness. There are also mandatory cybersecurity requirements for the planning, design, and development of digital products.
3. Medical Device Regulation integrates cybersecurity into the Annex I general safety and performance requirements for any drug delivery systems or software as a medical device.
4. GDPR and Health Data: Stricter enforcement applies to the processing of sensitive patient data in clinical trials, requiring robust data protection, explicit consent, and security-by-design.
5. EMA Guideline on Computerised Systems and Electronic Data in Clinical Trials governs the electronic systems used in clinical trials.
6. MDCG 2019-16 Rev.1 Guidance on Cybersecurity for Medical Devices acts as the primary European framework for pre- and post-market cybersecurity risk management.
7. International Medical Device Regulators Forum Medical Device Cybersecurity Guide provides a global baseline for security capabilities, governance and incident response, requiring manufacturers to integrate eight foundational principles in the medical device lifecycle.
Key AI and Cybersecurity Standards
Global
1. Global AI Governance Standards are evolving, with ISO/IEC 42001:2023 serving as the premier international standard. ISO/IEC 42001 defines requirements for an AI management system, including:
- leadership and organizational context.
- AI policy and objectives.
- risk management for AI systems.
- data governance and system lifecycle controls.
- transparency and information provision.
- performance evaluation and monitoring.
- continual improvement.
2. Global Cybersecurity Standards provide essential frameworks to manage digital risks, with the ISO/IEC 27000 family (especially 27001) serving as the primary international benchmark for Information Security Management Systems (ISMS). These standards define best practices for protecting data integrity, confidentiality, and availability across various sectors. Key global cybersecurity standards include:
- ISO/IEC 27001:2022: Sets the requirements for an ISMS, focusing on risk management, people, processes, and technology.
- ISO/IEC 27002:2022: Provides a code of practice for implementing security controls, including access control and incident response.
- NIST Cybersecurity Framework (CSF) 2.0: A highly adopted framework for reducing risk, now designed for all organizations (not just critical infrastructure) to improve cybersecurity communication and management.
- ISO/IEC 27032:2023: Offers guidelines for cybersecurity, focusing on risks related to internet connectivity and collaboration.
- IEC 62443: Specifically aimed at industrial automation and control systems (OT security).
- EN IEC 81001-5-1:2022: The primary cybersecurity standard for health software and medical device security.
- ISO 14971:2019: The internationally recognised framework for the application of risk management to medical devices.
- IEC 62304: The primary international standard defining the lifecycle requirements for medical device software.
- IEC 62443 (Series): used to address industrial and pharmaceutical manufacturing process security, as well as communication network security between the drug development environment and devices.
Key Artificial Intelligence Regulation
UK
The UK does not have a single, overarching AI law. Instead, it uses a sector-specific approach where existing regulators (such as the MHRA for medicines and medical devices, and the ICO for data) apply current laws to AI systems, guided by five central principles: safety, transparency, fairness, accountability and redress.
The government has focused on a 'pro-innovation' approach, avoiding heavy upfront regulation. An AI Regulation White Paper sets out the principles for regulators. A dedicated, comprehensive AI Bill is expected to address safety, security and potential risks, especially for foundation models, but nothing has been published to date. A dedicated AI regulation bill was noticeably absent from the legislative agenda in the 2026 King’s Speech. See here and here for further information on the UK approach.
The UK has signed the Council of Europe's Framework Convention on AI, which is a treaty focusing on AI safety, human rights and democratic principles.
1. MHRA AI Regulation
The UK's Medicines and Healthcare products Regulatory Agency (MHRA) is the primary regulator of AI in healthcare, applying the five government pillars of safety, transparency, fairness, governance and accountability. It is primarily focused on developing a specialized, proportionate regulatory framework for Artificial Intelligence as a Medical Device (AIaMD). The Medical Device Regulations 2002 regulate AI and other forms of software which have a medical purpose and fall within the current definition of a medical device. The current regulatory regime is in the process of an overhaul, with the new legislation expected to be adopted later in 2026 and enacted in 2027. See here for the latest on the reform of the regulations for medical devices. AI used for purely administrative purposes in health settings (not diagnosing or treating patients) is not regulated by the MHRA, but rather by other frameworks like UK GDPR and the NHS Digital Technologies Assessment Criteria (DTAC).
Key Aspects of MHRA AI Regulation:
- Impact of AI on the Regulation of Medicinal Products: Published in April 2024, this sets out the MHRA’s strategic approach to AI in healthcare, detailing its framework for implementing the AI White Paper principles.
- National Commission into the Regulation of AI in Healthcare: Launched in September 2025, this commission brings together experts to advise the MHRA on a new, comprehensive AI regulatory framework, with recommendations expected in 2026.
- AI Airlock Program: The MHRA's regulatory sandbox, which allows manufacturers to test AI medical devices in a controlled, safe environment to identify regulatory bottlenecks before market release. Funding for this program was expanded to £3.6 million in April 2026 to support long-term testing.
- Software and artificial intelligence as a medical device: The government has published guidance which it is updating through its Software and AI as a Medical Device Change Programme Roadmap.
- Up-classification of AI Risk: Under a proposed major overhaul of the Medical Device Regulations, many AI products currently in low-risk categories will be "up-classified," requiring greater scrutiny throughout their lifecycle to ensure safety.
- Focus on Post-Market Surveillance: A core component of the new framework is robust, ongoing monitoring of AI tools once they are deployed in real-world clinical settings, such as the NHS.
- Global Collaboration: The MHRA chairs international working groups (e.g., IMDRF) to harmonise AI regulation, including key partnerships with the US FDA and Health Canada. Together they have published five guiding principles for the development of predetermined change control plans (PCCPs) for machine-learning-enabled medical device manufacturers, building on the earlier Good Machine Learning Practice for Medical Device Development: Guiding Principles. They have also published Transparency for Machine-Learning-Enabled Medical Devices: Guiding Principles.
2. ICO Code of Practice on Artificial Intelligence and Automated Decision-Making (SI 2026/425) comes into force on 12 May 2026.
The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 enter into force on 12 May 2026, mandating a statutory code of practice on AI and Automated Decision-Making (ADM). This legally binding code, a result of the Data (Use and Access) Act 2025, will provide guidance on transparency, bias mitigation, and individual rights.
Key Aspects of the 2026 Code and Guidance:
- Mandatory Status: The regulations require the Information Commissioner’s Office (ICO) to produce this code, which will be laid before Parliament.
- Focus Areas: The code provides practical guidance on the processing of personal data in the development and use of AI systems, including transparency, bias, discrimination, and rights.
- Individual Rights: It reinforces rights to human intervention, the ability to express a point of view, and the right to contest decisions, particularly in recruitment and high-risk scenarios.
- Transparency Requirements: Organizations must provide "decision-specific information" rather than generic privacy notices, enabling users to understand the specific factors influencing a decision.
The ICO is separately consulting on draft guidance on automated decision-making with responses due 29 May 2026. See here for further information.
See also ICO Artificial Intelligence hub for further information on artificial intelligence and data protection.
Key Cybersecurity Regulation and Guidance
UK
Legislation centres on data protection, critical infrastructure security, and consumer device safety. The core frameworks include the UK-GDPR/Data Protection Act 2018, the NIS Regulations 2018 (being updated by the 2025/2026 Cyber Security and Resilience Bill), the Computer Misuse Act 1990, and the Product Security and Telecommunications Infrastructure Act 2022 for IoT devices.
Key Legislation Overview
- Data Protection Act 2018 (incorporating UK-GDPR): Governs personal data processing, requiring organizations to implement "appropriate technical and organisational measures" to ensure security.
- Network and Information Systems (NIS) Regulations 2018: Enforces security standards for "Operators of Essential Services" (water, energy, health) and digital service providers.
- Cyber Security and Resilience (Network and Information Systems) Bill 2025/26: Introduced in late 2025 to reform the 2018 NIS Regulations, expanding scope to more digital services (e.g., managed service providers) and increasing penalties. This Bill is designed to modernise the UK's defences against ransomware and state-level threats by creating stronger regulatory powers for critical infrastructure. For further information see here.
- Product Security and Telecommunications Infrastructure (PSTI) Act 2022: Introduces mandatory security requirements for internet-connectable products, banning default passwords and forcing better vulnerability reporting.
- Computer Misuse Act 1990: Criminalizes unauthorized access to computer systems (hacking) and related offenses.
- Privacy and Electronic Communications Regulations (PECR) 2003: Focuses on privacy in electronic communications, including data breach notification obligations.
AI Cybersecurity Code of Practice
The Code of Practice sets out baseline cybersecurity principles to help secure AI systems and the organisations which develop and deploy them. The Code is voluntary, but the government is conducting evaluation surveys on its uptake through 2026. The Code sets out 13 key principles:
- Raise Awareness of AI Security Threats and Risks: Understanding that AI threats are constantly evolving.
- Design AI Systems for Security: Prioritizing security alongside functionality and performance from the start.
- Evaluate Threats and Manage Risks: Addressing risks like data manipulation and model poisoning.
- Enable Human Responsibility: Ensuring meaningful human control, oversight, and accountability, particularly for critical decisions.
- Identify, Track and Protect Assets: Securing AI-related assets like models, data, and APIs.
- Secure Infrastructure: Protecting the underlying infrastructure hosting the AI.
- Secure the Supply Chain: Managing risks from third-party suppliers and components.
- Document Data, Models and Prompts: Maintaining detailed records of training data, model versions, and prompts.
- Conduct Testing and Evaluation: Rigorously testing AI systems before and during deployment.
- Communication and Processes for End-Users: Transparently communicating with users about risks and system behaviour.
- Maintain Security Updates and Patches: Ensuring ongoing maintenance, including patching vulnerabilities.
- Monitor System Behaviour: Keeping track of how the system operates in real-time to detect anomalies.
- Ensure Proper Data and Model Disposal: Securely deleting data and retiring models at end-of-life.
Key Cybersecurity Regulation, Guidelines and Standards for Drug Development and Medical Devices
UK
UK pharmaceutical companies must comply with stringent cybersecurity regulations, primarily the UK GDPR and Data Protection Act 2018, which mandate strict patient data protection. Additional key requirements include MHRA GxP compliance (Annex 11) for computerised systems, adopting Cyber Essentials/Cyber Essentials Plus for supply chain security, and upcoming NIS2-aligned regulations for "essential" entities.
- Data Protection (UK GDPR): Ensuring confidentiality, integrity, and availability of patient data, with mandatory reporting of breaches to the ICO within 72 hours.
- MHRA & GxP Compliance: Systems managing clinical trials or manufacturing must meet Annex 11 requirements, ensuring digital systems are validated. The MHRA enforces Annex 11 for all GxP-regulated computerised systems. See also the MHRA GxP Data Integrity Guidance and Definitions.
- Cyber Essentials Plus: Increasingly required for NHS suppliers, demanding annual external audits of firewalls, secure configurations, and access controls.
- NIS Regulations 2018: These form the backbone of UK critical infrastructure cybersecurity. They apply directly to “operators of essential services”. Large-scale pharmaceutical manufacturers and critical healthcare providers are mandated to implement robust risk management systems to protect their supply chains.
- NIS2 Regulation Alignment: Anticipated regulations may require incident reporting within 24 hours for "significant" incidents, with potentially large fines (up to €10 million or 2% of global turnover).
- Medical Device Security: Manufacturers must integrate cybersecurity into Quality Management Systems (QMS), including post-market surveillance of threats.
- NHS Digital Technology Assessment Criteria (DTAC): Digital health technologies and software as a medical device must meet NHS DTAC prior to being deployed.
Want to know how to apply this to your organisation?
Fill in the form and one of our life science legal experts will be in touch to discuss your requirements.