The deadline has passed. Since August 1, 2025, the cybersecurity requirements of the Radio Equipment Directive (RED) have applied to connected radio equipment placed on the European Union market, and EN 18031-2 is the harmonised standard for the requirement that protects personal data. The application date was deferred once, from August 2024 to August 2025, and no further extension has been granted.
If your connected health device uses a radio interface, is internet-connected or wearable, and processes personal data, every unit you now place on the EU market has to meet these requirements (the one carve-out is equipment already regulated as a medical device under the MDR or IVDR, which is excluded from the RED cybersecurity requirements and carries its own). Non-conforming products can be refused at customs and ordered off the market by the surveillance authorities.
Medical device companies across Europe are now operating under the new cybersecurity requirements of the Radio Equipment Directive. Some companies prepared well and are continuing business as usual. Others are scrambling to understand what they need to do.
If you're reading this and wondering whether your devices comply with EN 18031-2, you're not alone. Many companies are still working to understand these rules and what they mean for their products.
This blog aims to help you understand what EN 18031-2 compliance means now that it's mandatory, what to do if your devices aren't compliant yet, and how to protect your business moving forward.
The New Reality: The RED Cybersecurity Requirements Now Apply
Since August 1, 2025, the European Union has applied cybersecurity requirements to connected radio equipment. The legal basis is Article 3(3)(d), (e) and (f) of the Radio Equipment Directive 2014/53/EU, activated by Commission Delegated Regulation (EU) 2022/30: (d) protection of the network, (e) protection of personal data and privacy, and (f) protection from fraud. EN 18031-2 is the harmonised standard for requirement (e); its siblings EN 18031-1 and EN 18031-3 cover (d) and (f). A manufacturer that applies EN 18031-2 in full gets a presumption of conformity and can self-declare. The standard was cited in the Official Journal in January 2025 with restrictions, most notably for devices that can be operated without the user setting a password; where a restriction applies, or the standard is not applied in full, a notified body has to assess the device. The requirement is legally binding; the standard is the agreed way to demonstrate it.
What This Means Right Now
Every unit of in-scope equipment placed on the EU market from that date has to conform. "Placing on the market" is counted per individual unit, not per product line, so this covers:
- New devices being launched for the first time
- Existing devices being restocked or resupplied (each new unit shipped into the EU is a new placing on the market)
- Updated versions of current devices
- Any wearable or internet-connected radio device (WiFi, Bluetooth, cellular) that processes personal data
Enforcement is carried out by the national market surveillance authorities and customs. They can demand your technical documentation and test evidence, order corrective action, and have non-conforming equipment withdrawn from the market or refused release at the border.
No Further Transitional Period
The delegated regulation originally set August 1, 2024 as the application date. That was pushed back once, to August 1, 2025, by Delegated Regulation (EU) 2023/2444, largely so that the harmonised standards could be finished. There is no second deferral.
This means that any unit placed on the market on or after August 1, 2025 must conform. Units lawfully placed on the market before that date may be sold through, but a non-conforming design stopped being shippable to the EU overnight.
Understanding EN 18031-2: The Personal Data and Privacy Standard
EN 18031-2 specifies the security mechanisms a device needs so that the personal data it processes is protected. It is organised by mechanism: access control (ACM), authentication (AUM), secure update (SUM), secure storage (SSM), secure communication (SCM), logging (LGM), deletion (DLM) and user notification (UNM), underpinned by best-practice cryptography (CRY) and protection of cryptographic keys (CCK). For each mechanism the standard gives decision trees that decide whether it applies to your device and assessment criteria that say how to show it works; the resulting rationale and test evidence is what goes into the technical file.
Which Connected Devices Must Comply Right Now
The RED personal-data requirement applies to radio equipment that:
- Uses a radio interface (WiFi, Bluetooth, cellular or any other)
- Can communicate over the internet, directly or via another device such as a phone, or is wearable (wearables are in scope whether or not they reach the internet)
- Processes personal data, traffic data or location data
- Is placed on the European Union market
Equipment that is itself a medical device under Regulation (EU) 2017/745 (MDR) or an in vitro diagnostic under Regulation (EU) 2017/746 (IVDR) is excluded from these RED requirements by the delegated regulation; those products carry their own cybersecurity obligations under the MDR/IVDR general safety and performance requirements instead. So the first question for every product is which regime it sits under.
This catches many common connected health and wellness products:
- Heart rate monitors that send data to phones
- Blood sugar monitors that track glucose levels
- Smart watches that monitor health
- Connected insulin pens and pumps
- Fitness trackers that collect health data
- Sleep monitoring devices
- Any other wireless device that processes health-related personal data
Several of these (glucose monitors, insulin pens and pumps) are normally CE-marked medical devices under the MDR, and for those the MDR's cybersecurity obligations apply instead of the RED's. For wellness products that are not medical devices, such as most fitness trackers and smart watches, the RED requirement is the one that bites.
If your device fits these criteria, is not carved out as an MDR or IVDR device, and is being sold in the EU, it must comply with EN 18031-2 right now.
What Personal Information Means
Personal information includes more than just names and addresses. For medical devices, it covers:
- Health measurements (heart rate, blood pressure, weight)
- Medical conditions or history
- Location data (where someone goes)
- Usage patterns (when and how someone uses the device)
- Any data that could identify a specific person
Even data that looks anonymous counts as personal data if it can be linked back to a person: a device serial number tied to an account, or a pseudonymous identifier alongside a location trace, is enough.
The Current Compliance Requirements
Now that EN 18031-2 is mandatory, all covered devices must meet specific cybersecurity requirements. These aren't suggestions anymore, they're legal obligations.
Requirement 1: Strong Data Encryption
Personal data must be protected in storage on the device and in transit, using cryptography that reflects current best practice rather than a home-grown scheme: authenticated encryption (for example AES-GCM) at rest, TLS 1.2 or later with certificate validation in transit, and keys generated from a proper random source and kept out of firmware images, logs and secrets shared across every unit of a model. In the standard's terms these are the secure storage (SSM), secure communication (SCM) and cryptography (CRY) mechanisms. They apply to:
- Data saved on the device
- Data sent to phones or computers, including over the local Bluetooth link and not only the internet leg
- Data synchronised to a cloud backend (the RED requirement stops at the device; the GDPR does not)
- Data shared with healthcare providers
Requirement 2: Secure Access Controls
Only authorised users and systems may reach personal data. Every interface that exposes it, including the companion-app link, the management interface and any debug or service port, has to authenticate the caller (the standard's access control, ACM, and authentication, AUM, mechanisms), and security-relevant events have to be recorded (logging, LGM). In practice this means:
- Strong authentication: no blank or default passwords, no credential shared across every unit of a model, and resistance to brute-force guessing
- Different access levels for different types of users, with everything not explicitly allowed denied
- Logs that record who accessed what and when, protected against tampering
- Automatic logout after periods of inactivity
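The following is an added example, not code from the original post or from any vendor's product, showing what the bullet points above look like when implemented together in device firmware: a deny-by-default role table, sessions that expire after inactivity, and an audit log whose entries are hash-chained so that edits are detectable. It is written in Go using only the standard library. The roles, actions, token names and timestamps are constructed for the illustration, and the credential check that precedes Login (password, pairing code or client certificate) is assumed to happen elsewhere.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Roles and the permission table are constructed for this example, not taken from any real device.
type Role int

const RolePatient, RoleClinician Role = 0, 1

// permissions is deny-by-default: an action missing from a role's map is refused.
var permissions = map[Role]map[string]bool{
	RolePatient:   {"read_own_readings": true},
	RoleClinician: {"read_own_readings": true, "read_patient_readings": true, "export": true},
}

type Session struct {
	User       string
	Role       Role
	LastActive time.Time
}

// AuditEntry.Hash also covers the previous entry's hash, so altering or dropping an entry breaks the chain.
type AuditEntry struct {
	At, User, Action, Result string
	Hash                     [32]byte
}

// Gate owns the sessions, enforces the inactivity timeout and keeps the audit log.
// Callers pass the current time so the timeout behaviour is testable.
type Gate struct {
	IdleTimeout time.Duration
	sessions    map[string]*Session // session token -> session
	Audit       []AuditEntry
}

func NewGate(idle time.Duration) *Gate {
	return &Gate{IdleTimeout: idle, sessions: map[string]*Session{}}
}

// Login records a user whose credential was already verified (that check is outside this example).
func (g *Gate) Login(token, user string, role Role, now time.Time) {
	g.sessions[token] = &Session{User: user, Role: role, LastActive: now}
	g.log(now, user, "login", "allowed")
}

// Authorize decides whether the holder of token may perform action; every decision is logged.
func (g *Gate) Authorize(token, action string, now time.Time) error {
	s, ok := g.sessions[token]
	if !ok {
		g.log(now, "-", action, "denied: no session")
		return errors.New("no session")
	}
	if now.Sub(s.LastActive) > g.IdleTimeout {
		delete(g.sessions, token) // automatic logout after inactivity
		g.log(now, s.User, action, "denied: session expired")
		return errors.New("session expired")
	}
	if !permissions[s.Role][action] {
		g.log(now, s.User, action, "denied: insufficient role")
		return errors.New("forbidden")
	}
	s.LastActive = now
	g.log(now, s.User, action, "allowed")
	return nil
}

func chainHash(prev [32]byte, e AuditEntry) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%s|%s|%s|%s", prev, e.At, e.User, e.Action, e.Result)))
}

func (g *Gate) log(at time.Time, user, action, result string) {
	var prev [32]byte
	if n := len(g.Audit); n > 0 {
		prev = g.Audit[n-1].Hash
	}
	e := AuditEntry{At: at.UTC().Format(time.RFC3339), User: user, Action: action, Result: result}
	e.Hash = chainHash(prev, e)
	g.Audit = append(g.Audit, e)
}

// VerifyAudit recomputes the chain. False means an entry was altered or removed from the middle;
// a truncated tail is only detectable if the latest hash is also anchored somewhere the device cannot rewrite.
func (g *Gate) VerifyAudit() bool {
	var prev [32]byte
	for _, e := range g.Audit {
		if chainHash(prev, e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	t0 := time.Date(2025, 8, 1, 9, 0, 0, 0, time.UTC)
	g := NewGate(5 * time.Minute)
	g.Login("tok-p", "patient-42", RolePatient, t0)
	fmt.Println(g.Authorize("tok-p", "read_patient_readings", t0))                   // forbidden
	fmt.Println(g.Authorize("tok-p", "read_own_readings", t0.Add(6*time.Minute)))   // session expired
	fmt.Println("audit chain intact:", g.VerifyAudit())
}
```

The chain only proves integrity relative to its own latest hash; to make tail truncation visible, periodically send that hash (or the whole log) to the backend or to a write-once area the device cannot rewrite. The "patient cannot read other patients' data" check is also the test an assessor will ask to see, so keep it in the test suite.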
Requirement 3: Privacy by Design
Privacy protection must be built into devices from the beginning, not added later. "Privacy by design" is a GDPR obligation (Article 25); on the device itself, EN 18031-2 backs it with its deletion (DLM) and user notification (UNM) mechanisms. This requires:
- Collecting only the data you need
- Deleting data when it is no longer needed, with a deletion function the user can actually invoke
- Giving users control over their information
- Making privacy settings easy to understand and use
Requirement 4: Complete Data Protection
Data must be protected throughout its entire life cycle, from collection to deletion:
- Safe collection (getting data securely)
- Safe storage (keeping data protected)
- Safe transmission (sending data securely)
- Safe deletion (completely removing data when done; on flash memory an overwrite is not guaranteed to reach the physical cells, so encrypt at rest and destroy the key)
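As an added example tying Requirement 1 (encryption at rest and in transit) to the deletion point in Requirement 4, the Go code below, written for this post and not taken from any product or from the standard, encrypts each reading with AES-256-GCM under a device data key, binds the ciphertext to its record and device identifiers, detects tampering on read, deletes by destroying the key (crypto-shredding), and pins the transport to TLS 1.2 or later. The record contents, identifiers and store layout are invented for the illustration; where the key actually lives (secure element, OS keystore) depends on the hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// DataStore models the device's persistent storage. Records are kept only as
// AES-256-GCM ciphertext, and the data-encryption key is held separately so it
// can be destroyed when the data is deleted (crypto-shredding).
type DataStore struct {
	key    []byte            // in production: secure element or OS keystore, never a firmware constant
	sealed map[string][]byte // record ID -> nonce || ciphertext || GCM tag
}

func NewDataStore() (*DataStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { // crypto/rand, not math/rand
		return nil, err
	}
	return &DataStore{key: key, sealed: map[string][]byte{}}, nil
}

func (s *DataStore) aead() (cipher.AEAD, error) {
	if s.key == nil {
		return nil, errors.New("data key destroyed: records are unrecoverable")
	}
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its record slot and device: a blob copied to another
// record, or to another device sharing the key, fails authentication on Load.
func aad(id, deviceID string) []byte { return []byte(id + "|" + deviceID) }

// Store encrypts one reading with a fresh random nonce.
func (s *DataStore) Store(id, deviceID string, plaintext []byte) error {
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.sealed[id] = append(nonce, gcm.Seal(nil, nonce, plaintext, aad(id, deviceID))...)
	return nil
}

// Load decrypts and authenticates; any bit flip in the stored blob, or a
// mismatched record/device binding, yields an error and no plaintext.
func (s *DataStore) Load(id, deviceID string) ([]byte, error) {
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := s.sealed[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad(id, deviceID))
}

// Shred implements deletion as crypto-shredding: zero and drop the key. On
// flash storage an overwrite of the ciphertext is not guaranteed to reach the
// physical cells (wear levelling), so the key is the thing to destroy.
func (s *DataStore) Shred() {
	for i := range s.key {
		s.key[i] = 0
	}
	s.key = nil
}

// ClientTLS is the in-transit half of the same requirement: refuse anything
// below TLS 1.2 and leave certificate verification on (setting
// InsecureSkipVerify is the most common way firmware fails this check).
func ClientTLS(serverName string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
}

func main() {
	s, _ := NewDataStore()
	_ = s.Store("r1", "dev-A", []byte("HR=72 bpm 2025-08-01T09:00Z")) // constructed sample reading
	pt, err := s.Load("r1", "dev-A")
	fmt.Println(string(pt), err)
	s.Shred()
	_, err = s.Load("r1", "dev-A")
	fmt.Println(err)
}
```

One key for the whole store makes deletion all-or-nothing; to honour a per-patient or per-record deletion request, generate a key per patient (or derive one from a master key) and shred that one. The same AES-GCM pattern, with a separate key and a sequence number in the associated data, also serves for the Bluetooth leg to the phone, where a TLS session is usually not available.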
What Happens to Non-Compliant Devices Now
Since August 1, 2025, non-conformity has concrete consequences under the RED's market surveillance provisions and the Market Surveillance Regulation (EU) 2019/1020.
Market Withdrawal
When a non-conforming device is found, the authority can require the manufacturer to bring it into conformity, withdraw it or recall it, and can restrict its sale in the meantime. In practice:
- Online marketplaces and retailers delist the product
- Physical stores take it off the shelf
- Distributors stop making it available
- Customs can refuse to release shipments at the border
Product Recalls
Companies with non-compliant devices already in the market may be required to:
- Issue immediate product recalls
- Stop all sales and distribution
- Notify customers about compliance issues
- Provide software updates or device replacements
Financial Penalties
Penalties are set by each Member State; the RED requires them to be effective, proportionate and dissuasive, which in practice means fines that scale with the seriousness of the infringement and with repeat offences.
Reputational Damage
News of compliance failures spreads quickly in the medical device industry. Non-compliance can damage relationships with:
- Healthcare providers who rely on your devices
- Patients who trust you with their health data
- Business partners and distributors
- Investors and stakeholders
If Your Devices Aren't Compliant Yet: Urgent Action Steps
If you discover that your devices don't meet EN 18031-2 requirements, you need to act immediately. Every day of non-compliance increases your risk.
Step 1: Stop Placing Non-Conforming Units on the Market
If you know a product does not conform, stop placing new units on the EU market right away. Stock already lawfully placed on the market before August 1, 2025 can be sold through, but shipping further non-conforming units into the EU will only make the situation worse.
This might be painful in the short term, but it's better than facing larger penalties and more serious enforcement action later.
Step 2: Assess Your Compliance Status
For each product, first settle which regime it falls under (the RED, or the MDR/IVDR with their own cybersecurity rules). Then walk every EN 18031-2 mechanism through the standard's decision trees and record a justified "applies", "not applicable" or "gap" with evidence for each, and check whether any of the restrictions in the Official Journal citation of the standard apply to your design, since those force a notified-body assessment.
Step 3: Develop an Emergency Compliance Plan
Create a plan to bring your devices into compliance as quickly as possible. Prioritise the devices that generate the most revenue or are most critical to your business.
Step 4: Communicate with Stakeholders
Be proactive in communicating with stakeholders. Honest, transparent communication is better than trying to hide compliance issues.
Step 5: Get Expert Help
EN 18031-2 compliance is complex, especially under time pressure. Consider getting help from experts who understand both the technical requirements and the conformity assessment route, and engage a notified body early if your design hits one of the standard's restrictions or you cannot apply the standard in full.
Long-Term Compliance Approach
Cybersecurity is a continuous obligation, not a one-time fix. You must regularly monitor for new threats, conduct routine vulnerability assessments, and rapidly address any security gaps in your devices. That is only possible if fielded devices can take authenticated updates (the standard's secure update mechanism, SUM), so treat the update path as a first-class security feature rather than an afterthought. Keep your security features up to date to protect personal data and maintain compliance.
Stay informed about regulatory changes, like updates to EN 18031-2, and promptly adjust your practices to maintain compliance. Ongoing vigilance is key to minimising risk and safeguarding your devices and business.
Supply Chain Assurance
Every part of your device ecosystem, including suppliers and third parties, must meet strict security requirements. Radio modules, TLS stacks, cryptographic libraries and cloud SDKs all end up inside your conformity claim, so keep an inventory of them, track their published vulnerabilities, and hold suppliers to the same standards as your own organisation.
Regularly audit suppliers for compliance and maintain backup plans to address any security issues that could impact your devices. Ongoing oversight is essential to protect both your products and your customers.
Team Capability and Training
Ongoing compliance depends on a well-trained, informed team. Development and engineering staff need regular technical training in secure coding, encryption, and vulnerability testing. Sales and commercial teams should understand compliance requirements and be able to explain device security features to customers.
Keep your workforce updated on regulatory and threat changes. Establish clear procedures for handling compliance issues to ensure quick, effective responses when problems arise.
Comprehensive Documentation
Accurate, organised documentation is vital for compliance. Keep records of security audits, corrective actions, and all compliance-related changes. Track staff training and retain correspondence with regulators. Effective documentation streamlines audits, demonstrates your security commitment, and supports continuous improvement.
Adapting to the New Compliance Reality
For medical device companies, this represents both a challenge and an opportunity. Companies that quickly adapt to the new requirements can continue serving the valuable EU market and build competitive advantages. Those who struggle with compliance face serious business risks.
But compliance isn't just about avoiding penalties; it's about building better, more secure products that protect patients and earn the trust of healthcare providers. In an increasingly connected world, cybersecurity is becoming a fundamental requirement for medical devices.
The companies that succeed will be those that view cybersecurity not as a burden, but as an opportunity to build better products and stronger businesses.
Don't let non-compliance put your business at risk. Take action and ensure your devices meet EN 18031-2 requirements and position your company for success in the new cybersecurity landscape.