The EU Horizon Project CYMEDSEC, which commenced in November 2023, aims to advance the cybersecurity of connected medical devices (MDs) and in vitro diagnostic devices (IVDs). As the digital transformation of healthcare accelerates, the project addresses the increasing need for secure and resilient technologies. CYMEDSEC integrates regulatory science, technical innovation, and real-world validation. The project responds to a swiftly evolving Internet of Medical Things (IoMT) landscape, where regulatory frameworks struggle to keep pace with innovation. Existing guidance—such as MDCG 2019-16—fails to adequately address secure software development, authentication, and access control. There is minimal support for incorporating cybersecurity into benefit-risk analyses or for managing dynamic threats in home-based care settings. Legal and ethical concerns, including data protection and digital equity, remain insufficiently addressed.
To tackle these gaps, CYMEDSEC pursues three core objectives: (1) reviewing and revising relevant standards and guidance documents, (2) developing a cybersecurity-focused benefit-risk analysis toolbox, and (3) validating security-by-design methodologies in complex infrastructures such as 5G and cloud computing. These objectives are supported by real-time monitoring and OTA update mechanisms to enhance resilience. CYMEDSEC’s interdisciplinary consortium encompasses legal, clinical, industrial, and academic expertise. Its Open Science approach ensures early dissemination through preprints, publications, open-source tools, and FAIR datasets. The project’s early results include regulatory gap analyses, a STRIDE-based general attack model, a secure system architecture for IoMT, and technology demonstrators that are rigorously tested.
Beyond academic impact, CYMEDSEC aims to streamline regulatory pathways and accelerate innovation in the EU digital health industry. Its tools are being integrated into product pipelines and standardisation efforts, including a CEN Workshop Agreement. Case studies conducted in real-world clinical environments generate evidence to inform future regulatory guidance. With strong legal oversight and adaptive risk management, the project remains agile in a shifting policy landscape. It contributes directly to Europe’s digital sovereignty by aligning innovation with regulatory and societal needs.