IEC 62368-1 Edition 3 (2018) and EU NIS2 Directive (2022/2555): Critical Technical Compliance Requirements for Manufacturers of Connected Medical Devices, Telecommunication Equipment, and IT.
- Ormity Inc.
- Dec 6, 2025
- 3 min read
1. IEC 62368-1:2018 (Edition 3) – Hazard-Based Safety Engineering Standard
Since the official date of withdrawal of conflicting standards (20 December 2020, published in the EU Official Journal), IEC 62368-1 Edition 3 is the only safety standard that grants presumption of conformity with the Low Voltage Directive (2014/35/EU) for audio/video, information and communication technology equipment. IEC 60950-1 and IEC 60065 are no longer accepted.

Key technical changes that still generate the majority of Major non-conformities in 2025:
• Safety philosophy
Legacy: prescriptive rules based primarily on voltage
Edition 3: complete Hazard-Based Safety Engineering (HBSE) – six energy source classes (ES1/ES2/ES3) and required safeguard strength (Basic, Supplementary, Reinforced)
• Clearances and creepage distances
Now determined by safeguard level, overvoltage category, pollution degree, material group, and specific environmental conditions (e.g., oxygen-enriched locations – Clause B.2.5).
Consequence: in hospital areas with enriched oxygen, required distances can be significantly larger than legacy 60950-1 values, even for moderate voltages.
• Fire enclosure requirements
– 50 W test flame, 30 s application at 96 mm height (Clause G.15)
– Glow-Wire Flammability Index (GWFI) ≥ 750 °C or Glow-Wire Ignition Temperature (GWIT) ≥ 775 °C on **all** internal and external polymeric materials capable of contributing to fire propagation
→ A simple UL94 V-0 rating is no longer sufficient. Internal supports, connectors, cable insulation, and even PCB solder mask must pass glow-wire or be justified as non-ignition sources via HBSE analysis.
• Transient / surge immunity for ports connected to outdoor or long wiring
Legacy: typically ±1 kV to ±2 kV
Edition 3: ±6 kV contact / ±8 kV air (Table 39, ES3 level) for any line that may leave the building
→ Directly affects hospital Ethernet switches, 5G small cells, outdoor PoE injectors, remote patient monitoring gateways, etc.
• Test documentation and traceability
Manual test records are systematically rejected by Notified Bodies and NIS2 auditors. Automated hipot testers (leakage ≤ 5 µA), ESD guns, and surge generators must capture the waveforms, timestamp them, and store the results in an audit-ready format.
Most frequent non-conformities still observed in audits (2025):
– Continued use of 60950-1 clearance tables
– Glow-wire testing omitted on internal plastic parts
– 2 kV surge tests on hospital-grade or outdoor network equipment
2. EU NIS2 Directive – Directive (EU) 2022/2555
Confirmed timeline:
– Transposition deadline: 17 October 2024
– Full application: 18 October 2024
– Active supply-chain enforcement in most Member States: January–March 2025 onward
Scope for hardware manufacturers
Although manufacturers are not directly listed as “essential” or “important” entities, they are fully captured via **Article 21 – supply-chain cybersecurity obligations**. Any connected product that ends up in networks of Annex I sectors (healthcare, digital infrastructure, telecom) is in scope.
Minimum mandatory technical controls (2025 baseline):
– Cryptographic signing of all firmware and updates
– Secure boot with key revocation capability
– AES-256 (or stronger/equivalent standardised algorithm) for data at rest and in transit
– Authenticated, integrity-protected remote update mechanism with rollback protection
– Machine-readable Software Bill of Materials (SBOM) – CycloneDX or SPDX format
– Formal coordinated vulnerability disclosure process and patch management policy
– Incident reporting: 24-hour early warning + 72-hour full report to national CSIRT
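Three of the controls above (cryptographic firmware signing, key revocation, and an authenticated update path with rollback protection) are easiest to understand as a single device-side check. The Go program below is an added illustration written for this page, not code from Ormity's article or from any product: it accepts a firmware image only when the manifest is signed by a trusted vendor key that has not been revoked, the manifest version is strictly newer than the installed one, and the delivered image matches the hash inside the signed manifest. The manifest layout, the key identifiers (vendor-key-A/B), the fixed seeds and the firmware bytes are all constructed for the demonstration; Ed25519 stands in for whichever signature scheme a real product uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one firmware image. Version and
// ImageHash are inside the signed bytes, so neither can be changed without
// invalidating the signature. (Layout is constructed for this example.)
type Manifest struct {
	Version   uint32   // strictly increasing per product; basis for rollback protection
	KeyID     string   // which vendor signing key produced the signature
	ImageHash [32]byte // SHA-256 of the firmware image body
}

// Bytes serialises the manifest in a fixed layout for signing and verification.
func (m Manifest) Bytes() []byte {
	var buf bytes.Buffer
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf.Write(v[:])
	buf.WriteByte(byte(len(m.KeyID))) // length-prefix so fields cannot shift
	buf.WriteString(m.KeyID)
	buf.Write(m.ImageHash[:])
	return buf.Bytes()
}

// DeviceState is what a unit keeps in protected (ideally hardware-backed) storage.
type DeviceState struct {
	InstalledVersion uint32
	TrustedKeys      map[string]ed25519.PublicKey
	RevokedKeys      map[string]bool // fed by a signed revocation list in a real device
}

var (
	ErrUntrustedKey  = errors.New("manifest signed by unknown key")
	ErrRevokedKey    = errors.New("signing key has been revoked")
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrRollback      = errors.New("version not newer than installed firmware")
	ErrImageMismatch = errors.New("image hash does not match manifest")
)

// VerifyUpdate is the device-side check. No manifest field is trusted until
// the signature has been validated against a trusted, unrevoked key.
func VerifyUpdate(st DeviceState, m Manifest, sig, image []byte) error {
	pub, ok := st.TrustedKeys[m.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if st.RevokedKeys[m.KeyID] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	// From here on the manifest fields are authenticated.
	if m.Version <= st.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	return nil
}

// SignManifest is the vendor-side step (build pipeline or HSM, never the device).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// RunScenarios exercises the verifier with constructed keys and a constructed
// image and returns the outcome of each case.
func RunScenarios() map[string]error {
	// Constructed fixed seeds: deterministic keys for the demonstration only.
	privA := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x41}, ed25519.SeedSize))
	privB := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))

	state := DeviceState{
		InstalledVersion: 7,
		TrustedKeys: map[string]ed25519.PublicKey{
			"vendor-key-A": privA.Public().(ed25519.PublicKey),
			"vendor-key-B": privB.Public().(ed25519.PublicKey),
		},
		RevokedKeys: map[string]bool{"vendor-key-B": true}, // key B revoked
	}

	image := []byte("constructed firmware image v8") // stands in for the real binary
	good := Manifest{Version: 8, KeyID: "vendor-key-A", ImageHash: sha256.Sum256(image)}
	results := map[string]error{}

	results["valid"] = VerifyUpdate(state, good, SignManifest(privA, good), image)

	old := good
	old.Version = 7 // equal to installed version: must be refused as a rollback
	results["rollback"] = VerifyUpdate(state, old, SignManifest(privA, old), image)

	byB := good
	byB.KeyID = "vendor-key-B"
	results["revoked"] = VerifyUpdate(state, byB, SignManifest(privB, byB), image)

	// Correctly signed manifest, but the delivered image differs from the hash.
	results["tampered_image"] = VerifyUpdate(state, good, SignManifest(privA, good), []byte("other bytes"))

	// Manifest edited after signing (version field bumped): signature no longer matches.
	bumped := good
	bumped.Version = 9
	results["tampered_manifest"] = VerifyUpdate(state, bumped, SignManifest(privA, good), image)

	unknown := good
	unknown.KeyID = "vendor-key-Z"
	results["unknown_key"] = VerifyUpdate(state, unknown, SignManifest(privA, unknown), image)

	return results
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

Two design points matter in practice: the installed-version counter and the revocation list must themselves live in storage the running firmware cannot silently roll back (for example a monotonic counter in a secure element), and the revocation list must arrive signed, otherwise an attacker who can write flash can undo both controls while leaving the signature check intact.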
EU Declaration of Conformity
Remains a single document, but must now explicitly demonstrate that cybersecurity risks have been addressed in accordance with NIS2 Article 21 when the equipment is intended for essential/important entity networks. Practical implementation: reference to harmonised standards (ETSI EN 303 645, EN 18031 series) + dedicated cybersecurity annex or statement.
Maximum administrative fines
Higher of €10 000 000 or **2 % of total worldwide annual turnover** of the preceding financial year.
Most common (and most expensive) misinterpretations still seen in 2025:
– “MDR/IVDR cybersecurity requirements are enough” → false; NIS2 adds supply-chain liability and far higher fines
– “NIS2 only applies to operators, not manufacturers” → incorrect for any connected critical product
– Certifying hospital switches or 5G infrastructure with only 2 kV surge → simultaneously violates IEC 62368-1 and NIS2 resilience requirements
Compliance roadmap 2025–2026
1. Complete migration of all active product lines to full IEC 62368-1 Edition 3 (6/8 kV surge + comprehensive glow-wire + HBSE documentation)
2. Implement cryptographic firmware signing, secure boot, AES-256-grade encryption, and authenticated remote update as the non-negotiable baseline
3. Update the EU Declaration of Conformity and technical file to explicitly cover NIS2 Article 21 supply-chain cybersecurity obligations
4. Establish and maintain SBOM + coordinated vulnerability disclosure programme
Non-compliance with both frameworks at the same time now results in immediate loss of CE marking, exclusion from EU public tenders, and real exposure to fines of up to 2 % of global annual turnover under the NIS2 Directive.