Data and Digital

Key points

  • The Digital Omnibus on AI created an opportunity to further refine the application of Regulation (EU) 2024/1689 (“AI Act”), as well as its application to medical and in vitro devices, and to provide much needed space to make key guidance available.
  • The European Parliament and the Council of the EU are examining legislative proposals in the European Commission’s new Cybersecurity Package, to include targeted amendments to the NIS2 Directive. However, the NIS2 Directive has not yet been transposed into Irish law.
  • Ireland has taken its first legislative step towards fully implementing the European Health Data Space Regulation in Ireland, with the enactment of the Health Information Act. Further legislation is planned.
  • Focus at an EU level remains on unlocking opportunities in the use of data. For the life sciences sector, the proposed changes in the Digital Omnibus Regulation Proposal to facilitate research and innovation in the Union will be particularly welcome.

Implementing the AI Act

CHALLENGES

Delays in designating national competent authorities and conformity assessment bodies, and a lack of harmonised standards for the AI Act’s high-risk requirements, guidance, and compliance tools, were among the challenges to the effective implementation of the AI Act identified in the European Commission’s Digital Omnibus to simplify the implementation of the AI Act (PDF 543 KB) published in November 2025 (“Digital Omnibus on AI”).

HIGH-RISK AI IMPLEMENTATION DATES, INTERPLAY WITH MDR AND IVDR AND CLARIFICATION OF THE CONCEPT OF A SAFETY COMPONENT

The final text of the Digital Omnibus on AI has now been formally adopted by the European Parliament (“Parliament”) and the Council of the EU (“Council”) and will be published in the Official Journal of the European Union, entering into force on the third day after its publication. Key points of interest are discussed below:

  • The implementation dates for the rules governing high-risk AI systems will be pushed out to facilitate compliance. For AI systems caught by Article 6(2) and Annex III of the AI Act, high-risk AI rules will apply from 2 December 2027.
  • For AI systems caught by Article 6(1) and Annex I of the AI Act, high-risk AI rules will apply from 2 August 2028. This means that manufacturers of medical devices that are also AI systems, or that use an AI system as a safety component, and which are subject to a third-party conformity assessment by a notified body in accordance with the MDR/IVDR now have a further 12 months to bring their processes into compliance.
  • To address overlaps with the MDR/IVDR (and other harmonisation legislation listed in Section A of Annex I), the Digital Omnibus on AI limits the application of certain specific requirements in the AI Act where and to the extent that there is an “equivalent or higher level of protection of health, safety or fundamental rights” in the MDR/IVDR and where that limitation does not reduce the overall level of protection provided for by the AI Act. The Commission must adopt delegated acts by 2 August 2027 setting out specifics for this.
  • The definition of a safety component, as set out in Article 3(14) of the AI Act, and its treatment under Article 6 of the AI Act, will be amended to provide welcome clarity on the concept of a safety function, narrowing its scope to where its intended purpose, as determined by the provider, is to prevent or mitigate risks to the health and safety of persons. The recitals confirm that this does ‘not include AI systems which are intended to solely fulfil functions related to user assistance, performance optimisation, service efficiency, automation, convenience, or quality control operations of non-safety related aspects’.

GUIDELINES

In tandem with the extended compliance timeframe, throughout the course of 2026 the Commission will develop a number of guidelines to assist in applying the AI Act. The draft guidelines on the classification of high-risk AI systems under the AI Act are discussed in our briefing, EU AI Act: Draft Guidelines on High-Risk AI Classification. Manufacturers of medical devices that are deemed to be high-risk under the AI Act and that process health data will also welcome joint guidelines on the interplay between the AI Act and the GDPR, which are expected to be issued by the Commission and the European Data Protection Board (“EDPB”) in 2026.

Preparation in Ireland

In Ireland, the national AI Office (Oifig Intleachta Shaorga na hÉireann) is due to be established by August 2026. It will act as a central and coordinating authority for the implementation of the AI Act. The Health and Safety Authority, the Health Products Regulatory Authority and the Health Services Executive are among the 15 Competent Authorities designated, or due to be designated, for oversight and enforcement of the AI Act within their respective sectors. More detail on their potential powers and responsibilities is set out in the Regulation of Artificial Intelligence Bill 2026 which, when enacted, will provide for implementation of the AI Act in Ireland.

For medical device manufacturers subject to MDR or IVDR, the Artificial Intelligence Board and the Medical Device Coordination Group have endorsed document MDCG 2025-6 on the Interplay between the MDR and IVDR and the AI Act, which poses and responds to frequently asked questions on the joint application of those acts.

The new EU Cybersecurity Package and implementation of NIS2

LIFE SCIENCES IN NIS2

Entities within the health sector will have already assessed the finer detail in Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2”) to determine whether they are caught by the Directive and, if so, whether they are ‘important entities’ subject to an ex post supervisory regime, or ‘essential entities’ subject to both ex ante and ex post supervisory measures under NIS2.

  • Broadly speaking, two criteria are used to determine whether an entity is within scope and the extent of its obligations: (i) the sector within which the entity operates; and (ii) the size of the entity.
  • The health sector is an in-scope sector of ‘High Criticality’ under Annex I of NIS2, meaning that the types of entity more particularly identified in Annex I, such as those manufacturing basic pharmaceutical products, will be considered to be either essential or important entities depending on their size. Manufacturing of medical devices and in vitro diagnostic medical devices is listed within Annex II as an ‘Other Critical Sector’, meaning that those entities will be considered to be important entities if they meet the size threshold.
  • In each case, a Member State may separately identify an Annex I or Annex II entity as an ‘essential entity’ regardless of size, if certain criteria apply.

CHANGES TO NIS2

With the changes envisaged in the European Commission’s January 2026 Cybersecurity Package (“the Cybersecurity Package”), those within the new category of small mid-cap enterprises will be monitoring the proposed Directive to amend NIS2 to see if the proposal to designate them as important entities is adopted, as moving from the category of an ‘essential’ to an ‘important’ entity would reduce their compliance burden.

CYBERSECURITY RISK MANAGEMENT MEASURES

Until transposition, life sciences organisations within the scope of NIS2 may look to Ireland’s National Cyber Security Centre (“NCSC”) for guidance. It recommends the Cyber Fundamentals Framework as the preferred method to demonstrate compliance, but also recognises other internationally accepted standards for compliance, e.g. ISO 27001 for information security. The NCSC has also published Risk Management Measures providing detailed guidance on the measures which are the minimum required to meet the obligations of NIS2.

For medical device manufacturers subject to MDR or IVDR, the Medical Device Coordination Group has endorsed Guidance on Cybersecurity for medical devices (MDCG 2019-16 rev.1) (PDF 1.8 MB) on how to fulfil all the relevant essential requirements of Annex I to the MDR and IVDR with regard to cybersecurity.

European Health Data Space Regulation – implementation in Ireland

PRIMARY USE OF HEALTH DATA - HEALTH INFORMATION ACT 2026

On 30 April 2026, Ireland enacted the Health Information Act 2026 (PDF 498 KB) (“Act”) with the express objective of giving further effect to the European Health Data Space Regulation (“EHDS Regulation”) in Ireland. The Irish Data Protection Commission, HIQA and the HSE will all play key roles in the EHDS implementation domestically.

The Act provides for a duty for health services providers to share a patient’s personal health data with other health services providers. It provides for the creation, in respect of every patient, of an Electronic Health Record (“EHR”) containing a range of information, which will include, where available, information on medical devices and implants, current and relevant past medicines, prescriptions and dispensations, and will use personal public service numbers as an identifier. The HSE alone will have the right to use EHRs for, among other purposes, a public interest purpose for activities ensuring high levels of quality and safety of medicinal products or medical devices. Otherwise, the EHR may only be used for patient care and treatment by a health services provider, unless the patient consents to another use. The Act has not yet been commenced.

Secondary use of health data

The Department of Health has indicated that further legislative provisions will be required regarding the secondary use of health data, including provisions for a national health data access body and a permit-system for wider secondary use. This aligns with the timing for the application of Chapter IV of the EHDS Regulation, which provides for the secondary use of health data and which comes into force between March 2027 and March 2035, with the majority of its provisions applying from March 2029.

Digital Omnibus Regulation Proposal

SIMPLIFICATION

Framed as a simplification exercise to bolster the EU’s competitiveness, the European Commission’s Digital Omnibus Regulation Proposal (“Proposal”) was announced on 19 November 2025, alongside the Digital Omnibus on AI. The proposed changes include consolidation and reform of existing data legislation and targeted amendments to the GDPR and the ePrivacy Directive. These are discussed in our publication entitled ‘Digital Package on Simplification’.

While feedback has been collected from the public, negotiating positions have not yet been reached by the Parliament and Council on the Proposal, which could be substantially modified during the EU legislative process, making it difficult to predict the tangible impact it will have on digital regulation.

Facilitating GDPR compliance

In their Joint Opinion, the EDPB and EDPS comment that the Digital Omnibus Regulation Proposal echoes the EDPB’s commitments in its Helsinki Statement to take up initiatives to facilitate GDPR compliance and strengthen consistency. While welcoming some parts of the Proposal, the Board urges co-legislators not to adopt the proposed change to the definition of personal data.

Easing compliance is a theme in the EDPB’s 2026-2027 work programme. The programme includes the development of guidelines on the processing of data for scientific research purposes, which have been published in a draft version for consultation. Further, the EDPB recently adopted, in draft form for public consultation, a common template Data Protection Impact Assessment and a common template for data breach notifications.

POINTS TO WATCH

For MedTech and other life sciences organisations subject to two or more reporting regimes when a data or cyber breach occurs, the Digital Omnibus Regulation Proposal introduces a single entry point (“SEP”) for submitting incident notifications across NIS2, GDPR, Digital Operational Resilience Act and the Critical Entities Resilience Directive (“CER Directive”), which aims to ease the administrative burden. EU-wide reporting templates for the GDPR and the CER Directive, as well as common templates for the NIS2 Directive are also envisaged, although key concepts, reporting thresholds and reporting times for incident notification are not aligned in the Proposal, which, critics suggest, may limit the usefulness of the SEP.

Among the proposed changes to the Data Act, the proposal to narrow the scope of business‑to‑government data access in Chapter V of the Data Act to clearly defined “public emergencies” and the reinforced trade secret protections are of significance for the life sciences sector. Similarly, the proposal to revise the definitions of personal data and scientific research and the treatment of scientific research under the GDPR, as well as changes around the processing of biometric data, are also points to watch.

What's next?

Publication of the Bill to transpose the NIS2 Directive into Irish law continues to be a priority for the Government. The General Scheme of the National Cyber Security Bill completed pre-legislative scrutiny in February 2026. Industry will also be monitoring the progress of the Cybersecurity Package, in particular the targeted amendments to NIS2. The proposal to adopt implementing acts at an EU level on cybersecurity risk-management measures pursuant to Article 21(5) of NIS2 on a maximum harmonisation basis, and the potential designation of small mid-cap enterprises as ‘important entities’, will have a significant impact on compliance plans for in-scope entities. NIS2 and the Scheme are discussed in our article, Are you cyber ready? Key points of the NIS2 Directive.

While the Digital Omnibus Regulation Proposal progresses through the EU legislative process, manufacturers and users of connected products, for example connected medical devices, will also be monitoring the progress of the General Scheme of the Data Bill, published in February 2026, which will give further effect to the Data Act (Regulation (EU) 2023/2854) in Ireland. For the life sciences sector, mapping the interplay between their Data Act obligations and the requirements of the GDPR and the EHDS Regulation will be an important exercise. In doing so, account will need to be taken of the impact of the proposed changes in the Digital Omnibus Regulation Proposal.

Further information on Ireland’s preparations for the EHDS Regulation is set out in the guidance for data holders on preparing for the establishment of a health data access body services in Ireland published in April 2025 by HealthData@IE, the national project supporting the setting up of health data access body services in Ireland.

Authors

Colin Rooney
Olivia Mullooly
Rachel Benson


The material contained in this bulletin is for general information purposes only and does not constitute legal or other professional advice. No liability whatsoever is accepted by Arthur Cox LLP for any action taken in reliance on the information in this bulletin. No links to this bulletin may be included in any other publication/website without our express written authorisation. Arthur Cox LLP is not responsible for the content of external Internet sites that link to this site or which are linked to from it.

Published by Arthur Cox LLP © 2026 Arthur Cox LLP. All rights reserved.