02-21-2025 Article

Update Information Security and Update Health Care & Life Sciences 2/2025

The new Medical Devices Operator Ordinance has come into force – New requirements for software and IT security

Since 20 February 2025, stricter regulations have applied to operators and users of medical devices in Germany: The new Medical Devices Operator Ordinance (MPBetreibV) has come into force, accompanied by adjustments to the Medical Devices Dispensing Ordinance (MPAV). The aim of the new version of the MPBetreibV is to further increase patient safety and to adapt the regulations to current technological and regulatory developments.

A central driver of the changes is the advancing digitization in the healthcare sector. With the growing use of networked medical technology and specialized medical device software, the requirements for IT security, maintenance and responsibilities are also increasing. Operators and manufacturers are now faced with the task of adapting their processes according to the new regulations in order to meet the legal requirements.

The most important innovations at a glance:

1. Expanding the scope of application

The scope of the MPBetreibV has been extended: The regulation now also applies to the operation and use of Annex XVI products. These are products without a medical purpose according to Annex XVI of Regulation (EU) 2017/745 (MDR), such as bodyforming devices or IPL devices for hair removal or skin rejuvenation.

These products were previously expressly excluded from the scope of the MPBetreibV. Operators and users should therefore check whether their devices are now covered by the new regulations and ensure that the necessary requirements are met.

2. Amendment of definitions

Some changes have been made to the terminology:

The previous term "Anwender" has been replaced by "Benutzer". According to § 2 para. 3 MPBetreibV, a user is someone who uses a product on patients within the scope of application of the regulation.

The term "Versorgender" was newly introduced. According to § 2 para. 5 MPBetreibV, this is "anyone who has to provide products to the patient on the basis of a legal or contractual obligation" – e. g. health or nursing care insurance companies.

It is now important to adapt the internal documentation and training materials accordingly in order to use the new terms correctly.

3. New requirements for software and IT security

Until now, the MPBetreibV did not contain any explicit rules for software, but was primarily aimed at physically existing products. The regulations for the operation and maintenance of medical device software have been significantly specified in the new version:

  • Instructions after software updates: Instruction in the handling of products was already mandatory. What is new is that a new instruction is required as soon as a software update entails significant changes in operation (§ 4 para. 3 MPBetreibV).
  • Safety precautions: Before using a product, the user must ensure that the product is functional and in proper condition and must observe the instructions for use and the other enclosed safety-related information and maintenance instructions. For networked products, the manufacturer's requirements regarding the digital infrastructure and the information security of its products must be observed when connecting to a network (§ 4 para. 6 MPBetreibV).
  • Maintenance of software: The obligation to maintain now explicitly includes the installation of safety-relevant software updates (Section 7 (2) MPBetreibV). This requires a regular check of the software for any security vulnerabilities, which must then be corrected accordingly.
  • IT security tests for "high-risk software": The operator may only operate, or allow the use of, software that is a class IIb or III medical device or an in vitro diagnostic device of class C or D if the manufacturer or an authorised person has previously checked the proper installation of the software and has instructed the operator in its use and operation (Section 17 (1) MPBetreibV). If "high-risk software" is operated and used in healthcare facilities, the operator must regularly carry out IT security checks (Section 17 (3) MPBetreibV). The exact scope of these IT security checks is not defined in more detail in the MPBetreibV. Instead, reference is made to the generally accepted rules of technology as the yardstick. Depending on the type of software, this may include performing source code analysis, configuration checks, vulnerability scans and penetration testing. In case of doubt, however, the operator is dependent on the cooperation of the manufacturer. The IT security checks may only be carried out by specially qualified persons within the meaning of § 5 para. 1 MPBetreibV, and violations can even be punished as an administrative offence (§ 19 no. 3 MPBetreibV).

Operators should therefore establish and document clear processes for checking and installing software updates. The same applies with regard to the implementation of IT security checks. In this context, it is particularly important to specify and document the generally accepted rules of technology. Manufacturers must ensure that they inform users in good time about relevant updates and, if necessary, offer new training. This, in turn, requires appropriate processes for dealing with security vulnerabilities and resolving them.

4. Prohibition of use of single-use products reprocessed in accordance with Art. 17 para. 2 MDR

One of the most controversial changes is the ban on the use of single-use products prepared in accordance with Art. 17 para. 2 MDR (§ 9 para. 1 MPBetreibV).

Background: The reprocessing of single-use products is generally permissible under certain conditions under Art. 17 MDR. There are two variants. The first variant is the so-called CE reprocessing according to Art. 17 para. 2 MDR. Under this variant, the reprocessed product (like a new product) receives a new CE certificate, confirming that the product meets all legal requirements, and the reprocessor bears the same obligations as the manufacturer. The second variant is the so-called CS reprocessing according to Art. 17 paras. 3 and 4 MDR. Here, reprocessing takes place without the full manufacturer obligations; the requirements are based on the Common Specifications set out in Implementing Regulation (EU) 2020/1207. However, this variant only applies to healthcare facilities that reprocess their products themselves or to external reprocessors who return the products to the same healthcare facility.

For a long time, it was unclear which reprocessing procedures were possible in Germany. It is now clear that only CS reprocessing is permitted. This is justified by patient protection, which in the legislator's view was not sufficiently guaranteed if a secondary market were opened for products that had previously been in use by another operator.

With the new MPBetreibV, it has now been clarified: In Germany, only CS reprocessing is permitted. The legislator sees a risk to patient safety if reprocessed single-use products are freely traded and reused by different operators. Facilities that have previously used reprocessed single-use products will need to rethink their procurement strategy and, if necessary, switch to alternatives.

Conclusion

The new Medical Devices Operator Ordinance (MPBetreibV) and the amendments to the Medical Devices Dispensing Ordinance (MPAV) raise safety standards to a higher level, but also entail additional bureaucracy. Manufacturers and operators are required to analyse the new regulations in detail and adapt their processes accordingly to ensure compliance with legal requirements.

For medical device operators, this means familiarizing themselves with the changes at an early stage, revising service instructions and ensuring that all processes are compliant. The topics of software updates and IT security are particularly important – both central aspects that should not be underestimated.

Software manufacturers, in turn, have the responsibility to inform operators about updates in good time and, if necessary, to carry out necessary training or instruction. If they place software on the market as a class IIb or III medical device or as an in vitro diagnostic device of classes C or D, they are also responsible for the professional installation and proper instruction.

In view of the increased requirements, both manufacturers and operators should critically review their processes and ensure that they comply with the new regulations. In complex or unclear cases, it may make sense to seek legal advice in order to avoid liability risks and to ensure that the requirements are implemented in a legally secure manner.
