Recital 112

This Regulation complements the essential cybersecurity requirements laid down in Regulation (EU) 2024/2847. EHR systems which are products with digital elements within the meaning of Regulation (EU) 2024/2847 should therefore also comply with the essential cybersecurity requirements set out in that Regulation. The manufacturers of those EHR systems should demonstrate conformity as required by this Regulation. To facilitate that conformity, manufacturers should be allowed to draw up a single set of technical documents containing the elements required by both legal acts. It should be possible to demonstrate conformity of EHR systems with essential cybersecurity requirements laid down in Regulation (EU) 2024/2847 through the assessment framework under this Regulation. However, the parts of the conformity assessment procedure under this Regulation which relate to the use of testing environments should not be applied, since those testing environments do not allow for an assessment of conformity with the essential cybersecurity requirements. As Regulation (EU) 2024/2847 does not cover Software as a Service (SaaS) directly as such, EHR systems offered through the SaaS licensing and delivery model do not fall within the scope of that Regulation. Similarly, EHR systems that are developed and used in-house do not fall within the scope of that Regulation, as they are not placed on the market.