NCS3-study on safety and security in medical devices

Authors:

  • Ulrika Eckersand
  • Eva Mittermaier
  • Ann-Sofie Stenerus
  • Johanna Wahrenberg

Publish date: 2022-01-31

Report number: FOI-R--5226--SE

Pages: 64

Written in: Swedish

Keywords:

  • certification
  • deviation
  • cyber security
  • EUDAMED
  • IVDR
  • MDR
  • Medical device
  • safety

Abstract

Digitalization of the health care sector is being implemented at high speed, and has consequences for both safety and cyber security. The European Union has decided on two new regulations (MDR and IVDR) with the purpose of improving the safety of medical devices. These two new EU regulations influence the work with certifications and with reporting medical device problems. In this study, representatives of care providers (operated by regional councils), authorities, manufacturers, and notified bodies were interviewed. The results of the interviews confirm the presumption that the legal framework has an impact on cyber security. Sometimes both safety and cyber security are improved, and sometimes the legal framework counteracts cyber security. MDR classifies healthcare information systems as medical devices. Biomedical engineers must therefore work more closely with information security departments. There is a need for personnel with proper competence at manufacturers, care providers and notified bodies. The competence needed comprises safety, cyber security, the legal framework and certification work. There is a lack of notified bodies in Sweden, and without personnel and proper competence there is a risk that the notified bodies will not be able to certify enough products for the market. The reporting of medical device problems must improve, especially to the national database reidarMTP. Reporting to reidarMTP is time-consuming, and other assignments are prioritized.