Internal Quality Certificates

Quality in our activity sector means Responsibility: Vircell fulfills it from the very beginning of the production process, as it is one of the main pillars on which our business idea is based.

At present, the quality of our products is guaranteed by the fulfillment of an exhaustive quality management system, based on a modern and global regulation: ISO 9001. All activities of R&D, Production, Sales and After-sales are audited and certified according to this directive. However and undoubtedly, our biggest satisfaction is the confidence that laboratories from any part in the world put in us every day. 

Since 2022, in vitro diagnostic reagents must incorporate the CE marking by complying with REGULATION (EU) 2017/746 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 5, 2017 on medical devices for in vitro diagnostics. Vircell works continuously to comply with this regulation. In 2023, Vircell was granted the ISO 13485 certification by the notified body TÜV SÜD, which certifies our quality assurance system.

Moreover, the company is implementing a global adaptation system to GMP regulation, necessary to obtain the FDA approval.

External Quality Controls

Since 2004 Vircell takes part in several External Quality Control Programs as an additional tool to ensure the quality of our products.

Samples with unknown results are distributed to the participating laboratories. Once the participants analyze the samples and send the results back, these results are processed in order to establish the possible deviation of each laboratory. The results are returned to the participants, so they can asses its systematic error and lack of precision of the group.

Vircell’s results for these programs are available upon request. Please do not hesitate to contact us at info@vircell.com

External Quality Assurance Programs

Corporate Policy

We are aware that to continuously improve both our system and the products manufactured and services rendered, we must consider patient safety, the expectations of our customers and their needs as well as legal and regulatory requirements, being our main commitments:

  • Comply with the requirements of the UNE-EN ISO 13485:2016/A11:2021, UNE-EN-ISO 9001:2015, and UNE- EN- ISO 14001:2015, IVDR, MDSAP-CMDR and MDSAP-FDA.
  • Identify and provide necessary resources to implement and maintain the Quality and Environment Management System, rationally using all resources.
  • Routing our Quality Management System and Environmental Management System to guarantee patient safety, to meet the legal and regulatory requirements of the different Regulatory Authorities that form part of our context, to meet the needs and expectations of our Customers and to prevent and reduce the Environmental Impacts generated by the activity of the organization, as the central task of our environmental policy.
  • Improving the quality of life of patients through innovation.
  • To consider patient care and safety as the heart of what we do.
  • Strive to achieve the highest quality standards in our products to ensure that our customers can rely on accurate information for the best patient care.
  • Protect the environment including the prevention of pollution and the sustainable use of resources.
  • Identify and assess risks, determine necessary improvement actions in processes and evaluate the effectiveness of these to mitigate those risks.
  • Establish annual strategic objectives of the organization and goals that are measurable and consistent with the policy of the organization.
  • To orientate the company's management towards the reduction, elimination and prevention of management deficiencies and, most importantly, towards continuous improvement of the system that meets legal and regulatory requirements, as well as customer requirements and patient safety as effectively as possible.
  • Record, assess and regularly monitor the environmental effects of our processes.
  • Promote awareness of all staff and partner companies, so that this quality and environmental policy is understood and accepted.

In the organization we believe that environmental protection is not only legal issue, but is a social obligation for the entire company that develops and progresses together and parallel to the community to which it belongs. This requires the commitment and participation of all staff of the organization, based on knowledge of this policy and the proper implementation of the Manual Integrated Management, General Procedures and all documentation is part of the Integrated Management System.

The objectives include a commitment to compliance with applicable laws and regulations by evaluating their interactions with the environment and the application of best available technologies economically viable.

The management is committed and requests the commitment of all employees of the company, to the extent they are concerned to develop, refine and implement quality criteria and environmental respect defined in the documents of the Integrated Management System and compliance of targets set for the corresponding periods.

The management,

Information Security Policy

1. INTRODUCTION

This document sets out VIRCELL’s policy on information handling and on the security of its information systems.

This Security Policy also follows the requirements of the Esquema Nacional de Seguridad (ENS) and the CCN-STIC-805 guideline issued by the Centro Criptológico Nacional (CCN), part of the Centro Nacional de Inteligencia (CNI) in Spain.

The ENS aims to build the necessary trust for the use of electronic means through measures that guarantee the security of systems, data, communications and electronic services, enabling citizens and Public Administrations to exercise their rights and fulfil their obligations through these channels.

This implies applying the minimum security measures required by the ENS, continuously monitoring service levels, tracking and analysing reported vulnerabilities, and preparing an effective incident response to ensure service continuity.

VIRCELL shall ensure that ICT security is an integral part of every stage of the system life cycle—from conception to decommissioning—including build/buy decisions and operations. Security requirements and the related budget needs must be identified and included in planning, requests for quotation and tender specifications for ICT projects.

1.1 Prevention

VIRCELL shall avoid—or at least prevent as far as possible—any harm to information or services caused by security incidents. To that end it will implement the minimum ENS security measures and any additional controls identified through threat and risk assessment.

These controls, and the security roles and responsibilities of all personnel, will be clearly defined and documented.

To ensure compliance with this policy, the organisation shall:

  • Authorise systems before going live.

  • Regularly assess security, including routine reviews of configuration changes.

  • Request periodic third-party reviews to obtain an independent assessment.

1.2 Detection

Because services can quickly degrade due to incidents—from slow-downs to complete outages—operations must be continuously monitored to detect anomalies in service levels and act accordingly.

Monitoring is especially relevant where multiple lines of defence are in place. Detection, analysis and reporting mechanisms will be established to inform those responsible on a regular basis and whenever there is a significant deviation from pre-defined normal parameters.

1.3 Response

VIRCELL will:

  • Establish mechanisms to respond effectively to security incidents.

  • Designate a contact point for communications regarding incidents detected in other departments or organisations.

  • Establish protocols for information exchange related to incidents, including two-way communications with Computer Emergency Response Teams (CERTs).

1.4 Recovery

To guarantee the availability of critical services, VIRCELL will maintain ICT continuity plans as part of its overall business continuity plan and recovery activities.


2. MISSION

VIRCELL’s mission is to provide high-quality diagnostic solutions for infectious diseases, ensuring the safety and reliability of its products, complying with applicable regulations and meeting customer expectations in a dynamic, competitive environment.

With over 30 years of experience, VIRCELL develops and manufactures ready-to-use reagents for human infectious-disease diagnostics, offering 500+ references for the detection of bacteria, viruses, parasites and fungi using various techniques, and is present in laboratories in more than 90 countries.

In short, VIRCELL’s mission is to lead the development of reliable, safe diagnostic solutions for infectious diseases, with a strong commitment to quality, customer satisfaction and environmental sustainability.


3. SCOPE

This policy applies to all ICT systems and to all members of VIRCELL S.L. (hereinafter, VIRCELL) that support the provision of services to Spanish public administrations and their suppliers.

3.1 ENS certification scope

Information system supporting the services of:

VIRCELL, S.L.:

  • Design, Development, Production and Distribution of in-vitro diagnostic reagents for infectious diseases and of generic consumables for in-vitro diagnostics.

  • Design, Development, Production, Installation, Service (including technical support) and Distribution of in-vitro diagnostic instruments for infectious diseases, installed on-premises at customer facilities.

VIRCELL SPAIN, S.L.U.:

  • Installation, maintenance management and technical support for equipment used in in-vitro diagnostic and Biotechnology techniques.

  • Commercialisation and distribution of in-vitro diagnostic reagents and Biotechnology products.


4. REGULATORY FRAMEWORK

  • Real Decreto 311/2022, of 3 May, regulating the Esquema Nacional de Seguridad (ENS).

  • Ley Orgánica 3/2018 (LOPDGDD), on Personal Data Protection and digital rights.

  • Regulation (EU) 2016/679 (GDPR).

  • Real Decreto Legislativo 1/1996, Ley de Propiedad Intelectual (Intellectual Property Law).

  • Ley 34/2002 (LSSI), on Information Society Services and Electronic Commerce.


5. SECURITY ORGANISATION

The Security Committee coordinates information security at VIRCELL and is composed of:

  • Information Owner.

  • Service Owner.

  • Security Officer.

  • System Owner.

Committee members are listed in document SGSI-00002 – Committee Members.

The following sections describe the functions assigned to each role.

5.1 Information Owner

Responsibilities:

  • Owner of essential information assets and decision-making regarding information.

  • Ensures proper use and protection of information.

  • Ultimately responsible for any error or negligence leading to a confidentiality or integrity incident.

  • Sets information security requirements.

  • Defines the security levels for information.

5.2 Service Owner

Responsibilities:

  • Owner of essential service assets and decision-making regarding services.

  • Sets service security requirements, including interoperability, accessibility and availability.

  • Defines the security levels for services.

5.3 Security Officer

  • Acts as the Information Security Officer in accordance with the ENS.

  • Ensures management-system processes are established, implemented and maintained per applicable standards.

  • Reports to Management on the system’s performance and effectiveness for management review and continual improvement.

  • Promotes awareness of customer requirements on Information Security at all organisational levels.

  • Supports Management in defining and implementing policies and standards aligned with company strategy.

  • Plans, schedules and, where appropriate, participates in internal and external audits.

  • Controls the creation, update, approval and distribution of management-system documentation.

  • Acts as liaison with external parties (customers, suppliers, authorities and other interested parties).

  • Oversees actions to prevent and manage non-conformities and evaluates actions after improvement suggestions are reported.

5.4 System Owner

Responsibilities:

  • Owner of non-essential assets: responsible for decisions regarding all elements of VIRCELL’s information system except essential services and information.

  • Develops, operates and maintains the Information System throughout its life cycle, including specifications, installation and verification of correct operation.

  • Defines the topology and management model of the Information System, establishing usage criteria and available services.

  • Ensures that specific security measures are properly integrated into the overall security framework.

  • Administers and manages user accounts.

  • Ensures that only authorised persons have access.

  • Ensures that systems meet the availability levels required by the organisation.

  • Includes applicable security requirements in new developments.

5.5 Appointment procedure

The fulfilment of the responsibilities defined in this Security Policy depends on the positions to which they are linked. If any of these positions disappears or changes name, it is the responsibility of VIRCELL’s CEO to assign the role to the appropriate new position.

5.6 Conflict-resolution procedures

In the event of conflict between roles, it will be resolved by their hierarchical superior. Failing that, the decision of the Security Committee will prevail.


6. DOCUMENTED INFORMATION

To implement this Management System, the following documentation structure is maintained:

  • Security Policy (this document): establishes the basis of the company’s Management System.

  • Standards/Norms: define permitted and prohibited uses within the organisation.

  • Procedures: describe activities required to implement the Management System and meet applicable requirements.

  • Technical Instructions/Work Instructions: detail specific steps for activities that require precise guidance to meet objectives.

Documents are as extensive as needed to ensure effective operation and process control, depending on process complexity, interactions and staff competence.

6.1 Document control for the Management System

VIRCELL has established and maintains procedure PSGSI-00010 – ISMS Management, which describes document control for the system, including criteria and responsibilities for controlling the documents required for the Management System.


7. DEVELOPMENT OF THE INFORMATION SECURITY POLICY

7.1 Minimum security requirements

The basic principles related to information security (Article 11 ENS) that govern the organisation’s policy are:

  • Conflict resolution – see section “Conflict-resolution procedures”.

  • Security organisation and implementation – see section “Security Organisation”.

  • Risk analysis and management – see section “Risk Management”.

  • Personnel management – see section “Staff Obligations”.

  • Professionalism – see section “Staff Obligations”.

  • Access authorisation and control – see section “Access Control”.

  • Facilities protection – see section “Physical and Environmental Security”.

  • Acquisition of products – see section “Third Parties”.

  • Least privilege – see section “Configuration Management”.

  • System integrity and updates – see section “System Integrity and Updates”.

  • Protection of information at rest and in transit – see “Access Control”.

  • Protection against interconnected systems – see “Communications Management”.

  • Activity logging – see “Monitoring and Logging”.

  • Security incidents – see “Security Incident Management”.

  • Business continuity – see “Continuity Management”.

  • Continual improvement – as specified in this policy, the Security Committee and the responsible roles will promote continual improvement by planning and carrying out objectives and improvement actions (see “Security Organisation”).

7.2 Data classification policy

The data classification system applies to all information held by VIRCELL. Consistent application is essential to properly protect information and information systems.

Four classification levels are defined: Public, Internal Use, Confidential, Sensitive.

7.3 Risk management

All systems subject to this Security Policy will carry out a risk analysis, assessing threats and risks. This analysis will be repeated:

  • Regularly, at least annually.

  • When the information handled changes.

  • When the services provided change.

  • When a serious security incident occurs.

  • When serious vulnerabilities are reported.

To harmonise risk analysis, the Security Committee will establish a baseline assessment for the different types of information managed and services provided.

7.4 Staff obligations

All VIRCELL personnel must know and comply with this Information Security Policy and other security standards developed by VIRCELL. The Security Committee is responsible for ensuring the information reaches those affected.

All personnel within the ENS scope will receive security awareness and training. Where specific training is required for secure system management, those responsible for operating or administering information systems will receive it as needed.

Within the employment or contractual relationship, employees must always perform their assigned duties with professionalism—that is, with capability and effectiveness.

7.5 Access control

Information must be protected against unauthorised access; only the information necessary for the job shall be accessible. No user may access the network, systems, applications or information without formal authorisation.

Visitors or unauthorised personnel on premises must be accompanied by a responsible staff member at all times, ensuring resources remain protected.

Where service providers or external companies need access to facilities or information for justified reasons, they must sign confidentiality agreements to maintain the same level of security as organisation employees.

7.6 Physical and environmental security

Logical security is only effective if physical security is in place to prevent unauthorised access and other damage or interference. VIRCELL takes the necessary steps to ensure only authorised individuals can access its facilities.

All offices have the required physical barriers to safeguard resources. Premises are equipped with fire-extinguishing devices as required by law and with properly signposted emergency exits.

7.7 Third parties

When VIRCELL provides services to, or handles information from, other organisations, they will be made aware of this Information Security Policy. Reporting and coordination channels will be set between the respective Security Committees, and procedures will be established to react to security incidents.

When VIRCELL uses third-party services or shares information with third parties, they will be made aware of the security requirements to be met. Providers must ensure their staff are adequately trained in security according to VIRCELL’s requirements.

A specific procedure has been developed for supplier management, documenting information-security considerations for acquiring new components, engaging suppliers and managing those contracts.

7.8 Configuration management

Management, configuration and updating of the hardware and software underpinning the security mechanisms and services of the Information System shall always follow secure-by-default and minimal functionality principles.

7.9 System integrity and updates

Any physical or logical component requires formal authorisation prior to installation; a specific authorisation policy is in place.

Systems must be kept up to date with vendor specifications, vulnerability advisories and updates. A policy defines how equipment maintenance, patching and vulnerability management are to be performed.

7.10 Protection of stored information

VIRCELL will implement physical and logical measures to protect information wherever it is stored, whether on physical or digital media. Backups will be made to ensure recovery in case of incident.

7.11 Communications management

VIRCELL will control access to services on internal and external networks and ensure users do not put those services at risk. Appropriate interfaces between the organisation’s network and other networks will be established, along with suitable authentication mechanisms for users and devices, and access permissions for each user of the information system.

Corporate networks will be protected against threats originating from public networks such as the Internet.

7.12 Monitoring and logging

A global monitoring strategy will be defined for systems and activities, identifying the most critical systems and establishing appropriate controls to record any event that must be detected (unauthorised activities or improper system behaviour). Logs must be stored protected against modification or deletion.

Where necessary, mechanisms will be established to detect unauthorised information-processing activities. This includes performing controls and inspections of system logs and activities to test the effectiveness of data-security measures and integrity procedures, to ensure compliance with policy and to recommend any necessary changes.

7.13 Security incident management

Any employee who suspects or observes a security incident—physical (fire, water, etc.), software or systems (malware, data loss, etc.) or support services (communications, power, etc.)—must report it immediately so that appropriate measures can be taken and the incident recorded.

Responsibilities and procedures for incident management will be established to ensure a rapid, effective and orderly response. Procedures will cover all possible incident types.

7.14 Continuity management

Systems will have backups and the mechanisms necessary to guarantee continuity of operations in the event of loss of normal working conditions.

VIRCELL ensures that services are not interrupted. To achieve this, appropriate analyses and plans have been developed.

Environmental policy

Vircell, S.L

Vircell Spain, S.L.U., in its vocation and commitment to the Environment, annually performs an Environmental Performance evaluation and, through this evaluation, measures are established, some of which become environmental objectives.

This report aims to announce the activities that have been carried out, the results of the environmental objectives proposed for that year and identify possible areas for improvement for the future.

Next, the points that we will discuss during this report:

  • Review of compliance with environmental legislation
  • Environmental objectives. Year 2025
  • Environmental aspects
  • Internal training
  • Planning and response to environmental emergencies
  • Final comment

Review of compliance with environmental legislation 

At least twice a year, a review of the fulfillment of legal requirements regarding the environment is performed. This process serves to check that the previously identified requirements continue to be met and that the new legislation enacted in this matter is taken into account.

Environmental objectives. Year 2025

The environmental objective defined for 2025 regarding a 1% reduction in diesel consumption (liters) per thousand units manufactured has not been achieved.

Diesel consumption is linked to auxiliary services, particularly the heating and air conditioning systems of the facilities. In 2025, two new rooms were put into operation, which led to a normal and expected increase in diesel consumption due to the need to climatize these additional spaces. These rooms were equipped with new equipment, all of which require controlled thermal comfort conditions. In addition, during the period analyzed, more demanding climatic conditions and longer operating times of the climate control systems had a significant influence on consumption.

Environmental aspects 

An identification and evaluation of environmental aspects is carried out.

This identification of aspects has been reviewed on January 28th, 2026 and the evaluation of its impacts has been recalculated. As a result, all aspects except seven were determined to be non-significant, mainly due to the level of control in place and the awareness achieved.

The aspect that has been significant is the following:

  • Obsolete fluorescent and ultraviolet tubes (200121)
  • Contaminated absorbents, filters, and rags (150202)
  • Other engine, transmission, and lubricating oils (130208)
  • Batteries containing mercury
  • Paper consumption
  • Diesel consumption

The environmental aspects that stand out for having experienced an improvement over the previous year:

  • Sodium hypochlorite consumption
  • Water consumption
  • Obsolete IT equipment (computers, printers, etc.) (200135)

Internal training

All personnel newly incorporated to Vircell, S.L. receives specific training related to the environment. The courses are the following:

-Environmental management

On the other hand, specific personnel are trained with particular courses for the Transfer of hazardous waste and for General guidelines for waste disposal.

Planning and response to environmental emergencies

Annually, and in order to validate the planning and response to environmental emergencies and to ensure their adequate knowledge by the personnel, a practical simulation is carried out so that the staff knows first-hand how to act in case of environmental emergencies.

Final comment

As explained in this report, the main environmental processes that affect our activities are being effectively applied and controlled.

And for the record and for the appropriate purposes the environmental performance is publicly communicated through the company's website.