
EU Tightens Cybersecurity Requirements for Medtech

Cybersecurity is now a requirement for all medical devices. Learn how the EU's MDR and IVDR regulations impact manufacturers.

Technology is advancing rapidly, and the EU has already needed to adjust the MDR and IVDR regulations. For manufacturers, this means increased requirements to build cybersecurity in from the start, document processes, and follow up on security throughout the entire product lifecycle.

Pacemakers, insulin pumps, sensors, and analytical equipment are now dependent on digital systems. To be sold within the EU, they must meet clear cybersecurity requirements and be proven reliable for both patients and healthcare providers. This is where the MDR and IVDR regulations come into play – and in other markets, the FDA plays a similar role.

How MDR and IVDR govern cybersecurity

MDR and IVDR make cybersecurity part of the overall quality of medical devices, on the same level as functionality and safe use. They cover the entire lifecycle, from design and development to documentation, monitoring, and IT environment considerations.

  • MDR (Medical Device Regulation – EU 2017/745) applies to most medical devices and software used directly on humans – everything from electronic prosthetics and pacemakers to logging apps, measurement equipment, and treatment systems.
  • IVDR (In Vitro Diagnostic Medical Device Regulation – EU 2017/746) applies to diagnostic products that analyze samples outside the body, such as blood tests, genetic tests, and infection tests.

To clarify the requirements further, the EU plans to harmonize ISO 81001-5-1 in mid-2028, which explains how manufacturers can move from risk analysis to technical controls and documentation. But even today, Notified Bodies have already started to apply parts of it during their assessments.

Security must be built in from the beginning

Cybersecurity cannot be postponed until the end of development. Processes must be established from the start and followed throughout the entire lifecycle. For companies that take the issue seriously, the experience becomes an asset that makes the next cycle smoother and faster, while those who wait risk significant costs and severe delays.

“It can be the difference between being first to market with a new product or watching a competitor get there first,” says Albin Eldstål-Ahrens, PhD and Security Specialist at Assured.

The regulations make this clear. MDR and IVDR require, among other things, that:

  • Risk assessments must be documented
  • Post-Market Surveillance (PMS) must be in place – meaning continuous monitoring and reporting of faults and incidents when the product is used in real-world settings
  • Serious incidents must be reported within as little as two days
  • Documentation of security measures and testing is required for CE marking

For most product classes, a review by a Notified Body is also required – an EU-accredited, independent organization that approves the product before it can be sold.

Both the FDA and Notified Bodies emphasize that it is difficult for a manufacturer to objectively assess their own product. This is why independent testing is written into guidelines and standards. Regular penetration testing by an external party is now considered essential to ensure that security remains robust over time.


FDA and international requirements

The EU is not alone in imposing strict requirements. The U.S. Food and Drug Administration (FDA) has long issued its own guidance requiring cybersecurity to be both verified and validated throughout the product lifecycle.

This means that the same product may require different types of documentation depending on the market. Manufacturers may therefore need to account for both EU and U.S. requirements early in the design and development stages. In practice, companies often arrive at a comprehensive security solution that covers both markets.

What does risk mean in practice?

In the regulations, risk is defined as the combination of likelihood and severity. A blood glucose meter illustrates the difference:

  • A missed measurement – less severe, but still a risk.
  • Unauthorized data access – sensitive information ends up in the wrong hands, a more serious risk.
  • Manipulated values – may lead to incorrect treatment and become life-threatening.

Risks can never be eliminated entirely. Instead, the regulations require that they be reduced to an acceptable level, with evidence showing how this has been achieved.

Mistakes, weaknesses, and follow-up

Risks are not only technical vulnerabilities but also foreseeable misuse – user errors that can reasonably be anticipated. This might involve unclear instructions or interfaces where new users receive higher privileges than intended. The result is an increased attack surface even when the user acted correctly.

“In MDR and IVDR, foreseeable misuse is treated similarly to actual vulnerabilities – it must be addressed in the same way,” says Albin. Vulnerabilities change over time; new issues emerge in existing components and lead to foreseeable misuse that must be included in the risk analysis.

According to the regulations, the work does not end at launch. When the product is used in healthcare environments, manufacturers must quickly report discovered issues to relevant authorities or their Notified Body – sometimes within just two days. Another challenge is that the data collected for product monitoring is often sensitive personal data and therefore also subject to GDPR.

Finally, application security is critical. Although not explicitly regulated in MDR, in practice it is factors such as access control, privilege management, and preventing data leakage that determine how secure a product really is.


Deadlines to keep in mind

The implementation of MDR and IVDR is phased depending on product class. Some products have been covered since 2021, while others have transition periods lasting until 2027-2028. Those who wait too long risk bottlenecks, long review delays – or in the worst case, a blocked product launch.

How can organizations prepare now?

  1. Identify whether and how your products are covered by MDR or IVDR – classification determines the requirements.
  2. Review internal processes. Processes, documentation, routines, and technical measures must be in place to avoid delays and additional costs.
  3. Get help if needed. Specialists can guide you through the entire process while helping build the right internal competence.

“Security is not really a feature – it is a process. This is especially clear in MDR, which explicitly places a responsibility on manufacturers to continuously follow up,” Albin concludes.


EU Tightens Cybersecurity Requirements for Medtech - MDR and IVDR | Assured AB, Security Consultants