The Crosswalk

    Head to head

    FDA 524B vs EU MDR

    United States and European Union medical-device cybersecurity, compared.


    Bottom line

    The FDA's §524B regime and the EU MDR cybersecurity expectations (MDCG 2019-16 + GSPR Annex I §17) share a common backbone — SPDF-style lifecycle, SBOM, threat modelling, post-market monitoring. The biggest gaps are evidence format (FDA wants a single eSTAR cybersecurity section; the EU wants the same content threaded through the technical documentation and reviewed by a Notified Body), the role of harmonised standards (EU pushes IEC 81001-5-1 + IEC 62443-4-1 conformity), and the incoming EU Cyber Resilience Act overlay from December 2027.

    Who this is for · Manufacturers cleared in the US planning a CE-mark expansion (or vice versa).

    Where they differ

    Legal hook

    FDA 524B: FD&C §524B (statutory, since March 2023) + Feb 2026 Final Guidance.

    EU MDR: MDR Annex I GSPR §17 + MDCG 2019-16 Rev.1 (2019) + CRA from Dec 2027.

    Takeaway: Both are mandatory; the EU stacks more documents and adds a Notified Body reviewer.

    SBOM

    FDA 524B: Mandatory, machine-readable (SPDX or CycloneDX), with known vulnerabilities and support level per component.

    EU MDR: Strongly expected by Notified Bodies today; becomes mandatory under the CRA from Dec 2027.

    Takeaway: Generate one CycloneDX file at release time — it satisfies both with no rework.
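    As an added illustration (not code from this comparison page), a small Python checker for the per-component content listed above: a version, a support-level entry, and vulnerability entries that resolve to a listed component. The sample BOM and its vulnerability id are constructed, and the "device:support_level" property name is an assumed in-house convention, since CycloneDX has no dedicated support-level field and carries such data in "properties".

```python
import json

# Constructed sample: a minimal CycloneDX 1.5 SBOM of the kind emitted at release time.
# "device:support_level" is an assumed in-house property name, not a CycloneDX-defined field.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "bom-ref": "pkg:generic/openssl@3.0.12",
         "properties": [{"name": "device:support_level", "value": "supported"}]},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "bom-ref": "pkg:generic/zlib@1.2.11"},          # no support level recorded
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",                        # placeholder id, not a real advisory
         "affects": [{"ref": "pkg:generic/zlib@1.2.11"}]},
    ],
}


def check_sbom(bom: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    refs = set()
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        if not comp.get("version"):
            findings.append(f"{name}: missing version")
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if "device:support_level" not in props:
            findings.append(f"{name}: missing support level")
    # Every listed vulnerability must point at a component that is actually in the BOM.
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            if affected.get("ref") not in refs:
                findings.append(f"{vuln.get('id')}: affects unknown ref {affected.get('ref')}")
    return findings


def check_sbom_file(path: str) -> list:
    """Load a CycloneDX JSON file from disk and run the same checks."""
    with open(path, encoding="utf-8") as f:
        return check_sbom(json.load(f))


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_BOM) or ["no findings"]:
        print(finding)
```

    Run against the sample it reports the one component without a support level; point check_sbom_file at a release BOM to gate a build on the same checks.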

    Threat modelling

    FDA 524B: Required in eSTAR §14; STRIDE accepted; must include architecture views.

    EU MDR: Expected per MDCG 2019-16 §3.3; same content, different filing structure.

    Takeaway: Author it once in your DHF; cross-reference it from both submissions.

    Vulnerability disclosure

    FDA 524B: CVD plan must be filed pre-market; updates must be free of charge.

    EU MDR: PSUR + vigilance reporting; serious incident within 15 days (immediately if there is a public-health threat).

    Takeaway: A single global CVD policy works — but the EU needs faster serious-incident reporting.

    Post-market

    FDA 524B: 21 CFR 806; uncontrolled risk = 30-day report.

    EU MDR: Continuous PMS + PSUR + EUDAMED vigilance + the CRA's 24-hour active-exploit notice to ENISA from 2027.

    Takeaway: The EU is moving faster on incident timelines; treat the CRA as the floor.

    Standards leverage

    FDA 524B: AAMI TIR57, AAMI SW96, IEC 81001-5-1 referenced; SPDF acceptable.

    EU MDR: Harmonised: IEC 81001-5-1, IEC 62443-4-1 (parent), ISO 14971; IEC 62304 for SOUP.

    Takeaway: Build to IEC 81001-5-1 + IEC 62443-4-1 and you cover both.

    Full profiles

    United States: FDA Premarket Cybersecurity Guidance & FD&C §524B

    European Union: MDR 2017/745 + MDCG 2019-16 Cybersecurity Guidance

    Frequently asked

    Can I reuse my FDA cybersecurity package for CE marking?

    About 70–75% of it lifts cleanly — threat model, SBOM, security risk assessment, pen-test report, CVD policy. You'll re-paginate it into the EU technical documentation structure, add IEC 81001-5-1 / 62443-4-1 conformity statements, and brief your Notified Body reviewer.

    Does the EU CRA replace MDCG 2019-16?

    No — they stack. From Dec 2027 a connected medical device must satisfy MDR + MDCG 2019-16 AND the CRA essential requirements. Expect the harmonised list to evolve; treat CRA as the floor and MDCG 2019-16 as the device-specific overlay.

    Which submission is faster end-to-end?

    FDA 510(k) with a clean cybersecurity package typically clears in 4–6 months. CE marking under MDR adds Notified Body queue time (often 12+ months for Class IIb/III) — cybersecurity is rarely the bottleneck, but a missing SBOM or threat model will park your file in major nonconformities.
