European Union — EC / MDCG
MDR 2017/745 + MDCG 2019-16 Cybersecurity Guidance
Authority
European Commission, Medical Device Coordination Group (with national Competent Authorities)
Enforced
May 2021
Legal framework
MDR Annex I GSPR 17.2 + NIS2 Directive (CRA explicitly excludes products covered by MDR/IVDR)
Scope
All medical devices placed on the EU market with electronic programmable systems or software. IVDR mirrors the same expectations.
Pre-market
Risk management per ISO 14971, IT security in technical documentation, IEC 81001-5-1, minimum IT requirements in IFU, verification & validation evidence reviewed by Notified Body.
Post-market
PMS plan, PSUR, vigilance reporting within 15 days for serious incidents (2 days for serious public health threats).
SBOM
Recommended. Not yet mandated by MDR but expected by many Notified Bodies. Note: medical devices are excluded from the Cyber Resilience Act under Art. 2 — CRA SBOM rules do not apply.
Vulnerability disclosure
Required under NIS2 for essential/important entities; encouraged for all manufacturers.
Penalty
MDR: market removal + national fines. NIS2: up to €10M or 2% global turnover (where the manufacturer is in scope as an essential/important entity).
Unique requirements
- Minimum IT requirements stated in the IFU
- Notified Body conformity assessment for Class IIa+
- EUDAMED registration and UDI
Highlights
- Aligned to IEC 81001-5-1
- Overlaps with NIS2 for in-scope entities (CRA carve-out)
- Heavy Notified Body scrutiny of evidence
Timeline
- May 2021: MDR fully applicable
- Jan 2023: NIS2 enters into force
- Dec 10 2024: CRA enters into force (medical devices excluded under Art. 2)
Key documents
MDCG 2019-16 Rev.1 Guidance on Cybersecurity
https://health.ec.europa.eu/system/files/2022-01/md_cybersecurity_en.pdf
Regulation (EU) 2017/745, MDR
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R0745
Cyber Resilience Act
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
Frequently asked about European Union
Is SBOM required for medical devices in European Union?
Recommended. Not yet mandated by MDR but expected by many Notified Bodies. Note: medical devices are excluded from the Cyber Resilience Act under Art. 2 — CRA SBOM rules do not apply.
What does EC / MDCG require for pre-market cybersecurity?
Risk management per ISO 14971, IT security in technical documentation, IEC 81001-5-1, minimum IT requirements in IFU, verification & validation evidence reviewed by Notified Body.
What are the post-market cybersecurity obligations under EC / MDCG?
PMS plan, PSUR, vigilance reporting within 15 days for serious incidents (2 days for serious public health threats).
What is the penalty for non-compliance with EC / MDCG cybersecurity rules?
MDR: market removal + national fines. NIS2: up to €10M or 2% global turnover (where the manufacturer is in scope as an essential/important entity).
How much of my FDA cybersecurity package is reusable in European Union?
Roughly 60% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).