Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Blog · FDA

    Medical Device Pen Testing: FDA vs EU MDR 2026

    Medical device pen testing under FDA vs EU MDR: the 5 FDA report elements, MDR Annex I §17.2/17.4, and how one report serves both submissions.

    Hero illustration for the article: Medical Device Pen Testing: FDA vs EU MDR 2026
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: July 10, 2026

    Published July 10, 2026

    Direct answer

    No, medical device penetration testing requirements are not the same across the FDA and EU MDR. The FDA's February 3, 2026 final premarket cybersecurity guidance (§V.C) names penetration testing directly and prescribes five report elements: independence and expertise of testers, scope, duration, methods, and results. The EU MDR never uses the phrase "penetration test." It arrives indirectly, through Annex I General Safety and Performance Requirements §17.2 and §17.4, interpreted by notified bodies against EN IEC 81001-5-1:2022 and MDCG 2019-16 §3.7. The evidence overlaps; the obligations do not. A single report written to the FDA's five-element format satisfies both regimes when it is mapped, not rewritten.

    Key Takeaways

    • The FDA prescribes exactly five report elements for pen testing under the Feb 3, 2026 guidance §V.C; the EU MDR prescribes zero.
    • MDR reaches pen testing through Annex I §17.2 (IT security measures) and §17.4 (state-of-the-art) plus MDCG 2019-16 §3.7, with notified bodies treating EN IEC 81001-5-1:2022 as the working evidence standard.
    • Independence expectations differ: the FDA expects documented third-party or organizationally-separated testers; the MDR route accepts graded independence under IEC 62443-4-1 practice SVV-3.
    • FDA evidence lives in the eSTAR cybersecurity attachment; MDR evidence is distributed across Annex II technical documentation and referenced from the risk management file.
    • Applicability triggers differ. The FDA applies to a "cyber device" as defined in Section 524B(c); the MDR applies to any device with software or a data interface.
    • One pen test report can serve both submissions when written to the FDA's stricter five-element format and cross-mapped to §17.2/§17.4 and EN IEC 81001-5-1.

    At-a-glance comparison

    Dimension FDA (Feb 3, 2026 guidance) EU MDR (2017/745)
    Report content 5 prescribed elements: independence, scope, duration, methods, results (§V.C) Not prescribed; technique unnamed. Notified bodies expect EN IEC 81001-5-1 clause 5.7 evidence
    Independence Documented third-party, or internal team with documented org separation Graded per ANSI/ISA IEC 62443-4-1 SVV-3; internal red teams accepted if independent of design/implementation
    Evidence location Single eSTAR cybersecurity attachment (STED §5.4, eSTAR v7) Distributed across Annex II technical documentation, ISO 14971 risk management file, and IEC 62304 / 81001-5-1 lifecycle documentation
    Applicability trigger "Cyber device" per Section 524B(c) - software + internet-connection capability + vulnerable characteristics Any device with software or programmable electronics (Annex I §17.2), regardless of connectivity

    Table of Contents

    Why this matters

    Manufacturers selling into both the United States and the European Union routinely treat penetration testing as a single deliverable that "covers both." It does, but only when it is written to the stricter of the two formats and explicitly cross-referenced to the other. Written the other way around, submissions get pushed back on both sides for different reasons.

    The FDA's Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 3, 2026, final) is prescriptive. It names penetration testing in §V.C and lists five required report elements. The EU MDR (Regulation (EU) 2017/745) never mentions penetration testing, but Annex I §17.2 requires manufacturers to adopt "measures to ensure IT security," §17.4 sets a state-of-the-art bar, and MDCG 2019-16 (Guidance on Cybersecurity for medical devices, rev. 1 July 2020) §3.7 tells notified bodies to expect verification and validation of security controls. Notified bodies now treat EN IEC 81001-5-1:2022 as the working evidence standard for that verification.

    What the FDA prescribes: the five report elements

    The Feb 3, 2026 guidance §V.C is explicit. A penetration test report submitted with a 510(k), De Novo, PMA, PDP, or HDE for a "cyber device" (defined in Section 524B(c) of the FD&C Act) must document:

    1. Independence and technical expertise of testers - named individuals with credentials, and a statement that testers have no development relationship with the manufacturer.
    2. Scope - every interface tested, every interface excluded, and rationale for exclusions traced back to the threat model.
    3. Duration - actual tester-days, broken out by phase.
    4. Methods - named frameworks and tools (OWASP MASTG, PTES, NIST SP 800-115) and the technique used per interface.
    5. Results - findings with severity, reproduction steps, evidence, retest status, and residual risk statement.

    Missing any of the five is a first-cycle Additional Information request. For a deeper walkthrough of what belongs inside a compliant engagement, see the FDA penetration testing requirements guide.

    How EU MDR reaches penetration testing

    The MDR never says "penetration test." The obligation is inferred from three linked instruments:

    • Annex I §17.2 requires software devices to be developed and manufactured in accordance with the state of the art, including "measures to ensure IT security."
    • Annex I §17.4 requires the manufacturer to "set out minimum requirements concerning hardware, IT networks characteristics and IT security measures."
    • MDCG 2019-16 §3.7 tells notified bodies to expect verification of security requirements and testing of controls, without naming a specific technique.

    Notified bodies fill in the technique with EN IEC 81001-5-1:2022 (harmonised under the MDR, OJ 2024/1878). Clause 5.7 requires security testing activities including vulnerability testing; the process standard behind it is ANSI/ISA IEC 62443-4-1 practice SVV-3 (Vulnerability Testing) and SVV-4 (Penetration Testing). That is where penetration testing enters the MDR technical file, not through the regulation text itself.

    Independence: documented third-party vs graded

    The FDA expects a named, credentialed third party, or an internal team that is organizationally separated from the development team with the separation documented. The bar is binary: independence is either shown or it is not.

    EN IEC 81001-5-1 and IEC 62443-4-1 treat independence as graded per practice - the tester must be independent of the design and implementation of the item under test, but the standard tolerates internal test teams that meet that criterion. Notified bodies routinely accept internal red teams that satisfy 62443-4-1 SVV-3 role separation. For an FDA submission, err toward the stricter interpretation: name external testers and their credentials in the report front matter.

    Where the evidence lives in each submission

    For the FDA, the penetration test report is a discrete attachment in the eSTAR cybersecurity section (STED §5.4 under eSTAR v7). Reviewers open one file and expect to find all five required elements in the executive summary. Fragmenting the evidence across multiple documents is a common cause of "cannot locate" deficiencies.

    For the MDR, evidence is distributed. The pen test report is referenced from:

    • Annex II §6.1 (verification and validation) in the technical documentation,
    • The risk management file under ISO 14971 (with security risks per AAMI TIR57 or the emerging ISO 14971 amendment),
    • The software lifecycle documentation under IEC 62304, cross-referenced to IEC 81001-5-1 clause 5.7 evidence.

    The report itself does not need to change. The table of references does.

    Applicability triggers: cyber device vs any device with software

    See also: FDA Penetration Testing Requirements, FDA Pen Test Timing: How Recent Must Your, and DAST vs Penetration Testing: What the FDA.

    Section 524B(c) applies to devices that (1) include software validated, installed, or authorized by the sponsor, (2) have the ability to connect to the internet, and (3) contain any technological characteristics that could be vulnerable to cybersecurity threats. Devices that fail any of the three prongs are outside 524B, though the FDA still applies cybersecurity expectations to IDEs and to non-cyber devices through general controls.

    The MDR has no equivalent gate. Annex I §17.2 applies to any device that incorporates electronic programmable systems or software that is a device in itself. A standalone medical device with a wired serial port and no network stack is inside §17.2's scope for the EU and outside 524B's scope for the FDA.

    One report, both regimes: the mapping approach

    The working pattern for dual-market manufacturers:

    1. Write the penetration test report to the FDA's five-element format (§V.C). It is the stricter of the two, so anything a notified body needs will be present.
    2. Add an annex titled "MDR/IEC 81001-5-1 mapping" that cross-references each section of the report to Annex I §17.2, §17.4, MDCG 2019-16 §3.7, and EN IEC 81001-5-1 clause 5.7.
    3. Reference the same report from the risk management file (ISO 14971) and the software lifecycle plan (IEC 62304 / 81001-5-1) in the EU technical documentation.

    The mapping annex is what turns a single deliverable into evidence for both regimes. Without it, notified bodies read a US-format report and ask for a European one; with it, they check the crosswalk and move on.

    Side-by-side comparison

    Dimension FDA (Feb 3, 2026 guidance) EU MDR (2017/745)
    Named in regulation? Yes, guidance §V.C No, inferred from Annex I §17.2/§17.4
    Prescribed report elements 5 (independence, scope, duration, methods, results) 0 (technique unnamed)
    Working evidence standard AAMI SW96, IEC 81001-5-1, ISO 14971 EN IEC 81001-5-1:2022, IEC 62443-4-1 SVV-3/4
    Independence bar Documented third-party or org-separated Graded per 62443-4-1 practice
    Where evidence lives eSTAR cybersecurity attachment Distributed across Annex II, ISO 14971 file, IEC 62304 documentation
    Applicability trigger Section 524B(c) "cyber device" Any device with software or programmable electronics
    Postmarket obligation 524B(b) postmarket plan + CVD Article 83 PMS + MDCG 2019-16 §5 postmarket security

    How Blue Goat approaches this

    Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We write every penetration test report to the FDA's five-element format because it is the stricter of the two, then map it in a dedicated annex to Annex I §17.2/§17.4, MDCG 2019-16 §3.7, and EN IEC 81001-5-1:2022 clause 5.7. The result is one engagement, one report, and two clean submissions. See our medical device penetration testing services and the EU Cyber Resilience Act for medical devices service page. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    Are FDA and EU MDR penetration testing requirements the same?

    No. The FDA prescribes five report elements under the Feb 3, 2026 guidance §V.C and names penetration testing directly. The EU MDR never mentions penetration testing; it arrives through Annex I §17.2, §17.4, MDCG 2019-16 §3.7, and EN IEC 81001-5-1:2022 clause 5.7. The evidence overlaps but the obligations, format, and location in the submission differ.

    Can one penetration test report serve both an FDA submission and an EU MDR technical file?

    Yes, when it is written to the FDA's five-element format and includes an MDR/IEC 81001-5-1 mapping annex that cross-references each section to Annex I §17.2/§17.4, MDCG 2019-16 §3.7, and EN IEC 81001-5-1 clause 5.7. Write it the other way around and notified bodies accept it; the FDA reviewer asks for the missing elements.

    Does the EU MDR require an independent third-party tester?

    Not explicitly. EN IEC 81001-5-1 and ANSI/ISA IEC 62443-4-1 treat independence as graded per practice - the tester must be independent of the design and implementation, but internal red teams that meet the SVV-3 role-separation criterion qualify. Notified bodies routinely accept them. For an FDA submission, use an external tester or a documented organizationally-separated internal team.

    Where does the penetration test report go in an eSTAR submission?

    The Feb 2026 guidance places the report in the cybersecurity attachment, STED §5.4 in eSTAR v7. Reviewers open one file and expect all five required elements (independence, scope, duration, methods, results) in the executive summary. Fragmenting the evidence across attachments is a common source of "cannot locate" deficiencies.

    Is my device inside scope for FDA cybersecurity requirements if it has no network connection?

    Not under Section 524B, which applies only to "cyber devices" as defined in 524B(c) - devices with software, internet-connection capability, and vulnerable technological characteristics. Non-cyber devices are still subject to general FDA cybersecurity expectations under the Feb 2026 guidance's applicability discussion, but not to 524B's specific documentation gates. Under the EU MDR, Annex I §17.2 applies to any device with software regardless of connectivity.

    What standards do notified bodies cite for EU pen testing evidence?

    EN IEC 81001-5-1:2022 (harmonised under the MDR, OJ 2024/1878) is the working evidence standard. Its clause 5.7 requires security testing including vulnerability testing, and the referenced process standard is ANSI/ISA IEC 62443-4-1 practices SVV-3 (vulnerability testing) and SVV-4 (penetration testing). MDCG 2019-16 §3.7 is the notified body guidance that ties the two together.

    Final thoughts

    The temptation for dual-market manufacturers is to commission "an EU pen test" and "a US pen test" as separate engagements. That doubles the cost and produces two reports that will need to be reconciled anyway. The shorter path is one engagement, written to the FDA's five-element format, with an MDR/IEC 81001-5-1 mapping annex bolted on. The five FDA elements are a superset of what a notified body asks for; the annex is the crosswalk that lets both reviewers find what they need in the same document.

    Need a gap check? Our Medical Device Pen Test Requirements gap check returns a one-business-day written analysis against Section 524B, the Feb 2026 guidance, EN IEC 81001-5-1, and MDCG 2019-16 - free.

    Related reading: FDA penetration testing requirements for medical devices, EU MDR vs FDA cybersecurity crosswalk, IEC 81001-5-1 security risk assessment guide, Penetration testing for medical devices guide, and DAST vs penetration testing for FDA medical devices.

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions, EU MDR technical documentation, and postmarket compliance. Read more about Christian.

    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.