SBOM Services for EU Medical Devices

What's included

• Build-time SBOM generation (SPDX or CycloneDX)
• Component-source verification and licence review
• VEX statements for known vulnerabilities
• Cross-references into the EU technical file
• Quarterly SBOM refresh and drift detection

EU case context (anonymised)

Recent EU engagements include a German Class IIb monitoring device cleared with TÜV SÜD review feedback in two cycles, an Irish Class IIa SaMD that satisfied an MDCG 2019-16 gap report from BSI in a single resubmission, and a Swiss Class III implant programme aligned to IEC 81001-5-1 from architecture forward. Project names withheld under client NDA.

Blue Goat Cyber serves EU MedTech remotely from our US HQ. EU clients work with the same senior engineers that have shipped 250+ MedTech cybersecurity packages. EU enquiries: [email protected].