MDCG 2019-16 Rev. 2 - cybersecurity expectations for MDR/IVDR submissions

Revised MDCG cybersecurity guidance details security risk management, IT environment assumptions, and basic UDI/postmarket cybersecurity expectations for Notified Body review.

What changed

Clarifies the split between safety risk (ISO 14971) and security risk (IEC 81001-5-1).
Spells out IT environment assumptions manufacturers must document and validate.

Action for manufacturers

Cross-reference your MDR technical documentation against Rev. 2's checklist; many 2023-era submissions still cite Rev. 1.

Primary sources

MDCG guidance index

Related Blue Goat Cyber resources

Security risk assessment under IEC 81001-5-1

Entry metadata

Date: Jul 1, 2025
Agency: MDCG (EU)
Type: Guidance
Status: Active
Impact: High
Last reviewed: Jun 5, 2026

Applies to

EU MDR
EU IVDR

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services