Playbook · EU Market Access

The EU MDR & IVDR Cybersecurity Guide

Plain-English guide to the cybersecurity expectations of EU MDR Annex I, IVDR Annex I, MDCG 2019-16, and the upcoming Cyber Resilience Act - plus how to harmonize an FDA + EU package.

All playbooks

Updated May 2026 7 pages 16-min read Download PDF

Why this matters

EU MDR (2017/745) and IVDR (2017/746) embed cybersecurity directly into the General Safety and Performance Requirements. MDCG 2019-16 Rev.1 is the de-facto guidance Notified Bodies use, and the Cyber Resilience Act adds horizontal cybersecurity requirements for products with digital elements. If you're filing FDA + CE in parallel, you can build one evidence package that satisfies both - if you plan it that way.

Key takeaway: Notified Bodies are increasingly asking for the same artifacts FDA reviewers want - SBOM, threat model, pen test, postmarket plan. A harmonized package saves months of duplicated work.

MDR Annex I §17.2 + IVDR Annex I §16.4 - what they actually require

Devices with software must be designed against the state of the art for IT security
Minimum requirements for IT environment (hardware, networks, security)
Protection against unauthorized access required by design
Repeatable, verifiable risk management for cybersecurity throughout lifecycle

MDCG 2019-16 Rev.1 - the operative guidance

Security risk management integrated with ISO 14971
Secure design and manufacture (analogous to FDA's SPDF)
Security verification and validation expectations
Postmarket surveillance, incident reporting, and updates
IT security capabilities to communicate to operators

Cyber Resilience Act - what's coming

Horizontal cybersecurity requirements for products with digital elements
Mandatory vulnerability handling and disclosure
Security update obligations through expected lifetime
Conformity assessment for important / critical product classes
Sectoral lex specialis: MDR/IVDR carve-outs still being clarified

Notified Body evidence - what to bring

Cybersecurity risk assessment integrated with ISO 14971 risk file
SBOM (CycloneDX 1.5 + VEX preferred)
Threat model with mitigations traced to design controls
Penetration test report (manual, exploit-driven)
Postmarket surveillance plan with vulnerability monitoring + CVD
User-facing security documentation (analogous to MDS2)

What's in the full PDF

Side-by-side FDA vs. EU evidence requirements table
MDCG 2019-16 Rev.1 clause-by-clause checklist
Cyber Resilience Act timeline and overlap analysis
Harmonized submission package architecture (one set of artifacts, two filings)
Common Notified Body deficiency themes

Want the full 7-page playbook?

Includes every checklist, table, and template - formatted for printing and sharing.

Download PDF

What's inside

MDR Annex I §17.2 + IVDR Annex I §16.4 decoded
MDCG 2019-16 Rev.1 requirements walkthrough
Cyber Resilience Act overlap and timing
Notified Body evidence expectations
Harmonized FDA + EU submission package

Get the next playbook

Subscribe to The Monthly Pulse for new playbooks, FDA updates, and field notes.

Other playbooks

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.

Book strategy session Explore services