MDCG 2019-16 Guidande on Cybersecurity for medical devices (MDR / IVDR)
The two new Regulations on medical devices 745/2017 (MDR) and 746/2017 (IVDR) (hereafter called the Medical Devices Regulations) have been adopted and entered into force on 25 May 2017. The two Regulations, which are to replace three EU Directives1 , apply progressively until May 2020 for medical devices and May 2022 for in vitro diagnostic medical devices.
Among the many novelties introduced, the two Regulations enhance the focus of legislators on ensuring that devices placed on the EU market are fit for the new technological challenges linked to cybersecurity risks. In this respect, the new texts lay down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access.