The European Commission published today a new MDCG guidance document, the 16th in the series, intended to help medical device manufacturers and other actors fulfil the cybersecurity requirements set out in Annex I of the EU MDR/IVDR.
The 47-page guidance document is divided into several sections and two annexes that address both pre-market and post-market aspects:
- Basic Cybersecurity Concepts
- Secure Design and Manufacture
- Documentation and Instructions for use
- Information to be provided to healthcare providers
- Post-Market Surveillance and Vigilance
- Other Legislation and guidance: EU and International
- Annex I: mapping of IT security requirements to the NIS Directive Cooperation Group measures (page 36 of the guidance)
- Annex II: examples of cybersecurity incidents and serious incidents (page 40 of the guidance)
[Figure: cybersecurity activities across the life cycle of a medical device, as listed by the MDCG in accordance with the Medical Devices Regulations.]
The guidance applies to all medical devices that incorporate electronic programmable systems, and to software that is a medical device in its own right.
The MDCG notes that a manufacturer shall develop and manufacture its products in accordance with the state of the art, taking into account the principles of risk management, including information security, and shall set out minimum requirements concerning IT security measures, including protection against unauthorised access.