Connected medical technologies—from implantables and bedside devices to SaMD mobile apps and cloud platforms—are transforming patient care. That same connectivity introduces new attack surfaces that can jeopardize safety, performance, data integrity, and privacy if not addressed systematically. The European Association of Notified Bodies (Team-NB) issued a consensus position paper on cybersecurity to clarify expectations for manufacturers and help convergence across the EU market. The paper underscores that cybersecurity is integral to compliance under the MDR/IVDR and should be engineered across the device lifecycle, not appended at the end.
Team-NB’s position aligns with the MDCG 2019-16 Rev.1 Guidance on Cybersecurity for Medical Devices, which frames security as a prerequisite for safety and as part of risk management and software lifecycle processes (e.g., secure design, verification/validation, vulnerability handling, and post-market monitoring). Manufacturers are expected to demonstrate “state-of-the-art” controls proportionate to the device’s intended purpose, clinical context, and connectivity profile.
Why this matters now is clear in the data. The ENISA Health Threat Landscape reports that healthcare has faced a sustained wave of cyber incidents, with ransomware representing 54% of observed threats during the January 2021–March 2023 period. Attackers increasingly target hospitals and providers, but connected devices and digital diagnostics sit within the same ecosystem and must be designed to operate safely under adversarial conditions. Building to recognized frameworks—and proving it in technical documentation and post-market processes—has become a market access requirement, not just good practice.
What Team-NB emphasizes for manufacturers
Team-NB calls for coherent, harmonised expectations to avoid fragmentation from diverging national rules and guidance. Practically, that means embedding security by design within the established regulatory toolset: risk management tied to clinical harm, secure software lifecycle practices, configuration management, SBOM and patching strategies, coordinated vulnerability disclosure, and field monitoring that feeds back into PMS/PMCF. Notified Bodies will evaluate whether these controls are commensurate with the device’s risk, whether the supporting evidence is traceable, and whether responsibilities across manufacturers and health-care organisations are clearly defined.
The paper also recognises resource constraints across industry and authorities and encourages approaches that streamline conformity assessment without lowering the bar—for example, leveraging existing international standards and clearly mapping them to EU requirements. In parallel, broader policy work and sector threat intelligence (e.g., ENISA’s updates) should inform manufacturers’ threat models and maintenance plans over the full device lifetime.
How MDx CRO can help
Cybersecurity is now inseparable from regulatory success. MDx CRO integrates security expectations into regulatory strategy, clinical and post-market plans, and technical documentation so your submission is consistent end-to-end. We align your files with MDCG 2019-16 Rev.1 and Team-NB’s position, operationalise secure-by-design practices in your development lifecycle, and set up vulnerability monitoring and response that fit your PMS system. Explore our support for Regulatory Affairs and Clinical Research, or contact us to discuss a cybersecurity-ready roadmap for your device portfolio.