This post introduces Wise Company’s strategy for addressing European CE medical device cybersecurity regulatory compliance based on MDR, IEC 81001-5-1, and ISO 14971.

European (CE) Medical Device Cybersecurity

A Practical Guide Based on MDR, IEC 81001-5-1, and ISO 14971

Wise Company Inc. supports manufacturers in effectively responding to EU medical device cybersecurity regulatory requirements (CE marking).


1. Security Is Not “Technology” – It Is a Regulatory Requirement

MDR Annex I GSPR 17.1-17.2

Under MDR Annex I GSPR 17.1, devices that incorporate electronic programmable systems, including software, must be designed to ensure repeatability, reliability and performance in line with their intended purpose, and to eliminate or reduce as far as possible the risks arising from a single fault condition.

GSPR 17.2 adds that software must be developed and manufactured in accordance with the state of the art, taking into account the principles of the development life cycle, risk management (including information security), verification and validation. GSPR 17.4 further requires manufacturers to set out minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access.

MDR’s Cybersecurity Perspective

MDR treats cybersecurity as part of the essential patient safety requirements: a security weakness that can affect the device's performance or expose patient data is a risk that must be reduced as far as possible, and a device whose security risks have not been identified and controlled cannot be shown to meet the GSPRs.

Cybersecurity is therefore one of the items a Notified Body evaluates during CE conformity assessment, not an optional add-on.

2. Security Starts at the Design Stage

IEC 81001-5-1 Security Requirements


Manufacturer Security Activity Requirements

Document Security Functional Requirements

Establish activities to document the security functional requirements of the product, covering its installation, operation, maintenance, and end-of-life (decommissioning) phases

Review Security Requirements Consistency

Review whether the security requirements are consistent with the product requirements and with the risk controls, are clearly and unambiguously defined, and are expressed in a way that allows verification test criteria to be derived from them

IEC 81001-5-1:2021 Clauses 5.2.1-5.2.2 require manufacturers to document security requirements during the design input phase and to ensure they are consistent with risk controls and verifiable.

This means that security is not a post-development checklist item, but a regulatory requirement incorporated from the design stage.

3. Security Risks Are Managed as Safety Risks

ISO 14971 and AAMI TIR57 Risk Management


Risk Management Requirements

1. Identify and Analyze Hazards Throughout the Lifecycle

Manufacturers shall identify and analyze all hazards throughout the entire lifecycle of the medical device, including harms resulting from software, system, or data security failures.

2. Assess CIA Loss Impact

For each identified asset, the impact of any loss of confidentiality, integrity, or availability (CIA) on safety, effectiveness, and system or data security shall be assessed.

Key Standard Requirements

  • ISO 14971:2019 Clause 4.1 – Requires management of all risks throughout the device lifecycle, including those caused by software and data security failures
  • AAMI TIR57:2016 Clause 4.3.4 – Requires assessment of how CIA losses affect safety and effectiveness
These standards clearly establish that cybersecurity risks are not merely IT issues, but safety risks that may cause patient harm.

4. A Security Framework Proven by Documentation

MDR Annex II Technical Documentation


Technical Documentation Requirements

MDR Annex II – Security Requirements and Verification Results

The technical documentation must include the security requirements and the verification results that demonstrate compliance with the Annex I General Safety and Performance Requirements (GSPR)

MDCG 2019-16 Rev.1 Section 4.1 – Solution Justification and Verification

Justification, verification, and results for solutions addressing security risks must be documented

In short, security is not proven by implementation alone: the Notified Body assesses the documentation, so each security requirement must be traceable to a risk control and to the verification evidence that shows it works.

European CE Cybersecurity Key Summary

Key Principle / Main Content / Related Standards

Regulatory Requirement
  • Security is a patient safety requirement and a key item in CE conformity assessment
  • Related standards: MDR Annex I GSPR 17.1-17.2

Design Integration
  • Document security requirements from the design input phase and ensure consistency with risk controls
  • Related standards: IEC 81001-5-1:2021 Clauses 5.2.1-5.2.2

Risk Management
  • Manage security risks as safety risks and assess the impact of CIA losses on safety
  • Related standards: ISO 14971:2019, AAMI TIR57:2016

Documentation
  • Document security requirements and verification results, and the justification and verification of each security solution
  • Related standards: MDR Annex II, MDCG 2019-16 Rev.1

Conclusion

European CE medical device cybersecurity is not merely a technical implementation, but a regulatory requirement.

MDR, IEC 81001-5-1, and ISO 14971 define security as a core element of patient safety and require a systematic approach from design stage through documentation.

Wise Company Inc. supports manufacturers in achieving CE conformity through cybersecurity strategies based on these international standards.

European CE Cybersecurity Preparation Checklist

  • Understand the MDR Annex I GSPR 17.1-17.2 requirements and how they apply to the device's software and connectivity
  • Document security requirements at the design input stage, covering installation, operation, maintenance, and end-of-life
  • Ensure each security requirement is consistent with the product requirements and traceable to a risk control
  • Establish verifiable test criteria for every security requirement
  • Identify and analyze hazards throughout the entire lifecycle, including those arising from security failures
  • Assess the safety and effectiveness impact of a loss of confidentiality, integrity, or availability for each asset
  • Perform ISO 14971-based risk management for security risks alongside other safety risks
  • Include security requirements and verification results in the technical documentation
  • Comply with the MDCG 2019-16 Rev.1 guidance
  • Document the justification and verification of each security solution