Revised EU medtech regulations proposal sharpens software and cybersecurity rules for digital health

Published on 15th January 2026

Down‑classification, established software concepts and cyber-incident reporting could reshape digital medtech compliance

At a glance

  • The proposals look to down‑classify lower‑risk software while keeping higher‑impact clinical applications in the stricter risk classes.

  • Manufacturers would have a 30-day window to notify computer security incident response teams and the EU Agency for Cybersecurity of vulnerabilities and severe incidents.

  • Well‑established technology and clarified cybersecurity expectations could streamline conformity assessment for mature, lower‑risk digital tools.

Medical device software and connected devices sit at the intersection of two major regulatory initiatives: the dual Medical Devices Regulation (MDR)-In Vitro Diagnostic Medical Devices Regulation (IVDR) framework and the EU's broader digital and cybersecurity agenda including the Cyber Resilience Act.

The proposed revision of the MDR and IVDR published in December 2025 refines this interface by adjusting software classification rules, extending the "well‑established technology" (WET) concept to digital products and explicitly integrating cybersecurity into the medtech regulations' general safety and performance requirements (GSPRs). At the same time, the European Commission's draft suggests new obligations to report actively exploited vulnerabilities and severe cyber incidents to computer security incident response teams (CSIRTs) and the EU Agency for Cybersecurity (ENISA).

Digital risks in the medtech framework

From the outset, the MDR and IVDR have recognised software as a medical device and introduced dedicated classification rules, notably implementing rule 3.3 and classification rule 11 in annex VIII (classification rules) to the MDR. In practice, however, the broad wording of rule 11 has meant that many software products have been classified at a higher risk level than anticipated, often driving them into class IIa or IIb and requiring full notified body involvement.

The recent EU-led targeted evaluation of the regulations confirmed that these software rules have sometimes resulted in "unnecessary up‑classification", particularly where the digital tool's contribution to clinical decision‑making is indirect or where impact on patient outcomes is limited. At the same time, cybersecurity incidents and vulnerabilities affecting connected devices have highlighted the need for clearer, more proactive obligations on manufacturers to design for cyber resilience and to coordinate responses with cybersecurity authorities.

In parallel, the EU has adopted the Cyber Resilience Act (regulation (EU) 2024/2847), which imposes horizontal cybersecurity requirements and vulnerability reporting obligations for digital products. The amending MDR and IVDR proposal helps ensure that medical devices and IVDs that are already subject to sector‑specific safety rules are not over-regulated. It attempts to do so while providing that medical technology should still meet the core cyber expectations of the applicable EU legal framework.

Down‑classification

The proposal addresses software classification through targeted amendments to annex VIII MDR and accompanying empowerment of the Commission to adapt the classification rules by delegated acts. The explanatory memorandum indicates that certain classification rules are being adjusted to result in lower-risk classes for specific device categories, including reusable surgical instruments, accessories to active implantable devices and software.

A core policy direction is to better distinguish software whose incorrect output may directly cause death or irreversible deterioration of health (which will remain in higher classes) from software with more limited impact, which may be down‑classified. This is consistent with the risk‑based approach and is designed to ensure that not all clinical decision‑support software is treated as inherently high risk.

For IVD software, similar considerations apply under annex VIII of the IVDR, and the Commission is empowered by the regulation to adopt delegated acts adapting the classification rules to technical or scientific progress and to developments regarding classification at international level.

In practice, manufacturers of standalone software may find that updated medical-device coordination group (MDCG) guidance and future delegated acts provide scope to justify lower classifications for certain products, subject to clear documentation of intended purpose and risk control measures. However, as the proposal has not yet completed the EU legislative process, the final requirements remain subject to change.

Applying the WET concept to software

The proposal's introduction of a WET category is not limited to hardware. The proposed definition in article 2 (definitions) of the MDR, as amended, is technology neutral and refers to devices with a well‑known technology and a long history of safe clinical use, supported by consistent clinical evidence and established risk profiles.

This new development opens the door for certain categories of software to be recognised as WET, for example where algorithms have been in use for many years, failure modes are well understood and the software operates in controlled environments (such as basic signal processing or image reconstruction tools that do not themselves conclude diagnoses). Once designated as WET, such software may benefit from the streamlined conformity assessment routes available to WET devices under the MDR.

As the draft law currently stands, software that incorporates adaptive or learning AI, or that is used in novel clinical pathways, is less likely to qualify as WET in the short term given the evolving nature of performance and the continuing need for robust clinical validation.

Cybersecurity in GSPRs

Both the MDR and IVDR already contain references to protection against unauthorised access and interference in annex I (general safety and performance requirements) to the two regulations. The proposal strengthens and clarifies these expectations. It adds more detailed cybersecurity‑related obligations, requiring manufacturers to design and develop devices so as to minimise risks related to data integrity, confidentiality and availability, including in connection with software updates and network connectivity.

The Commission's explanatory memorandum emphasises that cybersecurity is to be regarded as an integral part of the GSPRs, rather than an adjunct consideration. For software and connected devices, the expectation is that cyber risk management should be fully integrated into the technical documentation required under annex II (technical documentation) to the regulations, including risk management files, design documentation and verification and/or validation reports.

Manufacturers will be expected to demonstrate, as part of conformity assessment, that they have applied state‑of‑the‑art cybersecurity engineering practices. Such practices should, under the proposal, be appropriate to the device's intended use, the environment of deployment and the potential consequences of cyber incidents for patient and public health.

New digital health reporting obligations

The most concrete potential new obligations for digital medtech arise from the insertion of a new article 82a in the IVDR and a corresponding cyber‑incident reporting provision in the MDR (article 87a) bearing the same name (reporting of actively exploited vulnerabilities and severe incidents related to devices).

The new provisions establish that, in addition to the existing reporting obligations for serious incidents and field safety corrective actions, manufacturers should notify the CSIRTs designated as coordinators under the Cyber Resilience Act and the Network and Information Security Directive (NIS2) legislation, as well as ENISA, of two categories of events. The first category covers any actively exploited vulnerability – as defined in the Cyber Resilience Act – that is contained in the device. The second category encompasses any severe incident – also within the meaning of the Cyber Resilience Act – that has an impact on the security of the device.

Should the proposed text eventually become law, manufacturers will be required to submit such reports through the EU database on medical devices (Eudamed) platform within 30 days of becoming aware of the actively exploited vulnerability or severe incident. The amended regulations further specify that these reports, as well as any report that also qualifies as an actively exploited vulnerability or severe incident, should be made available simultaneously to the relevant CSIRTs and to ENISA.

The draft provisions are designed to integrate device‑specific reporting with the broader EU cybersecurity incident reporting framework, with the hope that information on vulnerabilities and severe cyber incidents affecting devices and diagnostics is shared with national and EU‑level cyber authorities.

This reporting is in addition to standard vigilance reporting under the existing regulations, which is also subject to a slightly amended regime. In the future, manufacturers may therefore have to distinguish between clinical incidents, cyber incidents, and those that fall into both categories, and ensure that both vigilance and cyber reporting channels are used where required.

Alignment with the EU digital legislation

The explicit cross‑references in the proposed amendments to definitions in the Cyber Resilience Act demonstrate the Commission's intention to avoid duplication of obligations. For regulated medical devices and IVDs, compliance with MDR-IVDR cyber provisions, including incident reporting via Eudamed, is expected to count towards satisfying horizontal cyber obligations, consistent with the lex specialis principle granted to the two regulations by the draft legislation.

At the same time, the Commission may adopt common specifications and the MDCG may adopt guidance in accordance with the regulations to further align technical expectations with emerging cybersecurity standards and best practices, including those developed by ENISA and international standardisation bodies.

Osborne Clarke comment

The draft revisions to the MDR and IVDR framework signal an ambition to take a more explicit, structured approach to digital risk. For software manufacturers, the prospect of down‑classification for less critical applications and the availability of WET‑based pathways could reduce regulatory friction, provided that the products genuinely meet the criteria. However, the bar for demonstrating safe and secure operation is also being raised, with cybersecurity potentially becoming a more integral part of the GSPRs.

The new proposed obligation to report actively exploited vulnerabilities and severe cyber incidents within 30 days to both regulatory and cyber authorities is an important potential change, as it would require significant organisational readiness. Manufacturers that already operate mature vulnerability disclosure programmes may be well placed to integrate these MDR and IVDR‑specific reporting channels. Others may need to enhance their monitoring and incident management capabilities.

Looking ahead, the medtech regulations' cyber regime is likely to interact closely with the Cyber Resilience Act, NIS2 and the Artificial Intelligence Act. For manufacturers of AI‑enabled medical devices, notified bodies may increasingly examine training data quality, model robustness and cyber resilience as interconnected aspects of risk management. While the Commission's proposal is still subject to the EU legislative process, the direction of travel suggests that cross‑functional collaboration – bringing together regulatory, clinical, software engineering and cybersecurity expertise – may become increasingly valuable as the integrated digital-health regulatory landscape continues to evolve.

This is the third article in a series of Insights on the European Commission's MDR and IVDR legislative proposals.
