Abstract
The increasing complexity of Connected Medical Devices (CMDs) and their integration into digital healthcare systems have heightened the urgency for robust cybersecurity practices. To guide stakeholders in this domain, the Medical Device Coordination Group (MDCG) has issued the MDCG 2019-16 guidelines, titled “Guidance on Cybersecurity for Medical Devices”, which outline key expectations for ensuring cybersecurity throughout the lifecycle of medical devices. Although non-binding, these guidelines are now the most widely accepted framework for integrating cybersecurity into the lifecycle of CMDs in the EU and are considered essential for achieving compliance with the cybersecurity and safety requirements of the EU’s Medical Device Regulation (MDR 2017/745) and In Vitro Diagnostic Regulation (IVDR 2017/746).
Despite their wide use, the MDCG 2019-16 guidelines have several limitations and practical challenges that experts and industry stakeholders have pointed out. The European Health and Digital Executive Agency (HaDEA) took note of this and encouraged the projects funded under the Horizon Europe call “Enhancing cybersecurity of connected medical devices” (HORIZON-HLTH-2022-IND-13-01) to analyse the practical application of the guidelines in diverse CMD scenarios and to provide recommendations for improvement. Consequently, the NEMECYS project (2023-2025) applied the guidelines in its four case studies and evaluated their applicability and practical use. In this brief, we summarise the key findings and policy recommendations from the project. The aim is to provide constructive input that enhances the clarity, completeness, and usability of the next revision of the guidelines.