Abstract
This paper compares the distinct cybersecurity requirements for certifying connected medical devices (CMDs) in the EU and the US, as set out in the MDCG 2019-16 guidance and in the FDA premarket and postmarket cybersecurity guidances, respectively. By examining both the organizational approaches of the MDCG and the FDA and their specific guidance documents, this study identifies key differences and areas of convergence. Findings, informed by stakeholder feedback gathered within the Horizon Europe NEMECYS project, reveal a notable disparity between the two frameworks, with CMD stakeholders expressing significant dissatisfaction with the current EU regulatory framework, particularly regarding its applicability and clarity. The analysis highlights the strengths and weaknesses of each approach from a practical implementation perspective. Ultimately, the paper emphasizes the critical need for the European regulatory landscape to evolve towards clearer and more actionable guidance, especially in rapidly emerging fields such as AI-driven medical devices, in order to effectively support the secure advancement of CMDs.