HICP 2026 is out and, while HICP is written for healthcare delivery organizations, three of its practices bind manufacturers indirectly through HDO procurement:
1. Medical device security practice: HDOs are increasingly asking for SBOMs, MDS2 forms, and end-of-support horizons at RFP time. If you can't deliver, you lose deals.
2. Vulnerability management practice: HDOs expect a working CVD channel and a published disclosure timeline. They will test it during due diligence.
3. Third-party risk management practice: HDOs are being asked to keep evidence that their device suppliers operate a security program. Expect security questionnaires to get longer and more prescriptive in the 2026–2027 procurement cycle.
If your commercial team hasn't seen HICP 2026 yet, hand them the manufacturer-facing sections - the language HDOs use in RFPs is largely lifted from it.
-
MDCG 2019-16 Rev.2 at six months: Notified Body audit patternsSix months in, Notified Body audits under MDCG 2019-16 Rev.2 show three clear failure modes - narrative-only SBOMs, CVD policies without operational evidence, and traceability gaps between security risk controls and design outputs.
-
Three years of Section 524B: the deficiencies that never went awayThree-year retrospective on Section 524B enforcement: SBOM depth, VEX justification, and CVD operational evidence remain the top three categories of cyber deficiencies. Two new patterns emerged in 2026 - AI/ML threat-model gaps and weak end-of-support labeling.
-
IEC 81001-5-1 Amendment 1 reaches FDIS - what MedTech teams should trackAmendment 1 to IEC 81001-5-1 (health software security lifecycle) is in Final Draft International Standard ballot. It sharpens SBOM, CVD, and postmarket vulnerability expectations - and it's the standard EU Notified Bodies are quietly aligning MDCG 2019-16 audits against.