Skip to main content
    MedTech Cyber Tips
    The Ultimate Guide
    Updates
    EU MDR

    MDCG 2019-16 Rev.2 lands - Notified Body audits are catching up

    The latest revision to MDCG 2019-16 tightens expectations around SBOMs, post-market vulnerability handling, and traceability between security risk controls and design outputs. Here's the FDA-to-CE gap, condensed.

    Reviewed by ·Published ·Last reviewed July 2026

    MDCG 2019-16 Rev.2 brings EU expectations closer to FDA's Feb 2026 cyber premarket guidance, but with three notable deltas:

    1. SBOM is now an explicit expectation, not just an implied 'state-of-the-art' artifact. Notified Bodies are asking for CycloneDX or SPDX with version pinning.

    2. Coordinated Vulnerability Disclosure must be documented as an operating capability - a published policy alone is insufficient.

    3. Traceability between security risk control measures and design outputs must be demonstrable in the technical file, not just narrated.

    If you have a clean FDA 524B package, you are 70–80% of the way to MDR cyber. The remaining work is mostly traceability plumbing and PMS process evidence.

    More updates