MDCG 2019-16 Rev.2 brings EU expectations closer to FDA's Feb 2026 cyber premarket guidance, but with three notable deltas:
1. SBOM is now an explicit expectation, not just an implied 'state-of-the-art' artifact. Notified Bodies are asking for CycloneDX or SPDX with version pinning.
2. Coordinated Vulnerability Disclosure must be documented as an operating capability - a published policy alone is insufficient.
3. Traceability between security risk control measures and design outputs must be demonstrable in the technical file, not just narrated.
If you have a clean FDA 524B package, you are 70–80% of the way to MDR cyber. The remaining work is mostly traceability plumbing and PMS process evidence.
-
MDCG 2019-16 Rev.2 at six months: Notified Body audit patternsSix months in, Notified Body audits under MDCG 2019-16 Rev.2 show three clear failure modes - narrative-only SBOMs, CVD policies without operational evidence, and traceability gaps between security risk controls and design outputs.
-
Three years of Section 524B: the deficiencies that never went awayThree-year retrospective on Section 524B enforcement: SBOM depth, VEX justification, and CVD operational evidence remain the top three categories of cyber deficiencies. Two new patterns emerged in 2026 - AI/ML threat-model gaps and weak end-of-support labeling.
-
IEC 81001-5-1 Amendment 1 reaches FDIS - what MedTech teams should trackAmendment 1 to IEC 81001-5-1 (health software security lifecycle) is in Final Draft International Standard ballot. It sharpens SBOM, CVD, and postmarket vulnerability expectations - and it's the standard EU Notified Bodies are quietly aligning MDCG 2019-16 audits against.