The EU Cybersecurity Act established a framework for European cybersecurity certification schemes administered by ENISA. The first adopted scheme is the European Common Criteria-based scheme (EUCC). As of today, these schemes are not mandatory for most medical devices, and the MDR cybersecurity baseline remains Annex I Sections 17.2 and 17.4, interpreted through MDCG 2019-16 Rev.1 and EN IEC 81001-5-1:2022. MedTech founders should track the schemes but not yet treat them as a certification path.
By Tibor Zechmeister and Felix Lenhard.
TL;DR
- The EU Cybersecurity Act (Regulation (EU) 2019/881) created a framework for European cybersecurity certification schemes and gave ENISA the coordinating role.
- The first adopted scheme under that framework is the European Common Criteria-based scheme (EUCC), which builds on the existing Common Criteria methodology.
- Additional schemes are under development, including candidate schemes for cloud services (EUCS) and for 5G.
- For medical devices today, the single source of truth remains MDR Annex I and the MDR-aligned standards. The EU certification schemes are not currently mandatory for most MedTech.
- The NIS2 Directive and the Cyber Resilience Act operate alongside the Cybersecurity Act and may impose obligations on MedTech depending on scope and classification.
- In Tibor's view, founders should watch the schemes but keep their compliance effort anchored to MDR and EN IEC 81001-5-1:2022 until a specific scheme becomes applicable or required by a customer.
Why this matters (Hook)
A cloud-native Class IIa software startup is in a sales conversation with a large European hospital group. The hospital's CIO asks whether the product is certified under "the EU cybersecurity scheme". The founder does not know what scheme the CIO means. The hospital CIO is not entirely sure either, but has heard the phrase at a recent conference. The sales conversation stalls while both sides try to align on what is actually required.
This conversation is becoming more common. The EU cybersecurity regulatory landscape has expanded significantly in recent years, and language from different regulations blends together at the procurement table. A MedTech founder who cannot navigate the landscape risks either promising certification that is not yet possible or appearing uninformed on a topic the customer cares about.
Tibor's view from the notified body side is that MDR cybersecurity expectations remain the primary path today and will for some time. Felix's view from the startup coaching side is that founders who cannot name the relevant regulations in a customer meeting lose credibility regardless of the underlying technical work.
This post maps the landscape without overclaiming. Several statements below are flagged as [MDR VERIFY] because the schemes are moving targets and accuracy matters more than currency.
What the regulations actually say (Surface)
There are several EU regulations in play. They do not all apply to every medical device. The order below moves from the oldest and most stable to the newest and least stable.
Regulation (EU) 2017/745 (MDR). The baseline for medical devices. Annex I Section 17.2 requires software to be developed in accordance with the state of the art, including information security. Annex I Section 17.4 requires manufacturers to set out minimum IT requirements. MDCG 2019-16 Rev.1 is the authoritative interpretation. EN IEC 81001-5-1:2022 is the current state-of-the-art standard for health software security activities.
Regulation (EU) 2019/881 (EU Cybersecurity Act). Establishes a European framework for cybersecurity certification schemes and strengthens the role of ENISA (the European Union Agency for Cybersecurity). The Cybersecurity Act does not itself certify products. It creates the legal machinery under which specific schemes can be adopted.
EUCC (European Common Criteria-based scheme). The first certification scheme adopted under the Cybersecurity Act framework. It is based on the existing Common Criteria methodology (ISO/IEC 15408) and is relevant primarily for high-assurance hardware and software components.
EUCS (candidate scheme for cloud services). A candidate scheme that would apply to cloud service providers. Still under development.
Directive (EU) 2022/2555 (NIS2). Not a certification scheme but a directive on network and information security. It imposes cybersecurity obligations on essential and important entities, which may include certain healthcare operators and potentially manufacturers in specific circumstances.
Cyber Resilience Act. A regulation focused on products with digital elements. Scope exclusions exist for products already covered by sector-specific regulation such as MDR.
European Health Data Space (EHDS). A regulation focused on health data rather than device cybersecurity, but relevant because it interacts with how medical device data is handled.
The honest summary is that several of these instruments are in motion, and the precise text that is legally binding changes more often than a regulatory blog post can comfortably track. Each item in this section should be verified against the current Official Journal before being cited externally.
A worked example (Test)
A Series A startup builds a Class IIb SaMD that runs on AWS Frankfurt. The hospital customer asks a three-part question.
Part 1. Is the device EU Cybersecurity Act certified. The honest answer today for most MedTech is "no, because the applicable scheme does not exist yet, and the MDR cybersecurity baseline is the currently governing framework for medical device software". The founder can point to the CE certificate, the MDCG 2019-16 Rev.1 alignment, and the EN IEC 81001-5-1:2022 conformity as the current cybersecurity evidence.
Part 2. Is the AWS Frankfurt backend EUCS certified. The honest answer today is "EUCS is still a candidate scheme and no adopted EUCS certification exists for the backend" [MDR VERIFY]. The founder points instead to the AWS ISO 27001 certification, the regional hosting commitment, and the data processing agreement.
Part 3. Does NIS2 apply to the manufacturer. The honest answer depends on whether the manufacturer is classified as an essential or important entity under the directive as transposed in the relevant member state. Most small MedTech startups are not in scope as manufacturers, but their hospital customers often are, which is why the question arrives at the manufacturer's table even when the manufacturer is not the direct obligation holder.
In each case the correct founder response is the same shape. Name the current legal baseline. Name the state-of-the-art standard. Name the evidence available today. Flag what is still emerging and commit to tracking it.
The Subtract to Ship playbook (Ship)
Step 1. Anchor compliance effort to MDR and EN IEC 81001-5-1:2022. These are the stable references. Everything else is optional surface area.
Step 2. Keep a one-page regulatory landscape briefing ready for customer meetings. The briefing lists MDR, Cybersecurity Act, EUCC, EUCS, NIS2, Cyber Resilience Act, and EHDS with one sentence each on current applicability. When a customer asks, the founder has the language ready.
Step 3. Do not chase schemes that do not yet exist. A startup that spends engineering time preparing for a speculative future scheme is a startup burning cash on uncertain value. Revisit scheme relevance on a quarterly cadence.
Step 4. Watch the customer signals. If a hospital procurement form begins to reference a specific scheme by name and by version, the scheme has become operationally relevant and the manufacturer reassesses. Until then, the manufacturer tracks.
Step 5. Verify every regulatory claim before using it externally. Because several items here are flagged [MDR VERIFY], nothing in this landscape should be quoted from memory. The landscape moves and a wrong citation in a sales conversation is worse than no citation at all.
Step 6. Distinguish clearly between "required by law" and "best practice". Rule 10 of this blog applies with particular force here. MDR Annex I is required by law. EUCC is not currently required by law for most medical devices. The distinction belongs in every customer conversation.
Reality Check
- Does the team have a clear answer to the question "which EU cybersecurity instruments apply to this device today".
- Are the applicable instruments anchored to specific article or section numbers, or only to regulation titles.
- Is the MDR cybersecurity baseline (Annex I Sections 17.2 and 17.4 plus EN IEC 81001-5-1:2022) fully met.
- Is there a process for tracking the status of EUCC, EUCS, NIS2, and the Cyber Resilience Act on a regular cadence.
- When a customer asks about "EU cybersecurity certification", can the founder give a one-minute accurate answer without overclaiming.
- Is every external regulatory claim verified against the current Official Journal before being used in sales material.
- Does the internal team distinguish between schemes that are legally required today and schemes that are emerging.
- Does the post-market surveillance plan include a regulatory change watch for cybersecurity instruments.
Frequently Asked Questions
Is the EU Cybersecurity Act mandatory for medical devices today. The Cybersecurity Act creates a framework for voluntary certification schemes. Certification under an adopted scheme becomes relevant only when a specific scheme applies and is required by law or by customer contract.
What is EUCC. EUCC is the first cybersecurity certification scheme adopted under the Cybersecurity Act framework. It is based on Common Criteria methodology.
Does EUCC replace the MDR cybersecurity baseline. No. MDR Annex I remains the baseline for medical devices regardless of any certification scheme under the Cybersecurity Act.
Is NIS2 a certification scheme. No. NIS2 is a directive on network and information security that imposes obligations on certain entities. It is not a certification scheme.
How does the Cyber Resilience Act relate to MDR. The Cyber Resilience Act contains scope provisions addressing sector-specific regulation.
What should a founder actually do right now. Meet the MDR Annex I cybersecurity baseline, align to EN IEC 81001-5-1:2022, keep the landscape briefing current, and reassess scheme applicability quarterly.
Related reading
- Cybersecurity Risk Management for Medical Devices Under MDR: the MDR baseline that anchors all cybersecurity work today.
- Cybersecurity Labeling for Medical Devices: the user-facing side of MDR cybersecurity obligations.
- Hospital IT Requirements and Your Medical Device: how the same regulatory landscape shows up in hospital procurement.
- SBOM for Medical Devices: the engineering artefact every scheme and every procurement form will ask about.
Sources
- Regulation (EU) 2017/745 on medical devices, consolidated text. Annex I Sections 17.2, 17.4.
- Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification (EU Cybersecurity Act).
- MDCG 2019-16 Rev.1 (December 2019, Rev.1 July 2020). Guidance on cybersecurity for medical devices.
- EN IEC 81001-5-1:2022. Health software and health IT systems safety, effectiveness and security. Security activities in the product life cycle.
- ENISA publications on the European cybersecurity certification framework.