Down-classification, Established Software Concepts, and Cyber-Incident Reporting Could Reshape Digital Medtech Compliance
Medical device software and connected devices occupy a crucial space within two major regulatory frameworks: the Medical Devices Regulation (MDR) together with the In Vitro Diagnostic Medical Devices Regulation (IVDR), and the EU’s extensive agenda on digitalization and cybersecurity, notably the Cyber Resilience Act. These regulations are set to undergo significant revisions that may reshape compliance processes for digital medtech.
Understanding the Regulatory Landscape
The proposed revision of the MDR and IVDR, introduced in December 2025, serves to refine the definitions and classification rules for software. This new framework extends the concept of "well-established technology" (WET) to digital products and integrates cybersecurity considerations explicitly into the regulations’ general safety and performance requirements (GSPRs).
As part of this initiative, the European Commission has suggested that manufacturers report actively exploited vulnerabilities and severe cyber incidents to Computer Security Incident Response Teams (CSIRTs) and to the EU Agency for Cybersecurity (ENISA). These changes reflect an acknowledgment of the complex digital landscape and the inherent risks associated with medical technology.
Digital Risks within the Medtech Framework
From the outset, the MDR and IVDR recognized software as a medical device and introduced specific classification rules for it. The broad language of classification rule 11 has led many software products to face higher risk classifications than anticipated, often placing them in categories (IIa/IIb) that require full notified body assessment.
Recent evaluations have revealed that these software rules sometimes result in "unnecessary up-classification," particularly for tools that only indirectly assist in clinical decision-making. At the same time, cyber incidents continue to expose vulnerabilities in connected devices, making clearer cybersecurity responsibilities for manufacturers an urgent need. Effective medtech compliance therefore has to address device classification and cybersecurity together rather than as separate concerns.
The Concept of Down-Classification
One of the most noteworthy aspects of the proposed revisions is the potential for down-classification. The proposal aims to adjust the existing classification frameworks to allow for lower-risk designations for certain device categories. This includes reusable surgical instruments, accessories to active implantable devices, and, importantly, software.
The idea here is to differentiate between software that could lead to serious consequences, such as death or irreversible health deterioration, and software with less critical implications. This risk-based approach ensures that not all clinical decision-support software is treated as inherently high risk.
Manufacturers of standalone software may find new opportunities to argue for lower classifications based on updated Medical Device Coordination Group (MDCG) guidance. However, this is contingent on clear documentation and on the nature of the software’s intended purpose, opening various avenues for developers while ensuring regulatory compliance.
Applying the WET Concept to Software
The introduction of the WET category, intended to streamline compliance, now encompasses software as well. In the proposed text, WET refers to well-established technologies with a consistent history of safe clinical use. This is an exciting development because certain algorithms and software that meet these criteria may be recognized as WET, qualifying them for simplified assessment routes.
For instance, older, widely used algorithms that have a strong safety record could significantly benefit from this classification. In contrast, emerging technologies like AI-driven solutions might not fit into this category due to their evolving nature and the ongoing need for thorough validation.
Cybersecurity Considerations in GSPRs
Cybersecurity now occupies a more integral role in the GSPRs of the MDR and IVDR. The revisions aim to clarify expectations around cybersecurity obligations. Manufacturers will be required to integrate measures to minimize risks related to data integrity, confidentiality, and availability—especially regarding software updates and network connectivity.
Cyber risk management must now become a fundamental part of technical documentation, reinforcing that cybersecurity is not merely an ancillary concern. Through enhanced obligations, the expectation is that manufacturers demonstrate they employ state-of-the-art cybersecurity engineering practices that align with their device’s intended use and deployment environment.
Emerging Reporting Obligations for Digital Health
The introduction of new reporting obligations marks a significant change in the proposed revisions to the IVDR and MDR. Specifically, the obligatory reporting of actively exploited vulnerabilities and severe incidents related to medical devices aims to strengthen digital health security.
Manufacturers will need to notify relevant CSIRTs and ENISA about vulnerabilities and severe incidents within 30 days of awareness. This places an urgent emphasis on organizational readiness, compelling firms to enhance their vulnerability disclosure and incident management strategies.
The integration of these reporting requirements aims to align device-specific obligations with broader EU cybersecurity frameworks. Manufacturers will face the challenge of distinguishing between clinical incidents and those of a cyber nature in their reporting procedures.
Alignment with EU Digital Legislation
The proposed amendments underscore an intention to avoid duplicative obligations within the regulatory landscape. Compliance with the MDR-IVDR cyber provisions—including incident reporting—will likely suffice for satisfying broader cybersecurity requirements under the Cyber Resilience Act and the Network and Information Security Directive (NIS2).
In addition, the Commission anticipates adopting common specifications and guidance to align technical expectations in response to the evolving landscape of cybersecurity standards. This reflects a concerted effort to bolster the digital health ecosystem’s overall safety and resilience.
The draft revisions and their potential impacts on medtech compliance signal a notable shift toward more structured and digital-forward regulations. With the prospect of down-classification for less critical applications alongside heightened expectations for cybersecurity and reporting, manufacturers must prepare for a more integrated and complex compliance environment. Understanding these layers will be crucial for leveraging the regulatory landscape effectively as it evolves.
