As connected medical devices become increasingly integrated into digital healthcare systems, cybersecurity has emerged as a critical component of patient safety and system resilience. Ensuring that these devices remain secure throughout their lifecycle is therefore a growing priority for regulators, manufacturers, and healthcare providers across Europe.
This policy brief, developed in the framework of the NEMECYS project, examines the practical implementation of the MDCG 2019-16 guidelines on cybersecurity for medical devices. Although these guidelines are currently the most widely used reference framework for cybersecurity in the EU medical device ecosystem, stakeholders have identified several challenges when applying them in real-world settings.
Drawing on insights from four NEMECYS case studies, the brief highlights key issues related to practical applicability, terminology, risk management, verification and validation, and defence-in-depth strategies. Based on this analysis, it puts forward a set of policy recommendations aimed at improving the clarity, usability, and completeness of the guidelines in future revisions.
By translating technical experience into actionable policy insights, the brief contributes to ongoing European discussions on strengthening cybersecurity governance in the medical device sector and supporting the safe deployment of connected medical technologies.