EU MDR / IVDR

EU regulations on medical devices and in-vitro diagnostics — clinical, technical, and increasingly cybersecurity requirements.

Regulator

Notified Bodies under European Commission oversight

Jurisdiction

European Union

Status

MDR active since May 2021; IVDR May 2022 with phased transition through 2027.

In force since

Active

Regulator's source

Who it applies to

Manufacturers, authorised representatives, importers, and distributors of medical devices and IVDs in the EU.

Audit / certification status

Continuous evidence pipeline available; audit support included for all customers.

What it requires

What MDR / IVDR actually requires.

These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.

Cybersecurity per MDCG 2019-16 Rev 1 (MDR) and equivalent guidance for IVDR.

Risk management to ISO 14971 incorporating cybersecurity.

Software life-cycle to IEC 62304 and risk management to IEC TIR 60601-4-5 where applicable.

Post-market surveillance and vigilance, including cybersecurity incident handling.

Unique Device Identification (UDI) and EUDAMED registration.

How Safeguard maps to it

Pre-mapped controls. Continuous evidence.

Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.

Software bill of materials and component lifecycle tracking for IEC 62304.

MDCG 2019-16 control crosswalk with continuous evidence.

Vigilance reporting workflow with EUDAMED-compatible export.

Evidence we produce

Artifacts your auditor accepts.

Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.

MDCG 2019-16 cybersecurity package.

Software lifecycle records per IEC 62304.

Post-market cybersecurity surveillance reports.

Related frameworks

One evidence base. Many regulators.

These frameworks share substantial control overlap with MDR / IVDR. Customers running one assessment typically satisfy the others with the same evidence base.

HIPAA / HITECH

North America

Privacy, security, and breach notification rules for Protected Health Information (PHI) in the United States.

Open

ISO/IEC 27001:2022

Cross-jurisdictional

The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.

Open

IEC 62443

Cross-jurisdictional

The industrial automation and control systems security standard family — the OT equivalent of ISO 27001.

Open

Ready for MDR / IVDR?

Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.

Back to the framework map