The EU proposal COM(2025) 1023 introduces CRA-like reporting obligations for cybersecurity of medical devices and IVDs, requiring reporting via Eudamed to member-state CSIRTs and ENISA.
The key points
- The proposal COM(2025) 1023 introduces, via new Article 87a MDR and Article 82a IVDR, reporting obligations for actively exploited vulnerabilities and serious security incidents affecting medical devices and in vitro diagnostics. The COM(2025) 1023 text is available on EUR-Lex.
- Recipients are the CSIRTs of the Member States designated as coordinators and the EU Agency for Cybersecurity (ENISA), analogous to the reporting regime under the Cyber Resilience Act (CRA).
- Reporting is done via Eudamed, and CSIRTs and ENISA will be given direct access to the European medical device database.
- The notification deadline is uniformly 30 days after becoming aware. That deviates significantly from the CRA’s staggered deadlines (24 hours, 72 hours, 14 days).
- Annex I of MDR and IVDR is amended: cybersecurity is explicitly named as part of the essential safety and performance requirements.
- The proposal has not yet been adopted. The public consultation ended in early May 2026; entry into force is not expected before late 2026 or early 2027.
What happened
The Commission presented proposal COM(2025) 1023 in response to ongoing criticism since 2024 about MDR and IVDR: overly complex procedures, lack of predictability, disproportionate burdens for SMEs, and bottlenecks at notified bodies. The proposal is designed as targeted simplification and addresses eight thematic areas, from streamlining conformity assessment to international cooperation.
One thematic block covers the “interaction with other Union legal acts.” It is here that the new cybersecurity reporting obligations are anchored. Recital 44 of the proposal identifies the underlying gap directly: medical devices are excluded from the Cyber Resilience Act; the vigilance system under MDR and IVDR captures cybersecurity incidents only insofar as they qualify as serious incidents, but systematically excludes incidents without an immediate patient-safety link. The Commission regards this as a “significant gap in cybersecurity” and closes it via two new articles.
What changes concretely
The central change consists of three elements: a precise definition of what must be reported, a new reporting obligation via Eudamed, and an explicit embedding of cybersecurity in Annex I. The following sections set out the mechanics.
What is an actively exploited vulnerability?
Under Article 3(42) of Regulation (EU) 2024/2847 (Cyber Resilience Act), an actively exploited vulnerability is a vulnerability for which there is sufficient evidence that a malicious actor has exploited it in a system without the manufacturer’s authorization. The new Article 87a MDR refers directly to that definition.
Today: vigilance focused on patient safety, no cybersecurity reporting channel
Under the current framework, manufacturers of medical devices report only serious incidents to the competent authorities under Article 87 MDR. “Serious” means death or a serious deterioration in health, or the potential for such. Cybersecurity incidents that affect the integrity or availability of a product but have no immediate impact on patient safety are not covered by that obligation. Because medical devices are explicitly excluded from the Cyber Resilience Act, there is currently no mandatory reporting channel for that constellation.
Going forward: additional cybersecurity obligation via Eudamed
The new Article 87a MDR (parallel: Article 82a IVDR) obliges manufacturers to report each of the following events:
- any actively exploited vulnerability present in the product within the meaning of Article 3(42) CRA,
- any serious security incident within the meaning of Article 14(5) CRA that affects the safety of the product.
The report is made through the electronic system referred to in Article 92 MDR (that is, Eudamed) and must simultaneously be made accessible to the CSIRTs designated as coordinators by Member States and to ENISA. A vigilance report under Article 87 MDR whose subject also qualifies as an actively exploited vulnerability or serious security incident will be mirrored to CSIRTs and ENISA. These bodies will be granted access to Eudamed for that purpose.
Comparison of deadlines
| Regime | Deadline for actively exploited vulnerabilities / serious security incidents |
|---|---|
| Cyber Resilience Act, Article 14 | 24-hour early warning, 72-hour update, 14-day final report |
| MDR proposal, Article 87a | 30 days after becoming aware |
The proposal adopts the addressees and definitions from the CRA — but not the staggered deadlines. The uniform 30-day period is substantially longer than the CRA’s early-warning requirement, which the Commission justifies by the character of medical devices and the parallel vigilance logic. Organizations that already implement CRA-compliant processes will meet the 30-day deadline easily; those that operate solely under MDR vigilance will need to expand their vulnerability triage.
Cybersecurity in Annex I
Alongside the new reporting obligation, the proposal amends Annex I of MDR and Annex I of IVDR to explicitly mention cybersecurity among the essential safety and performance requirements. Until now, the sector derived corresponding requirements from general safety provisions and the MDCG guidance on cybersecurity. With the proposal, the requirement is explicitly entrenched.
Assessment for manufacturers
For manufacturers of cybersecurity-relevant products (for example, networked infusion pumps with wireless connectivity, imaging devices with remote maintenance, point-of-care diagnostics with a cloud component, or patient monitors on OT networks), the regulatory logic shifts in three areas.
First, triage becomes more complex. Previously, an incident had to be assessed only for whether it qualified as a serious incident under Article 87 MDR. Going forward, a second assessment dimension is added: is there an actively exploited vulnerability or a serious security incident related to the product? Both assessments are independent and both can (also in parallel) trigger reporting obligations.
Second, the stakeholder landscape in incident management changes. Cybersecurity officers and vigilance officers must integrate their processes so that a cybersecurity incident without a patient-safety link still enters the reporting path. Organizations that today separate these roles in terms of both staff and organizational structure should reconsider their interfaces.
Third, Eudamed becomes a shared transmission path for different recipient groups. The CSIRTs designated as coordinators and ENISA are already known in the cybersecurity context from the CRA and the NIS2 directive. With the proposal, they receive for the first time a formal channel into the medical device regime.
The mechanics thus resemble the reporting under the Cyber Resilience Act while remaining sector-specific. Manufacturers that produce both CRA-covered products and medical devices (for example, suppliers of components used in both domains) will need to master both reporting channels without conflating them.
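The two-dimensional triage described above (patient-safety assessment under Article 87 MDR alongside the cybersecurity assessment under the proposed Article 87a MDR / Article 82a IVDR, with the CRA's own Article 14 deadlines for products that fall under the CRA instead) can be made concrete as a small deadline calculator. The code below is an added illustration by the editor, not part of COM(2025) 1023 or of any official tooling; the data model, the `triage` and `next_deadline` functions and the sample events are constructed assumptions. Only the deadlines stated on this page are modelled (30 days for Article 87a; 24 hours, 72 hours and 14 days for Article 14 CRA); the Article 87 MDR vigilance deadline is not covered on the page and is therefore left without a milestone.

```python
"""Constructed triage helper for the two reporting dimensions (editor's example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Scope(Enum):
    """Which regime the product falls under (a single product is in one of them)."""
    MDR_DEVICE = "medical device or IVD (MDR/IVDR)"
    CRA_PRODUCT = "product with digital elements (CRA)"


@dataclass(frozen=True)
class SecurityEvent:
    product: str
    scope: Scope
    aware_at: datetime               # moment the manufacturer became aware
    patient_safety_impact: bool      # qualifies as a serious incident, Art. 87 MDR
    actively_exploited: bool         # evidence of exploitation, Art. 3(42) CRA
    serious_security_incident: bool  # Art. 14(5) CRA incident affecting product safety


@dataclass(frozen=True)
class Obligation:
    basis: str        # legal basis as named on the page
    channel: str      # where the report goes
    milestones: tuple  # ((label, due datetime), ...); empty when not modelled


def triage(ev: SecurityEvent) -> list[Obligation]:
    """Return every reporting obligation the event triggers.

    The patient-safety and cybersecurity assessments are independent, so one
    event on a medical device can yield two obligations in parallel.
    """
    obligations = []
    cyber_trigger = ev.actively_exploited or ev.serious_security_incident

    if ev.scope is Scope.MDR_DEVICE:
        if ev.patient_safety_impact:
            # Existing vigilance path; its deadline is not stated on the page.
            obligations.append(Obligation(
                basis="Art. 87 MDR (serious incident)",
                channel="Eudamed -> competent authorities",
                milestones=(),
            ))
        if cyber_trigger:
            # New path from the proposal: uniform 30 days after becoming aware.
            obligations.append(Obligation(
                basis="Art. 87a MDR / Art. 82a IVDR (proposal)",
                channel="Eudamed -> coordinating CSIRTs and ENISA",
                milestones=(("report", ev.aware_at + timedelta(days=30)),),
            ))
    elif ev.scope is Scope.CRA_PRODUCT and cyber_trigger:
        # CRA regime keeps its staggered deadlines.
        obligations.append(Obligation(
            basis="Art. 14 CRA",
            channel="coordinating CSIRT and ENISA (CRA regime)",
            milestones=(
                ("early warning", ev.aware_at + timedelta(hours=24)),
                ("update", ev.aware_at + timedelta(hours=72)),
                ("final report", ev.aware_at + timedelta(days=14)),
            ),
        ))
    return obligations


def next_deadline(obligations):
    """Earliest pending milestone as (label, basis, due), or None if none is modelled."""
    pending = [(due, label, o.basis) for o in obligations for label, due in o.milestones]
    if not pending:
        return None
    due, label, basis = min(pending)
    return label, basis, due


# Constructed sample events (hypothetical products, not from the page): the
# same awareness time for an infusion pump under MDR and for a connectivity
# module that a component supplier sells as a CRA product.
SAMPLE_AWARE_AT = datetime(2026, 1, 15, 9, 0)
SAMPLE_PUMP = SecurityEvent("networked infusion pump", Scope.MDR_DEVICE, SAMPLE_AWARE_AT,
                            patient_safety_impact=True, actively_exploited=True,
                            serious_security_incident=False)
SAMPLE_MODULE = SecurityEvent("connectivity module", Scope.CRA_PRODUCT, SAMPLE_AWARE_AT,
                              patient_safety_impact=False, actively_exploited=True,
                              serious_security_incident=False)

if __name__ == "__main__":
    for ev in (SAMPLE_PUMP, SAMPLE_MODULE):
        obs = triage(ev)
        print(f"{ev.product}: {len(obs)} obligation(s)")
        for o in obs:
            print(f"  {o.basis} via {o.channel}")
            for label, due in o.milestones:
                print(f"    {label}: {due:%Y-%m-%d %H:%M}")
        print("  next deadline:", next_deadline(obs))
```

Running the module shows the pump event producing two parallel obligations (the vigilance report and the 30-day Article 87a report mirrored to CSIRTs and ENISA), while the same exploitation evidence on the CRA-scoped module produces a single Article 14 obligation whose first milestone falls after 24 hours. Keeping the two assessments as separate boolean inputs is what lets an incident without any patient-safety link still reach the cybersecurity reporting path.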
When will it apply?
The proposal is not in force. The public consultation ended on 6 May 2026; trilogue negotiations are expected in mid-2026, and adoption is realistic at the earliest by late 2026 or early 2027. Transitional periods are likely to follow before the new reporting obligations become binding. Until then, MDR and IVDR in their current wording remain applicable — including existing vulnerability management requirements.