Natalia Kazankova, 5 min read

Medical Device Regulation (MDR): Why Cybersecurity And Fuzz Testing Are No Longer Optional

  • Europe has shifted from the old MDD (Medical Device Directive) to the newer MDR (Medical Device Regulation).
  • The transition has caused confusion and inconsistency, as some devices are still MDD-certified and need to transition, while others are already under MDR.

  • MDR specifies “what” needs to be done, but not “how” to do it — leaving gaps in implementation details.

  • Fuzz testing is explicitly mentioned in the MDCG guidance documents (MDCG 2019-16) and in IEC 81001-5-1. Both documents are considered state of the art. They are not legally binding, but auditors may treat them as mandatory.

From MDD to MDR: A Regulatory Shift with Growing Pains

The MDR came into full effect in 2021, but many devices are still certified under MDD and will need to transition. As a result, Europe is facing a period of regulatory limbo. The MDR outlines what manufacturers must achieve but not how to do it, creating a gap between regulatory intent and practical implementation.

To help bridge this gap, manufacturers rely on:

  • Harmonized standards, officially recognized under MDR

  • Guidance documents, like those published by the Medical Device Coordination Group (MDCG)

  • The industry concept of “state of the art”, often cited by auditors. 


Harmonized Standards: A Short List for Now

Under MDR, only two standards have been officially harmonized so far:

  • ISO 13485: Quality management systems

  • ISO 14971: Risk management

For everything else, including cybersecurity, manufacturers have to rely on non-harmonized but widely recognized standards, and make the case that their approach aligns with “state of the art” practices.

This is more than a buzzword. When auditors can’t point to a specific clause in a regulation, they often fall back on whether your approach reflects the current state of the art. And that can still lead to a non-conformity finding if your processes fall short of expectations.

MDCG Guidance: Not Legally Binding, But Still Mandatory?

The Medical Device Coordination Group (MDCG) regularly publishes guidance documents to clarify parts of the MDR. While technically not law, these documents are treated as essential during audits. As one industry expert put it: “We didn’t follow one MDCG guidance, and the auditors didn’t care that it was non-binding—they issued a non-conformity and gave us a year to comply.”

MDCG guidance reflects auditor expectations, and ignoring them is not a viable option if you want to pass certification smoothly. 

MDCG has issued guidance on cybersecurity for medical devices (MDCG 2019-16), emphasizing secure design, manufacturing, and testing methodologies, including fuzz testing.

Figure: Chapter 3.7, Verification/Validation, of MDCG 2019-16 – Guidance on Cybersecurity for Medical Devices.


IEC 81001-5-1: A State Of The Art Cybersecurity Standard

A European cybersecurity standard, IEC 81001-5-1:2021 - Health software and health IT systems safety, effectiveness and security - Part 5-1: Security — Activities in the product life cycle, is expected to be harmonized under MDR. Even before harmonization, it’s being treated as state of the art, especially for devices involving health software.

And here’s where things get important: IEC 81001-5-1 explicitly mentions fuzz testing three times as a practical example of:

  • Abuse case testing
  • Dynamic security testing
  • Threat mitigation (input validation testing). 

Abuse case testing: According to Chapter 5.7.3, Vulnerability testing, testing shall include abuse cases with malformed or unexpected inputs to uncover security issues. This is exactly what fuzz testing is designed for.

Dynamic security testing: The standard also recommends dynamic security testing, like fuzz testing, to detect flaws not visible under static analysis, including denial-of-service conditions and memory leaks.

Threat mitigation: The standard's Annex B, section B.5.7.2, names fuzz testing as a practical example of threat mitigation testing that detects undesired system behavior when incorrect data or an excessive load of data is sent to a system interface.


Who Decides If You Can Sell Medical Devices in Europe?

In the U.S., the FDA is the sole regulatory authority. In Europe, it’s different.

Compliance decisions are made by notified bodies — independent organizations (like TÜV SÜD) accredited to assess conformity with MDR. These bodies send auditors (or assessors) to:

  1. Review your technical documentation

  2. Visit your site for process audits

  3. Evaluate your risk management, including cybersecurity

If gaps are found, you’ll receive feedback and a timeline to address them before a CE mark can be granted.


Regulatory expectations in Europe are evolving fast. While full harmonization under MDR may take years, the combination of MDCG guidance and emerging standards like IEC 81001-5-1 already defines the new normal.

If you’re a manufacturer preparing for MDR compliance, now is the time to integrate state-of-the-art cybersecurity practices—including fuzz testing—into your development and documentation processes.

What is Fuzz Testing?

Fuzzing, also known as fuzz testing, is a dynamic application security testing method used to uncover bugs and vulnerabilities in software.

During a fuzz test, a program is executed with invalid, unexpected, or random inputs, aiming to uncover vulnerabilities or crash the application.

Fuzzing is exceptionally effective at finding buffer overflows, memory corruption, code injection, denial of service, and other vulnerability classes typical of C/C++ code, so that they can be fixed before release. This makes it highly popular among embedded software engineers.
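To make the abuse-case idea from IEC 81001-5-1 and the definition above concrete, here is an added example that is not code from this page or from Code Intelligence. It uses a constructed, hypothetical device message format (a type byte, a payload length byte, then the payload) and a parser that trusts the length byte when copying into a 16-byte buffer, next to a hardened parser that checks the length against the destination capacity. A small mutation loop stands in for a real fuzzer, and a canary region after the payload slot stands in for the AddressSanitizer instrumentation a libFuzzer or CI Fuzz setup would use; the arena is one array so the over-long write is contained and detectable without undefined behaviour in the harness itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example message format (hypothetical, not a real device protocol):
 *   byte 0     : record type
 *   byte 1     : payload length N
 *   bytes 2..  : N payload bytes
 */
#define PAYLOAD_CAP 16

/* Parser contract: copy the payload into out (capacity PAYLOAD_CAP bytes).
 * Returns 0 on success, -1 when the input is rejected. */
typedef int (*parser_fn)(const uint8_t *msg, size_t len, uint8_t *out);

/* Vulnerable pattern: the length byte from the wire is checked against the
 * source buffer only, never against the destination capacity. */
int parse_record_unsafe(const uint8_t *msg, size_t len, uint8_t *out) {
    if (len < 2) return -1;
    size_t n = msg[1];
    if (2 + n > len) return -1;          /* source bound only */
    for (size_t i = 0; i < n; i++)       /* may write up to 255 bytes into 16 */
        out[i] = msg[2 + i];
    return 0;
}

/* Hardened version: reject any payload longer than the destination. */
int parse_record_safe(const uint8_t *msg, size_t len, uint8_t *out) {
    if (len < 2) return -1;
    size_t n = msg[1];
    if (n > PAYLOAD_CAP) return -1;      /* destination bound */
    if (2 + n > len) return -1;
    memcpy(out, msg + 2, n);
    return 0;
}

/* Deterministic xorshift PRNG so a fuzz run is reproducible; seed must be nonzero. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Run one input through a parser inside a canary-guarded arena. The payload
 * slot is the first PAYLOAD_CAP bytes; everything after it is filled with a
 * canary pattern. Any write past the slot lands in the canary, which is what
 * a sanitizer would report as a heap/stack buffer overflow.
 * Returns 1 if the parser wrote past the payload slot, 0 otherwise. */
int run_one(parser_fn parse, const uint8_t *msg, size_t len) {
    uint8_t arena[PAYLOAD_CAP + 256];
    memset(arena, 0xA5, sizeof arena);
    parse(msg, len, arena);
    for (size_t i = PAYLOAD_CAP; i < sizeof arena; i++)
        if (arena[i] != 0xA5) return 1;
    return 0;
}

/* Build a message whose length byte is payload_len and check it for overflow. */
int probe_overflow(parser_fn parse, uint8_t payload_len) {
    uint8_t msg[2 + 255];
    memset(msg, 0x11, sizeof msg);
    msg[0] = 1; msg[1] = payload_len;
    return run_one(parse, msg, sizeof msg);
}

/* Minimal mutation-based fuzz campaign: start from a valid seed message
 * (type 1, 8-byte payload), flip a few random bytes, and count inputs that
 * corrupt the canary. Returns the number of detected out-of-bounds writes. */
int fuzz_campaign(parser_fn parse, int iterations, uint32_t seed) {
    uint8_t msg[2 + 255];
    int findings = 0;
    for (int it = 0; it < iterations; it++) {
        memset(msg, 0x11, sizeof msg);
        msg[0] = 1; msg[1] = 8;
        int flips = 1 + (int)(xorshift32(&seed) % 3);
        for (int f = 0; f < flips; f++)
            msg[xorshift32(&seed) % sizeof msg] = (uint8_t)xorshift32(&seed);
        findings += run_one(parse, msg, sizeof msg);
    }
    return findings;
}

int main(void) {
    printf("unsafe parser: %d overflows in 2000 inputs\n",
           fuzz_campaign(parse_record_unsafe, 2000, 1));
    printf("safe parser:   %d overflows in 2000 inputs\n",
           fuzz_campaign(parse_record_safe, 2000, 1));
    return 0;
}
```

The mutation loop has no coverage feedback, so it only finds the bug because the length byte is one of 257 positions; a coverage-guided fuzzer would reach the same over-long write far faster, and a sanitizer build would report the exact write rather than relying on a canary. The point for an audit file is the pairing: the same harness that demonstrates the finding on the unsafe parser demonstrates its absence on the hardened one.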

Learn more about how fuzz testing helps secure medical devices in the free white paper "Testing Medical Devices: Why Fuzzing is a Must." In this paper, we discuss 4 main reasons why more and more standards advocate fuzz testing for medical devices.



Explore AI-Automated Fuzz Testing by Code Intelligence

Fuzz testing can be a daunting task, as it requires hours of manual setup. With CI Fuzz by Code Intelligence, many manual tasks are automated by AI, so you can find bugs and vulnerabilities with a single command.

Learn more about CI Fuzz here or see it in action by booking a personalized demo with Code Intelligence experts. 

“Testing our embedded software with white-box fuzzing by Code Intelligence helped us achieve better, more secure code. We wouldn't achieve this with black-box fuzzers.”
Senior Embedded Engineer, a MedTech company