UK medical device cybersecurity: where the rules stand (and don't)

Imagine you're building a connected insulin pump or an AI diagnostic tool. You've done the hard work on security. Threat modelling, penetration testing, secure development lifecycle, the lot. You submit for UKCA marking and discover that none of it was actually required. The regulation doesn't mention cybersecurity. Not once.

Meanwhile, a competitor ships a device with hardcoded credentials and no encryption. Also gets UKCA marked. Same process, same outcome.

Welcome to UK medical device cybersecurity regulation in 2026.

The premarket problem: cybersecurity isn't required

Here's the uncomfortable truth. The UK Medical Devices Regulations 2002 (UK MDR 2002), which governs what you need to demonstrate for UKCA marking, contains no explicit cybersecurity requirements. Zero. The word "cybersecurity" doesn't appear. Neither does "IT security" or "protection against unauthorised access".

Section 12.1a requires software to be "validated according to the state of the art taking into account the principles of development lifecycle, risk management, validation and verification." Sounds broad enough to cover security, right? In practice, UK Approved Bodies assess against what's written. And what's written doesn't include penetration tests, SBOMs, or vulnerability disclosure.

This isn't an oversight from last year. UK MDR 2002 is based on the EU's Medical Devices Directive from 1993. Before you could buy a book from Amazon on the internet. We're still using it.

The EU moved on. Their MDR 2017/745 at least mentions "state of the art" along with "information security" in GSPR 17.2, and requires "minimum requirements concerning IT security measures, including protection against unauthorised access" in GSPR 17.4. Still principles-based rather than prescriptive, but it's something. More importantly, European Notified Bodies have decided what "state of the art" actually means: Team NB recommended IEC 81001-5-1:2021 back in 2022. The IG-NB questionnaires expect it too. The standard won't be formally harmonised until May 2028, but try getting CE marking for a connected device without demonstrating alignment to it now.

The FDA? They went further. Section 524B (effective March 2023) mandates specific deliverables: a cybersecurity plan, cybersecurity risk management, coordinated vulnerability disclosure, Software Bill of Materials. No ambiguity about what's expected.

The UK? We're still waiting.

Postmarket surveillance: cybersecurity finally gets a mention

There is one area where things have improved, sort of. The Medical Devices (Post-market Surveillance Requirements) (Amendment) Regulations 2024 came into force on 16 June 2025. The legislation itself doesn't explicitly mention cybersecurity. But the accompanying MHRA guidance document does.

Example 26 in the guidance is explicit:

Scenario: "A cybersecurity flaw is identified but there have not yet been reports of it having a negative impact on users.

Rationale: The cybersecurity flaw is an incident. If there is potential for serious deterioration in health as a result (either directly or indirectly) then this becomes a reportable incident. Any patches required to resolve a reportable cybersecurity issue should be rolled out as FSCA."

So while the word "cybersecurity" doesn't appear in the regulations themselves, MHRA has made clear through guidance that security flaws fall within scope. If a vulnerability could lead to patient harm, you now have 15 calendar days to report it. Critical public health threats require notification within 2 days.

The practical implication that catches people out: security patches are now Field Safety Corrective Actions. That critical vulnerability fix you'd normally push quietly? It needs a Field Safety Notice submitted to MHRA before distribution, tracking of remediation effectiveness, and records kept for 10 to 15 years depending on device class.

Your PSURs need to include cybersecurity incidents too. Class IIb and III devices require annual reporting; Class IIa every two years. You'll also need systems detecting trends in cyber events. If incident frequency increases, you're submitting trend reports even for individually minor issues.

So we have a situation where there's no premarket requirement to build security in, but significant postmarket obligations when (not if) things go wrong. Feels backwards, doesn't it?

MHRA's missing premarket cybersecurity guidance

This gap was supposed to close by the end of 2025. The MHRA's December 2024 roadmap committed to publishing dedicated cybersecurity guidance for Software as a Medical Device in Q2 2025.

For manufacturers, this creates genuine uncertainty. What does MHRA expect? What will Approved Bodies ask for? The planned guidance was meant to clarify when vulnerabilities should be reported, what "secure by design" means in a UK context, and how to handle legacy devices. Instead, you're left interpreting broad statutory language and hoping you've guessed right.

NHS DTAC: the de facto cybersecurity standard

Here's where it gets interesting. If you're selling to the NHS (and let's be honest, that's most of the UK healthcare market) there's a completely separate framework that actually does mandate cybersecurity. It just has nothing to do with medical device regulations.

The Digital Technology Assessment Criteria (DTAC), managed by NHS England since February 2021, establishes baseline standards for digital health technologies across five domains: clinical safety, data protection, technical security, interoperability, and usability. For connected medical devices, the technical security requirements are time-consuming to evidence but not as comprehensive as FDA or EU MDR expectations.

Cyber Essentials Plus certification is mandatory for suppliers handling NHS data classified as "Official." That means annual external verification of five core controls: security update management, user access controls, secure configuration, malware protection, and firewalls.

Penetration testing must be conducted with evidence provided.

Data Security and Protection Toolkit (DSPT) compliance is required for any organisation accessing NHS patient data, with annual assessment.

Then there's DCB0129 for clinical safety. You need a Clinical Risk Management System, a Clinical Safety Officer (must be a registered clinician), a Clinical Safety Case Report, and a Hazard Log maintained throughout the product lifecycle.

This creates a strange situation. You can obtain UKCA marking for a connected insulin pump without any cybersecurity assessment whatsoever. But you cannot sell that same pump to an NHS trust without Cyber Essentials Plus, penetration testing, clinical risk management, and DSPT compliance.

For practical purposes, if you're targeting the NHS market, DTAC and DCB0129 are your controlling requirements. They exceed anything in UK medical device law by a considerable margin.

One catch: there's no "passportability." Each NHS organisation assesses you separately. You'll be presenting evidence packs repeatedly.

What's coming

The MHRA roadmap indicates substantial changes coming in 2026 and 2027. New premarket regulations should reach Parliament and come into force in 2026, introducing explicit provisions for AI, cybersecurity, and digital health technologies. It is unclear whether this will replace the NHS requirements on cybersecurity.

What to do now

The regulatory patchwork is frustrating, but you can chart a sensible path.

Immediately: The PMS regulations are in force, so establish systems to detect and report cybersecurity incidents within 15 days, prepare FSCA procedures for security patches, and integrate cyber events into your PSUR and trend reporting.

For NHS market access: Get Cyber Essentials Plus (annual renewal). Implement DCB0129 with a qualified Clinical Safety Officer. Conduct penetration testing at least annually. Complete DSPT. Prepare evidence packs because you'll need them for every procurement.

For future proofing: Design to the highest common denominator. Implement IEC 81001-5-1 even though it's not required in the UK yet. It's already "state of the art" for European Notified Bodies and the UK will likely follow. Maintain SBOMs and monitor them for vulnerabilities. Establish coordinated vulnerability disclosure. Document your security architecture properly. Requirements from IEC 81001-5-1 can be mapped to the fragmented NHS requirements.
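As an added example (not code from the article or from any regulator), here is how the "Immediately" and "future proofing" steps above fit together in practice: an SBOM is parsed, its components are matched against an advisory feed, and each hit is given the postmarket reporting clock the article describes (15 calendar days when patient harm is possible, 2 days for a critical public health threat) plus a flag that the fix ships as an FSCA. The SBOM, the advisory feed, the device and component names, and the advisory identifiers are all constructed placeholders, not real products or CVEs; exact-string version matching stands in for the version-range logic a real feed would need.

```python
"""
Added example, not part of the article: SBOM-driven vulnerability watch with the
MHRA postmarket reporting clock from the text (15 days reportable, 2 days critical).
All data below is constructed for illustration.
"""
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM for a hypothetical connected pump firmware.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "mbedtls", "version": "2.28.3", "type": "library"},
        {"name": "lwip", "version": "2.1.3", "type": "library"},
        {"name": "pump-control", "version": "4.2.0", "type": "application"},
    ],
})

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "mbedtls",
     "affected_versions": ["2.28.0", "2.28.1", "2.28.2", "2.28.3"],
     "patient_harm_possible": True, "public_health_threat": False},
    {"id": "ADV-PLACEHOLDER-002", "component": "lwip",
     "affected_versions": ["2.0.0"],
     "patient_harm_possible": True, "public_health_threat": False},
    {"id": "ADV-PLACEHOLDER-003", "component": "pump-control",
     "affected_versions": ["4.2.0"],
     "patient_harm_possible": True, "public_health_threat": True},
]


def load_components(sbom_json):
    """Return {name: version} for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def match_advisories(components, advisories):
    """Return the advisories whose affected versions include the shipped version."""
    hits = []
    for adv in advisories:
        shipped = components.get(adv["component"])
        if shipped is not None and shipped in adv["affected_versions"]:
            hits.append(adv)
    return hits


def classify(adv):
    """Apply the guidance rule quoted in the article: a flaw is an incident; potential
    for serious deterioration in health makes it reportable (15 days); a critical
    public health threat must be notified within 2 days."""
    if adv["public_health_threat"]:
        return "critical_public_health", 2
    if adv["patient_harm_possible"]:
        return "reportable", 15
    return "incident_not_reportable", None


def reporting_deadline(adv, detected_on):
    """Return (classification, deadline date or None) for an advisory seen on a date."""
    label, days = classify(adv)
    deadline = detected_on + timedelta(days=days) if days is not None else None
    return label, deadline


def triage(sbom_json, advisories, detected_on):
    """Full pass: parse the SBOM, match advisories, attach the deadline and FSCA flag."""
    comps = load_components(sbom_json)
    results = []
    for adv in match_advisories(comps, advisories):
        label, deadline = reporting_deadline(adv, detected_on)
        results.append({
            "advisory": adv["id"],
            "component": adv["component"],
            "version": comps[adv["component"]],
            "classification": label,
            "report_by": deadline.isoformat() if deadline else None,
            # Per the article, a patch for a reportable flaw is rolled out as an FSCA.
            "patch_is_fsca": deadline is not None,
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_SBOM, SAMPLE_ADVISORIES, date(2025, 7, 1)):
        print(row)
```

Run it as a script to see the two hits (the mbedtls library and the pump-control application; the lwip entry does not match because the shipped version is not in the affected list). In a real pipeline the advisory feed and SBOM would come from your vulnerability monitoring and build systems, and the classification step would be a human clinical and security judgement recorded in the Hazard Log rather than two booleans.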

The manufacturers who'll have the easiest time when UK requirements eventually materialise are those already building to international best practice. The ones scrambling will be those who did the bare minimum for UKCA marking and now need to retrofit security into legacy architectures.

I know which position I'd rather be in.

The bottom line

UK medical device cybersecurity regulation is in an awkward interim state. Postmarket surveillance now captures cybersecurity incidents with real reporting obligations. Premarket requirements remain silent. If you're selling to the NHS, DTAC is your actual cybersecurity standard, enforced at procurement.

Regulatory reform is coming in 2026 and 2027. Until then, you're navigating overlapping frameworks rather than a coherent regime. Not ideal. But at least now you know what you're dealing with.
