
CE-Ready Penetration Testing for EU MDR & IVDR Compliance

In a market where every line of code can impact a life, cybersecurity isn’t just a technical concern — it’s a business-critical commitment. The EU MDR and IVDR demand more than functional safety; they require verifiable assurance that your software is protected against evolving cyber threats.

At Sekurno, we help you bridge the gap between innovation and compliance through targeted, regulator-aligned penetration testing — protecting your product, your users, and your path to CE-marked success.

Built-in Security for EU MDR/IVDR Compliance

Security, safety, and performance are foundational principles under both the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).

For any device containing software — embedded or standalone — cybersecurity must be:

Built-in from design

Maintained across the lifecycle

Proven through objective evidence

Manufacturers must address digital risks with the same rigor as clinical safety, ensuring protection against unauthorized access, data loss, and software compromise. This means implementing proactive, verifiable controls — and validating them with real-world testing.

Core Cybersecurity Requirements

Penetration Testing: A Required Layer of Assurance

A defense-in-depth strategy is a core principle of the secure medical device development lifecycle. It comprises the security practices that define the essential processes an organization must implement across the entire product lifecycle, so that no single control is relied on to stop an attack.

At the heart of this strategy lies security verification and validation testing, which ensures that cybersecurity controls are not only present, but truly effective in practice.

Security verification and validation testing is a structured, evidence-based assessment used to confirm that a device’s cybersecurity controls are implemented correctly, are effective, and function as intended under real-world conditions. Repeated after significant changes, it shows that security is maintained throughout the device lifecycle, from development to deployment and beyond.

Regulatory Expectations:

Although penetration testing is not explicitly mentioned in the MDR or IVDR, it is strongly recommended in MDCG 2019-16 as part of cybersecurity verification and validation activities — particularly for software classified as Class IIa, IIb, or III.

In practice, Notified Bodies often request evidence of penetration testing during the review of Technical Documentation to demonstrate the effectiveness of implemented security controls.

According to MDCG 2019-16, Guidance on Cybersecurity for medical devices, security verification and validation testing methods should include penetration testing alongside security requirements testing, threat mitigation testing, and vulnerability testing.

Penetration testing isn’t just a security add-on; it's a regulatory enabler. It ensures your product design is resilient, your QMS remains effective, and your documentation aligns with what Notified Bodies expect to see. A well-scoped penetration test helps you:

Validate the effectiveness of your cybersecurity controls

Minimize exploitable vulnerabilities and reduce cyber risk

Demonstrate compliance with regulatory expectations

Produce audit-ready evidence for your Technical Documentation

Strengthen post-market surveillance with actionable security insights

Prevent delays in CE marking due to missing or weak security validation

Common Reasons for CE Marking Delays

One of the leading causes of CE marking delays is incomplete cybersecurity documentation and missing verification evidence. Submissions often include vague claims about security without the supporting proof regulators expect — such as a tested update strategy, risk-based control validation, or penetration testing results. These gaps frequently trigger clarification rounds with Notified Bodies, extending timelines and slowing down market access.

At Sekurno, we tailor penetration testing to the unique architecture of medical and diagnostic software. From web interfaces to APIs and cloud-connected endpoints, we simulate real-world threats that help uncover high-impact vulnerabilities early. Our testing delivers evidence for both your QMS and Technical Documentation — helping ensure conformity across development, risk controls, and regulatory submission.


Whether you’re building a Class IIa or IIb software-only device or a high-risk connected Class III system, we equip your team with both confidence and compliance evidence, empowering you to launch securely and meet EU regulatory expectations head-on.

Sekurno’s MDR/IVDR-Aligned Penetration Testing Service

What We Test — Through a CE-Marking Lens

We assess the real-world resilience of the entire connected ecosystem around your device — including companion apps, cloud infrastructure, APIs, and backend systems — ensuring it’s ready for both market launch and regulatory scrutiny.

Defense-in-Depth Testing for MDR/IVDR Devices

Our testing methodology is built to validate that cybersecurity controls are not just defined, but demonstrably effective, using methods that mirror real-world attack scenarios and align with secure product development best practices.

Methodologies

True to our commitment, we don't merely reference methodologies such as the OWASP testing guides and PTES; we follow them. Each engagement concludes with a detailed checklist recording which tests were performed and their results, giving you transparent, verifiable evidence of adherence to these recognized standards.

From Findings to Peace of Mind

Upon the conclusion of each project, we furnish our clients with the essential insights and documentation:

Compliance Testing Solutions Beyond EU MDR/IVDR

Our penetration testing services are designed to make your systems truly secure, not just technically compliant. By focusing on real-world threats and infrastructure risks, we help you meet and exceed the expectations of regulations and frameworks such as GDPR, HIPAA, FDA cybersecurity requirements, ISO/IEC 27001, and SOC 2. Whether you're preparing for regulatory submissions, client due diligence, or certification audits, we ensure your cybersecurity posture delivers lasting protection and regulatory confidence.


HIPAA


FDA


ISO/IEC 27001


SOC 2

Talk to us

Chat with a cybersecurity expert. Schedule a call with us and we'll work with you to understand your specific needs and create a tailored solution for you.

What Our Clients Say

Nima S, CEO, OASYS NOW

We felt that Sekurno really checked every bit and piece of our system.

This was evident in the deliverables they provided, with full transparency — including the testing status of each OWASP WSTG requirement and testing logic informed by their own threat modeling.

They were also the only team that advocated for a white-box approach — giving their security engineers deeper visibility into our application’s implementation and design, which can ultimately help with uncovering meaningful issues. It made the entire process feel aligned with how we actually build and operate.
