CE-Ready penetration testing for EU MDR & IVDR Compliance
In a market where every line of code can impact a life, cybersecurity isn’t just a technical concern — it’s a business-critical commitment. The EU MDR and IVDR demand more than functional safety; they require verifiable assurance that your software is protected against evolving cyber threats.
At Sekurno, we help you bridge the gap between innovation and compliance through targeted, regulator-aligned penetration testing — protecting your product, your users, and your path to CE-marked success.
Built-in security for EU MDR/IVDR Compliance
Security, safety, and performance are foundational principles under both the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).
For any device containing software — embedded or standalone — cybersecurity must be:
Built-in from design
Maintained across the lifecycle
Proven through objective evidence
Manufacturers must address digital risks with the same rigor as clinical safety, ensuring protection against unauthorized access, data loss, and software compromise. This means implementing proactive, verifiable controls — and validating them with real-world testing.

Core cybersecurity requirements
Risk Management of Security Threats
MDR Annex I §3; IVDR Annex I §3; MDCG 2019-16, §3.2
Manufacturers must treat cybersecurity threats as part of their risk management system — continuously identifying, assessing, mitigating, and monitoring security risks & vulnerabilities throughout the device lifecycle.
Secure-by-Design Software
MDR Annex I §17.2; IVDR Annex I §16.2; MDCG 2019-16, §3.1
For both embedded systems and standalone medical software, development must follow secure software lifecycle practices — including risk analysis, threat modeling, and robust verification and validation methods.
Protection from Unauthorized Access
MDR Annex I §17.4 & §18.8; IVDR Annex I §16.4; MDCG 2019-16, §3.6
Devices must include technical measures that prevent unauthorized access, ensure data confidentiality, and enforce secure configuration of software, hardware, and connected networks.
Validation of Security Functionality
MDR Annex I §17.2; IVDR Annex I §16.2; MDCG 2019-16, §3.7
Security controls must not only be documented but demonstrably effective. This requires practical testing — such as penetration tests, code reviews, or security feature validation — aligned with the product’s risk profile.
Penetration testing: a required layer of assurance
Defence-in-depth strategy is a key philosophy of the secure medical device development life-cycle. It comprises security practices that define the essential processes an organisation must implement across the entire product lifecycle.
At the heart of this strategy lies security verification and validation testing, which ensures that cybersecurity controls are not only present, but truly effective in practice.
Security verification and validation testing is a structured, evidence-based assessment used to confirm that a device’s cybersecurity controls are effective, implemented correctly, and function as intended in real-world conditions. It ensures security is maintained throughout the device lifecycle — from development to deployment and beyond.
Regulatory Expectations:
Although penetration testing is not explicitly mentioned in the MDR or IVDR, it is strongly recommended in MDCG 2019-16 as part of cybersecurity verification and validation activities — particularly for software classified as Class IIa, IIb, or III.
In practice, Notified Bodies often request evidence of penetration testing during the review of Technical Documentation to demonstrate the effectiveness of implemented security controls.

According to MDCG 2019-16, Guidance on Cybersecurity for medical devices, security verification and validation testing methods should include:
Manual Penetration Testing
Secure Code Review
Fuzz Testing
Security Feature Testing
Vulnerability & Dependency Scanning
Penetration testing isn’t just a security add-on — it's a regulatory enabler. It ensures your product design is resilient, your QMS remains effective, and your documentation aligns with what Notified Bodies expect to see. It helps you:
Validate the effectiveness of your cybersecurity controls
Demonstrate compliance with regulatory expectations
Minimize exploitable vulnerabilities and reduce cyber risk
Produce audit-ready evidence for your Technical Documentation
Strengthen post-market surveillance with actionable security insights
Prevent delays in CE marking due to missing or weak security validation
In practice, most auditors and enterprise buyers expect to see real evidence that your security program is working under pressure. Penetration testing provides exactly that — helping you move from documented intent to demonstrated assurance.
Common reasons for CE marking delays
One of the leading causes of CE marking delays is incomplete cybersecurity documentation and missing verification evidence. Submissions often include vague claims about security without the supporting proof regulators expect — such as a tested update strategy, risk-based control validation, or penetration testing results. These gaps frequently trigger clarification rounds with Notified Bodies, extending timelines and slowing down market access.
At Sekurno, we tailor penetration testing to the unique architecture of medical and diagnostic software. From web interfaces to APIs and cloud-connected endpoints, we simulate real-world threats that help uncover high-impact vulnerabilities early. Our testing delivers evidence for both your QMS and Technical Documentation — helping ensure conformity across development, risk controls, and regulatory submission.

Whether you’re building a Class II software-only device or a high-risk connected system, we equip your team with both confidence and compliance evidence — empowering you to launch securely and meet EU regulatory expectations head-on.
Sekurno’s MDR/IVDR-Aligned Penetration Testing Service
What we test — through a CE-marking lens
We assess the real-world resilience of the entire connected ecosystem around your device — including companion apps, cloud infrastructure, APIs, and backend systems — ensuring it’s ready for both market launch and regulatory scrutiny.
K8S Configurations
Container isolation, configuration checks, network policies, role-based access control, etc.
Mobile Applications
Insecure local storage, root/jailbreak vulnerabilities, misuse of biometric APIs, session replay, or over-permissive access to device resources
Web Applications
Broken access controls (e.g., IDOR), insecure authentication flows, session hijacking, XSS/CSRF flaws, or unencrypted personal health data in transmission
Leaked or Weak Credentials
Credential reuse, hardcoded secrets in codebases or CI/CD, exposed secrets in containers, or credentials found in public repositories
Network Pentesting
Unfiltered ports, legacy or insecure protocols (e.g., FTP, Telnet), improper firewall zoning, or unsafe pathways from external interfaces to patient-impacting systems
Cloud Infrastructure
Public cloud storage with patient data, insecure backups, over-permissive IAM roles, missing encryption at rest, or logging gaps that hinder incident response
API Testing
Missing access validation, broken object-level authorization, insecure rate limits, weak cryptography, or exposure of health data through unprotected endpoints
Defense-in-Depth testing for MDR/IVDR devices
Our testing methodology is built to validate that cybersecurity controls are not just defined, but demonstrably effective, using methods that mirror real-world attack scenarios and align with secure product development best practices.
Threat Modeling
Before testing, we conduct threat modeling to pinpoint risks specific to the designated scope. This is a vital step in our planning before execution.
Manual Penetration Testing
Recognizing the possibility of human error, we counteract it by providing detailed checklists of all tests conducted.
Secure Code & Logic Review Testing
Code-informed testing stands out as the prime risk-reduction strategy, and we're masters at it. A substantial number of our team previously worked as developers.
Automated Scanning (SAST/DAST)
Each detection method excels at identifying particular types of vulnerabilities. We utilize every method: SAST, DAST, SCA, Code review, and Manual testing.
Dependency & Component Analysis
Guided by your business context and our risk management expertise, we provide solutions tailored to facilitate your business growth.
Methodology
True to our commitment, we don't merely reference methodologies like OWASP and PTES — we embody them. After thorough testing, we conclude with a detailed checklist, ensuring transparent and genuine adherence to these recognized standards.

From findings to peace of mind
Upon the conclusion of each project, we furnish our clients with the essential insights and documentation:
Penetration Testing Report
A dual-focused document combining an executive summary for decision-makers with in-depth technical findings for your engineers. Includes real-world impact, reproduction steps, and prioritized fixes.
Threat Model Document
A structured representation of the threat landscape tailored to your environment, highlighting potential threats and their prioritized mitigation.
Testing Checklist
A comprehensive list enumerating every test we conducted, ensuring transparency and thoroughness in our approach.
Letter of Attestation
A formal statement confirming all critical and high-risk issues have been remediated and verified, providing independent validation of your system’s security posture.
Compliance testing solutions beyond MDR/IVDR
Our penetration testing services are designed to make your systems truly secure — not just technically compliant. By focusing on real-world threats and infrastructure risks, we help you meet and exceed the expectations of critical frameworks like GDPR, HIPAA, FDA, ISO/IEC 27001, and SOC 2. Whether you're preparing for regulatory submissions, client due diligence, or certification audits, we ensure your cybersecurity posture delivers lasting protection and regulatory confidence.
SOC 2
FDA
EU MDR/IVDR
ISO 27001
What our clients are saying
90% of our clients return
Sekurno exceeded our expectations, identifying critical vulnerabilities that neither we nor other vendors had detected, and providing actionable recommendations. Their team was responsive, flexible, and consistently provided valuable insights.
Sep 18, 2024

Markus T.
Chief Technology Architect

If you are going to invest in penetration testing, make sure it is more than just a formality. Work with a partner who helps you learn something from the process and improves your actual security. With Sekurno, we received useful feedback and our team became more security aware as a result.
April 11, 2025

Mads
CTO

Our collaboration with Sekurno has consistently been seamless.
Jun 12, 2023

Roy
DG VP

We were genuinely impressed; Sekurno identified vulnerabilities that even major cybersecurity companies within the Google group missed.
April 11, 2025

Chan S.
CEO

Their expertise was evident in every aspect of the engagement.
Sep 18, 2024

Max, R.
Deputy CTO