Cyber Security Is Now a Patient Safety Obligation

“The vendors who act now go into the mandate with a current assurance output — not a queue position”

“The manufacturers who establish independent assurance before the mandate arrives have a procurement advantage, a regulatory buffer, and a defensible position if a cyber incident occurs”

MHRA post-market surveillance regulations came into force in June 2025. A cyber vulnerability in your connected device is now a notifiable safety event and not an IT issue. Independent assessment gives you the evidence to demonstrate you have it under control.

MHRA PMS regulations have been in force since June 2025. Serious cyber incidents must be reported within 15 days. NHS DSPT Version 8 deadline: 30 June 2026.

The regulatory bar for medical device cybersecurity has moved

Manufacturers must now proactively monitor device security and report cyber-related incidents within 15 days. NHS procurement already requires evidence of cybersecurity readiness. And the MHRA is publishing dedicated SaMD cybersecurity guidance in 2026. Self-declaration is no longer credible evidence.

What your clients are asking

"Your device connects to our network and processes patient data. What independent evidence do you have of its cybersecurity posture?"

NHS procurement teams are asking this question now. MHRA will require it in regulation by 2027. Independent CRTF assessment provides the structured, credible evidence to answer it.

What Our Product Assessment Covers

Security by Design

  • Threat modelling from requirements
  • Secure development evidence

Connected Attack Surface

  • Network interfaces
  • Data transmission security
  • Cloud backend security

Software Lifecycle

  • Update mechanisms
  • Version control integrity
  • OTA security

Post-Market Surveillance

  • Vulnerability monitoring
  • Incident response process
  • MHRA reporting alignment

Supply Chain Integrity

  • Third-party components
  • SBOM visibility
  • Dependency risk management

Operational Security

  • Clinical environment integration
  • Access controls
  • Audit trail evidence

The Timeline You Need to Know

Jun 2025

MHRA PMS regulations in force. 15-day cyber incident reporting.

Jun 2026

NHS DSPT v8 deadline. Independent audit requirements.

2026

MHRA AI medical device framework and SaMD cybersecurity guidance published.

2027–28

Independent assurance expected as condition of NHS procurement and MHRA registration.

WHY SECURLAB?

FULL ACCREDITATION STACK

ISO 17020 (Pending) | ISO 27001 | ISO 9001 | CE+

The most comprehensive assurance credential set available from an independent specialist.

INDEPENDENT

We do not consult for the clients we assess.

Our output is credible because our independence is structural, not claimed.

NCSC-LISTED CRTF

One of the only independent specialist CRTFs in the UK.

Listed on the NCSC website — the credential procurement teams recognise.

FASTER AND CLEARER

Workflow platform reduces delivery time without reducing quality.

You know what we are assessing, what evidence we need, and what the output will look like.

FAQs

  • Not yet as a formal mandate; however, MHRA post-market surveillance regulations already require you to monitor and report cyber incidents within 15 days, and NHS procurement already asks for cybersecurity evidence. Independent assurance gives you the evidence base for both. The formal mandate is expected in 2027.

  • Yes. Our assessment methodology maps to NCSC security principles, which align with the MHRA's stated direction for SaMD cybersecurity requirements. We explicitly reference MHRA PMS obligations in our assessment scope.

  • Partially. EU MDR requires cyber risk management but does not mandate independent cybersecurity assessment in the structured way NCSC CRTF does. UK MHRA requirements are increasingly diverging from EU MDR, and UK NHS procurement has specific evidence expectations.

  • Yes, and urgently. Under new UK medical device regulations expected in 2026, most SaMD products will be reclassified as Class IIa, bringing significantly more rigorous requirements. Establishing your cybersecurity evidence base now, before reclassification, is materially easier than doing it under regulatory pressure.

  • You must report to MHRA within 15 days. Without independent assurance evidence, demonstrating that you had adequate cybersecurity controls in place becomes significantly harder, increasing both regulatory and legal exposure. Independent assessment is your evidence that controls existed and were independently validated.