
Medical Device Regulation UK Update (June 2025): Post-Market Surveillance (PMS) Cybersecurity Requirements


1. Executive summary 

The medical device compliance landscape in Great Britain (England, Wales and Scotland) has undergone a significant transformation with the introduction of new Post-Market Surveillance (PMS) regulations.

Luke Hill, Senior Security Consultant at Cyber Alchemy, explains how these crucial updates, which officially came into force on the 16th of June, 2025, represent a pivotal shift in how medical devices are regulated throughout their entire lifecycle.  

2. The New Landscape of Medical Device Regulation in the UK

On the 16th of June 2025, the UK’s first dedicated Post-Market Surveillance (PMS) regulations entered force, radically tightening the cyber obligations in Great Britain. These amendments introduce comprehensive PMS requirements for all medical devices, including in vitro diagnostic (IVD) devices and active implantable medical devices. Significantly, they explicitly extend to Software as a Medical Device (SaMD), highlighting the growing recognition of software’s critical role in patient safety.  

The regulations apply to medical devices placed on the market or put into service from the 16th of June 2025 onwards, irrespective of whether they bear a CE mark or a UKCA mark. Devices already on the market before that date continue to operate under the previous regulations, but if further individual units of an existing model are placed on the market after this date, all applicable new PMS requirements must be met for them. To simplify this, the Medicines and Healthcare products Regulatory Agency (MHRA) recommends that organisations migrate fully to the new requirements: it is simpler to operate one system, and the new regulations exceed the old ones in every respect.

It is also important to note that the PMS regulations apply only in Great Britain (England, Scotland and Wales); Northern Ireland falls under the post-market surveillance rules set out in EU MDR 2017/745 and EU IVDR 2017/746.

3. What does it mean? A Cybersecurity Perspective 

For medical device manufacturers, one of the most impactful aspects of these new regulations is the explicit integration of cybersecurity into post-market oversight. Cybersecurity is no longer just an IT concern; it is a regulated safety issue requiring vigilant attention and prompt action. The key takeaways from the legislation from a cybersecurity perspective are:

Vulnerabilities as Reportable Incidents 

Crucially, the UK’s PMS regulations now explicitly recognise cybersecurity flaws as potential device incidents. If a security vulnerability is identified in a medical device and could lead to a serious deterioration in health, it is treated as a “serious incident” under the vigilance system and must be reported to the regulator. 

Mandatory Patching and Field Safety Corrective Actions (FSCAs) 

Any software patch or update required to fix a critical cyber issue must be deployed as a Field Safety Corrective Action (FSCA). This means manufacturers are legally required to issue timely updates and security patches, following a formal FSCA procedure, which includes notifying users via Field Safety Notices (FSNs) that are first reviewed by the MHRA. 

Proactive Risk Management and Monitoring 

The legislation imposes “clearer duties for risk mitigation and communication”. Manufacturers must integrate cyber risk management into their quality systems and PMS plans. This includes proactively monitoring for threats and vulnerabilities, keeping abreast of known vulnerabilities (e.g., CVEs) in device software or third-party components, and monitoring device performance for signs of attack or misuse. Post-market data must feed back into risk management, requiring manufacturers to update their risk assessments and technical documentation in light of real-world findings, including new cyber threats. 

Tightened Incident Reporting Timelines 

The overhaul significantly tightens incident reporting timelines, and these apply equally to cyber-related incidents. Manufacturers must report any serious incident (including those arising from cyberattacks or software failures) to the MHRA within 15 days. Two shorter deadlines apply: incidents that represent a serious public health threat must be reported within 2 days, and incidents resulting in death or an unanticipated serious deterioration in health must be reported within 10 days.

Trend Analysis Including Cyber Events 

Manufacturers are now required to analyse incident data to spot patterns or increasing frequency of events, which explicitly encompasses cybersecurity events. This helps ensure emerging cyber risks are detected and acted upon early. 

Documentation and Reporting Obligations 

Manufacturers must compile Post-Market Surveillance Reports (PMSRs) or Periodic Safety Update Reports (PSURs) at defined intervals, summarising device performance, safety issues, and actions taken. These reports must include summaries of cybersecurity incidents, updates deployed, and any trend data on cyber threats. All PMS records, including incident reports and FSCA details, must be retained for 10 years (or 15 years for implants). 

4. Alchemical Insights – Key actions to take now  

To thrive in this new regulatory environment, proactive engagement with cybersecurity and PMS is not optional—it’s foundational. Here are key actions for your company: 

Embed Cybersecurity into Your DNA 

Treat cybersecurity vulnerabilities as direct safety incidents. Integrate cyber risk management directly into your quality management system and PMS plan, moving beyond a checkbox approach. If you develop software, aligning to IEC 81001-5-1 is a sound choice: it is the standard that governs the lifecycle activities for developing and maintaining secure health software.

Implement Proactive Threat Monitoring With an SBOM

Actively monitor for emerging cyber threats, known vulnerabilities (CVEs) in your device’s software and third-party components, and any anomalies in device performance that could indicate a cyber issue.  

Maintaining an accurate software inventory as an SBOM is the foundation of this monitoring: you cannot tell which CVEs affect your devices unless you know exactly which components and versions are inside each shipped build, and an SBOM is essential for secure software development in its own right.

Threat intelligence and CVE feeds are the other half of the picture when planning to meet the threat-monitoring requirement. The National Vulnerability Database offers a free API for those wanting to build their own CVE feed, and several commercial and open-source tools will continuously match an SBOM against vulnerability data for you.
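The following is an added example of the SBOM-to-CVE matching step described above; it is not code from the original post or from Cyber Alchemy. It assumes a CycloneDX JSON SBOM, a vulnerability feed whose entries carry NVD-style affected-version fields (versionStartIncluding, versionEndExcluding and so on), and a CVSS 7.0 triage threshold chosen here purely for illustration. The SBOM contents, feed entries and CVE identifiers are all constructed; in production the feed would be populated from the NVD 2.0 API or a commercial scanner, while the matching logic stays the same.

```python
"""Added example: cross-reference a CycloneDX SBOM against a CVE feed, offline.

Everything below (SBOM, feed, CVE IDs, threshold) is constructed for
illustration and describes no real device or real vulnerability. A live
feed would come from the NVD 2.0 API, e.g.
https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=<cpe>, whose
cpeMatch objects use the same version-range field names modelled here.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM for a hypothetical device build.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "firmware", "name": "example-pump-ctrl", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "zlib",            "version": "1.2.12", "purl": "pkg:generic/zlib@1.2.12"},
    {"type": "library", "name": "lwip",            "version": "2.1.3",  "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "library", "name": "mbedtls",         "version": "2.28.3", "purl": "pkg:generic/mbedtls@2.28.3"},
    {"type": "library", "name": "freertos-kernel", "version": "10.4.3", "purl": "pkg:generic/freertos-kernel@10.4.3"}
  ]
}
"""

# Constructed feed. Field names mirror NVD cpeMatch objects; the CVE IDs are dummies.
FEED = [
    {"cve": "CVE-0000-0001", "product": "zlib",
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.13", "cvss": 9.8},
    {"cve": "CVE-0000-0002", "product": "lwip",
     "versionEndIncluding": "2.1.2", "cvss": 7.5},
    {"cve": "CVE-0000-0003", "product": "mbedtls",
     "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.4.0", "cvss": 5.3},
    {"cve": "CVE-0000-0004", "product": "freertos-kernel",
     "versionEndExcluding": "10.4.4", "cvss": 7.8},
]

# Assumed triage threshold: findings at or above this CVSS score are routed into
# the FSCA process for a safety-impact assessment. Pick your own in the PMS plan.
FSCA_CVSS_THRESHOLD = 7.0


def parse_version(text: str) -> tuple:
    """'1.2.12' -> (1, 2, 12). Only digit runs are kept, so pre-release tags such
    as '-rc1' are treated as an extra numeric component (a known simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _compare(a: str, b: str) -> int:
    """-1, 0 or 1 comparing two version strings; shorter tuples are zero-padded."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def in_range(version: str, entry: dict) -> bool:
    """True if `version` lies inside the affected range of an NVD-style entry."""
    if "versionStartIncluding" in entry and _compare(version, entry["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in entry and _compare(version, entry["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in entry and _compare(version, entry["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in entry and _compare(version, entry["versionEndExcluding"]) >= 0:
        return False
    return True


def match_sbom(sbom: dict, feed: list) -> list:
    """Findings (highest CVSS first) for every SBOM component hit by a feed entry."""
    findings = []
    for comp in sbom.get("components", []):
        for entry in feed:
            if entry["product"] == comp["name"] and in_range(comp["version"], entry):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "cve": entry["cve"],
                    "cvss": entry["cvss"],
                    "fsca_candidate": entry["cvss"] >= FSCA_CVSS_THRESHOLD,
                })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def scan_device(sbom_json: str = SBOM_JSON, feed: list = FEED) -> list:
    """Parse the SBOM and run the match; the entry point a scheduled CI job would call."""
    return match_sbom(json.loads(sbom_json), feed)


if __name__ == "__main__":
    for f in scan_device():
        flag = "FSCA review" if f["fsca_candidate"] else "track"
        print(f'{f["cve"]:14} {f["component"]} {f["version"]}  CVSS {f["cvss"]}  -> {flag}')
```

Run on the constructed data, only zlib 1.2.12 and freertos-kernel 10.4.3 are flagged, both above the assumed threshold; lwip 2.1.3 and mbedtls 2.28.3 fall outside their entries' ranges and produce nothing. The point of keeping the range logic separate from the feed source is that the same function works whether the ranges come from the NVD API, a vendor advisory or a hand-maintained watchlist, and the evidence it produces (component, version, CVE, score, triage decision) is exactly what a PMSR or PSUR needs to summarise.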

Prepare for Tightened Incident Reporting Timelines 

Be ready to report serious incidents, including those stemming from cyberattacks or software failures, to the MHRA within 15 days, or more urgently (2 or 10 days, depending on severity) for the most serious cases. Having incident report templates prepared in advance saves time in a crisis and helps ensure you can meet the MHRA deadlines.

Formalise Software Patching and Updates 

Establish clear, rapid processes for developing and deploying software patches or updates for critical cyber issues as FSCAs, ensuring all necessary Field Safety Notices (FSNs) are promptly drafted, submitted for MHRA review and issued. Write a 72-hour patch playbook; at a high level, the process could be:

Triage → develop → validate → draft FSN → MHRA submission → deploy

Drafting an FSN template for security patches using plain English and patient-centric language is another good way to streamline this process.  

Comprehensive Reporting for PMSRs/PSURs 

Ensure your Post-Market Surveillance Reports (PMSRs) and Periodic Safety Update Reports (PSURs) thoroughly document all cybersecurity incidents, updates deployed, and any trend data related to cyber threats. Be prepared to provide these reports to the MHRA within three working days upon request. With that three-day turnaround, it’s essential to keep the evidence pack submission ready.  

Review and Update Your PMS System 

Ensure your existing PMS system is capable of continuously gathering and analysing data on device performance and safety throughout its entire expected lifespan and even beyond, especially for cyber-related issues. 

5. Conclusion  

The new UK medical device regulations underscore a clear message: robust cybersecurity is no longer merely an add-on; it is fundamental to patient safety, market access, and maintaining trust in your medical technologies. Navigating these complex requirements demands expertise and a proactive approach. 

Cyber Alchemy specialises in helping MedTech companies understand and implement the rigorous security measures required by the latest UK regulations. From integrating cyber risk management into your PMS plan to enabling development teams to set up robust vulnerability monitoring and patching capabilities through training and hands-on consultancy, we are here to support your journey. 

Let robust compliance and proactive security become your competitive advantage. Contact us today to discuss how we can help you build secure, compliant and resilient medical devices for the UK market.

Further Reading

Medical devices post-market surveillance requirements: https://www.gov.uk/government/publications/medical-devices-post-market-surveillance-requirement

DTAC Compliance Services: https://cyberalchemy.co.uk/service/dtac-compliance/

About the author 

Luke Hill, Senior Security Consultant at Cyber Alchemy 

Luke brings deep expertise in security consultancy, penetration testing and regulatory-aligned security measures in the Health and Social Care sector. He leads Cyber Alchemy’s technical and regulatory efforts in the MedTech space, supporting a broad range of MedTech companies in building resilient devices and applications to achieve compliance with complex UK, USA, and EU regulations. 
