MDR/IVDR Training
Regulatory Compliance

SaMD, Cybersecurity & EUDAMED

Software as a Medical Device, Digital Security & the EU Database

The digital transformation of healthcare brings new regulatory challenges. Software as a Medical Device (SaMD) is now explicitly regulated under the MDR/IVDR, cybersecurity is a mandatory General Safety and Performance Requirement, and EUDAMED is the EU's central database for medical device transparency. This module covers all three pillars.

Software as a Medical Device (SaMD)

Under the MDR and IVDR, software intended to be used for a medical purpose is explicitly a medical device in its own right — even if it runs on general-purpose hardware like a smartphone or cloud server. This is one of the most significant expansions of scope compared to the old MDD/IVDD framework.

Why This Matters for You

Many clinical decision-support tools, diagnostic apps, and patient monitoring software used in hospitals are now regulated medical devices. Understanding SaMD qualification helps you identify which software in your hospital requires CE marking and which does not.

Key Regulatory References

MDR Annex VIII Rule 11 (Software Classification): Primary classification rule for standalone software medical devices
MDR Annex I §17.2/17.4 (Cybersecurity GSPRs): General Safety & Performance Requirements for IT security and software devices
MDCG 2019-11 (Software Qualification): Guidance on qualification and classification of software under MDR/IVDR
MDCG 2019-16 (Cybersecurity Guidance): Guidance on cybersecurity for medical devices, covering key principles and requirements
MDR Articles 27–29 (UDI System): Requirements for Unique Device Identification (UDI-DI, UDI-PI, and UDI database)
MDR Articles 33–34 (EUDAMED): Establishment and management of the European Database on Medical Devices
IEC 62304 (Software Lifecycle): Medical device software lifecycle processes (development, maintenance, risk management)
IEC 81001-5-1 (Health Software Security): Security activities in the product lifecycle of health software and health IT systems
IMDRF SaMD N12 (SaMD Risk Framework): International framework for SaMD risk categorisation (informative, not legally binding in EU)
MDCG 2020-1 (Clinical Evaluation of SaMD): Guidance on clinical evaluation of medical device software (including AI/ML)

Key Takeaways

Identify which clinical software in your hospital qualifies as SaMD and verify it carries valid CE marking
Include cybersecurity requirements in medical device procurement — ask for SBOM, patch policy, and end-of-support dates
Implement UDI scanning at point of use to improve traceability and enable faster recalls
Monitor EUDAMED for device safety alerts, certificate status, and Notified Body information

Irish Context — SaMD & the HPRA

Software as a Medical Device (SaMD) falls under HPRA oversight in Ireland. If your hospital is developing or procuring clinical decision support software, confirm its regulatory status with the manufacturer.

The HPRA follows MDCG 2019-11 guidance for qualifying and classifying software — the same framework covered in this module.

This is educational content only and is not an accredited or externally verified course. Always refer to official HPRA publications and your facility's own policies.