
Are there general authentication requirements for patient mobile applications under MDR?

Anonymous · Published June 20, 2025 · 2 comments
Are there any general guidelines or requirements under the Medical Device Regulation (MDR) for authentication in patient-facing mobile applications?
I am specifically interested in requirements that would apply across multiple markets, not country-specific identity verification rules. I have found that the MDCG cybersecurity guideline only mentions 'sufficiently complex passwords', which seems vague. Are there more concrete or widely accepted standards, or is this generally left open to interpretation?


Charlotte Evans 12 months ago
Looking for MDR-wide requirements, not country-specific ones.
Samantha Green 12 months ago
Interested in recommendations beyond 'complex passwords' in MDCG guidance.

Discussion

2 Answers

Accepted answer · Dr. Oliver Eidel · Founder & CEO, OpenRegulatory
Overall, MDR does not specify detailed authentication requirements for patient mobile applications. The MDCG cybersecurity guidance mainly suggests using 'sufficiently complex passwords,' which is quite general. Most of the specifics are left open, and there are no concrete requirements that apply across all markets under MDR.
For certain countries, like Germany (e.g., for DiGA applications), there are stricter requirements such as two-factor authentication, but these are local rules rather than MDR-wide. For a scalable approach, you might want to follow best practices like offering two-factor authentication and secure password policies, but MDR itself does not mandate specifics.


Anonymous · Regulatory Affairs Specialist, MediSafe AG
There's a product standard in Germany, BSI TR 03161, for digital health applications. It's quite detailed, although maybe more than needed for MDR compliance. It can offer some guidance if you want to go beyond the basics, but keep in mind it's a national, not EU-wide, requirement. The current official version is only in German but may provide helpful ideas.

