5. Governance Layer
5.1 Management & Audit Log
What this module is, in one paragraph. The Management & Audit Log is the executive launchpad for the QMS — the single screen that aggregates findings from CAPA, Risk, Training, Document Control, AI Findings, Vigilance, and EUDAMED into one inbox; hosts the ISO 13485:2016 15-clause coverage matrix (which Wrapper module satisfies each clause, with status); tracks internal audit cycles (§8.2.3); hosts management review records (§5.6); tracks NB communications (every email / letter / certificate exchange per response-deadline); surfaces the AI Act conformity matrix (Articles 9-15, 17, 72) split into two scopes (Wrapper-own AI obligations and customer-AI obligations); and renders the Regulatory Health Score gauge per device per regulator. ISO 13485 §5.6 (Management Review) requires top management to review the QMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness; §8.2.3 (Internal Audit) requires planned audits; §8.2.4 (Monitoring and Measurement of Processes) requires evidence of process performance. FDA 21 CFR 820.20 (Management Responsibility) and §820.22 (Quality Audit) impose the equivalent. MDR Annex IX §2.2 specifies that the NB audits all of these. EU AI Act Art. 14 + Art. 17 require organisational and management oversight of AI systems.
Regulatory pathway summary. Supports ISO 13485:2016 §5.6 (management review) + §8.2.3 (internal audit) + §8.2.4 (monitoring); FDA 21 CFR 820.20 (management responsibility) + §820.22 (quality audit); MDR Annex IX §2.2 (NB audit of management procedures); MDSAP Chapter 1 (Management); EU AI Act Art. 14 (Human Oversight) + Art. 17 (QMS for AI); ISO 14971:2019 §4.4 (risk-management review); ISO 13485 §4.1.6 (validation of QMS software).
| | |
|---|---|
| Purpose | The QMS Manager’s command-and-control deck — one screen for executive oversight. |
| What the user sees | Tiles: Open Gaps by Regulation (MDR / FDA / AI Act / ISO 13485 / ISO 27001 / SOC-2); Audit Findings Severity matrix (Major × Minor × Observation, Open × Closed); Upcoming Reviews; Vigilance Snapshot last-30d; ISO 13485 clause-coverage map (15 clauses); AI Act conformity tile (dual scope); NB communication queue; eQMS validation tile; Regulatory Health Score gauges per device. |
| Regulatory frameworks | ISO 13485 §5.6, §8.2.3, §8.2.4, §4.1.6; FDA 21 CFR 820.20, §820.22; MDR Annex IX §2.2; MDSAP Chapter 1; EU AI Act Art. 14, 17; ISO 14971 §4.4. |
| Solves the regulatory problem of | "Management review not documented" — most common ISO 13485 §5.6 finding; ISO 13485 clause-by-clause coverage not retrievable at audit. |
| Pathway milestone unlocked | NB surveillance audit readiness; MDSAP audit readiness; FDA QMSR alignment (effective 2 Feb 2026); ISO 13485 §5.6 + §8.2.3 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Management review | ISO 13485 §5.6; 21 CFR 820.20(c); MDSAP Chapter 1 | Periodic (typically quarterly / biannually) | All classes |
| Management review inputs | ISO 13485 §5.6.2 | Every review session | All classes |
| Management review outputs | ISO 13485 §5.6.3 | Every review session | All classes |
| Internal audit programme | ISO 13485 §8.2.3; 21 CFR 820.22 | At planned intervals | All classes |
| Internal audit results | ISO 13485 §8.2.3 | After each audit | All classes |
| Monitoring of QMS processes | ISO 13485 §8.2.4 | Continuous | All classes |
| eQMS software validation | ISO 13485 §4.1.6 | Software used in QMS | All classes |
| ISO 13485 §4.1.6 — Wrapper-as-tool | ISO 13485 §4.1.6 | Validation evidence pack | All classes |
| ISO 13485 §4.2.3 — Document control coverage | ISO 13485 §4.2.3 | Continuous | All classes |
| ISO 13485 §5.6 management review | (above) | (above) | All classes |
| ISO 13485 §6.2 training | (above) | (above) | All classes |
| ISO 13485 §7.1 product realisation planning | (above) | (above) | All classes |
| ISO 13485 §7.3 design and development | (above) | (above) | All classes |
| ISO 13485 §7.3.10 design transfer | (above) | (above) | All classes |
| ISO 13485 §7.4 purchasing | (above) | (above) | All classes |
| ISO 13485 §7.5.1 control of production | (above) | (above) | All classes |
| ISO 13485 §8.2.1 feedback | (above) | (above) | All classes |
| ISO 13485 §8.2.3 internal audit | (above) | (above) | All classes |
| ISO 13485 §8.2.4 monitoring of processes | (above) | (above) | All classes |
| ISO 13485 §8.3 control of non-conforming product | (above) | (above) | All classes |
| ISO 13485 §8.4 data analysis | (above) | (above) | All classes |
| ISO 13485 §8.5.2 corrective action | (above) | (above) | All classes |
| ISO 13485 §8.5.3 preventive action | (above) | (above) | All classes |
| NB communications | MDR Annex IX §3.4; MDCG 2021-8 | Every NB exchange | All classes (NB scope) |
| EU AI Act Art. 14 (oversight tile) | EU AI Act Art. 14 | High-risk AI deployment | High-Risk AI |
| EU AI Act Art. 17 (AI QMS) | EU AI Act Art. 17 | High-risk AI Provider | High-Risk AI |
| ISO 14971 §4.4 review | ISO 14971 §4.4 | Risk-management review | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Management review inputs aggregator | "Show me the inputs to the last management review" — ISO 13485 §5.6.2 evidence in one click. |
| ISO 13485 15-clause coverage | "Which Wrapper module satisfies clause X?" — answered with a coverage map. |
| Internal audit cycle | §8.2.3 audit programme not documented — top-five ISO 13485 stage-2 finding. |
| NB communication queue | "Show me your response to NB letter X" — answered with timestamped log. |
| AI Act conformity tile dual scope | Wrapper-own AI obligations confused with customer-AI obligations — operational risk in dual-Provider environments. |
| eQMS validation tile | ISO 13485 §4.1.6 evidence not retrievable — NB observation; SaaS validation gap. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Management review records | ISO 13485 §5.6 surveillance pass; MDSAP Chapter 1 evidence |
| 15-clause coverage map | NB Annex IX clause-coverage review; MDSAP Chapter mapping |
| Internal audit cycle | ISO 13485 §8.2.3 evidence; FDA 21 CFR 820.22 readiness |
| NB communication log | MDR Annex IX §3.4 audit-trail of cooperation |
| AI Act conformity matrix | EU AI Act Art. 17 evidence |
| eQMS validation | ISO 13485 §4.1.6 evidence |
Why these regulations are non-negotiable. "Management review not documented" is the most common ISO 13485 §5.6 audit finding. Without §8.2.3 internal-audit evidence, the QMS fails stage-2 audit. Without §4.1.6 eQMS validation evidence, the use of any software (including Wrapper itself) in the QMS is unsupported — a fundamental NB finding. Under MDR Annex IX §2.2, the NB audits all management procedures including their software implementation.
Who uses this module and when. QMS Manager daily. Executive sponsor weekly. PRRC monthly for §5.6 management review session. NB / MDSAP auditor at every audit. FDA inspector at every inspection (especially §820.20 management responsibility).
5.2 AI Governance Log
What this module is, in one paragraph. The AI Governance Log is the operational evidence engine for every AI system used by Wrapper and by Wrapper’s customers — covering both Wrapper’s own seven AI workflows (FormSuggestion, ImpactMapper, SmartImpactMapper, Search, RiskDiscussion, TrainingDiscussion, TrainingImpact) and customer-embedded AI systems (e.g. customer diagnostic AI models). The EU AI Act (Regulation 2024/1689) classifies medical-device AI as High-Risk under Annex III, point 5 when it is itself a medical device or a safety component thereof; high-risk obligations include Art. 9 (Risk Management System), Art. 10 (Data Governance), Art. 11 (Technical Documentation, with Annex IV structure), Art. 12 (Logging / Traceability), Art. 13 (Transparency), Art. 14 (Human Oversight), Art. 15 (Accuracy, Robustness, Cybersecurity), Art. 17 (Quality Management System), Art. 50 (Transparency obligations including watermarking), Art. 72 (Post-Market Monitoring). FDA SaMD + Clinical Decision Support + GMLP + PCCP guidance layer the FDA framework. IEC 42001:2023 is the new AI management-system standard. IEC 81001-5-1 + IEC 62304 govern software lifecycle. The AI Governance Log carries 13 tabs covering each obligation: AI Systems Registry, Dataset Governance, Model Lifecycle / Frozen Model Registry, V&V Log, Inference Traceability Log, Human Oversight Log, Monitoring / Drift Log, Change Control + PCCP, AI Cybersecurity, AI Suppliers, AI Audit Trail, AI Incidents, AI Regulatory Evidence — plus a 14th "AI Transparency Register" for Art. 50 + Art. 13 disclosure events. Each evidence row carries multiple regulatory mappings (EU AI Act / FDA SaMD / MDR Annex II) so a single row presents in five regulator lenses without duplication.
Regulatory pathway summary. Supports EU AI Act Reg. 2024/1689 Art. 9 (RMS), Art. 10 (Data Governance), Art. 11 (Technical Documentation), Art. 12 (Logging), Art. 13 (Transparency), Art. 14 (Human Oversight), Art. 15 (Accuracy/Robustness/Cybersecurity), Art. 17 (QMS), Art. 26 (Deployer obligations), Art. 50 (Transparency obligations), Art. 72 (Post-Market Monitoring), Annex IV (Technical Documentation structure); FDA SaMD (2017) + Clinical Decision Support (2022) + Good Machine Learning Practice (2021) + Predetermined Change Control Plan (2024); IEC 42001:2023 (AI management systems); IEC 62304:2006+A1:2015 (software lifecycle); IEC 81001-5-1:2021 (health-software cybersecurity); ISO/IEC 23894:2023 (AI risk management); ISO 13485:2016 §4.1.6 + §7.3; FDA 21 CFR Part 11 for HITL log integrity.
| | |
|---|---|
| Purpose | The operational AI lifecycle evidence the EU AI Act and FDA SaMD demand. |
| What the user sees | Dashboard with Active-AI / High-Risk-AI / Oversight-Exceptions / Drift-Warnings / Pending-AI-Reviews / Dataset-Gaps / AI-CAPA / AI-Validation-Expiry tiles; 14 tabs; a "View as" lens (Operational / EU AI Act / FDA SaMD / MDR / Audit Evidence). |
| Regulatory frameworks | EU AI Act Reg. 2024/1689; FDA SaMD/CDS/GMLP/PCCP; IEC 42001; IEC 62304; IEC 81001-5-1; ISO/IEC 23894; ISO 13485 §4.1.6 + §7.3; FDA 21 CFR Part 11. |
| Solves the regulatory problem of | EU AI Act Art. 9-15 evidence not assembled by 2 August 2026 → device cannot be placed on EU market as AI-enabled; FDA SaMD evidence missing → 510(k)/De Novo rejection; PCCP boundary breach → unauthorised retraining. |
| Pathway milestone unlocked | EU AI Act conformity assessment under Art. 43; FDA SaMD submission with PCCP; IEC 42001 AI-QMS certification; ISO 14971 software-risk evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| AI Systems Registry | EU AI Act Art. 11; IEC 42001 §6 | Every AI system | High-Risk + Limited-Risk AI |
| Dataset Governance (training / validation / test split, source, demographics, bias review, ground truth, freeze hash) | EU AI Act Art. 10(1)-(5); FDA GMLP principles 1-4 | All AI/ML training | High-Risk AI |
| Model Lifecycle / Frozen Model Registry | FDA SaMD configuration-item; EU AI Act Art. 11 + Annex IV §2; FDA PCCP | Every released model | High-Risk AI |
| V&V Log | EU AI Act Art. 15(1)-(2); IEC 62304 §5.6 + §5.7; FDA SaMD VV | Every release | High-Risk AI / SaMD |
| Inference Traceability Log | EU AI Act Art. 12; FDA SaMD reproducibility | All clinically-meaningful inferences | High-Risk AI |
| Human Oversight Log | EU AI Act Art. 14(1)-(4); FDA AI/ML Action Plan | All AI-assisted regulated decisions | High-Risk AI + Limited-Risk |
| Monitoring / Drift Log | EU AI Act Art. 72; FDA AI/ML Action Plan post-market | All deployed AI | High-Risk AI |
| Change Control + PCCP | EU AI Act Art. 43 (substantial modification); FDA PCCP | Every AI change | High-Risk AI |
| AI Cybersecurity | EU AI Act Art. 15(4)-(5); MDR Annex I §17; IEC 81001-5-1 | All AI in medical device | High-Risk AI / SaMD |
| AI Suppliers | EU AI Act Art. 25 (general-purpose AI provider); MDR Annex II §5 | Third-party AI dependency | High-Risk AI |
| AI Audit Trail | EU AI Act Art. 12 + 21 CFR Part 11.10(e) | All AI mutations | High-Risk AI |
| AI Incidents | EU AI Act Art. 73 (serious incident reporting) | AI-caused or AI-contributing incident | High-Risk AI |
| AI Regulatory Evidence | EU AI Act Art. 11 + Annex IV §1-9 | Per regulatory submission | High-Risk AI |
| AI Transparency Register | EU AI Act Art. 13 + Art. 50 | Public-facing AI disclosure | High-Risk AI + Limited-Risk |
| AI as Limited-Risk (Wrapper own) | EU AI Act Art. 50 | Wrapper’s own 7 AI workflows | Limited-Risk |
| AI Deployer obligations | EU AI Act Art. 26 | Customer organisation deploying AI | Deployer scope |
| IEC 42001 AI QMS | IEC 42001 §6-§10 | AI management system | All AI scope |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| AI Systems Registry | Inventory of every AI system not retrievable — EU AI Act Art. 11 gap. |
| Dataset Card (Art. 10) | Bias review not performed (HFpEF, sex, ethnic, age) — EU AI Act Art. 10(2) gap; FDA GMLP gap. |
| Frozen Model Registry | Foundation model silently updated — FDA reproducibility violation. |
| V&V evidence | V&V missing for subgroup — EU AI Act Art. 15(2) gap. |
| Inference Traceability | "Why did the AI produce this output for patient X?" unanswerable — Art. 12 gap. |
| HITL Log | Auto-applied AI decision without human override — Art. 14 violation; Limited-Risk classification breaks. |
| Monitoring / Drift | Sensitivity dropped 7 points and no one noticed — Art. 72 + FDA AI/ML Action Plan gap. |
| PCCP boundary | Retraining outside PCCP boundary — FDA PCCP violation. |
| AI Incidents | AI-caused incident not reported under Art. 73 — competent-authority enforcement. |
| AI Transparency Register | Model card not published — Art. 13 + Art. 50 gap. |
| AI Suppliers | Third-party AI provider’s risk profile unknown — Art. 25 gap for general-purpose AI. |
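The Frozen Model Registry and Inference Traceability rows above both rest on one mechanism: a content hash taken at release time and re-checked before every use, so a silently updated foundation model or a changed dataset split is caught rather than served. The following is an added example, not Wrapper's own code; it assumes model weights are available as bytes and the dataset split manifest as a dict, and all artefacts, identifiers and file names in it are constructed.

```python
"""Freeze-hash check for a frozen model registry with inference traceability.

Added example, not Wrapper's own code. Assumes model weights and a dataset split
manifest are available as bytes / a dict; the artefacts below are constructed.
"""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical_manifest(dataset_manifest):
    """Canonical JSON so that key order alone cannot change the dataset hash."""
    return json.dumps(dataset_manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def freeze_record(model_id, version, model_bytes, dataset_manifest):
    """Registry row for a released model: hash of the weights and of the dataset manifest."""
    return {
        "model_id": model_id,
        "version": version,
        "model_sha256": sha256_hex(model_bytes),
        "dataset_sha256": sha256_hex(canonical_manifest(dataset_manifest)),
    }


def verify_frozen(record, model_bytes, dataset_manifest):
    """Return (ok, reasons). Any mismatch means the deployed artefact differs from the
    frozen release and must pass change control / PCCP before it is used again."""
    reasons = []
    if sha256_hex(model_bytes) != record["model_sha256"]:
        reasons.append("model weights changed since freeze")
    if sha256_hex(canonical_manifest(dataset_manifest)) != record["dataset_sha256"]:
        reasons.append("dataset manifest changed since freeze")
    return (not reasons), reasons


def record_inference(record, model_bytes, dataset_manifest, input_id, output, trace_log):
    """Append an inference row that pins the exact frozen model the output came from;
    refuses to log (and so to serve) when the artefact no longer matches the freeze."""
    ok, reasons = verify_frozen(record, model_bytes, dataset_manifest)
    if not ok:
        raise RuntimeError("model not in frozen state: " + "; ".join(reasons))
    row = {
        "input_id": input_id,
        "output": output,
        "model_id": record["model_id"],
        "version": record["version"],
        "model_sha256": record["model_sha256"],
    }
    trace_log.append(row)
    return row


# Constructed artefacts (not real model weights or data locations)
FROZEN_WEIGHTS = b"\x00\x01constructed-weights-v1"
MANIFEST_V1 = {
    "train": "constructed-train-split.csv",
    "validation": "constructed-validation-split.csv",
    "test": "constructed-test-split.csv",
    "ground_truth": "constructed adjudication protocol",
}

if __name__ == "__main__":
    rec = freeze_record("constructed-model", "1.0.0", FROZEN_WEIGHTS, MANIFEST_V1)
    log = []
    record_inference(rec, FROZEN_WEIGHTS, MANIFEST_V1, "case-001", "positive", log)
    # A one-byte change to the weights is reported as a freeze violation.
    print(verify_frozen(rec, FROZEN_WEIGHTS + b"\x02", MANIFEST_V1))
```

Because the inference row carries the model hash rather than only a version string, "why did the AI produce this output for patient X?" can be answered against the exact artefact that ran, and a weight file swapped under an unchanged version label is refused before it produces an untraceable output.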
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full 14-tab AI Governance Log | EU AI Act conformity assessment under Art. 43; FDA SaMD submission |
| Frozen Model + PCCP | FDA AI/ML iterative-improvement compliance |
| HITL Log | EU AI Act Art. 14 evidence; defensible Limited-Risk classification for Wrapper own AI |
| Monitoring | Art. 72 post-market AI compliance |
| AI Incidents | Art. 73 serious-incident compliance |
| Transparency Register | Art. 13 + Art. 50 evidence |
| IEC 42001 mapping | IEC 42001 AI-QMS certification |
Why these regulations are non-negotiable. EU AI Act Art. 43 requires AI conformity assessment before placing high-risk AI on the market after 2 August 2026; without Annex IV documentation, the device is unmarketable. FDA SaMD evidence is required at premarket review; without PCCP, every iterative AI update triggers a full new submission cycle. FDA AI/ML Action Plan requires post-market drift monitoring evidence; absence opens a Form-483 observation.
Who uses this module and when. AI/ML Lead daily. PRRC for high-risk AI. Information Security Officer for AI Cybersecurity. FDA reviewer at premarket and post-market. NB Auditor at AI-aware surveillance.
5.3 Supplier Log
What this module is, in one paragraph. MDR Annex II §5 + MDR Annex IX §4 (NB supplier-audit expectation) + FDA 21 CFR 820.50 → QMSR Supplier Purchasing Controls + ISO 13485:2016 §7.4 (Purchasing) require the manufacturer to evaluate and select suppliers based on their ability to supply product in accordance with the manufacturer’s requirements, define quality requirements, monitor performance, take action when requirements are not met, and maintain records. The manufacturer is legally responsible for the regulatory compliance of every supplier whose component, software, or service touches the device. Wrapper’s Supplier Log carries the Master Registry (per-supplier metadata, criticality, regulatory status, performance score, audit dates), the qualification workflow (8 critical-supplier forms SUP-FRM-001..008 covering Initial Questionnaire, Quality-System Assessment, On-Site Audit Checklist, Quality Agreement, Material Specifications, Risk Assessment, Business-Continuity Verification, Regulatory Compliance Check; plus 3 routine-supplier forms SUP-FRM-101..103), the performance and monitoring dashboard, the receiving QC sub-log, the switching and dual-sourcing logic with an alternate-qualification scorecard (6 weighted criteria), the business continuity matrix (Component → Primary / Alt 1 / Alt 2 / switchover time / stock buffer), and the regulatory compliance tracking per supplier across six regulatory lenses (ISO 13485 certificate validity, FDA Establishment Registration, MDR certification, RoHS, REACH, Conflict Minerals = Dodd-Frank §1502 / CMRT). Five AI agents — QualiBot (new-supplier-request sentinel), AuditBot (audit-due scheduled scan), MonitorBot (NCMR rate threshold), RenewBot (Quality-Agreement expiry), SwitchBot (performance-decline triage) — automate routine oversight, with all actions flowing through the AI Findings inbox for human approval.
Regulatory pathway summary. Supports MDR Annex II §5 (suppliers in the technical documentation) + MDR Annex IX §4 (NB supplier-audit expectation); FDA 21 CFR 820.50 Supplier Purchasing Controls (→ QMSR equivalent post 2 Feb 2026); ISO 13485:2016 §7.4 (Purchasing) including §7.4.1 + §7.4.2 + §7.4.3; MDSAP Chapter 6 (Purchasing); EU REACH Regulation (EC) 1907/2006; EU RoHS Directive 2011/65/EU; US Dodd-Frank §1502 conflict-minerals (CMRT).
| | |
|---|---|
| Purpose | The regulatory chain-of-custody for every component in the device. |
| What the user sees | 8-tab dashboard (Dashboard, Master Registry, Qualification, Performance, Receiving QC, Switching, Business Continuity, Regulatory Compliance); per-supplier scorecards; AI agents producing structured findings the QMS Manager approves. |
| Regulatory frameworks | MDR Annex II §5 + Annex IX §4; FDA 21 CFR 820.50 / QMSR; ISO 13485 §7.4; MDSAP Chapter 6; REACH (EC) 1907/2006; RoHS 2011/65/EU; Dodd-Frank §1502. |
| Solves the regulatory problem of | Critical supplier on the FDA OAI list contaminating the dossier; ISO 13485 cert expiry at supplier blocking re-certification; single-source critical-component exposure invisible at audit. |
| Pathway milestone unlocked | NB Annex II §5 supplier-evidence; FDA inspection 21 CFR 820.50 readiness; ISO 13485 §7.4 surveillance pass; MDSAP Chapter 6 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Supplier evaluation criteria | ISO 13485 §7.4.1; 21 CFR 820.50(a)(1) | Every supplier qualification | All suppliers |
| Selection based on ability to supply | ISO 13485 §7.4.1; 21 CFR 820.50(a)(2) | Qualification decision | All suppliers |
| Purchase information | ISO 13485 §7.4.2; 21 CFR 820.50(b) | Every PO | All suppliers |
| Verification of purchased product | ISO 13485 §7.4.3; 21 CFR 820.80 | Receiving QC | All suppliers |
| Quality Agreement | ISO 13485 §7.4.2(a); 21 CFR 820.50(b)(1)-(4) | Critical supplier | Critical suppliers |
| Risk-based supplier classification | ISO 13485 §7.4.1; 21 CFR 820.50(a)(3) | Triage Critical / Routine | All suppliers |
| Audit programme | MDR Annex IX §4; ISO 13485 §7.4.1; MDSAP Chapter 6 | Critical suppliers | Critical suppliers |
| Supplier corrective action | ISO 13485 §8.5.2; 21 CFR 820.50(a)(2) | NCMR escalation | All suppliers |
| Performance monitoring | ISO 13485 §7.4.1; MDSAP Chapter 6 | Continuous | All suppliers |
| Re-evaluation | ISO 13485 §7.4.1 | Periodic + on negative events | All suppliers |
| Business continuity | MDSAP Chapter 6; MDR Art. 10(1)(g) | Critical single-source | Critical suppliers |
| RoHS conformity | RoHS Directive 2011/65/EU | EEE components | EU scope |
| REACH SVHC | REACH (EC) 1907/2006 | Substances of very high concern | EU scope |
| Conflict minerals (CMRT) | Dodd-Frank §1502; SEC Conflict Minerals Rule | 3TG components in US-listed company | US scope |
| FDA Establishment Registration | 21 CFR 807 | FDA-regulated supplier | FDA scope |
| ISO 13485 cert validity | ISO 13485 §7.4.1; MDSAP Chapter 6 | Supplier under ISO 13485 | Certified suppliers |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| FDA-OAI list check | Critical supplier on FDA Official-Action-Indicated list — contaminates manufacturer dossier; immediate re-qualification trigger. |
| ISO 13485 cert expiry | Supplier ISO 13485 cert lapsed — manufacturer’s §7.4.1 evidence gap. |
| Receiving QC NCMR rate | Component reject rate > 5 % — quality alert; MonitorBot triggers NCMR + 8D template. |
| Quality Agreement expiry | QA expires unnoticed — ISO 13485 §7.4.2 violation; RenewBot triggers renewal. |
| Single-source exposure | Critical component single-sourced without alternate qualified — MDSAP Chapter 6 finding; business-continuity risk. |
| RoHS / REACH gap | EEE component sold into EU without RoHS conformity — Directive 2011/65/EU enforcement. |
| Conflict minerals | 3TG sourcing not declared — SEC Conflict Minerals Rule violation; CMRT non-compliance. |
| Supplier audit overdue | Critical-supplier audit overdue — MDR Annex IX §4 NB finding. |
| Switching decision unsupported | "Why did you switch supplier?" — answered with AlternateQualificationGate scorecard. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full 8-tab supplier log | NB Annex II §5 supplier-evidence; MDSAP Chapter 6 evidence |
| Quality Agreement | ISO 13485 §7.4.2 evidence |
| Audit programme | MDR Annex IX §4 NB supplier-audit evidence |
| Receiving QC | ISO 13485 §7.4.3 + 21 CFR 820.80 evidence |
| RoHS / REACH / CMRT | EU + US import-compliance evidence |
| 5 AI agents | Continuous operational supplier oversight; reduces "supplier issue not detected" findings |
Why these regulations are non-negotiable. MDR Annex II §5 requires supplier evidence in the TF; without it, NB Annex II review fails. FDA 21 CFR 820.50 is a top-three Form-483 citation in CGMP inspections. ISO 13485 §7.4 is one of the most-cited stage-2 audit findings. REACH + RoHS non-conformity is enforced at EU member-state level — a non-conforming component triggers product recall.
Who uses this module and when. Purchasing Agent daily. QA Engineer per critical supplier. QMS Manager dashboard view. NB Auditor at supplier-evidence audit. FDA Inspector at §820.50 inspection focus.
5.4 Cybersecurity Log
What this module is, in one paragraph. Cybersecurity is now a premarket gate at FDA and a top-three NB audit focus for medical-device SMEs. FDA Cybersecurity in Medical Devices (final guidance September 2023) + Secure Product Development Framework (SPDF) specify eight elements that must accompany every premarket submission: Security Risk Management, Security Architecture, Cybersecurity Testing, Cybersecurity Management Plan, Vulnerability Communication Plan, Software Bill of Materials, Penetration Testing, Labeling. EU MDR Annex I §17 + MDCG 2019-16 require medical-device cybersecurity controls. IEC 81001-5-1:2021 specifies the health-software cybersecurity lifecycle. IEC 62304 §5 + §6 integrate security into the software lifecycle. ISO 27001:2022 demands an Information Security Management System with 93 Annex A controls. SOC-2 Trust Services Criteria demand evidence per CC1–CC9 plus Availability / Confidentiality / Processing Integrity / Privacy. NIST CSF 2.0 provides the dashboard lens (Govern / Identify / Protect / Detect / Respond / Recover). NIS2 Directive (EU) imposes incident-response obligations on essential entities. CycloneDX + SPDX specify SBOM formats. 
Wrapper’s Cybersecurity Log carries 17 tabs covering every regulator’s expectation: Dashboard, ISMS Document Register, ISMS Risk Register (ISO 27005, distinct from ISO 14971 device risk), Threat Model (STRIDE/PASTA), SBOM Registry, Vulnerability Tracker (CVE feeds, dependency-check, KEV, EPSS), Pentest Results, Security Incident Log (with explicit Vigilance-boundary decision-tree), Access Control Review (quarterly per SOC-2 CC6), Encryption Inventory, Backup / Recovery Testing, Cyber CAPA (linked to CAPA module), Security Training (linked to Training module), Vendor / Third-Party Cyber Risk (linked to Supplier module), SOC-2 Evidence Locker (one row per CC# × period × evidence artefact), FDA Cybersecurity Submission Package generator (the 8 SPDF elements per device per submission), EU MDR §17 Cyber Evidence (per device per MDCG 2019-16 element).
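The SBOM Registry and Vulnerability Tracker tabs described above come down to a join: each SBOM component is matched against an advisory feed, and each hit is ranked by whether it appears on the KEV list and by its EPSS score. The following is an added example, not Wrapper's own code; it assumes a CycloneDX-style JSON SBOM whose components carry a purl, an advisory feed keyed by purl, a KEV set and an EPSS table. All data in it is constructed, the CVE identifiers are placeholders, and the EPSS threshold and the P2/P3 windows are assumptions (only the 1-hour window for KEV hits comes from the tracker rule on this page).

```python
"""Triage SBOM components against a KEV list and EPSS scores.

Added example, not Wrapper's own code. Assumes a CycloneDX-style JSON SBOM
(components carry a purl), an advisory feed keyed by purl, a KEV set and an
EPSS score table; all data below is constructed and the CVE ids are placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5-style SBOM (field names follow the spec, contents are made up).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "tlslib", "version": "3.0.1", "purl": "pkg:generic/tlslib@3.0.1"},
        {"type": "library", "name": "jsonkit", "version": "2.8.0", "purl": "pkg:generic/jsonkit@2.8.0"},
    ],
})

# Constructed advisory feed: purl -> placeholder CVE ids affecting that exact version.
ADVISORIES = {
    "pkg:generic/libfoo@1.2.3": ["CVE-PLACEHOLDER-0001"],
    "pkg:generic/tlslib@3.0.1": ["CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0003"],
}
KEV = {"CVE-PLACEHOLDER-0002"}   # constructed Known-Exploited-Vulnerabilities entries
EPSS = {"CVE-PLACEHOLDER-0001": 0.42, "CVE-PLACEHOLDER-0002": 0.91, "CVE-PLACEHOLDER-0003": 0.01}

EPSS_ESCALATE = 0.10            # assumed threshold: non-KEV CVEs at or above it are escalated
NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed scan time


def load_components(sbom_json):
    """Parse the SBOM and return only components that carry a purl (the key the feed uses)."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [c for c in bom.get("components", []) if c.get("purl")]


def classify(cve, kev, epss, threshold):
    """P1 with a 1-hour finding window for KEV hits (the tracker rule above);
    the P2 / P3 windows are assumed SLAs, not values from the page."""
    if cve in kev:
        return "P1", timedelta(hours=1)
    if epss.get(cve, 0.0) >= threshold:
        return "P2", timedelta(days=7)
    return "P3", timedelta(days=30)


def triage(sbom_json, advisories, kev, epss, now, threshold=EPSS_ESCALATE):
    """Join SBOM components to advisories and return findings, most urgent first."""
    findings = []
    for comp in load_components(sbom_json):
        for cve in advisories.get(comp["purl"], []):
            prio, window = classify(cve, kev, epss, threshold)
            findings.append({
                "component": comp["name"],
                "version": comp["version"],
                "cve": cve,
                "priority": prio,
                "kev": cve in kev,
                "epss": epss.get(cve, 0.0),
                "due": now + window,
                "raise_capa": prio == "P1",   # a KEV hit opens a CAPA for human approval
            })
    rank = {"P1": 0, "P2": 1, "P3": 2}
    findings.sort(key=lambda f: (rank[f["priority"]], -f["epss"]))
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, KEV, EPSS, NOW):
        print(f["priority"], f["component"], f["version"], f["cve"],
              "KEV" if f["kev"] else f"EPSS={f['epss']:.2f}", "due", f["due"].isoformat())
```

Matching on the purl (package type, name and exact version) rather than on a bare component name is what keeps the join from producing false hits across unrelated packages with the same name; the sort puts KEV entries ahead of everything else regardless of their EPSS value, which is the ordering the 1-hour window implies.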
Regulatory pathway summary. Supports ISO 27001:2022 Annex A (93 controls organised 5.x Organisational / 6.x People / 7.x Physical / 8.x Technological) + ISO 27005 (information-security risk); SOC-2 Trust Services Criteria 2017 (with 2022 points of focus) CC1-CC9 + Availability + Confidentiality + Processing Integrity + Privacy; FDA Cybersecurity in Medical Devices (final guidance September 2023) + SPDF; EU MDR Annex I §17 + MDCG 2019-16; IEC 81001-5-1:2021; IEC 62304:2006+A1:2015 §5 + §6; NIST CSF 2.0; CycloneDX 1.5 / SPDX 2.3 SBOM standards; NIS2 Directive (EU) 2022/2555.
| | |
|---|---|
| Purpose | One log answering five cybersecurity regulators at once. |
| What the user sees | 17 tabs with regulator-citation per row; ISMS-readiness gauge; SOC-2 evidence locker per CC# × period; FDA cyber package per device per submission; lens-switchable (NIST CSF / ISO 27001 / SOC-2 / FDA / EU MDR §17). |
| Regulatory frameworks | ISO 27001:2022 Annex A; ISO 27005; SOC-2 TSC 2017+2022; FDA Cyber Sept 2023; MDR Annex I §17 + MDCG 2019-16; IEC 81001-5-1; IEC 62304; NIST CSF 2.0; NIS2; CycloneDX 1.5 / SPDX 2.3. |
| Solves the regulatory problem of | FDA premarket submission rejected for missing SBOM; ISO 27001 stage-2 audit failure on Annex A coverage; SOC-2 Type-2 attestation incomplete on a CC# evidence sample; MDR §17 NB observation. |
| Pathway milestone unlocked | FDA Cybersecurity premarket package; ISO 27001 stage-1 + stage-2 + surveillance; SOC-2 Type-2 attestation; EU MDR §17 NB audit pass. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| ISMS Doc Register | ISO 27001:2022 Annex A 5.1-5.37 (Organisational) | All ISMS scope | ISMS scope |
| ISMS Risk Register | ISO 27005:2022 | All ISMS scope | ISMS scope |
| Threat Model | FDA SPDF §3; IEC 81001-5-1 §5 | Pre-design + at architecture change | SaMD + FDA scope |
| SBOM Registry (CycloneDX/SPDX) | FDA Cyber 2023 §V.A.4; NIS2 Art. 21; Executive Order 14028 | Every software release | SaMD + FDA scope |
| Vulnerability Tracker | FDA Cyber 2023 §V.A.5; ISO 27001 A.8.8 | All software components | All software scope |
| Pentest Results | FDA Cyber 2023 §V.A.7; ISO 27001 A.8.29 | Annual + before major release | All software scope |
| Security Incident Log | NIS2 Art. 23; ISO 27001 A.5.24-A.5.28; SOC-2 CC7.3 | Every security incident | ISMS scope |
| Access Control Review | SOC-2 CC6.3; ISO 27001 A.5.18 | Quarterly + on privileged change | ISMS scope |
| Encryption Inventory | ISO 27001 A.8.24; SOC-2 CC6.6/CC6.7 | All cryptographic implementations | ISMS scope |
| Backup / Recovery Testing | ISO 27001 A.8.13; SOC-2 Availability A1.2 | Periodic backup-test | ISMS scope |
| Cyber CAPA | linked to CAPA + ISO 27001 A.5.24-A.5.28 | Cyber-originated CAPA | ISMS scope |
| Security Training | ISO 27001 A.6.3; SOC-2 CC1.4 | All personnel | ISMS scope |
| Vendor Cyber Risk | ISO 27001 A.5.19-A.5.23; FDA Cyber 2023 SBOM 3rd-party | Every cyber-relevant vendor | ISMS scope |
| SOC-2 Evidence Locker | SOC-2 TSC | Attestation cycle | SOC-2 scope |
| FDA Cyber Submission Package | FDA Cyber 2023 §V.A (8 elements) | Every FDA submission | FDA scope |
| EU MDR §17 Cyber Evidence | MDR Annex I §17 + MDCG 2019-16 | Every CE-marked device | EU scope |
| NIS2 incident reporting | NIS2 Art. 23 (24-hour early warning + 72-hour update + 1-month final) | NIS2 essential/important entity | NIS2 scope |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| SBOM Registry | FDA premarket missing SBOM (CycloneDX or SPDX) — refusal-to-accept; submission re-required. |
| Vulnerability Tracker with KEV/EPSS | Known-Exploited-Vulnerability hits device dependency — 1-hour finding window; AI-CAPA triggered. |
| Pentest Results | FDA Cyber 2023 §V.A.7 missing pentest evidence — premarket rejection. |
| Security Incident Log + Vigilance boundary | Cyber incident with patient-safety impact routed to Vigilance Log; IT-only to Cyber Log; explicit decision-tree avoids duplication. |
| Access Control Review (quarterly) | SOC-2 CC6.3 evidence missing — Type-2 attestation incomplete. |
| Encryption Inventory | "Show me your data-at-rest encryption" — answered per asset with key-management evidence. |
| Backup Testing | DR-test evidence missing — SOC-2 Availability A1.2 attestation incomplete. |
| ISO 27001 Applicability Statement | Annex A control X marked Applicable but no evidence — stage-2 audit finding. |
| MDCG 2019-16 elements | NB Annex I §17 review missing cybersecurity elements — observation. |
| NIS2 24-hour early warning | Incident not reported within 24 hours — NIS2 Art. 23 enforcement. |
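Two rows in the table above describe logic rather than evidence: the Vigilance-boundary decision tree (patient-safety impact goes to the Vigilance Log, an IT-only incident to the Cyber Log, never both) and the NIS2 Art. 23 clock (24-hour early warning, 72-hour notification, 1-month final report). The following is an added example, not Wrapper's own code, that implements both for a constructed set of incidents. The routing rule is the one this page states; the incident field names, the `nis2_significant` flag, counting the final report from the 72-hour notification and treating one month as 30 days are this example's assumptions.

```python
"""Route a security incident to the Vigilance Log or the Cyber Log and compute the
NIS2 Art. 23 reporting deadlines for incidents that fall in NIS2 scope.

Added example, not Wrapper's own code. Incident field names, the nis2_significant
flag, counting the final report from the 72-hour notification and a 30-day month
are assumptions; the routing rule and the three intervals come from the page.
"""
from datetime import datetime, timedelta, timezone

EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)   # "one month" approximated as 30 days (assumption)


def route_incident(incident):
    """One destination per incident, so the same event is never logged twice."""
    if incident["patient_safety_impact"]:
        return "vigilance_log"
    return "cyber_log"


def nis2_deadlines(detected_at, nis2_significant):
    """Reporting clock for NIS2-significant incidents; empty for everything else."""
    if not nis2_significant:
        return {}
    notification_due = detected_at + NOTIFICATION
    return {
        "early_warning": detected_at + EARLY_WARNING,
        "notification": notification_due,
        "final_report": notification_due + FINAL_REPORT,
    }


def log_entry(incident, detected_at):
    return {
        "id": incident["id"],
        "route": route_incident(incident),
        "deadlines": nis2_deadlines(detected_at, incident["nis2_significant"]),
    }


def overdue(entry, now):
    """Deadlines already passed at `now` that have not been marked as submitted."""
    submitted = entry.get("submitted", set())
    return sorted(k for k, due in entry["deadlines"].items() if now > due and k not in submitted)


def hours_after(dt, hours):
    return dt + timedelta(hours=hours)


DETECTED_AT = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed detection time
SAMPLE_INCIDENTS = [   # constructed incidents
    {"id": "INC-CONSTRUCTED-1", "patient_safety_impact": True, "nis2_significant": True},
    {"id": "INC-CONSTRUCTED-2", "patient_safety_impact": False, "nis2_significant": True},
    {"id": "INC-CONSTRUCTED-3", "patient_safety_impact": False, "nis2_significant": False},
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        entry = log_entry(inc, DETECTED_AT)
        print(entry["id"], entry["route"], "overdue at +25h:", overdue(entry, hours_after(DETECTED_AT, 25)))
```

Keeping the routing decision and the deadline clock in the same entry means the 24-hour early-warning check can run over both logs without a second copy of the incident, which is the duplication the decision tree is meant to avoid.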
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full 17-tab log | FDA Cybersecurity premarket acceptance; ISO 27001 stage-1 + stage-2 + surveillance; SOC-2 Type-2 attestation; EU MDR §17 NB pass |
| FDA Cyber Submission Package generator | FDA premarket submission acceptance |
| SOC-2 Evidence Locker | SOC-2 Type-2 attestation completion |
| ISMS Doc Register | ISO 27001 Applicability Statement evidence |
| SBOM + Vuln Tracker | FDA Cyber post-market vulnerability management |
| NIS2 incident workflow | NIS2 essential-entity compliance |
Why these regulations are non-negotiable. FDA Cybersecurity in Medical Devices (Sept 2023 final) is enforced at premarket — without the 8 SPDF elements, the submission is rejected. ISO 27001 Annex A 5.x–8.x coverage is required for ISMS certification. SOC-2 Type-2 attestation requires per-CC# evidence with sample-period coverage. MDR Annex I §17 is part of every CE marking — non-conformity blocks CE.
Who uses this module and when. Information Security Officer daily. CISO weekly. SOC-2 auditor at attestation. NB Auditor at MDR §17 review. FDA reviewer at premarket and post-market.
