Transition or not, your MDD SaMD may die in 2025, not 2028
By Mitch on Friday, 19 April 2024, 13:32 - Regulations - Permalink
Yes, 2025.
Why? Because Windows 10 end-of-support is the 5th October 2025.
Are there any MDD SaMD running on Windows 11? No, Windows 11 was released the 5th October 2021, just after May 2021.
So, all MDD SaMD are officially running on Windows 10. Till the 5th October 2025.
Thank-you Microsoft, you set a regulatory deadline involuntarily!
And Windows Server?
Same problem. Even worse. Because Windows Server 2019 end-of-support is in the past: 9th January 2024.
Are there any MDD SaMD running on Windows 2022? No, Windows 2022 was released the 18th August 2021, after May 2021.
So, all MDD SaMD are officially running on Windows 2019 are out of support and should be withdrawn from the market by conscentious manufacturers.
MDCG 2020-3 Rev.1
Thanks to MDCG 2020-3 rev.1, we know that porting SaMD from Windows 10 to Windows 11 is a significant change. It's written black on white on page 13 of that MDCG guide.
Yet, the MDCG leaves the door open, the change is significant only: if modification to the device software is required. Considering that Windows 11 share the same core as Windows 10, there shouldn't be any problem. Same situation with Windows Server 2019 and 2022.
Verify carefully that your MDD SaMD in its current release works like a charm on Windows 11 (or Windows Server 2022). And document it carefully in a software test plan and software test report. Update your risk assessment to assert that running on Windows 11 (or Windows Server 2022) doesn't bring any unacceptable risk.
If that's the case, you're saved. You can let your clients use this software till 2028. And you can do cybersecurity updates on that software.
Worst case: If your MDD SaMD needs updates to run on Windows 11, then you can't port it to Windows 11 and stay on your MDD certification. Unless you use the excuse of cybersecurity update to let it run on Windows 11 (no, I will deny any responsibility for this assertion!!!) and claim it is still under the MDD regime.
Same situation with Windows Server 2022.
What will you do?
So, worst case, your MDD software doesn't run as intended on Windows.
Unless you have deep pockets, you can't invest so much in MDR certification and press your Notified Body to certify your future MDR software in time.
Thus, either you drop it, or you plan to certify it somewhere later. Say, in 2026.
Another solution would be to update accompanying documents, to explain to your users what kind of compensating measures they could put in place to isolate Windows 10 PCs on the network. I can hear from here the cold answer of IT security guys, to your suggestions of compensating measures.
I can also hear from here the even colder answer of IT security guys, for suggesting keeping Windows Server 2019 with compensating security measures.
What will do users?
If your software doesn't run on Windows 11, users will continue to use the software on the non-maintained Windows 10 version.
With the security holes.
Such a good idea, in the current cyber context.
Same problem with Windows Server, even though it is less likely.
Or they will use it on Windows 11 / Windows Server 2022, coping with bugs and other problems.
Will you close your eyes in your PMS reports?
Consequence
The MDR transition once again turns good security principles and software lifecycle principles upside down.
Absurdity of MDR transition rigidities versus reality of SaMD lifecycle.
