Global Medical Device Cybersecurity Regulations

This article presents a structured overview of key medical device cybersecurity regulations and guidance from major regulatory regions worldwide. Organizations working on bringing new medical devices containing software or firmware should follow the requirements specified here based on the country they are expected to be marketed.

2YearCountry / RegionDocument & Link
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Final Guidance)2025United States (FDA)FDA final guidance released June 27, 2025 (fda.gov)
Postmarket Management of Cybersecurity in Medical Devices (Guidance)2016United States (FDA)FDA postmarket cybersecurity guidance (fda.gov)
Regulation (EU) 2017/745 on Medical Devices (MDR)2017European UnionMDR includes cybersecurity requirements in risk management Annex I §17.4
Regulation (EU) 2017/746 on In Vitro Diagnostic Medical Devices (IVDR)2017European UnionIVDR imposes cybersecurity obligations similar to MDR
Regulation (EU) 2024/2847 – Cyber Resilience Act2024 (comes into force 2027)European UnionHorizontal cybersecurity regulation covering digital products, including medical devices with digital elements
Directive (EU) 2022/2555 – NIS 2 Directive2023European UnionExpands healthcare and medical‑device manufacturer obligations for cybersecurity risk management and incident reporting  (pmc.ncbi.nlm.nih.gov)
Essential Requirements – Article 12 Clause 3 on Cybersecurity (Japan)2023Japan (MHLW/PMDA)Amendment requiring compliance with JIS T 81001‑5‑1 for internet‑connected medical device software; enforcement began April 1, 2023
“Ensuring Cyber Security of Medical Devices” Notification (MHLW)2015JapanInitial notification on evaluating cybersecurity risk for devices
Guidance on Ensuring Cyber Security of Medical Devices (MHLW)2018JapanPractical guidance for pre‑market design and post‑market cybersecurity risk management
Complying with Medical Device Cyber Security Requirements Guidance2022 (updated)Australia (TGA)TGA guidance; revised Essential Principle 12.1 from Feb 25, 2021 
Best Practices Guide for Medical Device Cybersecurity (Draft)2025 (draft)Singapore (HSA/CSA)Public consultation document from March to May 2025
Cybersecurity Labelling Scheme for Medical Devices (CLS MD)2022Singapore (CSA/MOH/HSA)Voluntary multi‑level label scheme launched 16 Oct 2024
Guidelines for the Security Assessment of Medical Devices2020China (NMPA/CAC)Cybersecurity assessment methodology for registration
Medical Device Cybersecurity Vulnerability Identification & Assessment Methodology (Draft)2022China (State Drug Administration)Published draft methodology in Nov 2022 
Guidance Document: Pre-market Requirements for Medical Device Cybersecurity2019Canada (Health Canada)Health Canada pre-market cybersecurity guidance
Health Canada Cybersecurity Guidance2019CanadaHealth Canada pre-market cybersecurity guidance
MHRA & UK – Good Machine Learning Practice & Transparency Principles2024United Kingdom (UH MHRA)Joint GMLP / transparency principles for ML‑enabled devices

Notes & Context:

  • United States: The 2025 FDA final guidance adds new statutory provisions under section 524B of the FD&C Act.
  • European Union: The MDR and IVDR embed cybersecurity requirements, while the NIS 2 and Cyber Resilience Act expand obligations for manufacturers and software products.
  • Japan: Starting from 2015, Japan developed formal requirements culminating in 2023 with mandatory cybersecurity conformance to JIS T 81001-5-1.

Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None