The Crosswalk

The global medical device cybersecurity crosswalk.

The reference RA/QA teams reach for when planning international submissions. Twenty-nine regulators, one device, side by side, without losing a quarter to regulatory whiplash.

Open the matrix Read the playbook

The map.

Hover any covered jurisdiction for a one-line read on its cybersecurity maturity. Click to open the full profile.

Leading — statutory, SBOM mandated

Advanced — mandatory, robust framework

Developing — guidance, tightening

Emerging — early-stage requirements

Watchlist — regulator known, no cyber crosswalk yet

Sanctions — commercial export restricted

Out of scope. See methodology →

How to use this atlas

Four ways in.

Compare jurisdictions

Stack any 5 markets side by side across legal framework, SBOM, CVD, post-market and penalties.

Open

Drill into one regulator

Each profile covers scope, key documents, timeline, unique requirements and reuse from FDA.

Open

Follow the playbook

Eight moves that turn cybersecurity from a market-entry tax into a global accelerant.

Open

Decode the acronyms

From SPDF to MLPS to CH-REP, twenty-plus terms every globalising MedTech founder will hit.

Open

All jurisdictions

Twenty-nine regulators. One device. Twenty-nine different stories.

Status key

MandatoryStatutory or binding regulation. Non-compliance blocks market access.

GuidanceNon-statutory guidance. Typically enforced via review and registration.

EmergingFramework adopted but not yet fully enforced or in active implementation.

Mandatory

FDA / CDRH

United States

Mar 2023

Mandatory

EC / MDCG

European Union

May 2021

Guidance

MHRA

United Kingdom

Reform program 2024–26

Mandatory

PMDA / MHLW

Japan

Apr 2024 (cybersecurity notification)

Mandatory

NMPA

China

2022

Mandatory

Health Canada

Canada

Jun 2019 (rev. 2024)

Guidance

TGA

Australia

Jul 2019 (rev. 2022)

Mandatory

MFDS

South Korea

2019 (rev. 2023)

Guidance

HSA

Singapore

Apr 2022 (rev.)

Mandatory

ANVISA

Brazil

Mar 2023 (RDC 751)

Guidance

SFDA

Saudi Arabia

2022

Mandatory

Swissmedic

Switzerland

May 2021 (MedDO)

Guidance

CDSCO

India

Oct 2023 (full notified-device coverage)

Mandatory

AMAR / MoH

Israel

2019 (cybersecurity circular)

Guidance

TFDA

Taiwan

Jul 2021

Guidance

COFEPRIS

Mexico

Dec 2021 (NOM-241)

Mandatory

MOHAP / DHA / DoH

United Arab Emirates

2020 (DoH ADHICS)

Guidance

SAHPRA

South Africa

2017 (licensing); cyber guidance 2022

Guidance

MDA

Malaysia

2021 (cybersecurity guidance)

Guidance

Thai FDA

Thailand

2021 (revised MD Act)

Guidance

Kemenkes

Indonesia

2017

Guidance

ANMAT

Argentina

2002 (rev. 2022)

Guidance

Medsafe

New Zealand

WAND active; reform Bill in progress

Mandatory

TİTCK

Turkey

Jun 2021

Mandatory

DMP / Helsetilsynet

Norway

May 2021

Guidance

INVIMA

Colombia

2005 (rev. 2023)

Emerging

ISP / ANID

Chile

2024 (Ley 21.541 in implementation)

Mandatory

DMEC / MoH

Vietnam

Jan 2022

Guidance

FDA Philippines

Philippines

2018

Mandatory

SES

Ukraine

2013 (Resolution 753), revised 2023

Mandatory

NCEMP

Kazakhstan

2016 (EAEU Decision 46)

Guidance

EDA

Egypt

2019 (Law 151/2019 — EDA establishment)

Guidance

MDD

Hong Kong

2004 (voluntary MDACS launched)

Guidance

KDA

Kuwait

2017 (KDFC medical device circulars)

Mandatory

Roszdravnadzor

Russia

2012 (Gov. Decree 1416)

Head to head

The pairings everyone asks about.

Six in-depth comparisons of the most-searched regulator pairings — bottom-line, deltas, and answers to the questions that come up in every dual-submission planning call.

FDA 524B vs EU MDR

The FDA's §524B regime and the EU MDR cybersecurity expectations (MDCG 2019-16 + GSPR Annex I §17) share a common backbone — SPDF-style lifecycle, SBOM, threat …

Compare

FDA 524B vs PMDA

PMDA's 2024 cybersecurity guidance is the closest international mirror of FDA §524B — same SPDF logic, same SBOM expectation, same lifecycle commitments. The di…

Compare

FDA 524B vs MHRA

MHRA recognises CE marking until June 2030 and broadly aligns with MDCG 2019-16, so an FDA cybersecurity package travels well — about 80% reusable. The active d…

Compare

FDA 524B vs Health Canada

Health Canada's 2024 pre-market cybersecurity guidance is the highest-reuse target on the planet for FDA-cleared devices — roughly 95% of the FDA evidence trans…

Compare

FDA 524B vs NMPA

NMPA is the largest reformat on the crosswalk. FDA evidence stays useful, but China overlays MLPS 2.0 (cybersecurity classification), PIPL (personal information…

Compare

EU MDR vs MHRA

Until 30 June 2030 MHRA accepts CE-marked devices on the GB market with no additional submission — so the cybersecurity file you built for MDR works as-is. Afte…

Compare

EU MDR vs PMDA

PMDA's 2024 cybersecurity guidance is closer to MDCG 2019-16 than most regulators — both anchor on IMDRF N60 and SPDF logic. About 80% of an EU technical file t…

Compare

EU MDR vs Health Canada

Health Canada's 2024 pre-market cybersecurity guidance is one of the highest-reuse targets for an EU technical file — roughly 85% lifts cleanly. The additions a…

Compare

FDA 524B vs TGA

TGA's 2024 cybersecurity guidance v2 is closely aligned to FDA §524B — both reference IMDRF N60, both expect SPDF-style lifecycle evidence, both want an SBOM. A…

Compare

FDA 524B vs MFDS

MFDS's 2024 cybersecurity notification is broadly aligned to FDA §524B at the principles level — same lifecycle expectations, same threat-model and SBOM logic. …

Compare