§ 02 · Side by side
Pick your markets. See the deltas.
Select up to five jurisdictions to put their cybersecurity expectations head to head.
Status key
- Mandatory: Statutory or binding regulation. Non-compliance blocks market access.
- Guidance: Non-statutory guidance. Typically enforced via review and registration.
- Emerging: Framework adopted but not yet fully enforced or in active implementation.
Quick compare · two jurisdictions
Pick two markets — including emerging tier — for a focused side-by-side.
| Dimension | United States (U.S. Food and Drug Administration, Center for Devices and Radiological Health) | European Union (European Commission, Medical Device Coordination Group, with national Competent Authorities) |
|---|---|---|
| Legal framework | FD&C Act §524B + Feb 3 2026 Final Guidance, aligned to QMSR (21 CFR Part 820 / ISO 13485:2016, effective Feb 2 2026). Supersedes Jun 2025 guidance and replaces 2014 premarket cybersecurity guidance. | MDR Annex I GSPR 17.2 + NIS2 Directive (CRA explicitly excludes products covered by MDR/IVDR) |
| Status | Mandatory | Mandatory |
| Pre-market expectations | Cybersecurity treated as part of device safety under the QMSR (ISO 13485:2016). Secure Product Development Framework (SPDF) presented as one way to satisfy QMSR. Threat model, SBOM in machine-readable format, security risk management (AAMI TIR57), security architecture views (global system, multi-patient harm, updateability), security testing. | Risk management per ISO 14971, IT security in technical documentation, IEC 81001-5-1, minimum IT requirements in IFU, verification & validation evidence reviewed by Notified Body. |
| Post-market expectations | Coordinated vulnerability disclosure plan, post-market monitoring, patching commitments and timelines for the supported device lifetime. | PMS plan, PSUR, vigilance reporting within 15 days for serious incidents (2 days for serious public health threats). |
| SBOM | Required | Recommended |
| Vulnerability disclosure | Mandatory CVD plan submitted with application. Updates must be free of charge. | Required under NIS2 for essential/important entities; encouraged for all manufacturers. |
| Penalty / enforcement | Refusal to Accept (RTA) of submission, adds months to clearance. | MDR: market removal + national fines. NIS2: up to €10M or 2% global turnover (where the manufacturer is in scope as an essential/important entity). |
Deep compare · up to five
Stack up to five fully-crosswalked jurisdictions.
| Dimension | FDA 524B, United States (FDA / CDRH) | EU MDR, European Union (EC / MDCG) | PMDA, Japan (PMDA / MHLW) | NMPA, China (NMPA) | HSA, Singapore (HSA) |
|---|---|---|---|---|---|
| Legal framework | FD&C Act §524B + Feb 3 2026 Final Guidance, aligned to QMSR (21 CFR Part 820 / ISO 13485:2016, effective Feb 2 2026). Supersedes Jun 2025 guidance and replaces 2014 premarket cybersecurity guidance. | MDR Annex I GSPR 17.2 + NIS2 Directive (CRA explicitly excludes products covered by MDR/IVDR) | Pharmaceuticals & Medical Devices Act + MHLW Notifications + IMDRF N60 alignment | NMPA Cybersecurity Guideline + MLPS 2.0 + Data Security Law + PIPL | Health Products Act + HSA Cybersecurity Guidance + CSA Cybersecurity Act |
| Pre-market expectations | Cybersecurity treated as part of device safety under the QMSR (ISO 13485:2016). Secure Product Development Framework (SPDF) presented as one way to satisfy QMSR. Threat model, SBOM in machine-readable format, security risk management (AAMI TIR57), security architecture views (global system, multi-patient harm, updateability), security testing. | Risk management per ISO 14971, IT security in technical documentation, IEC 81001-5-1, minimum IT requirements in IFU, verification & validation evidence reviewed by Notified Body. | Cybersecurity documentation in STED, JIS T 81001-5-1 application, threat analysis, SBOM submission. | Cybersecurity description, risk analysis, network type classification, verification & validation in registration dossier. | Cybersecurity by design, risk assessment, labelling, MDS supporting docs at registration; abridged route if cleared by FDA/EU/TGA/HC/PMDA. |
| Post-market expectations | Coordinated vulnerability disclosure plan, post-market monitoring, patching commitments and timelines for the supported device lifetime. | PMS plan, PSUR, vigilance reporting within 15 days for serious incidents (2 days for serious public health threats). | Incident reporting to PMDA, lifetime support obligations, periodic safety updates. | Annual self-assessment, incident reporting within 24h, software upgrade approvals required. | Field Safety Corrective Action (FSCA) reporting, vigilance, periodic security updates. |
| SBOM | Required | Recommended | Required | Recommended | Recommended |
| Vulnerability disclosure | Mandatory CVD plan submitted with application. Updates must be free of charge. | Required under NIS2 for essential/important entities; encouraged for all manufacturers. | Required, IPA (Information-technology Promotion Agency) coordination. | MIIT CNVD (China National Vulnerability Database) coordination required. | Encouraged via CSA SingCERT. |
| Penalty for non-compliance | Refusal to Accept (RTA) of submission, adds months to clearance. | MDR: market removal + national fines. NIS2: up to €10M or 2% global turnover (where the manufacturer is in scope as an essential/important entity). | Approval suspension; recall orders; criminal penalties for misleading data. | Registration revocation, fines under DSL up to RMB 10M, criminal liability for serious data breaches. | Suspension or cancellation of registration; CSA penalties for critical info infrastructure. |