The Crosswalk

    § 02 · Side by side

    Pick your markets. See the deltas.

    Select up to five jurisdictions to put their cybersecurity expectations head to head. Click any column header to drill into the full profile.

    Last updated ·
    Status key
    MandatoryStatutory or binding regulation. Non-compliance blocks market access.
    GuidanceNon-statutory guidance. Typically enforced via review and registration.
    EmergingFramework adopted but not yet fully enforced or in active implementation.
    Filters
    38 / 38

    Cybersecurity diligence ranking

    Which regulators demand the most rigorous cybersecurity evidence?

    Composite score (0-100) computed from 12 weighted requirements in the FDA translation matrix. Weightings prioritize dimensions that actually change security posture - threat modeling, SBOM/vuln mapping, testing, CVD, patching, incident reporting - over paperwork-only obligations.

    # Jurisdiction Tier Required / Expected Top gaps vs FDA
    1 Flag of United States
    FDA 524B
    FDA / CDRH
    100
    Tier 1 - Rigorous 12 req · 0 exp Matches FDA rigor
    2 Flag of China
    NMPA
    NMPA
    91
    Tier 1 - Rigorous 7 req · 4 exp
    • Security architecture views (global / multi-patient / updateability)
    3 Flag of South Korea
    MFDS
    MFDS
    83
    Tier 2 - Substantive 4 req · 7 exp
    • Security architecture views (global / multi-patient / updateability)
    4 Flag of European Union
    EU MDR
    EC / MDCG
    80
    Tier 2 - Substantive 3 req · 8 exp
    • Security architecture views (global / multi-patient / updateability)
    5 Flag of United Kingdom
    MHRA
    MHRA
    78
    Tier 2 - Substantive 2 req · 9 exp
    • Security architecture views (global / multi-patient / updateability)
    6 Flag of Canada
    Health Canada
    Health Canada
    78
    Tier 2 - Substantive 2 req · 9 exp
    • Security architecture views (global / multi-patient / updateability)
    7 Flag of Switzerland
    Swissmedic
    Swissmedic
    78
    Tier 2 - Substantive 2 req · 9 exp
    • Security architecture views (global / multi-patient / updateability)
    8 Flag of Taiwan
    TFDA Cyber
    TFDA
    78
    Tier 2 - Substantive 2 req · 9 exp
    • Security architecture views (global / multi-patient / updateability)
    9 Flag of Singapore
    HSA
    HSA
    75
    Tier 2 - Substantive 2 req · 8 exp
    • SBOM tied to known vulnerabilities + support status
    • Security architecture views (global / multi-patient / updateability)
    10 Flag of Japan
    PMDA
    PMDA / MHLW
    72
    Tier 2 - Substantive 2 req · 7 exp
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status
    • Security architecture views (global / multi-patient / updateability)
    11 Flag of Australia
    TGA
    TGA
    63
    Tier 3 - Emerging 2 req · 2 exp
    • Threat model with device-specific attack surface
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status
    12 Flag of Israel
    AMAR
    AMAR / MoH
    60
    Tier 3 - Emerging 2 req · 1 exp
    • Threat model with device-specific attack surface
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status
    13 Flag of India
    CDSCO
    CDSCO
    58
    Tier 3 - Emerging 1 req · 2 exp
    • Threat model with device-specific attack surface
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status
    14 Flag of Brazil
    ANVISA
    ANVISA
    54
    Tier 3 - Emerging 1 req · 1 exp
    • Threat model with device-specific attack surface
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status
    15 Flag of Saudi Arabia
    SFDA
    SFDA
    54
    Tier 3 - Emerging 1 req · 1 exp
    • Threat model with device-specific attack surface
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status
    16 Flag of United Arab Emirates
    MOHAP
    MOHAP / DHA / DoH
    53
    Tier 3 - Emerging 0 req · 2 exp
    • Threat model with device-specific attack surface
    • Machine-readable SBOM (SPDX or CycloneDX)
    • SBOM tied to known vulnerabilities + support status

    Not sure how to use this? Try the journey planner to turn these scores into a sequenced submission roadmap.