The Crosswalk

    Head to head

    EU MDR vs PMDA

    European Union and Japan medical-device cybersecurity, compared.

    Bottom line

    PMDA's 2024 cybersecurity guidance is closer to MDCG 2019-16 than most regulators' guidance is: both anchor on IMDRF N60 and SPDF logic. About 80% of an EU technical file transfers cleanly; the remaining work is translation, appointing a Japanese Marketing Authorisation Holder (MAH), and re-mapping to JIS T 81001-5-1.

    Who this is for · EU-CE-marked sponsors planning a Japan Shonin or third-party certification.

    Where they differ

    Legal anchor

    EU MDR

    MDR Annex I §17 + MDCG 2019-16; CRA from Dec 2027.

    PMDA

    PMD Act + Ordinance 169 + MHLW 2023 cyber notification.

    Takeaway

    Both reference IMDRF N60; PMDA leans on JIS T 81001-5-1 as its primary harmonised standard.

    SBOM

    EU MDR

    Strongly expected today; mandatory under CRA from 2027.

    PMDA

    Recommended; PMDA reviews for connected devices.

    Takeaway

    One CycloneDX file satisfies both — no rework needed.

    Local presence

    EU MDR

    EU Authorised Representative.

    PMDA

    Japanese Marketing Authorisation Holder (MAH) is mandatory.

    Takeaway

    MAH liability is broader than an EU AR; choose carefully.

    Incident timeline

    EU MDR

    15 days (serious); 24 hours for active exploit under CRA (2027+).

    PMDA

    15 days for serious incidents; immediate if public-health threat.

    Takeaway

    Same baseline; CRA will pull EU ahead post-2027.

    Full profile

    European Union

    MDR 2017/745 + MDCG 2019-16 Cybersecurity Guidance

    Full profile

    Japan

    PMD Act + MHLW Cybersecurity Notifications (2023–24)

    Frequently asked

    Is my EU technical file accepted in Japan?

    Not as-is. Japan accepts the content but requires the dossier in PMDA's STED-aligned format, a Japanese MAH, and Japanese-language labelling and IFU. Cybersecurity evidence (threat model, SBOM, pen-test, risk assessment) transfers without rework.

    Does PMDA recognise CE marking?

    No formal recognition. CE evidence is accepted as supporting documentation in a PMDA dossier, but the regulator runs its own review.
