The Crosswalk

    Head to head

    FDA 524B vs MHRA

    United States and United Kingdom medical-device cybersecurity, compared.

    Bottom line

    MHRA recognises CE marking until June 2030 and broadly aligns with MDCG 2019-16, so an FDA cybersecurity package travels well — about 80% reusable. The active divergence is the UK's emerging post-market vigilance regime and the future Software-as-a-Medical-Device framework, both of which are tightening faster than the US baseline.

    Who this is for · US sponsors evaluating the UKCA / MHRA route post-Brexit.

    Where they differ

    Legal basis

    FDA 524B

    FD&C §524B.

    MHRA

    UK MDR 2002 (as amended) + recognition of CE / IMDRF.

    Takeaway

    MHRA is converging with EU MDR for now; SaMD framework is in flux.

    SBOM

    FDA 524B

    Mandatory.

    MHRA

    Strongly expected; explicit in draft UK SaMD guidance.

    Takeaway

    Generate once, file everywhere.

    Local presence

    FDA 524B

    U.S. agent.

    MHRA

    UK Responsible Person (UKRP) required for non-UK manufacturers.

    Takeaway

    UKRP holds the technical file including your cyber documentation.

    Full profile

    United States

    FDA Premarket Cybersecurity Guidance & FD&C §524B

    Full profile

    United Kingdom

    UK MDR 2002 (as amended) + MHRA Cyber Guidance

    Frequently asked

    Do I need a separate UK submission if I have CE marking?

    Until June 30 2030, CE-marked devices may be placed on the GB market with no further submission. After that date, expect a UKCA / UK SaMD pathway requiring UKRP-held documentation including cybersecurity evidence.