The Crosswalk

    Head to head

    FDA 524B (United States) vs NMPA (China)

    United States and China medical-device cybersecurity, compared.


    Bottom line

    NMPA is the largest reformat on the crosswalk. FDA evidence stays useful, but China overlays MLPS 2.0 (cybersecurity classification), PIPL (personal information), DSL (data security), and data-localisation expectations that have no FDA analogue. Plan on ~45% reuse and a 9-12 month timeline.

    Who this is for · US sponsors evaluating the China market and how much extra work it costs.

    Where they differ

    Cyber framework

        United States (FDA 524B): §524B + SPDF.

        China (NMPA): NMPA Cybersecurity Guidance + MLPS 2.0 + PIPL + DSL.

        Takeaway: China stacks four regimes on top of the device rules.

    SBOM

        United States (FDA 524B): Mandatory.

        China (NMPA): Expected for connected devices; format not yet standardised.

        Takeaway: CycloneDX still works, but expect Chinese translation of component descriptions.

    Data residency

        United States (FDA 524B): No federal localisation rule.

        China (NMPA): Personal & important data must be stored on Chinese servers.

        Takeaway: Architecture decisions made for the US may force a re-deploy in China.

    Full profiles

        United States: FDA Premarket Cybersecurity Guidance & FD&C §524B

        China: Technical Review Guideline on Medical Device Cybersecurity (2022 rev.)

    Frequently asked

    Can I run my Chinese device on a US-hosted cloud?

    Generally no — PIPL and DSL push personal and 'important' data into Chinese-hosted environments, with CAC security assessment for cross-border transfers above defined thresholds.
