Head to head
United States and Australia medical-device cybersecurity, compared.
Bottom line
TGA's 2024 cybersecurity guidance v2 is closely aligned to FDA §524B — both reference IMDRF N60, both expect SPDF-style lifecycle evidence, both want an SBOM. An FDA cybersecurity package is roughly 85% reusable. The additions are an Australian Sponsor, MDSAP-aligned QMS, and TGA's specific essential-principles documentation format.
Who this is for · US-cleared sponsors planning Australian TGA Conformity Assessment.
| Topic | FDA 524B | TGA | Takeaway |
| --- | --- | --- | --- |
| Legal anchor | FD&C §524B. | Therapeutic Goods (Medical Devices) Regulations 2002 + TGA cyber guidance v2 (2024). | Both are mandatory; TGA leans heavily on IMDRF harmonisation. |
| SBOM | Mandatory (SPDX or CycloneDX). | Expected for connected devices; same format accepted. | Single SBOM serves both submissions. |
| QMS | QMSR / ISO 13485:2016. | MDSAP or ISO 13485:2016. | MDSAP audit covers FDA + TGA + 3 others in one pass. |
| Local presence | U.S. agent. | Australian Sponsor with regulatory liability. | Sponsor liability is broader than a U.S. agent's. |
Full profile: FDA Premarket Cybersecurity Guidance & FD&C §524B
Full profile: Medical Device Cybersecurity Guidance
It's competitive. Canada wins on volume of cybersecurity reuse (~95%) and English-only labelling. Australia wins on MDSAP convergence and a single-Sponsor model. Most sponsors file both in parallel.