The Crosswalk

    International Medical Device Regulators Forum

    IMDRF N60

    Source

    Principles & practices for medical device cybersecurity

    What it is

    Voluntary, harmonised guidance covering the total product life cycle. Acts as the reference point most national regulators map to.

    Why it matters

    If you design to N60, you have a credible story for submissions to the FDA, Health Canada, PMDA, TGA, MFDS, HSA and SFDA. It is the single biggest leverage point for a global cybersecurity strategy.

    Adopted or referenced by

    FDA, Health Canada, PMDA, TGA, MFDS, HSA, SFDA, ANVISA

    Verified adoption · self-reported by regulators

    Implementation status across IMDRF members

    IMDRF/MC/N84 FINAL:2025 (Edition 2) · 1 September 2025

    8 of 14 regulators report full implementation. 4 partial. 2 not yet.

    Implemented: 8
    • Australia
    • Brazil
    • Canada
    • EU
    • South Korea
    • Singapore
    • Switzerland
    • USA

    Partly implemented: 4
    • China
    • Japan
    • Russia
    • Saudi Arabia

    Not implemented: 2
    • UK
    • Argentina

    Status reported by each regulator to IMDRF as of 1 September 2025. "Implemented" means all relevant elements, concepts and principles of the IMDRF document are followed; "partly" means modified or applied to a narrower product range. Source: IMDRF/MC/N84 FINAL:2025 (Edition 2).

    Key clauses

    Shared responsibility

    Manufacturers, healthcare providers and users share security obligations throughout the product life cycle.

    Information sharing

    Coordinated vulnerability disclosure (CVD) programs and Information Sharing and Analysis Organization (ISAO) membership are recommended.

    Total product life cycle (TPLC)

    Pre-market and post-market activities are both mandatory components of any conformity story.