The Crosswalk

    International Medical Device Regulators Forum

    IMDRF N70

    Source

    Principles & practices for the cybersecurity of legacy medical devices

    Last updated ·

    What it is

    Guidance for managing devices that are still in active clinical use but no longer fully supported. Defines roles for manufacturers, healthcare delivery organisations and regulators across the legacy phase of the lifecycle.

    Why it matters

    If your portfolio includes any device older than 5 years that's still on the market, N70 is the reference regulators will measure your end-of-life and patching commitments against.

    Adopted or referenced by

    FDA EU MDR MFDS Swissmedic PMDA (partly) HSA (partly)

    Verified adoption · self-reported by regulators

    Implementation status across IMDRF members

    IMDRF/MC/N84 FINAL:2025 (Edition 2) · 1 September 2025

    4 of 14 regulators report full implementation. 3 partial. 7 not yet.

    Implemented

    4
    • EU
    • South Korea
    • Switzerland
    • USA

    Partly implemented

    3
    • China
    • Japan
    • Singapore

    Not implemented

    7
    • Australia
    • Brazil
    • Canada
    • Russia
    • UK
    • Argentina
    • Saudi Arabia

    Status reported by each regulator to IMDRF as of 1 September 2025. "Implemented" means all relevant elements, concepts and principles of the IMDRF document are followed; "partly" means modified or applied to a narrower product range. Source: IMDRF/MC/N84 FINAL:2025 (Edition 2).

    Key clauses

    Lifecycle phases

    Defines development, support, limited-support and end-of-support phases with clear obligations at each.

    Communication

    Manufacturers must publish end-of-support dates and security advisories to operators.

    Compensating controls

    When patching is no longer feasible, alternative mitigations must be documented and shared.