The Crosswalk

    International Medical Device Regulators Forum

    IMDRF N73

    Source

    Principles & practices for SBOM in medical device cybersecurity

    What it is

    The international playbook for software bill of materials in medical devices. Defines content, format, exchange and lifecycle expectations for SBOMs.

    Why it matters

    Generate one CycloneDX or SPDX SBOM aligned to N73 and you satisfy the FDA, are accepted by Health Canada and South Korea, and have ~80% of what the EU CRA will demand from 2027.

    Adopted or referenced by

    FDA · Health Canada · MFDS · EU (partly) · PMDA (partly) · HSA (partly) · TGA (partly)

    Verified adoption · self-reported by regulators

    Implementation status across IMDRF members

    IMDRF/MC/N84 FINAL:2025 (Edition 2) · 1 September 2025

    3 of 14 regulators report full implementation. 6 partial. 5 not yet.

    Implemented

    3
    • Canada
    • South Korea
    • USA

    Partly implemented

    6
    • Australia
    • China
    • EU
    • Japan
    • Singapore
    • Switzerland

    Not implemented

    5
    • Brazil
    • Russia
    • UK
    • Argentina
    • Saudi Arabia

    Status reported by each regulator to IMDRF as of 1 September 2025. "Implemented" means all relevant elements, concepts and principles of the IMDRF document are followed; "partly" means modified or applied to a narrower product range. Source: IMDRF/MC/N84 FINAL:2025 (Edition 2).

    Key clauses

    Machine-readable formats

    SPDX or CycloneDX, serialized as JSON or XML, with tags for known vulnerabilities and support level.

    Lifecycle commitment

    SBOM updated at every release; legacy components flagged with end-of-support dates.

    Distribution

    Provided to procurers and operators on request, not just regulators.