§ 06 · Methodology
How we decide what's on the map.
Transparent inclusion criteria, color tiers, the Emerging tier definition, and the seven sanctioned jurisdictions we deliberately leave gray.
What “covered” means
A jurisdiction earns a colored tile and a full crosswalk page when all four of these conditions hold:
1. A national medical-device regulator exists and operates a registration, notification, or approval pathway.
2. Cybersecurity expectations for connected medical devices or SaMD are documented — either as named guidance, a circular, a recognized standard, or as enforced general data/health-security law that demonstrably applies to devices.
3. The market is reachable by a US/EU manufacturer (no comprehensive sanctions blocking commercial export of medical devices).
4. The jurisdiction is large or strategically important enough that an RA team would actually plan for it on a global rollout.
Total covered today: 42 jurisdictions across 6 continents (35 with full crosswalks, 7 as emerging-tier profiles).
Color tiers
- Leading: Statutory cybersecurity requirements with SBOM mandated and pre-market refusal as enforcement.
- Advanced: Mandatory cyber framework with named guidance, SBOM expected, post-market duties.
- Developing: Cyber guidance published; tightening but not yet pre-market gating.
- Emerging: Early-stage requirements; relies heavily on FDA/EU recognition and IMDRF principles.
- Gray: Not yet profiled, or intentionally omitted under sanctions (7 jurisdictions, see below).
Tiers are an editorial judgment — a snapshot of regulatory maturity, not a compliance score for any specific manufacturer or device. Tiers are reviewed each time a covered jurisdiction publishes new guidance.
The Emerging tier — and how it differs from Covered and Watchlist
Emerging is a real category, not a placeholder. A jurisdiction lands here when its device regulator and statutory framework are real and reachable — but cybersecurity-specific expectations have not been formally written down yet, or are being absorbed from foreign approvals and adjacent law (data protection, critical infrastructure). We publish a brief profile rather than a full crosswalk.
Covered
Full crosswalk page. Named cyber guidance or statute we can cite line-by-line.
- ✓ Named cyber guidance
- ✓ Pre-/post-market expectations documented
- ✓ SBOM posture assessable
- ✓ Crosswalk to FDA package
Emerging
Brief profile in the click-through panel. Real regulator, no cyber-specific text yet.
- ✓ Device regulator + statutory framework
- ✓ Reference-country approval pathway
- ~ Cyber posture inferred from adjacent law
- ✗ No medical-device cyber crosswalk yet
Watchlist
Reserved bucket for jurisdictions actively drafting guidance we expect to promote next.
- ✓ Regulator known
- ~ Draft guidance circulating
- ✗ No reachable framework to summarise
- ✗ Currently empty after the 2026 promotion pass
How a country becomes Emerging
1. There is an identifiable national medical-device regulator with a published registration or licensing pathway.
2. There is a statutory basis for that regulator (act, decree, ministerial order) — not just a draft Bill.
3. The market is reachable by a US/EU manufacturer (no comprehensive sanctions).
4. The regulator either accepts foreign approvals (FDA, CE, Health Canada, TGA, PMDA) as a route to entry, or has explicit IMDRF/GHTF alignment we can describe in a paragraph.
Currently emerging · 7 jurisdictions
Click any of these on the world map to see their regulator, statutory framework, current cyber posture, and which foreign approvals they recognize.
How we estimate "FDA package reuse"
Each crosswalk page shows an ~X% figure labeled FDA package reuse. It is an editorial estimate of how much of a complete FDA cybersecurity submission package — SPDF artifacts, SBOM, threat model, security testing, architecture views, CVD plan, and post-market lifecycle commitments — can be reused as-is in another jurisdiction's submission, before localization, format conversion, or additional local evidence is needed.
The number is not a regulatory equivalence rating, a clearance prediction, or a quantitative score. The tilde (~) is doing real work: treat it as a rough planning band for RA/QA scoping, not a percentage you'd defend in an audit.
Six dimensions we weigh
- SBOM acceptance: Will the regulator accept an SPDX/CycloneDX SBOM produced for FDA, or do they require a specific local format/registry?
- SPDF / SSDLC alignment: Does the regulator recognize the FDA Secure Product Development Framework, IEC 81001-5-1, or IEC 62443-4-1 as evidence of secure development?
- Threat model & risk evidence: Is an AAMI TIR57 / ISO 14971 cybersecurity risk file accepted, or is a locally formatted risk dossier required?
- CVD plan & post-market: Are the FDA CVD plan and patch SLAs sufficient, or does the jurisdiction require a local PSIRT, in-country contact, or different reporting timelines?
- Standards recognition: Does the regulator publish a recognized-consensus-standards list that includes the same standards FDA recognizes?
- Localization & sovereignty: Language requirements, in-country data/representation rules, sovereign certification regimes, and registration-flow deltas.
How the bands map
- 100% (Source): FDA itself — the reference package.
- 85–95% (High reuse): Strong IMDRF + SPDF alignment; recognizes FDA submissions or equivalent standards (Canada, Switzerland, Israel, UAE, Norway).
- 70–80% (Solid base): IEC 81001-5-1 / IMDRF aligned, but local registration flow and language deltas (UK, Japan, Australia, Singapore, Brazil, Taiwan).
- 55–65% (Partial): Substantive process, format, or representation deltas (EU MDR, MFDS, India, Mexico, Vietnam, Indonesia).
- ≤ 50% (Low reuse): Sovereign certification, data-localization, or fundamentally different framework (China, Saudi Arabia in some cases).
- n/a (Emerging): Not scored — no formal cyber expectations to map FDA artifacts against.
Limitations
- Editorial estimate by reviewers familiar with the underlying frameworks — not a peer-reviewed scoring rubric.
- Assumes a typical Class II / moderate-risk connected device. High-risk implants, AI/ML SaMD, and combination products will deviate.
- Reflects the regulator's published expectations as of each entry's Last reviewed date — not informal reviewer practice.
- Does not include QMS, clinical, labeling, or general device-registration effort — only cybersecurity submission artifacts.
Why a country might be gray
Not yet covered
The country has no national medical-device regulator, the regulator has no public registration pathway, or the market is too small to warrant a profile on a global rollout. If a jurisdiction has a real regulator and a statutory framework but no named cyber guidance, it sits in the Emerging tier above instead — not gray.
Intentionally omitted (sanctions)
US OFAC, EU and UK sanctions regimes restrict commercial export of medical devices — particularly connected and software-driven devices — to the following markets without specific licenses. Listing a crosswalk for them would be misleading guidance for the typical reader of this site:
- 🇷🇺 Russia
- 🇧🇾 Belarus
- 🇮🇷 Iran
- 🇰🇵 North Korea
- 🇸🇾 Syria
- 🇨🇺 Cuba
- 🇻🇪 Venezuela
Humanitarian medical-device exports are often permitted under general licenses; commercial market access is functionally closed. Some of these jurisdictions (notably Russia) maintain real medical-device cyber frameworks — we just don't crosswalk them here.
What this map is not
- It is not a substitute for legal or regulatory counsel. Tier colors don't tell you whether your specific device clears in any given market.
- It is not a global trade compliance map. We flag sanctions only to explain omissions — not to assess export controls for your product.
- It is not exhaustive. ~190 UN member states exist; we cover the jurisdictions that matter most for typical global medical-device launches.
Think we're missing one?
If you've shipped into a market you'd like added — or you disagree with a tier — tell us. We add jurisdictions in batches when they meet the four-condition test above.