The Crosswalk

    § 03 · The playbook

    Eight moves that turn cybersecurity into a global accelerant.

    What we wish every MedTech founder knew before their first international submission.

    Last updated ·

    The eight moves

    1. 01

      Map your target markets

      Stack-rank jurisdictions by revenue potential, time-to-clearance and reciprocity (MDSAP, MRA, reference jurisdiction routes). Most US-cleared devices reach Canada and Singapore 60–90% faster via abridged routes.

    2. 02

      Build to the highest baseline

      Design once against IEC 81001-5-1 + IEC 62443-4-1 + AAMI TIR57 inside your ISO 13485 / QMSR design controls. The FDA (Feb 2026 guidance now anchored on QMSR), PMDA, EU and HSA all converge here - treat SPDF as one satisfaction path within the QMS, not a parallel document set.

    3. 03

      Generate one SBOM, format it three ways

      SPDX 2.3 for the FDA, CycloneDX for industry partners, and a human-readable PDF for Notified Bodies and PMDA reviewers.

    4. 04

      Stand up a CVD program before submission

      FDA, PMDA and Health Canada expect a coordinated vulnerability disclosure plan in the submission itself, not as a post-clearance promise.

    5. 05

      Localise post-market obligations

      Cyber-incident clocks are tight and uneven: China 24h, EU CRA 24h early-warning + 72h full notification (from 11 Sep 2026), US FDA 30 days. Build one playbook with regional triggers and language packs - and design to the 24h floor, not the 15-day MDR vigilance clock.

    6. 06

      Plan for divergence, not convergence

      CRA (EU, 2027), AI Act, China MLPS evolution will pull standards apart again. Architect for configurability, crypto agility, regional telemetry, kill-switches.

    7. 07

      Get an external pen test before submission

      FDA reviewers increasingly expect third-party security testing evidence. SFDA and HSA reviewers reuse it. One report, many submissions.

    8. 08

      Treat MDSAP as your QMS keystone

      MDSAP audit covers AU, BR, CA, JP, US in one go, and MDSAP-aligned ISO 13485 evidence now maps 1:1 to the FDA QMSR that took effect Feb 2 2026. Embed cybersecurity QMS controls (design controls, CAPA, complaint handling) so they pass MDSAP + QMSR review without rework.