§ 03 · The playbook
Eight moves that turn cybersecurity into a global accelerant.
What we wish every MedTech founder knew before their first international submission.
The eight moves
-
01
Map your target markets
Stack-rank jurisdictions by revenue potential, time-to-clearance and reciprocity (MDSAP, MRA, reference jurisdiction routes). Most US-cleared devices reach Canada and Singapore 60–90% faster via abridged routes.
-
02
Build to the highest baseline
Design once against IEC 81001-5-1 + IEC 62443-4-1 + AAMI TIR57 inside your ISO 13485 / QMSR design controls. The FDA (Feb 2026 guidance now anchored on QMSR), PMDA, EU and HSA all converge here - treat SPDF as one satisfaction path within the QMS, not a parallel document set.
-
03
Generate one SBOM, format it three ways
SPDX 2.3 for the FDA, CycloneDX for industry partners, and a human-readable PDF for Notified Bodies and PMDA reviewers.
-
04
Stand up a CVD program before submission
FDA, PMDA and Health Canada expect a coordinated vulnerability disclosure plan in the submission itself, not as a post-clearance promise.
-
05
Localise post-market obligations
Cyber-incident clocks are tight and uneven: China 24h, EU CRA 24h early-warning + 72h full notification (from 11 Sep 2026), US FDA 30 days. Build one playbook with regional triggers and language packs - and design to the 24h floor, not the 15-day MDR vigilance clock.
-
06
Plan for divergence, not convergence
CRA (EU, 2027), AI Act, China MLPS evolution will pull standards apart again. Architect for configurability, crypto agility, regional telemetry, kill-switches.
-
07
Get an external pen test before submission
FDA reviewers increasingly expect third-party security testing evidence. SFDA and HSA reviewers reuse it. One report, many submissions.
-
08
Treat MDSAP as your QMS keystone
MDSAP audit covers AU, BR, CA, JP, US in one go, and MDSAP-aligned ISO 13485 evidence now maps 1:1 to the FDA QMSR that took effect Feb 2 2026. Embed cybersecurity QMS controls (design controls, CAPA, complaint handling) so they pass MDSAP + QMSR review without rework.