§ 03 · The playbook
Eight moves that turn cybersecurity into a global accelerant.
What we wish every MedTech founder knew before their first international submission.
The eight moves
01 · Map your target markets
Stack-rank jurisdictions by revenue potential, time-to-clearance and reciprocity (MDSAP, MRA, reference jurisdiction routes). Most US-cleared devices reach Canada and Singapore 60–90% faster via abridged routes.
02 · Build to the highest baseline
Design once against IEC 81001-5-1 + IEC 62443-4-1 + AAMI TIR57. The FDA, PMDA, EU and HSA all converge here. Anything less and you'll re-engineer per market.
03 · Generate one SBOM, format it three ways
SPDX 2.3 for the FDA, CycloneDX for industry partners, and a human-readable PDF for Notified Bodies and PMDA reviewers.
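The one-inventory, three-format approach in move 03, as an added example that is not part of this page: a single Python inventory emits an SPDX 2.3 JSON document, a CycloneDX 1.5 JSON document and a plain-text summary that can be printed to PDF, then cross-checks that the two machine-readable outputs list the same components. The device, component names, suppliers, purls, hashes and namespace URL are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample inventory for a hypothetical device firmware (not from the page).
DEVICE = {"name": "example-infusion-pump-fw", "version": "1.4.2", "supplier": "Example MedTech Ltd"}
COMPONENTS = [
    {"name": "openssl", "version": "3.0.13", "supplier": "OpenSSL Software Foundation",
     "license": "Apache-2.0", "purl": "pkg:generic/openssl@3.0.13", "sha256": "a" * 64},
    {"name": "zlib", "version": "1.3.1", "supplier": "zlib contributors",
     "license": "Zlib", "purl": "pkg:generic/zlib@1.3.1", "sha256": "b" * 64},
    {"name": "freertos-kernel", "version": "10.6.2", "supplier": "Amazon Web Services",
     "license": "MIT", "purl": "pkg:github/FreeRTOS/FreeRTOS-Kernel@V10.6.2", "sha256": "c" * 64},
]


def _spdx_id(name):
    # SPDX element identifiers may contain only letters, digits, '.' and '-'.
    return "SPDXRef-Package-" + "".join(ch if ch.isalnum() or ch in ".-" else "-" for ch in name)


def to_spdx(device, components, created=None):
    """Build an SPDX 2.3 JSON document: root package DESCRIBED by the document, CONTAINS each component."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_id = _spdx_id(device["name"])
    packages = [{"name": device["name"], "SPDXID": root_id, "versionInfo": device["version"],
                 "supplier": f"Organization: {device['supplier']}", "downloadLocation": "NOASSERTION",
                 "filesAnalyzed": False, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"}]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": root_id}]
    for c in components:
        pid = _spdx_id(c["name"])
        packages.append({
            "name": c["name"], "SPDXID": pid, "versionInfo": c["version"],
            "supplier": f"Organization: {c['supplier']}", "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False, "licenseConcluded": c["license"], "licenseDeclared": c["license"],
            "checksums": [{"algorithm": "SHA256", "checksumValue": c["sha256"]}],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": c["purl"]}],
        })
        relationships.append({"spdxElementId": root_id, "relationshipType": "CONTAINS",
                              "relatedSpdxElement": pid})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{device['name']}-{device['version']}",
        # Placeholder namespace; a real document needs a unique URI per SBOM revision.
        "documentNamespace": f"https://sbom.example.invalid/{device['name']}/{device['version']}",
        "creationInfo": {"created": created,
                         "creators": [f"Organization: {device['supplier']}", "Tool: sbom-emit-example"]},
        "packages": packages, "relationships": relationships,
    }


def to_cyclonedx(device, components, timestamp=None):
    """Build a CycloneDX 1.5 JSON BOM with the firmware as metadata.component and a dependency edge per part."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_ref = f"{device['name']}@{device['version']}"
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"timestamp": timestamp,
                     "component": {"type": "firmware", "bom-ref": root_ref, "name": device["name"],
                                   "version": device["version"], "supplier": {"name": device["supplier"]}}},
        "components": [{"type": "library", "bom-ref": c["purl"], "name": c["name"], "version": c["version"],
                        "supplier": {"name": c["supplier"]}, "licenses": [{"license": {"id": c["license"]}}],
                        "purl": c["purl"], "hashes": [{"alg": "SHA-256", "content": c["sha256"]}]}
                       for c in components],
        "dependencies": [{"ref": root_ref, "dependsOn": [c["purl"] for c in components]}],
    }


def to_text_report(device, components):
    """Reviewer-facing plain text; print to PDF for Notified Bodies or PMDA without a second inventory."""
    lines = [f"Software Bill of Materials: {device['name']} {device['version']}",
             f"Supplier: {device['supplier']}", ""]
    header = f"{'Component':<18}{'Version':<10}{'Supplier':<32}{'License':<12}SHA-256"
    lines += [header, "-" * len(header)]
    for c in components:
        lines.append(f"{c['name']:<18}{c['version']:<10}{c['supplier']:<32}{c['license']:<12}{c['sha256']}")
    return "\n".join(lines)


def check_consistency(spdx, cdx):
    """Return the (name, version) pairs present in one machine-readable SBOM but not the other."""
    roots = {r["relatedSpdxElement"] for r in spdx["relationships"] if r["relationshipType"] == "DESCRIBES"}
    spdx_set = {(p["name"], p["versionInfo"]) for p in spdx["packages"] if p["SPDXID"] not in roots}
    cdx_set = {(c["name"], c["version"]) for c in cdx["components"]}
    return spdx_set ^ cdx_set


def emit_all(device, components, created=None):
    """One inventory in, three serialised artefacts out (keys are suggested file names)."""
    spdx, cdx = to_spdx(device, components, created), to_cyclonedx(device, components, created)
    if check_consistency(spdx, cdx):
        raise ValueError("SPDX and CycloneDX outputs disagree; inventory emitter is broken")
    return {"sbom.spdx.json": json.dumps(spdx, indent=2),
            "sbom.cdx.json": json.dumps(cdx, indent=2),
            "sbom.txt": to_text_report(device, components)}


if __name__ == "__main__":
    for filename, body in emit_all(DEVICE, COMPONENTS).items():
        print(f"== {filename} ({len(body)} bytes) ==")
```

Because every format is derived from the same list, a component added or bumped in one place shows up in all three submissions, and the consistency check catches an emitter that silently drops a package from one of them.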
04 · Stand up a CVD program before submission
FDA, PMDA and Health Canada expect a coordinated vulnerability disclosure plan in the submission itself, not as a post-clearance promise.
05 · Localise post-market obligations
Cyber-incident clocks are tight and uneven: China 24h, EU CRA 24h early-warning + 72h full notification (from 11 Sep 2026), US FDA 30 days. Build one playbook with regional triggers and language packs, and design to the 24h floor, not the 15-day MDR vigilance clock.
06 · Plan for divergence, not convergence
The CRA (EU, 2027), the AI Act and China's MLPS evolution will pull standards apart again. Architect for configurability, crypto agility, regional telemetry and kill-switches.
07 · Get an external pen test before submission
FDA reviewers increasingly expect third-party security testing evidence. SFDA and HSA reviewers reuse it. One report, many submissions.
08 · Treat MDSAP as your QMS keystone
A single MDSAP audit covers Australia, Brazil, Canada, Japan and the US. Embed cybersecurity QMS controls (design controls, CAPA, complaint handling) so they pass MDSAP review without rework.