The Crosswalk

    TGA

    Australia — TGA

    Guidance

    Last updated · 2024 (TGA cybersecurity guidance v2)

    Verified · 2026-05-28

    Medical Device Cybersecurity Guidance

    Authority

    Therapeutic Goods Administration

    Enforced

    Jul 2019 (rev. 2022)

    Legal framework

    Therapeutic Goods Act + Essential Principles 12.1

    FDA package reuse

    ~85%

    Scope

    All medical devices with software, networking or wireless connectivity. Two TGA documents: pre-market for industry and post-market for users.

    Pre-market

    Total Product Life Cycle (TPLC) approach, IEC 81001-5-1 referenced, evidence proportional to risk.

    Post-market

    Incident reporting, MDSAP audits, ongoing patching.

    SBOM

    Recommended

    Encouraged; ACSC ISM compatibility valued.

    Vulnerability disclosure

    Encouraged, ACSC alignment.

    Penalty

    Cancellation from ARTG, civil penalties.

    Unique requirements

    • 01 Australian Sponsor required
    • 02 ARTG inclusion process
    • 03 Aligns to ACSC Essential Eight where applicable

    Highlights

    • TPLC philosophy
    • MDSAP recognition
    • Light-touch but tightening

    Aligns with

    IMDRF N60, IEC 81001-5-1, MDSAP

    Timeline

    1. Jul 2019

      First TGA cybersecurity guidance

    2. Jul 2022

      Revised guidance published

    Frequently asked about Australia

    Is SBOM required for medical devices in Australia?

    Recommended. Encouraged; ACSC ISM compatibility valued.

    What does TGA require for pre-market cybersecurity?

    Total Product Life Cycle (TPLC) approach, IEC 81001-5-1 referenced, evidence proportional to risk.

    What are the post-market cybersecurity obligations under TGA?

    Incident reporting, MDSAP audits, ongoing patching.

    What is the penalty for non-compliance with TGA cybersecurity rules?

    Cancellation from ARTG, civil penalties.

    How much of my FDA cybersecurity package is reusable in Australia?

    Roughly 85% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).