ANVISA
Brazil — ANVISA
RDC 751/2022 + Cybersecurity Guide for Medical Devices
Authority
Agência Nacional de Vigilância Sanitária
Enforced
Mar 2023 (RDC 751)
Legal framework
RDC 751/2022 + LGPD
Scope
All medical devices, with risk-class proportional cybersecurity scrutiny. SaMD specifically addressed.
Pre-market
Cybersecurity documentation in registration dossier, risk management evidence aligned to ISO 14971.
Post-market
Tecnovigilância reporting, lifecycle updates, post-market surveillance.
SBOM
RecommendedEncouraged, not strictly required.
Vulnerability disclosure
Encouraged, CERT.br coordination.
Penalty
Registration cancellation; LGPD fines up to 2% Brazilian revenue (max BRL 50M per infraction).
Unique requirements
- 01Brazilian Registration Holder (BRH)
- 02Portuguese-language IFU and labelling
- 03INMETRO certification for electrical safety
Highlights
- Risk-class based scrutiny
- MDSAP partially recognised
- Portuguese-language documentation required
Aligns with
Timeline
-
2020
ANVISA cybersecurity guide v1
-
Sep 2022
RDC 751/2022 published
-
Mar 2023
RDC 751 effective
Key documents
Related markets
Frequently asked about Brazil
Is SBOM required for medical devices in Brazil?
Recommended. Encouraged, not strictly required.
What does ANVISA require for pre-market cybersecurity?
Cybersecurity documentation in registration dossier, risk management evidence aligned to ISO 14971.
What are the post-market cybersecurity obligations under ANVISA?
Tecnovigilância reporting, lifecycle updates, post-market surveillance.
What is the penalty for non-compliance with ANVISA cybersecurity rules?
Registration cancellation; LGPD fines up to 2% Brazilian revenue (max BRL 50M per infraction).
How much of my FDA cybersecurity package is reusable in Brazil?
Roughly 60% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).