The Crosswalk

    Health Canada

    Flag of CanadaCanada - Health Canada

    MandatoryLast updated · 2019 (no cybersecurity-specific revision confirmed at canada.ca as of Jun 2026)Verified · 2026-07-16

    Pre-market Requirements for Medical Device Cybersecurity

    Authority

    Health Canada, Medical Devices Bureau

    Enforced

    Jun 2019

    Legal framework

    Medical Devices Regulations (SOR/98-282)

    FDA package reuse

    ~95%

    Scope

    Class II, III, IV devices with software. Cybersecurity evidence required as part of licence application.

    Pre-market

    Risk management, secure design, verification evidence in licence application; aligns with FDA SPDF.

    Post-market

    Mandatory problem reporting, CVD plan, software change reports.

    SBOM

    Recommended

    Not strictly mandatory but strongly aligned to FDA expectations; reuse FDA package.

    Vulnerability disclosure

    Recommended via Canadian Centre for Cyber Security (CCCS).

    Penalty

    Licence cancellation, suspension, public advisories.

    Unique requirements

    • 01Bilingual labelling and IFU
    • 02Canadian Importer or Resident
    • 03MDSAP audit accepted in lieu of dedicated QMS audit

    Highlights

    • Aligned with FDA premarket cybersecurity guidance (Feb 2026)
    • MDSAP-friendly evidence reuse
    • Bilingual labelling (EN/FR)

    Aligns with

    FDA Feb 2026 Final Guidance IMDRF N60 ISO 13485 via MDSAP

    Timeline

    1. Jun 2019

      Original guidance published

    Key documents

    Health Canada head-to-head

    Related markets

    Frequently asked about Canada

    Is SBOM required for medical devices in Canada?

    Recommended. Not strictly mandatory but strongly aligned to FDA expectations; reuse FDA package.

    What does Health Canada require for pre-market cybersecurity?

    Risk management, secure design, verification evidence in licence application; aligns with FDA SPDF.

    What are the post-market cybersecurity obligations under Health Canada?

    Mandatory problem reporting, CVD plan, software change reports.

    What is the penalty for non-compliance with Health Canada cybersecurity rules?

    Licence cancellation, suspension, public advisories.

    How much of my FDA cybersecurity package is reusable in Canada?

    Roughly 95% - an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).