The Crosswalk

    Health Canada

    Canada — Health Canada

    Mandatory · Last updated: 2024 · Verified: 2026-05-28

    Pre-market Requirements for Medical Device Cybersecurity

    Authority

    Health Canada, Medical Devices Bureau

    Enforced

    Jun 2019 (rev. 2024)

    Legal framework

    Medical Devices Regulations (SOR/98-282)

    FDA package reuse

    ~95%

    Scope

    Class II, III, IV devices with software. Cybersecurity evidence required as part of licence application.

    Pre-market

    Risk management, secure design, verification evidence in licence application; aligns with FDA SPDF.

    Post-market

    Mandatory problem reporting, CVD plan, software change reports.

    SBOM

    Recommended

    Not strictly mandatory but strongly aligned to FDA expectations; reuse FDA package.

    Vulnerability disclosure

    Recommended via Canadian Centre for Cyber Security (CCCS).

    Penalty

    Licence cancellation, suspension, public advisories.

    Unique requirements

    • 01 Bilingual labelling and IFU
    • 02 Canadian Importer or Resident
    • 03 MDSAP audit accepted in lieu of dedicated QMS audit

    Highlights

    • Aligned with FDA 2023 guidance
    • MDSAP-friendly evidence reuse
    • Bilingual labelling (EN/FR)

    Aligns with

    FDA 2023 Guidance, IMDRF N60, ISO 13485 via MDSAP

    Timeline

    1. Jun 2019

      Original guidance published

    2. 2024

      Update aligned to FDA 2023 guidance

    Frequently asked about Canada

    Is SBOM required for medical devices in Canada?

    Recommended. Not strictly mandatory but strongly aligned to FDA expectations; reuse FDA package.

    What does Health Canada require for pre-market cybersecurity?

    Risk management, secure design, verification evidence in licence application; aligns with FDA SPDF.

    What are the post-market cybersecurity obligations under Health Canada?

    Mandatory problem reporting, CVD plan, software change reports.

    What is the penalty for non-compliance with Health Canada cybersecurity rules?

    Licence cancellation, suspension, public advisories.

    How much of my FDA cybersecurity package is reusable in Canada?

    Roughly 95% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).