The Crosswalk

    NMPA

    China — NMPA

    Mandatory

    Last updated · 2024 (revised technical review guideline)

    Verified · 2026-05-28

    Technical Review Guideline on Medical Device Cybersecurity (2022 rev.)

    Authority

    National Medical Products Administration

    Enforced

    2022

    Legal framework

    NMPA Cybersecurity Guideline + MLPS 2.0 + Data Security Law + PIPL

    FDA package reuse

    ~45%

    Scope

    All medical devices with cybersecurity features: data storage, exchange, remote control or interfaces. Network type classification determines depth of evidence.

    Pre-market

    Cybersecurity description, risk analysis, network type classification, verification & validation in registration dossier.

    Post-market

    Annual self-assessment, incident reporting within 24h, software upgrade approvals required.

    SBOM

    Recommended

    Not strictly required; component lists must appear in technical documentation.

    Vulnerability disclosure

    MIIT CNVD (China National Vulnerability Database) coordination required.

    Penalty

    Registration revocation, fines under DSL up to RMB 10M, criminal liability for serious data breaches.

    Unique requirements

    1. MLPS 2.0 cybersecurity grading (Level 2 or 3 typical)
    2. Cross-border data transfer security assessment
    3. Chinese Legal Agent and registration via NMPA
    4. Software changes may trigger re-registration

    Highlights

    • Data localisation under PIPL
    • MLPS 2.0 grading required
    • Cross-border data transfer restrictions

    Aligns with

    IMDRF N60 (partial) · GB/T standards · MLPS 2.0

    Timeline

    1. Jan 2017

      First NMPA cybersecurity guideline

    2. Sep 2021

      DSL & PIPL effective

    3. Mar 2022

      Revised cybersecurity guideline

    Frequently asked about China

    Is SBOM required for medical devices in China?

    Recommended. Not strictly required; component lists must appear in technical documentation.

    What does NMPA require for pre-market cybersecurity?

    Cybersecurity description, risk analysis, network type classification, verification & validation in registration dossier.

    What are the post-market cybersecurity obligations under NMPA?

    Annual self-assessment, incident reporting within 24h, software upgrade approvals required.

    What is the penalty for non-compliance with NMPA cybersecurity rules?

    Registration revocation, fines under DSL up to RMB 10M, criminal liability for serious data breaches.

    How much of my FDA cybersecurity package is reusable in China?

    Roughly 45% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).