INVIMA
Colombia — INVIMA
Decreto 4725/2005 + INVIMA SaMD and cybersecurity criteria
Authority
Instituto Nacional de Vigilancia de Medicamentos y Alimentos
Enforced
2005 (rev. 2023)
Legal framework
Decreto 4725/2005 + Ley 1581 (data protection) + INVIMA circulars
Scope
All medical devices marketed in Colombia; risk-class based sanitary registration.
Pre-market
Risk-class dossier; reference-jurisdiction route accepts FDA / CE / Health Canada / TGA / PMDA.
Post-market
Tecnovigilancia reporting, sanitary surveillance.
SBOM
RecommendedEncouraged via FDA alignment.
Vulnerability disclosure
ColCERT coordinated disclosure encouraged.
Penalty
Registration cancellation, sanitary fines.
Unique requirements
- 01Colombian Sanitary Registration Holder
- 02Spanish-language IFU and labelling
- 03BPM (Buenas Prácticas de Manufactura) certification
Highlights
- Reference jurisdiction route accepted
- Spanish-language documentation
- Andean Community harmonisation
Aligns with
Timeline
-
2005
Decreto 4725 published
-
2023
SaMD and cyber circulars updated
Key documents
Related markets
Frequently asked about Colombia
Is SBOM required for medical devices in Colombia?
Recommended. Encouraged via FDA alignment.
What does INVIMA require for pre-market cybersecurity?
Risk-class dossier; reference-jurisdiction route accepts FDA / CE / Health Canada / TGA / PMDA.
What are the post-market cybersecurity obligations under INVIMA?
Tecnovigilancia reporting, sanitary surveillance.
What is the penalty for non-compliance with INVIMA cybersecurity rules?
Registration cancellation, sanitary fines.
How much of my FDA cybersecurity package is reusable in Colombia?
Roughly 85% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).