The Crosswalk

    MDD

    Flag of Hong KongHong Kong — MDD

    GuidanceLast updated · 2024Verified · 2026-05-28

    Medical Device Administrative Control System (MDACS)

    Authority

    Medical Device Division, Department of Health

    Enforced

    2004 (voluntary MDACS launched)

    Legal framework

    Voluntary Medical Device Administrative Control System (MDACS) operated by the MDD; PDPO (Cap. 486) for personal data; CSL bill under development for critical infrastructure including healthcare.

    FDA package reuse

    ~90%

    Scope

    All medical devices marketed in Hong Kong via voluntary MDACS listing. Separate from mainland China's NMPA regime. SaMD covered by MDACS Technical Reference TR-004.

    Pre-market

    Reliance-based: listing requires evidence of approval by at least one Reference Country regulator (FDA, EU, Health Canada, TGA, PMDA). Cybersecurity expectations follow the reference-country submission.

    Post-market

    MDACS adverse-event reporting; PCPD handles personal-data breach notifications under PDPO.

    SBOM

    Recommended

    Not mandated by MDACS, but reference-country SBOMs accepted as part of the listing dossier.

    Vulnerability disclosure

    HKCERT coordinates ICT incidents; no medical-device-specific CVD requirement.

    Penalty

    Removal from MDACS listing; healthcare procurement consequences (most HA tenders require MDACS-listed devices).

    Unique requirements

    • 01Local Responsible Person appointment
    • 02Reference-country approval as the gating evidence
    • 03Traditional Chinese labelling for consumer devices

    Highlights

    • Reliance on FDA/CE/HC/TGA/PMDA approvals
    • Listing is voluntary but de-facto required for HA procurement
    • Separate regime from mainland China NMPA

    Aligns with

    IMDRF N60 (via reference countries) ISO 13485

    Timeline

    1. 2004

      MDACS voluntary listing launched

    2. 2021

      PDPO amendments tighten doxxing/data-protection rules

    3. 2024

      Cybersecurity Legislation Bill (CSL) for CII published for consultation

    Key documents

    Related markets

    Frequently asked about Hong Kong

    Is SBOM required for medical devices in Hong Kong?

    Recommended. Not mandated by MDACS, but reference-country SBOMs accepted as part of the listing dossier.

    What does MDD require for pre-market cybersecurity?

    Reliance-based: listing requires evidence of approval by at least one Reference Country regulator (FDA, EU, Health Canada, TGA, PMDA). Cybersecurity expectations follow the reference-country submission.

    What are the post-market cybersecurity obligations under MDD?

    MDACS adverse-event reporting; PCPD handles personal-data breach notifications under PDPO.

    What is the penalty for non-compliance with MDD cybersecurity rules?

    Removal from MDACS listing; healthcare procurement consequences (most HA tenders require MDACS-listed devices).

    How much of my FDA cybersecurity package is reusable in Hong Kong?

    Roughly 90% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).