The Crosswalk

    CDSCO

    India — CDSCO

    Guidance · Last updated · 2024 · Verified · 2026-05-28

    Medical Devices Rules 2017 + 2024 cybersecurity amendments

    Authority

    Central Drugs Standard Control Organization

    Enforced

    Oct 2023 (full notified-device coverage)

    Legal framework

    Medical Devices Rules 2017 + DPDP Act 2023 + CERT-In Directions

    FDA package reuse

    ~60%

    Scope

    All notified medical devices and IVDs, including SaMD with networking capability. Cybersecurity expectations layered onto existing licence application.

    Pre-market

    Risk management aligned to ISO 14971, software lifecycle per IEC 62304, cybersecurity description in Plant Master File and Device Master File.

    Post-market

    Materiovigilance Programme of India (MvPI) reporting; CERT-In 6-hour incident reporting for connected systems.

    SBOM

    Recommended

    Encouraged in technical documentation; not yet a hard line item but expected for Class C/D under 2024 amendments.

    Vulnerability disclosure

    CERT-In coordinated disclosure mandatory for service providers; recommended for manufacturers.

    Penalty

    Licence cancellation, imprisonment up to 5 years under D&C Act, DPDP penalties up to ₹250 crore.

    Unique requirements

    • 01 Indian Authorised Agent required for foreign manufacturers
    • 02 BIS standards referenced for electrical safety
    • 03 CERT-In empanelled auditor often expected for cyber claims

    Highlights

    • CERT-In 6-hour incident rule
    • DPDP Act data localisation pressure
    • Voluntary registration ending, mandatory licensing in force

    Aligns with

    IMDRF N60, ISO 14971, IEC 62304

    Timeline

    1. Jan 2018

      MDR 2017 effective

    2. Apr 2022

      CERT-In Directions on incident reporting

    3. Oct 2023

      All notified devices require licence

    4. 2024

      Cybersecurity amendments and DPDP Act rules

    Frequently asked about India

    Is SBOM required for medical devices in India?

    Recommended. Encouraged in technical documentation; not yet a hard line item but expected for Class C/D under 2024 amendments.

    What does CDSCO require for pre-market cybersecurity?

    Risk management aligned to ISO 14971, software lifecycle per IEC 62304, cybersecurity description in Plant Master File and Device Master File.

    What are the post-market cybersecurity obligations under CDSCO?

    Materiovigilance Programme of India (MvPI) reporting; CERT-In 6-hour incident reporting for connected systems.

    What is the penalty for non-compliance with CDSCO cybersecurity rules?

    Licence cancellation, imprisonment up to 5 years under D&C Act, DPDP penalties up to ₹250 crore.

    How much of my FDA cybersecurity package is reusable in India?

    Roughly 60% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).