PMDA / MHLW

Japan — PMDA / MHLW

MandatoryLast updated · Mar 2024Verified · 2026-05-28

PMSD Act + MHLW Cybersecurity Notifications (2023–24)

Authority

Pharmaceuticals and Medical Devices Agency / Ministry of Health, Labour and Welfare

Enforced

Apr 2024 (cybersecurity notification)

Legal framework

Pharmaceuticals & Medical Devices Act + MHLW Notifications + IMDRF N60 alignment

FDA package reuse

~70%

Editorial estimate · how →

Scope

Programmed medical devices (PMD) and SaMD with network connectivity. Applies at marketing authorization (Shonin) and certification.

Pre-market

Cybersecurity documentation in STED, JIS T 81001-5-1 application, threat analysis, SBOM submission.

Post-market

Incident reporting to PMDA, lifetime support obligations, periodic safety updates.

SBOM

Required

SBOM expected at submission since 2023 MHLW notification; format flexibility but machine-readable preferred.

Vulnerability disclosure

Required, IPA (Information-technology Promotion Agency) coordination.

Penalty

Approval suspension; recall orders; criminal penalties for misleading data.

Unique requirements

01Japanese-language documentation (STED)
02Marketing Authorization Holder (MAH) must be Japan-based
03JIS T 81001-5-1 (Japanese adoption of IEC 81001-5-1)

Highlights

Closely tracks IMDRF N60
SBOM expected from 2024
Lifetime support clause

Aligns with

IMDRF N60 JIS T 81001-5-1 IEC 62443-4-1

Timeline

2014

PMSD Act revised
Mar 2023

MHLW cybersecurity notification issued
Apr 2024

Enforcement of updated requirements

Key documents

PMDA Medical Device Cybersecurity Page

https://www.pmda.go.jp/english/review-services/reviews/0002.html

MHLW Cybersecurity Notification (2023)

https://www.mhlw.go.jp/

JIS T 81001-5-1

https://www.jisc.go.jp/

PMDA head-to-head

Compare

PMDAvsFDA 524B

Open comparison

Compare

PMDAvsEU MDR

Open comparison

Related markets

Vietnam

~70% FDA reuse

Ukraine

~70% FDA reuse

South Korea

~65% FDA reuse

European Union

~60% FDA reuse

Frequently asked about Japan

Is SBOM required for medical devices in Japan?

Required. SBOM expected at submission since 2023 MHLW notification; format flexibility but machine-readable preferred.

What does PMDA / MHLW require for pre-market cybersecurity?

Cybersecurity documentation in STED, JIS T 81001-5-1 application, threat analysis, SBOM submission.

What are the post-market cybersecurity obligations under PMDA / MHLW?

Incident reporting to PMDA, lifetime support obligations, periodic safety updates.

What is the penalty for non-compliance with PMDA / MHLW cybersecurity rules?

Approval suspension; recall orders; criminal penalties for misleading data.

How much of my FDA cybersecurity package is reusable in Japan?

Roughly 70% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).