MFDS
South Korea - MFDS
Cybersecurity Review Guideline for Medical Devices
Authority
Ministry of Food and Drug Safety
Enforced
2019 (rev. 2023); Digital Medical Products Act (DMPA) enforced Jan 24 2025
Legal framework
Medical Devices Act + MFDS Cybersecurity Notification + Digital Medical Products Act (DMPA, Act No. 20139, enforced Jan 24 2025)
Scope
Medical devices with wired/wireless communication. AI/ML medical devices have additional addendum.
Pre-market
Cybersecurity assessment report at submission, K-GMP integration.
Post-market
Periodic re-evaluation every 5 years, incident reporting.
SBOM
RecommendedAligns to IMDRF N60 expectations.
Vulnerability disclosure
KISA (Korea Internet & Security Agency) coordination.
Penalty
Approval revocation, public recall orders.
Unique requirements
- 01K-GMP audit
- 02Korean Licence Holder (KLH)
- 03AI/ML addendum requires change control plan
Highlights
- 5-year periodic review
- K-GMP integration
- AI/ML specific addendum (2023)
Aligns with
Timeline
-
Nov 2019
First cybersecurity guideline
-
2023
AI/ML addendum and revision
-
Jan 24 2025
Digital Medical Products Act (DMPA) enters into force; dedicated regulatory framework for digital medical products, with companion Electronic Intrusion Security Guidelines
Key documents
MFDS head-to-head
Related markets
Frequently asked about South Korea
Is SBOM required for medical devices in South Korea?
Recommended. Aligns to IMDRF N60 expectations.
What does MFDS require for pre-market cybersecurity?
Cybersecurity assessment report at submission, K-GMP integration.
What are the post-market cybersecurity obligations under MFDS?
Periodic re-evaluation every 5 years, incident reporting.
What is the penalty for non-compliance with MFDS cybersecurity rules?
Approval revocation, public recall orders.
How much of my FDA cybersecurity package is reusable in South Korea?
Roughly 65% - an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).