The Crosswalk

    South Korea — MFDS

    Mandatory · Last updated: 2024 (MFDS cybersecurity notification update) · Verified: 2026-05-28

    Cybersecurity Review Guideline for Medical Devices

    Authority

    Ministry of Food and Drug Safety

    Enforced

    2019 (rev. 2023)

    Legal framework

    Medical Devices Act + MFDS Cybersecurity Notification

    FDA package reuse

    ~65%

    Scope

    Medical devices with wired/wireless communication. AI/ML medical devices have an additional addendum.

    Pre-market

    Cybersecurity assessment report at submission, K-GMP integration.

    Post-market

    Periodic re-evaluation every 5 years, incident reporting.

    SBOM

    Recommended

    Aligns to IMDRF N60 expectations.

    Vulnerability disclosure

    KISA (Korea Internet & Security Agency) coordination.

    Penalty

    Approval revocation, public recall orders.

    Unique requirements

    • 01 K-GMP audit
    • 02 Korean Licence Holder (KLH)
    • 03 AI/ML addendum requires change control plan

    Highlights

    • 5-year periodic review
    • K-GMP integration
    • AI/ML specific addendum (2023)

    Aligns with

    IMDRF N60, K-GMP, ISO 13485

    Timeline

    1. Nov 2019

      First cybersecurity guideline

    2. 2023

      AI/ML addendum and revision

    Frequently asked about South Korea

    Is SBOM required for medical devices in South Korea?

    Recommended. Aligns to IMDRF N60 expectations.

    What does MFDS require for pre-market cybersecurity?

    Cybersecurity assessment report at submission, K-GMP integration.

    What are the post-market cybersecurity obligations under MFDS?

    Periodic re-evaluation every 5 years, incident reporting.

    What is the penalty for non-compliance with MFDS cybersecurity rules?

    Approval revocation, public recall orders.

    How much of my FDA cybersecurity package is reusable in South Korea?

    Roughly 65% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).