The Crosswalk

    NCEMP

    Kazakhstan — NCEMP

    Mandatory

    Last updated · 2024

    Verified · 2026-05-28

    EAEU Medical Device Rules (Decision 46) — Kazakhstan implementation

    Authority

    National Center for Expertise of Medicines and Medical Products

    Enforced

    2016 (EAEU Decision 46)

    Legal framework

    Eurasian Economic Union (EAEU) Medical Device Rules adopted by Decision 46 of the EEC Council, implemented in Kazakhstan via the Code on People's Health and NCEMP procedural rules.

    FDA package reuse

    ~45%

    Scope

    All medical devices placed on the Kazakh market. EAEU registration grants access across RU, BY, AM, KG, KZ. Software-as-a-medical-device follows EAEU SaMD guidelines.

    Pre-market

    Common Technical Document-style dossier including QMS (ISO 13485), risk management, clinical evaluation, and software lifecycle (IEC 62304). Cybersecurity controls evaluated implicitly under software safety; explicit cyber expectations rely on Law on Personal Data and State Technical Service baselines.

    Post-market

    EAEU vigilance reporting via NCEMP; serious incidents within 15 working days. Cross-border data flows constrained by Law on Personal Data.

    SBOM

    Not specified

    Not addressed in EAEU rules today; CycloneDX accepted as supporting evidence on a voluntary basis.

    Vulnerability disclosure

    No medical-device-specific CVD regime; State Technical Service (STS) coordinates ICT incidents in healthcare.

    Penalty

    Registration suspension, removal from EAEU Unified Register, administrative fines under the Code on Administrative Offences.

    Unique requirements

    • 01 EAEU dossier format (CTD-style)
    • 02 Local authorised representative in Kazakhstan
    • 03 Russian-language labelling and IFU

    Highlights

    • EAEU mutual recognition across 5 member states
    • ISO 13485 QMS expectation
    • No statutory medical-device cyber rule yet

    Aligns with

    • EAEU SaMD guidance
    • ISO 13485
    • IEC 62304
    • ISO 14971

    Timeline

    1. May 2017

      EAEU Decision 46 takes effect

    2. 2021

      EAEU SaMD guidance issued

    3. 2024

      NCEMP digital dossier portal expanded

    Frequently asked about Kazakhstan

    Is SBOM required for medical devices in Kazakhstan?

    Not specified. Not addressed in EAEU rules today; CycloneDX accepted as supporting evidence on a voluntary basis.

    What does NCEMP require for pre-market cybersecurity?

    Common Technical Document-style dossier including QMS (ISO 13485), risk management, clinical evaluation, and software lifecycle (IEC 62304). Cybersecurity controls evaluated implicitly under software safety; explicit cyber expectations rely on Law on Personal Data and State Technical Service baselines.

    What are the post-market cybersecurity obligations under NCEMP?

    EAEU vigilance reporting via NCEMP; serious incidents within 15 working days. Cross-border data flows constrained by Law on Personal Data.

    What is the penalty for non-compliance with NCEMP cybersecurity rules?

    Registration suspension, removal from EAEU Unified Register, administrative fines under the Code on Administrative Offences.

    How much of my FDA cybersecurity package is reusable in Kazakhstan?

    Roughly 45% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).