Mexico — COFEPRIS
NOM-241-SSA1-2021 + COFEPRIS digital-health criteria
Authority
Comisión Federal para la Protección contra Riesgos Sanitarios
Enforced
Dec 2021 (NOM-241)
Legal framework
Ley General de Salud + NOM-241-SSA1-2021 + LFPDPPP
Scope
Medical devices and SaMD marketed in Mexico. Cybersecurity expectations folded into Good Manufacturing Practices.
Pre-market
Risk management dossier, software lifecycle evidence, evidence reuse from FDA / Health Canada accepted via equivalence.
Post-market
Tecnovigilancia reporting, software change notifications.
SBOM
Recommended. Encouraged in technical file, not strictly mandated.
Vulnerability disclosure
Encouraged via CERT-MX coordination.
Penalty
Sanitary registration suspension, fines under General Health Law.
Unique requirements
- 01 Mexican Registration Holder (Titular)
- 02 Spanish-language IFU and labelling
- 03 Equivalence dossier accelerates approval
Highlights
- Equivalence route for FDA / Health Canada
- Top-3 LATAM market by device spend
- NOM-241 GMP compliance underpins everything
Timeline
- Dec 2021: NOM-241-SSA1-2021 published
- 2023: Equivalence agreements broadened
- 2024: Digital-health criteria refined
Frequently asked about Mexico
Is SBOM required for medical devices in Mexico?
Recommended. Encouraged in technical file, not strictly mandated.
What does COFEPRIS require for pre-market cybersecurity?
Risk management dossier, software lifecycle evidence, evidence reuse from FDA / Health Canada accepted via equivalence.
What are the post-market cybersecurity obligations under COFEPRIS?
Tecnovigilancia reporting, software change notifications.
What is the penalty for non-compliance with COFEPRIS cybersecurity rules?
Sanitary registration suspension, fines under General Health Law.
How much of my FDA cybersecurity package is reusable in Mexico?
Roughly 90% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).