The Crosswalk

    Malaysia — MDA

    Guidance · Last updated: 2023 · Verified: 2026-05-28

    Medical Device Act 2012 + MDA Cybersecurity Guidance MDA/GD/0041

    Authority

    Medical Device Authority, Ministry of Health Malaysia

    Enforced

    2021 (cybersecurity guidance)

    Legal framework

    Medical Device Act 737 + MDA Guidance Documents + PDPA

    FDA package reuse

    ~80%

    Scope

    All medical devices and SaMD requiring registration with MDA. Cybersecurity proportional to risk class.

    Pre-market

    Cybersecurity description in CSDT (Common Submission Dossier Template), evidence aligned to IMDRF N60.

    Post-market

    Mandatory problem reporting, field corrective action notifications.

    SBOM

    Recommended

    Encouraged for higher-risk devices; mirrors IMDRF N60 expectations.

    Vulnerability disclosure

    MyCERT coordinated disclosure encouraged.

    Penalty

    Registration cancellation; PDPA fines and criminal liability for breaches.

    Unique requirements

    • 01 Malaysian Authorised Representative
    • 02 Conformity Assessment Body (CAB) involvement
    • 03 Bahasa Malaysia labelling

    Highlights

    • ASEAN CSDT template alignment
    • Risk-class proportional evidence
    • PDPA overhaul in progress (2024–25)

    Aligns with

    IMDRF N60, ASEAN MDD, ISO 13485

    Timeline

    1. Jul 2013

      Medical Device Act 737 effective

    2. 2021

      Cybersecurity guidance MDA/GD/0041 issued

    3. 2024

      PDPA amendments tighten breach reporting

    Frequently asked about Malaysia

    Is SBOM required for medical devices in Malaysia?

    Recommended. Encouraged for higher-risk devices; mirrors IMDRF N60 expectations.

    What does MDA require for pre-market cybersecurity?

    Cybersecurity description in CSDT (Common Submission Dossier Template), evidence aligned to IMDRF N60.

    What are the post-market cybersecurity obligations under MDA?

    Mandatory problem reporting, field corrective action notifications.

    What is the penalty for non-compliance with MDA cybersecurity rules?

    Registration cancellation; PDPA fines and criminal liability for breaches.

    How much of my FDA cybersecurity package is reusable in Malaysia?

    Roughly 80% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).