The Crosswalk

    Roszdravnadzor

    Flag of RussiaRussia — Roszdravnadzor

    MandatoryLast updated · 2024Verified · 2026-05-28

    Roszdravnadzor Medical Device Registration & FSTEC/FSB Cyber Overlay (informational — sanctions apply)

    Authority

    Federal Service for Surveillance in Healthcare

    Enforced

    2012 (Gov. Decree 1416)

    Legal framework

    Government Decree 1416 on medical device registration + Roszdravnadzor procedural rules; Federal Law 152-FZ on Personal Data; FSTEC/FSB cryptographic and ICT-security rules for connected devices in critical information infrastructure (Federal Law 187-FZ).

    FDA package reuse

    ~35%

    Scope

    All medical devices placed on the Russian market. Connected devices serving healthcare critical information infrastructure (KII) fall under 187-FZ obligations including state-certified cryptography (GOST) where applicable.

    Pre-market

    Roszdravnadzor registration dossier with QMS (GOST ISO 13485) and technical documentation. Software safety per GOST IEC 62304. Cybersecurity assessed where the device falls under KII; FSTEC certification may be required for connected hospital systems.

    Post-market

    Vigilance reporting to Roszdravnadzor; serious incidents within tight timelines. KII operators report incidents to GosSOPKA (NCCCI).

    SBOM

    Not specified

    No statutory SBOM rule; FSTEC certification process examines components but not in machine-readable SBOM form.

    Vulnerability disclosure

    NCCCI (GosSOPKA) for KII operators; no medical-device-specific CVD regime.

    Penalty

    Registration suspension, market withdrawal, administrative fines and, for KII violations, criminal liability under 187-FZ.

    Unique requirements

    • 01Russian authorised representative
    • 02Russian-language labelling and IFU
    • 03GOST IEC 62304 software lifecycle compliance
    • 04FSTEC certification path for KII-connected devices
    • 05OFAC / EU / UK sanctions screening before any market activity

    Highlights

    • EAEU framework available in parallel (where sanctions allow)
    • Critical Infrastructure (KII) overlay via 187-FZ
    • GOST cryptography requirements where KII applies

    Aligns with

    GOST ISO 13485 GOST IEC 62304 EAEU rules (parallel route)

    Timeline

    1. 2012

      Gov. Decree 1416 establishes registration regime

    2. 2018

      Federal Law 187-FZ on Critical Information Infrastructure takes effect

    3. Feb 2022

      Comprehensive Western sanctions imposed; market access restricted

    4. 2024

      FSTEC tightens cryptography rules for hospital ICT

    Key documents

    Related markets

    Frequently asked about Russia

    Is SBOM required for medical devices in Russia?

    Not specified. No statutory SBOM rule; FSTEC certification process examines components but not in machine-readable SBOM form.

    What does Roszdravnadzor require for pre-market cybersecurity?

    Roszdravnadzor registration dossier with QMS (GOST ISO 13485) and technical documentation. Software safety per GOST IEC 62304. Cybersecurity assessed where the device falls under KII; FSTEC certification may be required for connected hospital systems.

    What are the post-market cybersecurity obligations under Roszdravnadzor?

    Vigilance reporting to Roszdravnadzor; serious incidents within tight timelines. KII operators report incidents to GosSOPKA (NCCCI).

    What is the penalty for non-compliance with Roszdravnadzor cybersecurity rules?

    Registration suspension, market withdrawal, administrative fines and, for KII violations, criminal liability under 187-FZ.

    How much of my FDA cybersecurity package is reusable in Russia?

    Roughly 35% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).