SFDA
Saudi Arabia - SFDA
MDS-G42 Guidance on Cybersecurity of Medical Devices
Authority
Saudi Food and Drug Authority
Enforced
2022
Legal framework
Medical Devices Law + MDS-G42 + NCA Essential Cybersecurity Controls
Scope
All medical devices with cybersecurity-relevant features. Reference jurisdiction model accelerates clearance.
Pre-market
Threat modelling, security risk management aligned to AAMI TIR57 / IEC 81001-5-1.
Post-market
Incident reporting to SFDA, coordinated disclosure expected.
SBOM
Recommended. Encouraged, mirrors FDA approach.
Vulnerability disclosure
Recommended via Saudi NCA channels.
Penalty
Marketing authorisation withdrawal, sanctions under NCA framework.
Unique requirements
- 01 Authorized Representative in KSA
- 02 MDMA (Medical Device Marketing Authorization)
- 03 NCA ECC overlap for healthcare entities
Highlights
- Closely tracks IMDRF N60 & FDA
- Overlaps with NCA Essential Cybersecurity Controls
- Reference jurisdiction model
Timeline
- 2022: MDS-G42 published
Frequently asked about Saudi Arabia
Is SBOM required for medical devices in Saudi Arabia?
Recommended. Encouraged, mirrors FDA approach.
What does SFDA require for pre-market cybersecurity?
Threat modelling, security risk management aligned to AAMI TIR57 / IEC 81001-5-1.
What are the post-market cybersecurity obligations under SFDA?
Incident reporting to SFDA, coordinated disclosure expected.
What is the penalty for non-compliance with SFDA cybersecurity rules?
Marketing authorisation withdrawal, sanctions under NCA framework.
How much of my FDA cybersecurity package is reusable in Saudi Arabia?
Roughly 85%, an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).