HSA
Singapore - HSA
Regulatory Guidelines for Software Medical Devices + Cybersecurity (rev. 2022)
Authority
Health Sciences Authority, Medical Devices Cluster
Enforced
Apr 2022 (rev.)
Legal framework
Health Products Act + HSA Cybersecurity Guidance + CSA Cybersecurity Act
Scope
Standalone software medical devices and devices with software components. Reference jurisdiction route accelerates approval.
Pre-market
Cybersecurity by design, risk assessment, labelling, MDS supporting docs at registration; abridged route if cleared by FDA/EU/TGA/HC/PMDA.
Post-market
Field Safety Corrective Action (FSCA) reporting, vigilance, periodic security updates.
SBOM
Recommended. Aligned to IMDRF N60; expected for higher-risk devices.
Vulnerability disclosure
Encouraged via CSA SingCERT.
Penalty
Suspension or cancellation of registration; CSA penalties for critical info infrastructure.
Unique requirements
- 01 Singapore Registrant required
- 02 Reference jurisdiction route (FDA/EU/TGA/HC/PMDA approvals accepted)
- 03 Critical Info Infrastructure (CII) designation may apply
Highlights
- Aligned to IMDRF N60 & FDA
- Reference jurisdiction abridged route
- Strong overlap with CSA Cybersecurity Act
Timeline
- Dec 2019: First SaMD guidelines
- Apr 2022: Cybersecurity guidance revision
Frequently asked about Singapore
Is SBOM required for medical devices in Singapore?
Recommended. Aligned to IMDRF N60; expected for higher-risk devices.
What does HSA require for pre-market cybersecurity?
Cybersecurity by design, risk assessment, labelling, MDS supporting docs at registration; abridged route if cleared by FDA/EU/TGA/HC/PMDA.
What are the post-market cybersecurity obligations under HSA?
Field Safety Corrective Action (FSCA) reporting, vigilance, periodic security updates.
What is the penalty for non-compliance with HSA cybersecurity rules?
Suspension or cancellation of registration; CSA penalties for critical info infrastructure.
How much of my FDA cybersecurity package is reusable in Singapore?
Roughly 90%, an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).