The Crosswalk

    HSA

    Flag of SingaporeSingapore - HSA

    GuidanceLast updated · Dec 2025 (HSA GL-04 Revision 4: Regulatory Guidelines for Software Medical Devices including ML-Enabled Medical Devices)Verified · 2026-07-16

    Regulatory Guidelines for Software Medical Devices incl. ML-Enabled Devices (GL-04 Rev.4, Dec 2025) + Cybersecurity

    Authority

    Health Sciences Authority, Medical Devices Cluster

    Enforced

    Apr 2022 (rev.)

    Legal framework

    Health Products Act + HSA Cybersecurity Guidance + CSA Cybersecurity Act

    FDA package reuse

    ~90%

    Scope

    Standalone software medical devices and devices with software components. Reference jurisdiction route accelerates approval.

    Pre-market

    Cybersecurity by design, risk assessment, labelling, MDS supporting docs at registration; abridged route if cleared by FDA/EU/TGA/HC/PMDA.

    Post-market

    Field Safety Corrective Action (FSCA) reporting, vigilance, periodic security updates.

    SBOM

    Recommended

    Aligned to IMDRF N60; expected for higher-risk devices.

    Vulnerability disclosure

    Encouraged via CSA SingCERT.

    Penalty

    Suspension or cancellation of registration; CSA penalties for critical info infrastructure.

    Unique requirements

    • 01Singapore Registrant required
    • 02Reference jurisdiction route (FDA/EU/TGA/HC/PMDA approvals accepted)
    • 03Critical Info Infrastructure (CII) designation may apply

    Highlights

    • Aligned to IMDRF N60 & FDA
    • Reference jurisdiction abridged route
    • Strong overlap with CSA Cybersecurity Act

    Aligns with

    IMDRF N60 FDA 2023 Guidance IEC 81001-5-1

    Timeline

    1. Dec 2019

      First SaMD guidelines

    2. Apr 2022

      Cybersecurity guidance revision

    3. Dec 2025

      HSA GL-04 Revision 4 published: updated SaMD/ML-enabled device lifecycle guidance with expanded cybersecurity definitions and AI-specific requirements

    Key documents

    Related markets

    Frequently asked about Singapore

    Is SBOM required for medical devices in Singapore?

    Recommended. Aligned to IMDRF N60; expected for higher-risk devices.

    What does HSA require for pre-market cybersecurity?

    Cybersecurity by design, risk assessment, labelling, MDS supporting docs at registration; abridged route if cleared by FDA/EU/TGA/HC/PMDA.

    What are the post-market cybersecurity obligations under HSA?

    Field Safety Corrective Action (FSCA) reporting, vigilance, periodic security updates.

    What is the penalty for non-compliance with HSA cybersecurity rules?

    Suspension or cancellation of registration; CSA penalties for critical info infrastructure.

    How much of my FDA cybersecurity package is reusable in Singapore?

    Roughly 90% - an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).