TFDA
Taiwan — TFDA
Cybersecurity Guidance for Medical Devices (2021, rev. 2023)
Authority
Taiwan Food and Drug Administration
Enforced
Jul 2021
Legal framework
Medical Devices Act + TFDA Cybersecurity Guidance + IMDRF N60 alignment
Scope
Network-connected medical devices and SaMD. Risk-based depth of cybersecurity evidence at registration.
Pre-market
Threat modelling, secure design, verification & validation; SBOM expected for higher-risk devices.
Post-market
Vulnerability monitoring, software change reporting, periodic security updates.
SBOM
Required. Expected at submission for Class II/III network-connected devices; SPDX or CycloneDX accepted.
Vulnerability disclosure
TWCERT/CC coordinated disclosure encouraged.
Penalty
Licence revocation, recall, fines under Medical Devices Act.
Unique requirements
- Taiwan Licence Holder required
- Traditional Chinese labelling and IFU
- QSD (Quality System Documentation) inspection
Highlights
- Closely tracks IMDRF N60
- SBOM expected for Class II/III
- Reference jurisdiction route accepted for FDA approvals
Timeline
- Jul 2021: First cybersecurity guidance
- 2023: Revision aligned to IMDRF N60
Frequently asked about Taiwan
Is SBOM required for medical devices in Taiwan?
Required. Expected at submission for Class II/III network-connected devices; SPDX or CycloneDX accepted.
What does TFDA require for pre-market cybersecurity?
Threat modelling, secure design, verification & validation; SBOM expected for higher-risk devices.
What are the post-market cybersecurity obligations under TFDA?
Vulnerability monitoring, software change reporting, periodic security updates.
What is the penalty for non-compliance with TFDA cybersecurity rules?
Licence revocation, recall, fines under Medical Devices Act.
How much of my FDA cybersecurity package is reusable in Taiwan?
Roughly 80% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).