MHRA
United Kingdom — MHRA
UK MDR 2002 (as amended) + MHRA Cyber Guidance
Authority: Medicines and Healthcare products Regulatory Agency
Enforced: Reform programme 2024–26
Legal framework: UK MDR 2002 + DTAC + NHS DSPT
Scope: Devices marketed in Great Britain (Northern Ireland follows EU MDR via the Windsor Framework). Software as a Medical Device is addressed by the separate MHRA Change Programme.
Pre-market: Risk-based, leverages BS EN 81001-5-1 and FDA-aligned evidence. UKCA marking with a grace period for CE-marked devices.
Post-market: MORE vigilance reporting + DTAC for NHS deployment + DSPT for connected services.
SBOM: Recommended. Not mandated; encouraged via NCSC guidance and aligns with FDA expectations for dual-market devices.
Vulnerability disclosure: Encouraged via the NCSC Vulnerability Disclosure Toolkit.
Penalty: Market removal, criminal liability under the Consumer Protection Act.
Unique requirements
1. DTAC clinical safety, data protection and technical assurance for NHS deployment
2. DSPT compliance for hosted services
3. International recognition route for FDA/Health Canada/TGA approvals (proposed 2025)
Highlights
- Pragmatic FDA/EU dual-recognition
- DTAC required for NHS deployment
- Future divergence from EU MDR
Timeline
- Jan 2021: Brexit transition ends, UKCA introduced
- Sep 2021: MHRA SaMD Change Programme launched
- 2024: International Recognition route consultation
- 2025–26: New Statutory Instrument expected
Key documents
MHRA Software & AI as a Medical Device Change Programme
https://www.gov.uk/government/publications/software-and-ai-as-a-medical-device-change-programme
NHS Digital Technology Assessment Criteria (DTAC)
https://transform.england.nhs.uk/key-tools-and-info/digital-technology-assessment-criteria-dtac/
NCSC Vulnerability Disclosure Toolkit
https://www.ncsc.gov.uk/information/vulnerability-disclosure-toolkit
Frequently asked about the United Kingdom
Is an SBOM required for medical devices in the United Kingdom?
Recommended. Not mandated; encouraged via NCSC guidance and aligns with FDA expectations for dual-market devices.
What does MHRA require for pre-market cybersecurity?
Risk-based, leverages BS EN 81001-5-1 and FDA-aligned evidence. UKCA marking with a grace period for CE-marked devices.
What are the post-market cybersecurity obligations under MHRA?
MORE vigilance reporting + DTAC for NHS deployment + DSPT for connected services.
What is the penalty for non-compliance with MHRA cybersecurity rules?
Market removal, criminal liability under the Consumer Protection Act.
How much of my FDA cybersecurity package is reusable in the United Kingdom?
Roughly 80% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).