The Crosswalk

    MHRA

    Flag of United KingdomUnited Kingdom - MHRA

    GuidanceLast updated · 2026 (Draft Medical Devices (Amendment) Regulations 2026 published; MHRA stakeholder impact survey underway alongside the Feb 2026 CE-recognition consultation)Verified · 2026-07-16

    UK MDR 2002 (as amended) + MHRA Cyber Guidance

    Authority

    Medicines and Healthcare products Regulatory Agency

    Enforced

    Reform program 2024–26

    Legal framework

    UK MDR 2002 + DTAC + NHS DSPT

    FDA package reuse

    ~80%

    Scope

    Devices marketed in Great Britain (Northern Ireland follows EU MDR via the Windsor Framework). Software as a Medical Device addressed by separate MHRA Change Programme.

    Pre-market

    Risk-based, leverages BS EN 81001-5-1 and FDA-aligned evidence. UKCA marking with grace period for CE-marked devices.

    Post-market

    MORE vigilance reporting + DTAC for NHS deployment + DSPT for connected services.

    SBOM

    Recommended

    Not mandated; encouraged via NCSC guidance and aligns with FDA expectations for dual-market devices.

    Vulnerability disclosure

    Encouraged via the NCSC Vulnerability Disclosure Toolkit.

    Penalty

    Market removal, criminal liability under Consumer Protection Act.

    Unique requirements

    • 01DTAC clinical safety, data protection, technical assurance for NHS
    • 02DSPT compliance for hosted services
    • 03International recognition route for FDA/Health Canada/TGA approvals (Draft 2026 Regulations codify the pathway; MHRA impact survey open)

    Highlights

    • Pragmatic FDA/EU dual-recognition
    • DTAC required for NHS deployment
    • Future divergence from EU MDR

    Aligns with

    IMDRF N60 BS EN 81001-5-1 NCSC CAF

    Timeline

    1. Jan 2021

      Brexit transition ends, UKCA introduced

    2. Sep 2021

      MHRA SaMD Change Programme launched

    3. 2024

      International Recognition route consultation

    4. Feb 16 2026

      MHRA consultation on indefinite recognition of CE-marked devices launched (closed; analysis underway)

    5. 2026

      Draft Medical Devices (Amendment) Regulations 2026 published for consultation; MHRA impact survey open

    Key documents

    MHRA head-to-head

    Related markets

    Frequently asked about United Kingdom

    Is SBOM required for medical devices in United Kingdom?

    Recommended. Not mandated; encouraged via NCSC guidance and aligns with FDA expectations for dual-market devices.

    What does MHRA require for pre-market cybersecurity?

    Risk-based, leverages BS EN 81001-5-1 and FDA-aligned evidence. UKCA marking with grace period for CE-marked devices.

    What are the post-market cybersecurity obligations under MHRA?

    MORE vigilance reporting + DTAC for NHS deployment + DSPT for connected services.

    What is the penalty for non-compliance with MHRA cybersecurity rules?

    Market removal, criminal liability under Consumer Protection Act.

    How much of my FDA cybersecurity package is reusable in United Kingdom?

    Roughly 80% - an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).