The Crosswalk

    SAHPRA

    South Africa — SAHPRA

    Guidance · Last updated · 2023 · Verified · 2026-05-28

    Medicines and Related Substances Act + SAHPRA medical device guidance

    Authority

    South African Health Products Regulatory Authority

    Enforced

    2017 (licensing); cyber guidance 2022

    Legal framework

    Medicines Act + SAHPRA MD Regulations + POPIA

    FDA package reuse

    ~80%

    Scope

    All medical devices and IVDs requiring establishment licensing. Cybersecurity addressed via general safety and POPIA data-protection overlay.

    Pre-market

    Risk-based registration dossier; CE / FDA approvals accepted as supporting evidence.

    Post-market

    Vigilance reporting to SAHPRA; POPIA breach notifications to the Information Regulator.

    SBOM

    Recommended

    Not mandated; encouraged for SaMD aligned to FDA expectations.

    Vulnerability disclosure

    Encouraged via CSIRT.gov.za.

    Penalty

    Licence suspension; POPIA fines up to R10M; criminal liability.

    Unique requirements

    • 01 South African Establishment Licence
    • 02 Local Authorised Representative
    • 03 POPIA compliance for any patient-data processing

    Highlights

    • Reference jurisdiction route for FDA / CE
    • POPIA data-protection overlay
    • Phased medical device licensing rollout

    Aligns with

    IMDRF N60 · ISO 13485 · FDA 2023 Guidance

    Timeline

    1. 2017

      Medical device licensing introduced

    2. Jul 2021

      POPIA full enforcement

    3. 2022

      SAHPRA cybersecurity guidance circulated

    Frequently asked about South Africa

    Is SBOM required for medical devices in South Africa?

    Recommended. Not mandated; encouraged for SaMD aligned to FDA expectations.

    What does SAHPRA require for pre-market cybersecurity?

    Risk-based registration dossier; CE / FDA approvals accepted as supporting evidence.

    What are the post-market cybersecurity obligations under SAHPRA?

    Vigilance reporting to SAHPRA; POPIA breach notifications to the Information Regulator.

    What is the penalty for non-compliance with SAHPRA cybersecurity rules?

    Licence suspension; POPIA fines up to R10M; criminal liability.

    How much of my FDA cybersecurity package is reusable in South Africa?

    Roughly 80% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).