Cybersecurity Requirements

This page outlines mandatory cybersecurity controls for medical device software under NMPA standards, including risk assessment, authentication, encryption, vulnerability management, and incident reporting.


Regulatory basis

NMPA's digital health and SaMD framework is based on:

  • Medical Device Supervision and Administration Regulations (MDSAR, 2021), the general device framework, applied to software
  • NMPA standalone software classification guidance (独立软件分类界定指导原则)
  • NMPA AI medical device registration review guidance (人工智能医疗器械注册审查指导原则, 2022)
  • IEC 62304 as adopted in China's YY/T 0664 standard

Disclaimer

Content on this site is written with AI assistance and is intended as a navigation aid only. Always verify against official NMPA sources before making regulatory decisions. Not affiliated with NMPA or any Chinese Government body. Not legal or regulatory advice.

Requirements for SaMD

  • Risk analysis must cover cybersecurity threats alongside conventional safety risks: unauthorized access, data tampering, and loss of system availability.
  • Implement user authentication, data encryption in transit and at rest, and access controls consistent with GB/T 22239 (Baseline for classified protection of cybersecurity, MLPS 2.0).
  • Software must support secure firmware updates, with the integrity of each update package verified by the device before it is installed.
  • Conduct penetration testing and vulnerability assessment before release.
  • Post-market cybersecurity monitoring is required, with a 24-month update cycle for patches; every patch must be validated before release.
  • Report security incidents to NMPA immediately when they affect device safety or effectiveness.
  • Maintain a cybersecurity incident response plan.
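The secure-update requirement above, as an added example that is not from this page or from NMPA: a device-side verifier for a signed update package. The package layout (a version counter, the image, and a detached Ed25519 signature over version || SHA-256(image)), the function names, and the sample image are assumptions for illustration; NMPA does not prescribe this format. The point it shows beyond the bullet is that "integrity verification" has to bind the version into the signed data, otherwise a valid old image can be replayed or relabelled as a newer release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update container (assumption, not an NMPA
// format): a monotonically increasing version, the firmware image, and a
// detached Ed25519 signature over version || SHA-256(image).
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// signedDigest builds the exact bytes that get signed: the version in
// big-endian followed by the SHA-256 of the image. Binding the version into
// the signed data stops an attacker from pairing a genuine old image with a
// forged higher version number.
func signedDigest(version uint32, image []byte) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], version)
	sum := sha256.Sum256(image)
	copy(buf[4:], sum[:])
	return buf
}

// BuildPackage is what the manufacturer's release pipeline runs; the private
// key never leaves that pipeline and is never present on the device.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedDigest(version, image)),
	}
}

// VerifyUpdate is the device-side check: verify the signature with the
// manufacturer's embedded public key first, then enforce anti-rollback.
// It returns the version to install, or the currently installed version
// together with the reason for rejection.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) (uint32, error) {
	if !ed25519.Verify(pub, signedDigest(pkg.Version, pkg.Image), pkg.Signature) {
		return installed, ErrBadSignature
	}
	if pkg.Version <= installed {
		return installed, ErrRollback
	}
	return pkg.Version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, v2") // constructed sample, not real firmware
	pkg := BuildPackage(priv, 2, image)

	// Device currently runs version 1: the signed v2 package is accepted.
	fmt.Println(VerifyUpdate(pub, 1, pkg))

	// A single flipped bit in the image breaks the signature.
	tampered := pkg
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01
	fmt.Println(VerifyUpdate(pub, 1, tampered))

	// Replaying the same signed package onto a device already at v2 is a rollback.
	fmt.Println(VerifyUpdate(pub, 2, pkg))
}
```

The verifier checks the signature before the version so that an unsigned package can never influence any state, and the installed version is only advanced after both checks pass; a device would additionally persist that version in tamper-resistant storage so the anti-rollback counter itself cannot be reset.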