New cybersecurity guidelines for medical devices


The China Food and Drug Administration (CFDA) has issued guidelines aimed at implementing China’s new Cybersecurity Law (CSL) in the administration of medical devices. The development is a clear signal that Chinese regulators intend to enhance cybersecurity protection in the healthcare sector.

From 1 January 2018, medical device companies will be required to register their networked medical devices with the CFDA and be assessed for their cybersecurity protection status under the Principles on Guiding Technology Examination of Medical Device Cybersecurity Registration (CFDA guidelines).


Cybersecurity threats represent a risk to the safe and effective operation of networked medical devices. A data breach may lead to infringement of patients’ personal privacy while a network attack can cause the malfunction of a device resulting in the injury or death of patients. Medical device companies are therefore expected to pay attention to these issues throughout the product life cycle to ensure proper cybersecurity protection for their networked products.

When applying to register networked medical devices with the CFDA, the CFDA guidelines require applicant companies to conduct a self-assessment of the relevant cybersecurity protection standards or measures. Applicants need to be aware that while the CFDA guidelines do not express the cybersecurity protection standards as mandatory obligations, failure to meet the requirements may delay product registrations. In practical terms, this can have an impact on the success and timing of the roll-out of new products.


By way of background, the CSL was introduced on 7 November 2016 and took effect on 1 June 2017. The CSL imposes obligations on network operators to formulate internal security management systems for cybersecurity protection and take measures to protect important data, among other things. Failure to comply with the CSL may result in various penalties, including the imposition of fines on directly responsible personnel.

The CFDA guidelines, which were issued on 20 January 2017, aim to implement the CSL in the administration of medical devices in China. The key features of the CFDA guidelines include:

Non-mandatory principles. The guidelines do not specify mandatory requirements for registration. When registering medical device products, the applicant may conduct a self-assessment on whether particular measures proposed under the CFDA guidelines should apply. If not, the applicant may explain the reasons or propose alternative solutions to ensure its compliance with the CSL and other relevant regulations.

Application scope. The CFDA guidelines apply to the registration of Grade II and Grade III medical devices that have electronic data exchange or remote control functions through network connection (qualified devices).

Impact on product lifecycle. Companies that intend to register qualified devices in China are expected to consider cybersecurity protection issues during the entire lifecycle of the medical devices, including product design, development, production, distribution and maintenance. Specifically, cybersecurity protection of the qualified devices should satisfy the following requirements: (a) confidentiality − the data can only be accessed by authorized users within an authorized timeframe through authorized means; (b) integrity − the data must be accurate, comprehensive and cannot be altered without authorization; and (c) availability − the data must be accessible and usable as expected.

Product registration documents. In order to register qualified devices with the CFDA, the applicant is required to submit a standalone cybersecurity description file and a cybersecurity instruction manual. When there is a major cybersecurity update affecting the safety or effectiveness of the qualified devices after the initial registration, the applicant is required to file a revised application with the CFDA.

Review factors. When reviewing the product cybersecurity registration process, the CFDA will consider:

1. Data − the data on the qualified devices can be categorized as personal data and equipment data. Different protection measures should be adopted depending on the type of data and the transmission method. Personal data usually warrant enhanced protection, and the relevant personal privacy protection rules should be followed.

2. Technology − different cybersecurity protection technologies can be utilized. The applicant may follow various international and national standards to build up its cybersecurity protection capability.

3. Off-the-shelf software − the applicant is expected to pay close attention to the cybersecurity risks associated with off-the-shelf software and adopt relevant maintenance procedures, as well as notify users of relevant information in a timely manner.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at: