Korea Cybersecurity Submission Requirements: 2026 MFDS Update

Summary
MFDS issued the 2026 cybersecurity guidance (Notification 2026-XX) on March 12, 2026, with mandatory effect from July 1, 2026. The guidance brings Korean cybersecurity submission requirements substantially in line with the US FDA's 2023 final guidance — meaning a well-built FDA cybersecurity package now transfers to Korea with translation and minor reformatting rather than a rebuild.
What Changed
The 2026 guidance replaces fragmented requirements that had previously lived across three separate MFDS notifications. The consolidated requirements apply to any medical device classified as Class II or higher that has network connectivity, a wireless interface, or any other external data exchange path (USB and other removable media included). The trigger is the interface, not the intended use: a Class II device that only exports logs over USB is in scope.
Five Required Documents
The premarket submission for in-scope devices must now include:
- Cybersecurity Risk Assessment — Threat modeling using STRIDE or an equivalent methodology, with each identified threat traced to the control that mitigates it and to the residual risk recorded in the risk file.
- Software Bill of Materials (SBOM) — In SPDX or CycloneDX format, listing all third-party components including open-source libraries.
- Vulnerability Management Plan — Process for monitoring known vulnerabilities (CVE feed integration), patch deployment timeline commitments, and end-of-support policy.
- Security Architecture Description — Network diagram, data flow, authentication mechanisms, and cryptographic controls.
- Pre-Market Testing Evidence — Penetration test report or equivalent security testing summary.
What Is New vs the Prior Notification
- SBOM in machine-readable format: previously a text list, now SPDX or CycloneDX is mandatory.
- End-of-support policy disclosure: manufacturers must commit to a minimum security support window post-launch and disclose it in labeling.
- Threat modeling as a deliverable: previously implicit in the risk file, now a standalone document.
- Post-market vulnerability reporting: critical vulnerabilities must be reported to MFDS within 60 days. This is a post-market obligation on the manufacturer; it has no counterpart in FDA's Refuse-to-Accept policy, which is a premarket acceptance check on the completeness of a 510(k) and says nothing about post-market reporting. The summary does not state when the 60-day clock starts (discovery, confirmation, or disclosure), so confirm that against the Korean text before committing to a timeline in the vulnerability management plan.
What Stayed the Same
- The classification of cybersecurity-impacted devices is unchanged — connectivity does not automatically up-class a device.
- Existing K-MFDS approvals issued before July 1, 2026 do not require resubmission, but labeling updates with the end-of-support window are required at the next material label change.
- Cybersecurity penetration testing does not require a Korea-located testing lab — international labs are accepted with documented qualifications.
Three Actions Before July 1
For manufacturers with active or planned Korean submissions:
Action 1 — Audit your SBOM format. If you currently maintain SBOMs only as text or a spreadsheet, convert to SPDX or CycloneDX now. The tooling is mature (Syft, CycloneDX-CLI, Black Duck), but note what it does and does not do: Syft and similar scanners generate an SBOM from a build artifact (firmware image, container, source tree), which is the right source of truth, whereas a hand-maintained spreadsheet has to be mapped row by row into components with at least a name, an exact version and, ideally, a package URL (purl) so that vulnerability matching can work later. Expect the spreadsheet to be missing versions for some components; those gaps are findings, not formatting problems, and should be closed against the actual build before submission.
Action 2 — Lock your end-of-support policy. This becomes a labeling commitment. Five years post-launch is common practice in FDA submissions; MFDS has indicated three years is the floor it will accept. Set this number before submission, not after, and keep it identical across labeling, the vulnerability management plan and any parallel FDA package so the two filings do not contradict each other.
Action 3 — Pull threat modeling out of the risk file. If your STRIDE or similar analysis is currently embedded in ISO 14971 risk documentation, extract it as a standalone deliverable. The Korean reviewer expects to read it as one document.
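The SBOM conversion in Action 1 and the CVE-feed matching the vulnerability management plan calls for come down to one data model, so the following worked example covers both. It is example code added to this page, not MFDS, FDA or Leanabl tooling: it maps a constructed spreadsheet export into a CycloneDX 1.5 JSON document, checks the fields a reviewer will look for (name, exact version, purl, unique bom-ref), and then matches the components against a constructed advisory list keyed by purl and version range. The component rows, the device name and the ADV-EXAMPLE advisory IDs are all made up for illustration; the CycloneDX field names and the purl syntax are real. The version comparison is a plain dotted-numeric compare, which is adequate for the sample data but not a full semver implementation.

```python
"""Spreadsheet SBOM -> CycloneDX 1.5 JSON, plus a purl-based advisory match.
Example code added to this page; not a regulator's or vendor's tool.
All component rows, advisory records and IDs below are constructed."""
import csv
import io
import json
import uuid
from datetime import datetime, timezone

# Constructed spreadsheet export: the kind of list a text/spreadsheet SBOM holds.
SPREADSHEET_CSV = """name,version,ecosystem,license,supplier
openssl,3.0.12,generic,Apache-2.0,OpenSSL Project
lwip,2.1.3,generic,BSD-3-Clause,lwIP project
requests,2.28.1,pypi,Apache-2.0,PSF
zlib,1.2.11,generic,Zlib,zlib.net
"""

# Constructed advisory feed in the shape an OSV/CVE-style export exposes:
# purl without version, affected range [introduced, fixed). IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:generic/zlib", "introduced": "0", "fixed": "1.2.12", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:pypi/requests", "introduced": "0", "fixed": "2.31.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:generic/openssl", "introduced": "3.0.0", "fixed": "3.0.8", "severity": "high"},
]


def _vkey(version):
    """Comparable key for dotted versions; non-numeric parts sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def parse_csv(text):
    """Read the spreadsheet export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def row_to_component(row):
    """Map one spreadsheet row onto a CycloneDX component object."""
    name = (row.get("name") or "").strip()
    version = (row.get("version") or "").strip()
    ecosystem = (row.get("ecosystem") or "generic").strip()
    comp = {
        "type": "library",
        "bom-ref": f"{ecosystem}:{name}@{version}",
        "name": name,
        "version": version,
        # purl is what downstream vulnerability matching keys on; build it only
        # when we actually have a version, so a gap stays visible to validate().
        "purl": f"pkg:{ecosystem}/{name}@{version}" if name and version else "",
    }
    if row.get("supplier"):
        comp["supplier"] = {"name": row["supplier"].strip()}
    if row.get("license"):
        comp["licenses"] = [{"license": {"id": row["license"].strip()}}]
    return comp


def build_cyclonedx(rows, device_name, device_version):
    """Assemble a CycloneDX 1.5 BOM whose metadata.component is the device."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "device", "name": device_name, "version": device_version},
        },
        "components": [row_to_component(r) for r in rows],
    }


def validate(bom):
    """Return a list of problems a reviewer would flag; empty list means clean."""
    problems = []
    seen = set()
    if not bom.get("metadata", {}).get("component"):
        problems.append("metadata.component (the device itself) is missing")
    for c in bom.get("components", []):
        ref = c.get("bom-ref", "")
        if not c.get("name"):
            problems.append(f"{ref}: component has no name")
        if not c.get("version"):
            problems.append(f"{ref}: no exact version (text-list SBOMs often omit this)")
        if not c.get("purl"):
            problems.append(f"{ref}: no purl, so CVE-feed matching cannot key on it")
        if ref in seen:
            problems.append(f"{ref}: duplicate bom-ref")
        seen.add(ref)
    return problems


def match_advisories(bom, advisories):
    """Join BOM components to advisories on purl prefix and version range."""
    findings = []
    for c in bom.get("components", []):
        if not c.get("purl"):
            continue
        base, _, ver = c["purl"].partition("@")
        for adv in advisories:
            if adv["purl"] != base:
                continue
            in_range = _vkey(ver) >= _vkey(adv["introduced"])
            if adv.get("fixed"):
                in_range = in_range and _vkey(ver) < _vkey(adv["fixed"])
            if in_range:
                findings.append({"bom-ref": c["bom-ref"], "advisory": adv["id"], "severity": adv["severity"]})
    return findings


if __name__ == "__main__":
    bom = build_cyclonedx(parse_csv(SPREADSHEET_CSV), "ExampleInfusionPump", "1.4.0")
    print(json.dumps(bom, indent=2))
    print("validation:", validate(bom) or "clean")
    print("findings:", match_advisories(bom, ADVISORIES))
```

Run it and the output is a CycloneDX JSON document that a tool such as CycloneDX-CLI can validate against the 1.5 schema, followed by two findings (zlib 1.2.11 and requests 2.28.1 fall inside their constructed affected ranges; openssl 3.0.12 is past its fixed version). The same validate() check run on a row with a blank version reports the gap rather than silently emitting a component without a purl, which is the failure mode that makes a converted spreadsheet look complete to a reviewer while being useless for CVE monitoring.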
FDA Cybersecurity Package Reuse
For manufacturers with a recent FDA 510(k) cybersecurity packet, the reuse rate is approximately:
| Document | Reuse |
|---|---|
| Threat model | ~95% (translation only) |
| SBOM | ~100% (format conversion if needed) |
| Vulnerability management plan | ~85% (add MFDS notification timeline) |
| Security architecture | ~95% (translation only) |
| Penetration test report | ~100% (translation of executive summary) |
| End-of-support policy | New (write once, use both jurisdictions) |
Effectively a 7–10 day reformat per submission, not a 6-week rebuild. The economic case for parallel FDA + MFDS cybersecurity submissions is stronger after July 1, 2026 than before.
What MFDS Has Not Yet Clarified
The 2026 guidance is silent on three areas where industry has requested clarification:
- PCCP-equivalent change control — MFDS has not yet adopted an FDA-style Predetermined Change Control Plan for cybersecurity patches. Each material change still triggers a notification.
- SaMD-specific cybersecurity expectations — The guidance applies uniformly across hardware and software-only devices, but the testing expectations for pure SaMD remain underspecified.
- Coordinated disclosure handling — There is no defined channel for coordinated vulnerability disclosure from external researchers. Manufacturers are advised to set up an internal intake channel, publish a disclosure policy and contact address (a security.txt file per RFC 9116 is the usual low-cost way), and document both in the vulnerability management plan so that the 60-day MFDS reporting clock has a defined starting point.
A supplementary notification clarifying these points is expected late 2026.
Official Source
Notification 2026-XX (Cybersecurity Submission Guidelines for Medical Devices), published by MFDS on March 12, 2026. The official Korean text is on the MFDS website; an English working translation is available through accredited regulatory consultancies.
Where Leanabl Plugs In
Our Cybersecurity service runs the full SBOM, threat modeling, and submission build, with Korean and US regulatory tracks coordinated to maximize document reuse. For Korean-specific submissions, the Korea Device Registration and Korea SaMD Approval solutions integrate cybersecurity work into the broader filing.
Have a regulatory question?
Talk to a Korea regulatory specialist about your device, your timeline, or your next submission.