MFDS Releases 2026 Cybersecurity Submission Guidance

What Changed
MFDS Notice 2026-12 (의료기기 사이버보안 제출 가이드라인 개정안) revises cybersecurity submission requirements with three major additions:
1. Mandatory SBOM Submission
Previously: SBOM recommended but not required.
Effective July 2026: SBOM mandatory in SPDX 2.3 or CycloneDX 1.5 format for all Class II+ devices with any of the following:
- Network connectivity (wired or wireless)
- Cloud integration
- Firmware-based operation
- Software as a Medical Device (SaMD)
SBOM must include:
- All software components (commercial, open source, proprietary)
- Component versions
- Known vulnerabilities (CVE references) at time of submission
- Update mechanism for each component
2. Expanded Threat Model Documentation
New requirement: STRIDE-based threat modeling with Korean-context analysis.
Previously: Generic threat modeling acceptable.
New expectations:
- Korean healthcare delivery environment considered (hospital IT infrastructure typical configuration)
- Korean privacy regulations (Personal Information Protection Act) integrated
- Korean cybersecurity incident reporting requirements addressed
- Korean medical device cybersecurity certification standards referenced
3. Post-Market Vulnerability Monitoring Plan
New mandatory plan covering:
- Vulnerability monitoring sources (CVE feeds, vendor notifications, security researchers)
- Risk assessment process for newly discovered vulnerabilities
- Patch development and validation timeline (typically 60–180 days)
- Coordinated disclosure procedure
- MFDS notification timeline for critical vulnerabilities (within 30 days of confirmation)
Who Is Affected
| Device Category | Cybersecurity Submission Required |
|---|---|
| Class II connected devices | Yes — full submission package |
| Class II non-connected, firmware-based | Yes — abbreviated package |
| Class II purely mechanical | No |
| Class III/IV — any with software | Yes — full submission package |
| Class I — any classification | No |
Comparison: MFDS vs FDA vs EU MDR Cybersecurity
| Requirement | MFDS (July 2026) | FDA (Final Guidance 2023) | EU MDR (MDCG 2019-16) |
|---|---|---|---|
| SBOM mandatory | Yes (SPDX/CycloneDX) | Yes (any format) | Recommended |
| Threat modeling | STRIDE + Korean context | STRIDE recommended | Risk-based, format flexible |
| Penetration testing | Recommended | Recommended | Recommended |
| Post-market monitoring | Required plan | Required (Section 524B) | Required |
| Coordinated disclosure | Required process | Required | Required |
| Korean-specific elements | Yes | N/A | N/A |
What to Do — 3 Actions
Action 1: Audit Existing Cybersecurity Documentation (by April 2026)
- Inventory current cybersecurity submissions for Korean-marketed devices
- Identify SBOM completeness
- Verify threat model coverage
- Assess post-market monitoring readiness
Action 2: Build SBOM Pipeline (by May 2026)
- Implement SBOM generation in development pipeline
- Choose SPDX or CycloneDX format (or both)
- Establish CVE monitoring for components
- Validate SBOM accuracy with security audit
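The SBOM content points listed under "SBOM must include" and the validation step in Action 2 can be checked mechanically before a package is assembled. The script below is an added example, not Leanabl's tooling and not an MFDS-published validator: it walks a CycloneDX 1.5 JSON document and reports components without a version, components without a stated update mechanism, and recorded vulnerabilities that carry no CVE reference. The constructed sample SBOM, the placeholder CVE ids, and the `mfds:update-mechanism` property name (an assumed convention, since the notice as summarized here prescribes no field for the per-component update mechanism) are all assumptions; SPDX 2.3 documents are not handled.

```python
"""Pre-submission check of a CycloneDX 1.5 SBOM against the content points
summarized for MFDS Notice 2026-12: every component listed with a version,
known vulnerabilities recorded as CVE references, and an update mechanism
stated for each component. Added example, not Leanabl's tooling and not an
official MFDS validator. SPDX 2.3 documents are not handled.

The property name ``mfds:update-mechanism`` is an ASSUMED convention for
carrying the per-component update mechanism in CycloneDX ``properties``.
"""
import json
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
UPDATE_PROP = "mfds:update-mechanism"  # assumed property name (see docstring)


def make_sbom(components, vulnerabilities):
    """Wrap component and vulnerability lists in a minimal CycloneDX 1.5 envelope."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "device", "name": "example-monitor", "version": "3.2.0"}},
        "components": components,
        "vulnerabilities": vulnerabilities,
    }


# Constructed sample: one complete component, one with no version and no update
# mechanism, one firmware blob with no update mechanism, and one advisory
# recorded only under a non-CVE id. The CVE ids are placeholders, not real ones.
SAMPLE_SBOM = make_sbom(
    components=[
        {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.12", "name": "openssl",
         "version": "3.0.12",
         "properties": [{"name": UPDATE_PROP, "value": "signed firmware bundle via OTA"}]},
        {"type": "library", "bom-ref": "lib-json", "name": "jsonparser"},
        {"type": "firmware", "bom-ref": "ble-stack", "name": "ble-stack", "version": "1.4",
         "properties": []},
    ],
    vulnerabilities=[
        {"id": "CVE-0000-00001", "affects": [{"ref": "pkg:generic/openssl@3.0.12"}]},
        {"id": "GHSA-xxxx-xxxx-xxxx", "affects": [{"ref": "lib-json"}]},
    ],
)


def _walk(components):
    """Yield every component, including those nested inside assemblies."""
    for comp in components or []:
        yield comp
        yield from _walk(comp.get("components"))


def check_sbom(sbom):
    """Return findings grouped by area; an empty group means that area passed."""
    findings = {"format": [], "components": [], "vulnerabilities": []}

    if sbom.get("bomFormat") != "CycloneDX" or sbom.get("specVersion") != "1.5":
        findings["format"].append("expected bomFormat CycloneDX with specVersion 1.5")

    refs = set()
    for comp in _walk(sbom.get("components")):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        if not comp.get("name"):
            findings["components"].append(f"{label}: no name")
        if not comp.get("version"):
            findings["components"].append(f"{label}: no version")
        props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
        if not props.get(UPDATE_PROP):
            findings["components"].append(f"{label}: no update mechanism ({UPDATE_PROP})")

    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln.get("id") or "<no id>"
        # A CVE id may be the primary id or one of the cross-references.
        ids = [vid] + [r.get("id", "") for r in vuln.get("references", [])]
        if not any(CVE_RE.match(i) for i in ids):
            findings["vulnerabilities"].append(f"{vid}: no CVE reference")
        for affected in vuln.get("affects", []):
            if affected.get("ref") not in refs:
                findings["vulnerabilities"].append(
                    f"{vid}: affects unknown bom-ref {affected.get('ref')!r}")
    return findings


def is_submission_ready(sbom):
    """True when no finding remains in any area."""
    return not any(check_sbom(sbom).values())


def check_sbom_text(text):
    """Convenience wrapper for a JSON document read from a file or pipeline artifact."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for area, items in check_sbom(SAMPLE_SBOM).items():
        print(f"{area}: {'ok' if not items else ''}")
        for item in items:
            print(f"  - {item}")
    print("submission ready:", is_submission_ready(SAMPLE_SBOM))
```

Run as a pipeline gate, the check fails the build until every component carries a version and an update mechanism and every advisory maps to a CVE id, which is the state the submission package needs to reflect at the time of filing.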
Action 3: Develop Korean Context Threat Model (by June 2026)
- Add Korean healthcare environment considerations
- Integrate Korean privacy regulations
- Document Korean incident reporting workflow
- Train RA team on revised submission format
Impact on Existing Approvals
| Device Status | Action Required |
|---|---|
| MFDS-approved before July 2026, no changes | No immediate action; next submission must comply |
| MFDS-approved with planned post-July 2026 update | Update must include compliant cybersecurity package |
| MFDS-pending review July 2026+ | Submission must comply with new requirements |
| In preparation for submission | Build to new requirements now |
Cost Implications
Compared to 2024 cybersecurity submission costs:
| Cost Component | Pre-2026 | Post-July 2026 |
|---|---|---|
| Threat modeling | $5K–$15K | $8K–$20K |
| SBOM generation and validation | $3K–$10K | $5K–$15K |
| Post-market plan development | $2K–$5K | $5K–$12K |
| Documentation translation | $3K–$8K | $5K–$12K |
| Total cybersecurity submission cost | $13K–$38K | $23K–$59K |
Approximately 50–80% cost increase for cybersecurity-relevant Class II+ devices.
Connection to Other Korean Regulations
The 2026 guidance aligns with:
- Personal Information Protection Act (PIPA): Patient data protection requirements
- Medical Device Software Cybersecurity Korean Standard (KS X 5089): National standard reference
- Korean Healthcare ISMS: Hospital cybersecurity management system framework
- MFDS AI Medical Device Guidelines: Cybersecurity for AI/ML medical devices
Frequently Asked Questions
Q: Is the SBOM format mandatory SPDX or CycloneDX, or can we use both?
A: MFDS accepts either SPDX 2.3 or CycloneDX 1.5. Submitting both formats is also accepted. Proprietary internal formats are not accepted.
Q: What's the penalty for non-compliance after July 2026?
A: MFDS will issue deficiency notices for submissions lacking a cybersecurity package. Existing approved devices with non-compliant updates may face conditional approval pending remediation.
Q: Does the guidance apply to legacy devices?
A: Only when submitting changes or renewals. Legacy approvals remain valid until next regulatory action.
Q: How does Leanabl help with the new requirements?
A: Leanabl's Medical Device Cybersecurity service includes 2026-compliant submission preparation, including SBOM generation strategy, Korean-context threat modeling, and post-market plan development.
Q: Where is the official notice published?
A: MFDS Notice 2026-12, available at mfds.go.kr. Unofficial English translations are typically available 4–6 weeks after Korean publication.
How Leanabl Helps
- Medical Device Cybersecurity — 2026-compliant submissions
- Korea SaMD Approval — for cybersecurity-intensive AI/ML devices
- Korea Medical Device Registration — full registration with cybersecurity
Contact Leanabl for 2026 cybersecurity transition planning.
Last updated: 2026-02-03.

