Cybersecurity Labelling Scheme for Medical Devices, CLS(MD)

Both schemes aim to rate devices accordingly to the levels of cybersecurity provisions and assessment, thereby enhancing transparency and empowering users to make more informed decisions when using or purchasing these devices.

It is important to note that the schemes target different types of devices:

• The CLS(IoT) covers consumer smart devices such as Wi-Fi Routers, Smart Home Hubs, Smart Sensors, Smart Lighting, Smart Appliances, and more.

• The CLS(MD) covers medical devices as per described in the First Schedule of the Health Products Act which have any of the following characteristics:

  • Handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data;

  • Connects to other devices, systems, and services - Has the ability to communicate using wired and/or wireless communication protocols through a network of connections.

The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) is a new initiative, and many applications are still being processed as of Oct 2024. As more applications are approved, more labelled medical devices will become available over time.

Medical devices currently available in Singapore must be registered/ declared with the Health Sciences Authority (HSA) and meet regulatory requirements, including its cybersecurity standards that is aligned to international standards.

However, as medical devices become increasingly connected to hospital and home networks, potentially elevating cyber risks, the CLS(MD) is a proactive measure aimed to improve the cybersecurity of medical devices and ensure their resilience against evolving threats.

The CLS(MD) scheme will require the medical device to be registered with HSA if they are intended for supply in Singapore. Please see below for the different scenarios and the exception to the case in c) below:

a. Manufacturers may submit applications for the CLS(MD) for medical devices already listed on either the HSA Class A Medical Device Database (applicable to Class A devices) or the Singapore Medical Device Database (applicable to Class B, C, and D devices). Cybersecurity clauses VDP.1, CSUP.1, CSUP.4, RDMP.1 (HSA baseline clauses) will be considered fulfilled for these devices and will not be assessed within the CLS(MD) application.

b. Manufacturers may also submit applications for the CLS(MD) for medical devices intended for supply or use in Singapore which are currently undergoing HSA registration or not yet listed in either the HSA Class A Medical Device Database (applicable to Class A devices) or the Singapore Medical Device Database (applicable to Class B, C, and D devices). For such devices, the CLS(MD) label will be issued only upon confirmation of the device's listing in these HSA databases. For such applications, clauses VDP.1, CSUP.1, CSUP.4, RDMP.1 will not be assessed during the CLS(MD) application.

c. In certain circumstances, manufacturers may also submit applications for medical devices not intended for supply or use in Singapore. For these devices, it is to be noted that the manufacturer shall not utilise the CLS(MD) label in any manner that Cybersecurity Certification Centre (CCC) would deem to be misleading, including any suggestion that the device is approved to be for supply or use in Singapore, or any representation that contradicts the device's non-registered status with HSA. For such applications, clauses VDP.1, CSUP.1, CSUP.4, RDMP.1 will be assessed during the CLS(MD) application.

Yes, CLS(MD) labelled medical devices are required to provide evidence and conformity declarations to HSA during HSA registration.

Special Access Routes (SAR) Devices within scope of the CLS(MD) can apply for the CLS(MD).

The CLS(MD) is presently not recognised outside Singapore. However, efforts are underway by CSA, HSA and Synapxe to establish mutual recognition arrangements (MRA). MRAs offer several benefits: enable manufacturers to streamline their processes, save time and reduce costs by avoiding duplicative testing, and enhance access to new markets. Additionally, such mutual recognitions would also provide healthcare institutions and consumers with wider access to more secure medical devices.

Applications are now open. Interested applicants may visit the GoBusiness platform to apply. To stay informed, please visit our official website at https://www.csa.gov.sg/cls-md where information on the application process will be provided.

The application fees for CLS(MD) are as follows (excluding GST):

• Level 1: $85

• Level 2: $142

• Level 3: $4,493

• Level 4: $10,421

Although applications for the sandbox is now closed, the received sandbox applications will continue to be processed. Successful applicants will be informed of the results via email. For further enquiries on your applications, please kindly reach out to cls_md@csa.gov.sg.

CSA will continue to work with manufacturers for the applications received during the Sandbox phase.

The CLS(MD) application process provides the opportunity for applicants to address identified issues and meet the requirements. Alternatively, applicants may be granted a lower CLS(MD) level if the criteria for the lower level are satisfied.

Estimated turnarounds:

• Level 1 - around 2 working days.

• Level 2 - around 5 working days.

• Level 3 - Expected duration of time spent by the lab on penetration testing is around 1 month.

• Level 4 - Expected duration of time spent by the lab on security evaluation is around 3 months.

Estimated durations are subjected to the quality of the submission, and not inclusive of time spent by CSA on the review of the reports, as well as time required for further testing/rectifications.

For documents with a file size of more than 7MB, please kindly approach CSA via cls_md@csa.gov.sg. A secured personalised Highway link will be provided for the collection of these documents. Highway, a tool from Open Government Products, allows secure file collection through personalised links.

NDA documents are business and legal agreements between manufacturers and test laboratories and fall outside the jurisdiction of CSA.

Please kindly send an email to cls_md@csa.gov.sg to express your interest in receiving updates on the CLS(MD).

Manufacturers shall engage from the list of approved CLS(MD) testing laboratories. Testing laboratories interested in becoming an approved CLS(MD) test laboratory can access the requirements for testing laboratories [PDF, 456 KB].

CLS(MD) labels are valid for the period in which the manufacturer will support the device with security updates, up to a maximum of 3 years.

Vulnerabilities shall be reported to both CSA and HSA. Manufacturers are required to inform CSA of the vulnerabilities at cls_md@csa.gov.sg and hsa_medical_device@hsa.gov.sg with the appropriate details. In addition, manufacturers are also required to continue making a Field Safety Corrective Action (FSCA) and Adverse Event (AE) reports to HSA in accordance to the requirements laid out in GN-10 Guidance on Medical Device Field Safety Corrective Action and GN-05 Guidance on the Reporting of Adverse Events respectively.

The digital copy of the CLS(MD) label will be provided in .png and .pdf formats. For specific requirements on the use of the label, please kindly refer to the CLS(MD) publications.

For professional-use-only devices, the affixing of the label is optional.

For devices that can be sold to non-qualified practitioners or users, the label shall be affixed on the packaging of devices as part of increasing awareness of the device cybersecurity capabilities for consumers to make informed purchasing decisions.

Affixing of the CLS(MD) label on non-PUO medical devices can be conducted prior or after importation into Singapore. Manufacturer’s License is not required for the affixing of CLS(MD) labels on the device packaging, provided there is no breach to the primary packaging that maintains the sterility or integrity of the medical device. However, the conduct of this activity should follow the Good Distribution Practice for Medical Devices (GDPMDS) principles.

Products labelled under the CLS(MD) will be listed at the CSA CLS(MD) webpage.