MedTech Terms
    Compare

    Two terms, side by side


    Cybersecurity

    SPDX

    In one line
    An open SBOM and license-data format published as ISO/IEC 5962:2021.
    Definition
    SPDX (Software Package Data Exchange) is an open specification, maintained by the Linux Foundation, for communicating software bill-of-materials information: packages, licenses, copyrights, the relationships between packages, and security-relevant identifiers such as CPEs, purls, and advisory references. SPDX 2.2.1 was standardized as ISO/IEC 5962:2021; SPDX 2.3 (2022) added further security external-reference types, and SPDX 3.0 (2024) restructures the model into profiles, including ones for security, AI/ML, and dataset provenance. It is one of the two machine-readable SBOM formats in common use for FDA premarket submissions (the other is CycloneDX).
    Why it matters
    SPDX is most common in organizations whose build pipelines already use it for license compliance (automotive, aerospace, large enterprise software). For MedTech teams starting fresh, CycloneDX is usually easier to pair with VEX: SPDX 2.x can only point at vulnerability data through external references, and the SPDX 3.0 Security profile is newer and less widely supported by tooling. SPDX is nonetheless fully acceptable for an FDA submission and the better fit when license attribution is also a deliverable.
    Common pitfalls
    • Treating SPDX as a license-compliance artifact only and omitting the metadata a vulnerability scanner needs: a purl or CPE on every package, and relationships that connect each package to the product the document describes.
    • Producing SPDX 1.x or early 2.x output when modern tooling expects SPDX 2.3 or 3.0 (note that 3.0 is a JSON-LD model, not a superset of the 2.x JSON layout, so consumers must support it explicitly).
    • Hand-editing SPDX files instead of generating them from the build; drift from the shipped binary is inevitable.
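    The first two pitfalls are mechanical enough to check in CI. The following is an added example, not code from the SPDX project or from this glossary: it builds a small SPDX 2.3 JSON document (the package names, versions, namespace and CPE are constructed for the sample) and lints it for an old spec version, packages with no scanner-matchable identifier, and packages that no relationship connects to anything.

```python
"""Lint an SPDX 2.3 JSON document for the pitfalls listed above.

Added example, not part of the SPDX project or this glossary. The package
names, versions, namespace and CPE below are constructed for the sample.
"""
import json

# Constructed sample: the document describes a firmware package that depends
# on libfoo. libbar is listed but carries no scanner-matchable identifier and
# is not connected to anything by a relationship.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "infusion-pump-fw-1.4.2",
    "documentNamespace": "https://example.invalid/spdx/infusion-pump-fw-1.4.2",
    "creationInfo": {"created": "2024-05-01T00:00:00Z",
                     "creators": ["Tool: build-pipeline-0.1"]},
    "packages": [
        {"name": "infusion-pump-fw", "SPDXID": "SPDXRef-Package-fw",
         "versionInfo": "1.4.2", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/infusion-pump-fw@1.4.2"}]},
        {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo",
         "versionInfo": "2.0.1", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "SECURITY",
                           "referenceType": "cpe23Type",
                           "referenceLocator":
                               "cpe:2.3:a:example:libfoo:2.0.1:*:*:*:*:*:*:*"}]},
        {"name": "libbar", "SPDXID": "SPDXRef-Package-libbar",
         "versionInfo": "0.9", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "Apache-2.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-fw"},
        {"spdxElementId": "SPDXRef-Package-fw", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    ],
})

# External reference (category, type) pairs a vulnerability scanner can match a
# package on. In SPDX 2.3 a purl lives under PACKAGE-MANAGER (both spellings of
# the category occur in real documents); CPEs live under SECURITY.
SCANNER_IDS = {("PACKAGE-MANAGER", "purl"), ("PACKAGE_MANAGER", "purl"),
               ("SECURITY", "cpe23Type"), ("SECURITY", "cpe22Type")}


def lint_spdx(text: str) -> list[str]:
    """Return one finding per pitfall hit, in document order; [] means clean."""
    doc = json.loads(text)
    findings = []
    # Old 2.x output. SPDX 3.0 is a different (JSON-LD) layout and needs its
    # own reader, so this linter accepts 2.3 only.
    if doc.get("spdxVersion") != "SPDX-2.3":
        findings.append(f"version: {doc.get('spdxVersion')} (expected SPDX-2.3)")
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    # A package with no purl/CPE cannot be matched against advisories.
    for spdx_id, pkg in packages.items():
        refs = {(r["referenceCategory"], r["referenceType"])
                for r in pkg.get("externalRefs", [])}
        if not refs & SCANNER_IDS:
            findings.append(f"no-security-id: {spdx_id}")
    # A package that no relationship touches is invisible to impact analysis:
    # nothing DESCRIBES it and nothing DEPENDS_ON it.
    linked = set()
    for rel in doc.get("relationships", []):
        linked.add(rel["spdxElementId"])
        linked.add(rel["relatedSpdxElement"])
    for spdx_id in packages:
        if spdx_id not in linked:
            findings.append(f"orphan-package: {spdx_id}")
    return findings


if __name__ == "__main__":
    for finding in lint_spdx(SAMPLE_SPDX):
        print(finding)
```

    On the sample this reports libbar twice, once for the missing identifier and once as an orphan; the firmware package passes on its purl and libfoo on its CPE. The same checks run unchanged against the SPDX 2.3 JSON that Syft or the SPDX tooling emits from a real build.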
    Cybersecurity

    CycloneDX

    In one line
    A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.
    Definition
    CycloneDX is an OWASP flagship project and, since 2024, an Ecma standard (ECMA-424). It is an SBOM specification designed for application security, supply-chain risk, and license compliance use cases, with first-class representation of components, services, dependencies, vulnerabilities and their exploitability analysis (VEX), formulation (how the artifact was built), and ML model bill-of-materials (ML-BOM). It is one of the two machine-readable SBOM formats in common use for FDA premarket submissions (the other is SPDX).
    Why it matters
    CycloneDX has become the default for CI/CD-generated SBOMs in MedTech because community tooling (Syft, cdxgen, the CycloneDX CLI) and integrations with Anchore, Snyk, and Dependency-Track are mature. VEX statements can live in the same document as the inventory they describe, or in a separate VEX document that points back at the SBOM through a BOM-Link, so post-market vulnerability response has fewer moving parts than with a format that carries only external references.
    Common pitfalls
    • Producing CycloneDX without the dependencies array. A consumer can still see that a vulnerable library is present, but not which shipped application reaches it, so transitive impact analysis breaks.
    • Using CycloneDX 1.4 when modern tooling expects 1.5/1.6 (formulation and ML-BOM arrived in 1.5).
    • Skipping the vulnerabilities block with its analysis, or a BOM-Link to a separate VEX document, which forces operators to maintain an exploitability feed out of band.
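    All three pitfalls can be caught before the SBOM leaves the pipeline, and the first one is best understood by doing the analysis it breaks. The following is an added example, not code from the CycloneDX project or from this glossary: it builds a small CycloneDX 1.6 JSON document (the application, library names, versions and the EXAMPLE-* vulnerability ids are constructed for the sample), lints it for spec version, components missing from the dependency graph, and vulnerabilities without a VEX analysis, then walks the graph in reverse to list everything a given vulnerability transitively reaches.

```python
"""Lint a CycloneDX 1.6 JSON SBOM for the pitfalls listed above and walk its
dependency graph to see what a vulnerability actually reaches.

Added example, not part of the CycloneDX project or this glossary. Component
names, versions and the EXAMPLE-* vulnerability ids are constructed.
"""
import json

APP = "pkg:generic/monitor-app@3.1.0"
LIBFOO = "pkg:generic/libfoo@2.0.1"
LIBBAR = "pkg:generic/libbar@1.2.0"
LIBBAZ = "pkg:generic/libbaz@0.4.0"
LIBQUX = "pkg:generic/libqux@0.1.0"


def _lib(ref: str) -> dict:
    """Component entry whose bom-ref is its purl (a common generator convention)."""
    name, version = ref.rsplit("/", 1)[1].split("@")
    return {"type": "library", "bom-ref": ref, "name": name,
            "version": version, "purl": ref}


# Constructed sample: app -> libfoo -> libbaz and app -> libbar. libqux is in the
# component list but never wired into the graph. One vulnerability carries a
# VEX analysis, the other does not.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": APP,
                               "name": "monitor-app", "version": "3.1.0"}},
    "components": [_lib(LIBFOO), _lib(LIBBAR), _lib(LIBBAZ), _lib(LIBQUX)],
    "dependencies": [
        {"ref": APP, "dependsOn": [LIBFOO, LIBBAR]},
        {"ref": LIBFOO, "dependsOn": [LIBBAZ]},
        {"ref": LIBBAR, "dependsOn": []},
        {"ref": LIBBAZ, "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
         "affects": [{"ref": LIBBAZ}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "The affected parser is compiled out of the device build."}},
        {"id": "EXAMPLE-0002", "source": {"name": "constructed"},
         "affects": [{"ref": LIBBAR}]},
    ],
})


def _graph(doc: dict) -> dict:
    """bom-ref -> bom-refs it depends on, straight from the dependencies array."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}


def lint_cyclonedx(text: str) -> list[str]:
    """Return one finding per pitfall hit; [] means clean."""
    doc = json.loads(text)
    findings = []
    # 1.4 predates formulation and ML-BOM; expect 1.5 or 1.6.
    if doc.get("specVersion") not in {"1.5", "1.6"}:
        findings.append(f"spec-version: {doc.get('specVersion')} (expected 1.5/1.6)")
    # A component absent from the dependency graph cannot be traced back to the
    # application that ships it.
    graph = _graph(doc)
    wired = set(graph) | {c for children in graph.values() for c in children}
    refs = {c["bom-ref"] for c in doc.get("components", [])}
    refs.add(doc.get("metadata", {}).get("component", {}).get("bom-ref"))
    refs.discard(None)
    for ref in sorted(refs - wired):
        findings.append(f"not-in-dependency-graph: {ref}")
    # A vulnerability without an analysis block is an inventory entry, not a
    # VEX statement; operators would have to find exploitability elsewhere.
    for vuln in doc.get("vulnerabilities", []):
        if "state" not in vuln.get("analysis", {}):
            findings.append(f"vex-missing: {vuln['id']}")
        for affected in vuln.get("affects", []):
            if affected["ref"] not in refs:
                findings.append(f"dangling-affects: {vuln['id']} -> {affected['ref']}")
    return findings


def impacted_by(text: str, vuln_id: str) -> list[str]:
    """Every bom-ref that is, or transitively depends on, a component the named
    vulnerability affects. This is the walk a missing dependencies array breaks."""
    doc = json.loads(text)
    reverse: dict = {}
    for parent, children in _graph(doc).items():
        for child in children:
            reverse.setdefault(child, []).append(parent)
    vuln = next(v for v in doc.get("vulnerabilities", []) if v["id"] == vuln_id)
    seen, stack = set(), [a["ref"] for a in vuln.get("affects", [])]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(reverse.get(ref, []))
    return sorted(seen)
```

    Running the linter on the sample flags libqux as unreachable and EXAMPLE-0002 as lacking VEX; asking what EXAMPLE-0001 reaches returns libbaz, libfoo and the application itself, which is exactly the chain a reviewer needs to see before accepting the "not_affected" justification. Delete the dependencies array and the same question returns only libbaz.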

    Why compare MedTech terms side by side?

    MedTech terminology is full of pairs that look interchangeable but carry very different regulatory, clinical, and commercial consequences. Picking the wrong framework, pathway, or standard early in a project can add months to a submission, invalidate clinical evidence, or trigger an audit finding. Side-by-side comparison is the fastest way to surface those differences before they become costly mistakes.

    Each comparison on this page pulls from the same vendor-neutral, sourced definitions used throughout the MedTech Terms glossary. You see the one-line summary, the formal definition, why it matters in practice, common pitfalls, and the primary sources (FDA guidance, EU MDR/IVDR articles, ISO/IEC standards, MDCG documents, IMDRF principles) that back each entry. That makes the comparison defensible in regulatory strategy memos, design reviews, and submission narratives.


    MedTech Terms is a vendor-neutral community resource sponsored by Blue Goat Cyber. Definitions are written for educational use and are not legal or regulatory advice.