What's in IMDRF/CYBER WG/N73?

N73 covers cybersecurity expectations for legacy medical devices - devices that cannot be reasonably protected against current cybersecurity threats - and frames a shared responsibility model between manufacturers, healthcare providers, and operators.

How does IMDRF guidance interact with FDA's 2023 guidance?

FDA's 2023 guidance explicitly cites IMDRF documents and aligns its expectations to them. Following IMDRF principles is a strong indicator of FDA conformance.

All terms

CybersecurityConnected & Cyber-Physical Devices Global Markets

IMDRF Principles and Practices for Medical Device Cybersecurity

International harmonized guidance on medical-device cybersecurity from the IMDRF Cybersecurity Working Group.

Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

Definition

The International Medical Device Regulators Forum (IMDRF) Cybersecurity Working Group has published a series of guidance documents - most notably IMDRF/CYBER WG/N60 (Principles and Practices for Medical Device Cybersecurity, 2020) and N73 (Principles and Practices for the Cybersecurity of Legacy Medical Devices, 2023) - that harmonize regulator expectations across jurisdictions including the FDA, Health Canada, MHRA, TGA, PMDA, and the EU.

What the regulation says

IMDRF guidance is non-binding but heavily influences national regulators. FDA's 2023 cybersecurity guidance, Health Canada's Pre-market Requirements for Medical Device Cybersecurity, and the EU MDR Annex I §17.2 all align to IMDRF principles. Submitting a product that meets IMDRF principles materially eases multi-jurisdiction filings.

What this means in practice

MedTech teams pursuing global submissions use IMDRF principles as the common backbone, then layer on jurisdiction-specific requirements (524B for the US, MDCG 2019-16 for the EU). The legacy-device guidance (N73) is particularly valuable because it addresses devices designed before modern cybersecurity expectations existed.

Common pitfalls

•Treating IMDRF guidance as the ceiling rather than the floor - national regulators add specifics.
•Ignoring N73's legacy-device guidance for products approaching end-of-support.

Frequently asked questions

No. IMDRF documents are harmonized recommendations. National regulators (FDA, Health Canada, MHRA, TGA, EU) adopt and adapt them through their own guidance and regulation.

Primary references

3 sources

Link health: 2 verified 1 needs review· last checked 2026-05-09

Inline markers like [1] jump to the matching reference above.

On this term

Category: Cybersecurity
Sources: 3
Updated: 5/5/2026

Compare with another term

Learn in 60 seconds

International harmonized guidance on medical-device cybersecurity from the IMDRF Cybersecurity Working Group.

·MedTech teams pursuing global submissions use IMDRF principles as the common backbone, then layer on jurisdiction-specific requirements (524B for the US, MDCG 2019-16 for the EU).
·The legacy-device guidance (N73) is particularly valuable because it addresses devices designed before modern cybersecurity expectations existed.

Remember this

Watch out: Treating IMDRF guidance as the ceiling rather than the floor - national regulators add specifics.

Related terms

You may also need

Auto-suggested from Cybersecurity and shared keywords.

All Cybersecurity terms

From the Blue Goat network

Related resources and services on this topic.