On March 9, 2023, a new regulation for ensuring cyber security was issued in the Essential Requirements Criteria in Japan. The Essential Requirements Criteria’s Article 12 already had 2 clauses, but clause 3 on cybersecurity has now been added. In short, medical devices using programs are now required to ensure safety and basic performance by implementing risk management throughout the medical device software life cycle – according to JIS T 2304 (IEC 62304). The new Japanese regulation stipulates that, in addition to the conformity to the JIS T 2304 (IEC 62304), for medical devices connected to other IT devices and medical devices connected to the Internet, cyber security measures based on JIS T 81001-5-1 (IEC 81001-5-1) are required to reduce cyber security risks to acceptable levels.
This new regulation was put into practice on April 1, 2023, with a one-year transitional period until March 31, 2024. When applying for device approval after the end of the transitional period, it is required that device manufacturers demonstrate conformity to the above cyber security regulation. This provision and transition period also applies to already approved products. Hence, device manufacturers will need to update their registrations accordingly.