Navigating Global SaMD Regulations: FDA, EU MDR, TGA, PMDA, NMPA Guide

Taylor Esser

Last updated: February 19, 2026

Software as a Medical Device (SaMD) is transforming healthcare, enabling AI-driven diagnostics, real-time patient monitoring, and advanced clinical decision support. As SaMD solutions become more sophisticated and personalized, navigating regulatory requirements is critical to ensure safety, efficacy, and timely access to global markets.

This guide explores SaMD regulatory compliance globally, highlighting key frameworks, classification rules, submission pathways, and post-market obligations across major regions.

What is SaMD?

According to the International Medical Device Regulators Forum (IMDRF), SaMD is software intended for one or more medical purposes that performs those purposes without being part of a hardware medical device. Unlike embedded software or firmware, SaMD often runs on cloud platforms, smartphones, or web applications, introducing unique compliance and cybersecurity challenges.

It is worth noting that in January 2026, the FDA withdrew its guidance adopting IMDRF principles specifically for SaMD clinical evaluation, as part of a broader shift toward a more deregulatory approach to digital health. While the IMDRF framework remains a useful reference for global strategy, manufacturers targeting the U.S. market should monitor FDA guidance closely as the agency continues to refine its approach.

Common SaMD Applications:

  • AI-driven diagnostic imaging tools
  • Mobile apps for vital sign monitoring or chronic condition management
  • Clinical Decision Support Systems (CDSS)
  • Digital therapeutics
  • AI/ML-based adaptive algorithms that continuously learn from real-world performance data (a growing and heavily scrutinized category in 2026)

Global Regulatory Overview for SaMD

Regulatory authorities classify SaMD based on risk and intended use, which affects submission requirements, review pathways, and post-market obligations.

| Region | Classification | Submission Pathway | Key Local Considerations | Time to Approval |
|---|---|---|---|---|
| FDA (US) | Class I–III | 510(k), De Novo, PMA | AI transparency, PCCP for adaptive algorithms, QMSR alignment | 3–12 months (510k/De Novo); 12–24+ months (PMA) |
| EU MDR | Class I–III | CE Mark via Notified Body | Cybersecurity, UDI, EUDAMED registration mandatory from May 2026 | 6–18 months |
| TGA (Australia) | Class I–III | ARTG Inclusion | Feb 2026 AI guidance: technology-agnostic risk-based approach; cybersecurity standards (IEC 81001-5-1) now required | 3–9 months |
| Health Canada | Class I–IV | Medical Device License | Risk classification, QMS, cybersecurity documentation | 6–12 months |
| PMDA (Japan) | Class I–III | Marketing Certification / Marketing Approval; Two-Step Approval available for novel SaMD | Japanese labeling required; Priority Review available for designated innovative SaMD; local clinical data often required | 3–6 months (Priority/certified); 6–24+ months (full approval) |
| NMPA (China) | Class I–III | Registration dossier | Local testing, data hosting, Mandarin labeling, new GMP effective Nov 2026 | 12–24 months |

Tip: Always map intended use to each region’s risk classification. Classification mistakes remain a top cause of delays across all markets.

Key Regulatory Considerations for SaMD

1. Risk Classification

Intended use determines SaMD classification in all major markets, and getting this right early is critical. Higher classification means more documentation, Notified Body involvement, and longer timelines.

2. Clinical Evaluation

Regulators require clinical evidence proportional to risk. The EU demands a Clinical Evaluation Report and often PMCF for every SaMD, while China and Japan continue to require localized clinical data in most cases.

3. Cybersecurity & Privacy

Cybersecurity is an active regulatory requirement across all major markets. Manufacturers should implement security-by-design principles, maintain a Software Bill of Materials (SBOM), and establish continuous vulnerability monitoring. In the EU, AI-enabled SaMD is now additionally subject to the EU AI Act, with most obligations applying from August 2026.

4. Post-Market Surveillance

For SaMD, particularly AI/ML-enabled products, regulatory compliance extends well beyond market entry. Post-market obligations include vigilance reporting, tracking software updates and version changes, and for adaptive algorithms, monitoring real-world performance against pre-specified metrics.

5. Labeling & Instructions for Use

Clear labeling is critical for safety and compliance. Some markets allow digital instructions, while others require physical inserts with localized language.

Global SaMD Compliance Checklist

Follow this global SaMD regulatory checklist to streamline approvals:

  • Classification: Map intended use to each region’s risk class
  • Clinical Evidence: Build a global evidence strategy early and include localized trials where required
  • Cybersecurity: Implement security-by-design, maintain a Software Bill of Materials (SBOM), and establish continuous vulnerability monitoring
  • EU AI Act: If your SaMD uses AI, ensure compliance with high-risk AI system obligations applying from August 2026
  • Labeling: Ensure language and regulatory-specific content requirements are met for each target market
  • Post-Market Surveillance: Continuous monitoring, incident reporting, and for AI/ML products, real-world algorithm performance tracking

FAQs on Global SaMD Regulation

Q: When does a software update trigger re-approval?
A: Minor bug fixes typically do not, but updates that affect intended use, safety, or AI algorithm behavior may require re-submission. In the U.S., a Predetermined Change Control Plan (PCCP) can allow pre-specified modifications without a new submission.

Q: How do adaptive AI algorithms affect regulatory classification?
A: Continuously learning software may elevate risk class or trigger additional post-market monitoring obligations. In 2026, regulators across all major markets are paying close attention to how adaptive algorithms perform against real-world data after deployment.

Q: Which markets require local clinical evidence for SaMD?
A: China and Japan typically mandate localized studies. Australia and Canada may require local clinical evidence depending on the device’s risk classification and intended use.

Tip: Cybersecurity and AI transparency are the fastest-evolving areas of SaMD regulation in 2026 — build both into your development process from day one, not as an afterthought.

Expert Scenario: Algorithm Updates Across Regions

A European AI diagnostic tool updated its algorithm:

  • EU: A significant algorithm change affecting intended use or performance triggers Notified Body review before the CE mark can be updated. Under the EU AI Act, high-risk AI systems must also update their conformity assessment and EU AI database registration.
  • US: A PCCP filed at the time of original submission can allow pre-specified algorithm updates without a new submission, making upfront PCCP planning a significant competitive advantage for iterative AI products.
  • China: Local testing remains mandatory for algorithm changes, typically adding six or more months. China’s updated 2026 mandatory standards may also require re-testing even where the change appears minor.

Tip: Early alignment of your change control strategy across all target markets prevents delays and costly rework.

Forward-Looking Trends in SaMD Regulation

The regulatory landscape for SaMD is rapidly evolving:

  • EU AI Act implementation: High-risk AI medical devices face new transparency, human oversight, and registration obligations from August 2026, layered on top of existing MDR requirements.
  • FDA’s evolving AI framework: The FDA has signaled that a new, forward-thinking regulatory framework for AI devices is in development, with further guidance expected throughout 2026 and beyond.
  • IMDRF harmonization: Global alignment efforts continue, though the FDA’s 2026 withdrawal of its IMDRF-aligned SaMD clinical evaluation guidance signals that regional divergence remains a reality manufacturers must plan for.
  • Continuous cybersecurity monitoring: Real-time vulnerability management and SBOM maintenance are becoming baseline regulatory expectations, not optional best practices.