Navigating Global SaMD Regulations: FDA, EU MDR, TGA, PMDA, NMPA Guide

Software as a Medical Device (SaMD) is transforming healthcare, enabling AI-driven diagnostics, real-time patient monitoring, and advanced clinical decision support. As SaMD solutions become more sophisticated, particularly those powered by machine learning and adaptive algorithms, navigating an increasingly complex and rapidly evolving global regulatory landscape is critical to ensuring safety, efficacy, and timely market access.

This guide reflects the regulatory landscape as of April 2026, incorporating the most significant recent developments including the FDA’s new Quality Management System Regulation, the EU AI Act’s August 2026 high-risk AI deadline, Australia’s new AI SaMD guidance, and changes to clinical decision support software policy.

What is SaMD?

According to the International Medical Device Regulators Forum (IMDRF), SaMD is software intended for medical purposes that operates independently of a physical medical device. Unlike embedded software or firmware, SaMD often runs on cloud platforms, smartphones, or web applications, introducing unique compliance, cybersecurity, and post-market obligations.

Common SaMD Applications:

• AI-driven diagnostic imaging tools
• Mobile apps for vital sign monitoring or chronic condition management
• Clinical Decision Support Systems (CDSS)
• Digital therapeutics
• Adaptive machine learning models for disease prediction or treatment planning

Global Regulatory Overview for SaMD

Regulatory authorities classify SaMD based on risk and intended use, which affects submission requirements, review pathways, and post-market obligations.

Key Regulatory Considerations for SaMD in 2026

1. Risk Classification

Intended use determines SaMD classification in all major markets. High-risk diagnostic and therapeutic tools face stricter scrutiny than wellness or lower-risk monitoring applications. Classification is increasingly complex for AI-based SaMD, where adaptive algorithms can change a device’s risk profile over time and regulators are paying close attention.

In the EU, most AI-enabled SaMD that requires Notified Body involvement under the MDR will also automatically qualify as a high-risk AI system under the EU AI Act, triggering a second layer of compliance obligations on top of MDR requirements.

2. Clinical Evaluation

Regulators require clinical evidence proportional to risk. For lower-risk devices, existing literature, performance data, or demonstrated equivalence to a predicate may suffice. For higher-risk devices and particularly for AI-based SaMD, the bar is significantly higher:

• China and Japan typically mandate localized clinical trials
• Australia requires clinical justification aligned with the Essential Principles, and the TGA’s 2026 AI guidance reinforces that regulatory classification is based on intended clinical purpose, not underlying technology
• EU requires clinical evaluation reports demonstrating that clinical accuracy translates to measurable patient benefit; not just technical performance
• FDA now applies a Total Product Life Cycle (TPLC) approach for AI-enabled devices, requiring evidence of model performance, bias analysis, human-AI workflow considerations, and post-market monitoring plans in marketing submissions

3. AI-Specific Regulatory Frameworks: What Changed in 2025–2026

This is the fastest-moving area of SaMD regulation globally.

United States — FDA: In January 2025, the FDA issued draft guidance on AI-enabled device software functions, introducing a Total Product Life Cycle (TPLC) framework that requires manufacturers to address model description, training data lineage, performance tied to clinical claims, bias analysis, and monitoring plans in their submissions. The FDA’s Predetermined Change Control Plan (PCCP) framework allows manufacturers to pre-specify planned algorithm updates that can proceed without a new submission, provided changes remain within the approved parameters. In January 2026, the FDA updated its Clinical Decision Support (CDS) guidance, taking a more deregulatory approach to certain lower-risk software functions, and withdrew its prior IMDRF-based SaMD Clinical Evaluation guidance. The FDA’s Quality Management System Regulation (QMSR), effective February 2, 2026, aligns US quality system requirements with ISO 13485 for the first time.

European Union — MDR + AI Act Dual Compliance: EU SaMD manufacturers now face a dual regulatory framework. AI-enabled SaMD regulated under the MDR or IVDR that requires Notified Body involvement will automatically qualify as a high-risk AI system under the EU AI Act (Regulation 2024/1689). High-risk AI obligations under the Act, covering data governance, transparency, human oversight, record-keeping, and accountability, apply from August 2026. The MDCG published guidance (MDCG 2025-6) in June 2025 defining “Medical Device Artificial Intelligence (MDAI)” products subject to this dual regulation. Manufacturers should contact their Notified Body now to understand how AI Act requirements are being integrated into MDR/IVDR conformity assessments. Additionally, EUDAMED’s four mandatory modules take effect May 28, 2026, requiring all economic operators to register and obtain a Single Registration Number (SRN) before that date.

Australia — TGA: In February 2026, the TGA released new guidance specifically on AI-based SaMD, following its 2025 final report on AI in healthcare. The TGA’s position is clear: regulatory obligations are triggered by the manufacturer’s intended purpose, not by the presence of AI technology. If software uses AI to influence clinical decisions or patient care, it falls within the regulatory framework. The TGA is also consulting on updates to its Essential Principles with greater emphasis on software lifecycle management, cybersecurity, and change control for AI-enabled devices.

4. Cybersecurity and Data Privacy

Cybersecurity has moved from a best practice to a hard regulatory requirement across all major markets. For SaMD developers, compliance now means:

• Secure by design: FDA’s 2025 premarket cybersecurity guidance requires manufacturers to embed threat modeling, risk assessments, and update mechanisms into development from day one, not added at submission
• Software Bill of Materials (SBOM): The FDA now requires an SBOM listing all third-party software components, enabling tracking of known vulnerabilities across the device lifecycle
• Section 524B of the FD&C Act: All new US device submissions must include a cybersecurity plan covering how the manufacturer will monitor, identify, and address vulnerabilities
• EU AI Act: Explicitly includes cybersecurity in the general safety and performance requirements for AI-enabled medical devices; manufacturers must report actively exploited vulnerabilities to national authorities via EUDAMED
• GDPR, PIPL (China), and regional standards: Data privacy compliance is a parallel obligation in every market and must be factored into architecture decisions early in development

Tip: Plan cybersecurity measures at architecture stage. Regulators in the US, EU, and Australia all expect security to be built in and will scrutinize whether it was designed in from the start or retrofitted.

5. Algorithm Updates and the PCCP Framework

One of the most practical regulatory questions for AI SaMD developers is when a software or algorithm update triggers re-submission.

• Minor bug fixes that do not affect clinical performance generally do not require re-submission
• Algorithm changes that affect diagnostic outputs, intended use, or clinical claims typically do require regulatory action
• FDA PCCP: The Predetermined Change Control Plan allows manufacturers to pre-specify planned modifications to their AI/ML algorithms in advance. Updates that fall within the approved PCCP parameters can proceed without a new submission, significantly reducing time and cost for iterative AI development
• EU: Any change that affects the CE mark requires Notified Body review before implementation; particularly important for adaptive algorithms

6. Post-Market Surveillance

Post-market obligations for SaMD are growing in scope globally:

• Vigilance reporting and adverse event monitoring
• Software version and update tracking
• Real-world performance monitoring, particularly for AI models (algorithm drift, dataset shift)
• In the EU, EUDAMED will become the central repository for post-market surveillance reporting from May 2026
• AI-enabled SaMD under the EU AI Act must include AI-specific performance monitoring in their post-market surveillance plans

7. Labeling and Instructions for Use

Clear labeling is critical for safety and compliance, with key regional differences:

• Most markets require localized language in labeling and IFU
• Not all markets accept electronic IFU; design packaging for your full global footprint before finalizing specifications
• China requires the registration license number to appear on the label after approval
• EU and Swiss Medic are moving toward accepting electronic IFU for professional users, with the EU’s December 2025 MDR/IVDR simplification proposal including provisions for digital labeling

Global SaMD Compliance Checklist for 2026

Use this checklist before initiating submissions across major markets:

• Classification: Map intended use to each region’s risk class before development begins, especially for AI-based software where classification can shift with algorithm changes
• AI Framework Compliance: Assess EU AI Act applicability (August 2026 deadline); evaluate FDA TPLC and PCCP requirements for algorithm lifecycle management
• Clinical Evidence: Identify local trial requirements early (China, Japan) and plan clinical strategy in parallel with development, not after
• Cybersecurity: Implement SBOM, threat modeling, secure update mechanisms, and a vulnerability management plan from architecture stage
• Quality Management: Ensure QMS aligns with ISO 13485; US manufacturers must comply with the new QMSR effective February 2026
• Labeling: Confirm language, physical vs. electronic IFU acceptability, and market-specific label requirements before finalizing packaging
• Post-Market Surveillance: Build AI performance monitoring into PMS plans; confirm EUDAMED registration before May 28, 2026

Expert Scenario: Algorithm Updates Across Regions

A European AI diagnostic tool updated its core imaging algorithm after real-world deployment revealed a performance improvement opportunity:

• EU (MDR + AI Act): Notified Body review required before CE mark changes. From August 2026, the AI Act also requires documentation of data governance and model performance monitoring as part of the updated technical file
• US (FDA): If a PCCP was filed at original submission and the update falls within the pre-specified parameters, no new submission is required. If not, clinical validation documentation of the change is required
• Australia (TGA): Change assessment required to determine whether the update affects the device’s regulatory classification or intended purpose
• China (NMPA): Local testing mandatory; algorithm changes affecting clinical outputs typically require re-registration, adding six months or more to approval timelines

Forward-Looking Trends in SaMD Regulation (2026 and Beyond)

EU AI Act full implementation (August 2026): High-risk AI obligations under the EU AI Act apply from August 2026. SaMD manufacturers with AI-enabled devices requiring Notified Body involvement must be ready for dual MDR/AI Act conformity assessments. Notified Bodies designated under the MDR are expected to extend their scope to cover AI Act requirements.

FDA QMSR and AI lifecycle framework: The QMSR’s alignment with ISO 13485 marks a significant shift in US quality system expectations. The FDA’s TPLC and PCCP frameworks are setting the template for how AI algorithm changes are managed globally; other regulators are watching closely.

Global cybersecurity escalation: The US, EU, UK, South Korea, and Australia have all issued or updated cybersecurity guidance for SaMD in 2024–2026. SBOM requirements, secure-by-design mandates, and post-market vulnerability monitoring are becoming standard expectations globally; not US-specific requirements.

Harmonization gaining momentum — with important gaps: IMDRF continues to advance global harmonization of SaMD classification and clinical evaluation principles. However, the EU AI Act introduces a new layer of EU-specific requirements that currently have no direct parallel in other major markets, creating a potential divergence point for global SaMD strategy.

Generative AI and large language models entering regulatory scope: Regulators globally are beginning to address AI systems that generate clinical content, assist with documentation, or integrate into diagnostic workflows using large language models. This remains an evolving area, but manufacturers building generative AI components into SaMD should expect increasing regulatory scrutiny on transparency, hallucination risk, and human oversight requirements.

FAQs on Global SaMD Regulation

Q: When does a software update trigger re-approval?
A: It depends on the nature of the change and the market. Minor bug fixes that do not affect clinical performance generally do not require re-submission. In the US, the FDA’s Predetermined Change Control Plan (PCCP) framework allows manufacturers to pre-specify planned algorithm modifications that can proceed without a new submission, provided they remain within the approved change parameters. In the EU, changes that affect the CE mark require Notified Body review before implementation. For adaptive AI algorithms that continuously learn from real-world data, changes to model outputs may require re-submission or at minimum formal documentation and post-market reporting.

Q: How does the EU AI Act affect SaMD already cleared under the MDR?
A: If your SaMD required Notified Body involvement under the MDR (Class IIa, IIb, or III), it will likely qualify as a high-risk AI system under the EU AI Act, triggering additional requirements for data governance, transparency, human oversight, and record-keeping from August 2026. The MDCG’s June 2025 guidance (MDCG 2025-6) provides the framework for how these dual obligations interact. Manufacturers should conduct a gap analysis of existing MDR technical documentation against AI Act requirements now.

Q: Which markets require local clinical evidence for SaMD?
A: China typically requires local clinical trials unless the device qualifies for exemption. Japan frequently requires Japanese clinical data, particularly for higher-risk devices. Australia and Canada may require additional clinical justification depending on device classification and risk.

Tip: Build your PCCP and change control framework at initial submission across all markets. Retrofitting it after deployment is significantly more costly and time-consuming.