Cybersecurity Labelling Scheme for Medical Devices (Level 2)
The Cybersecurity Labelling Scheme for Medical Devices (Level 2) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that meet specific cybersecurity provisions. This voluntary scheme aims to enhance cybersecurity awareness and practices among manufacturers. The label is valid for up to 3 years, with processing typically completed in 2 days.
- Validity
- Up to 3 years
- Processing time
- 2 days
- Issuing authority
- CYBER SECURITY AGENCY OF SINGAPORE (CSA)
Need help applying for this licence?
We handle the full application — document prep, agency liaison, follow-up — alongside your incorporation.
Who needs the Cybersecurity Labelling Scheme for Medical Devices (Level 2)
This licence applies to Singapore businesses registered under the following SSIC industry codes:
- Voluntary / supplementaryDivision 21 — MANUFACTURE OF PHARMACEUTICALS AND BIOLOGICAL PRODUCTS
Includes: 21011 Manufacture of pharmaceutical intermediates and fine chemicals for human use, 21012 Manufacture of pharmaceutical products and preparations for human use, 21013 Manufacture of pharmaceutical products for veterinary use, 21021 Manufacture of vaccines for human use
- Voluntary / supplementaryDivision 26 — MANUFACTURE OF COMPUTER, ELECTRONIC AND OPTICAL PRODUCTS
Includes: 26111 Manufacture of discrete devices, 26112 Semiconductor wafer fabrication, 26113 Assembly and testing of semiconductors, 26114 Manufacture of solar wafers
What's involved in getting the Cybersecurity Labelling Scheme for Medical Devices (Level 2)
The scope of the application — what must be in place, how the agency reviews, and where applications typically stall.
What this licence allows the business to do
The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) enables manufacturers to demonstrate compliance with cybersecurity standards for their medical devices. By obtaining this label, businesses can enhance consumer trust and facilitate informed decision-making among healthcare providers regarding the security of medical devices.
What must be in place before the licence can be granted
Before the label can be issued, certain conditions must be met. A Declaration of Conformity is required, confirming that the device meets the relevant cybersecurity level provisions. Additionally, a Supporting Evidence Document must be provided, demonstrating compliance with the necessary requirements. This documentation is crucial for the agency's assessment of the device's cybersecurity capabilities.
How the agency reviews and decides
The Cyber Security Agency of Singapore (CSA) conducts a thorough review of the submitted documentation. This includes evaluating the Declaration of Conformity and the Supporting Evidence Document to ensure that the medical device aligns with the specified cybersecurity standards. The agency's review process is designed to ensure that only devices meeting the required security levels receive the label.
Common reasons applications stall
Applications for the Cybersecurity Labelling Scheme may face delays due to incomplete documentation or insufficient evidence demonstrating compliance with cybersecurity requirements. A common issue is the lack of clarity in the Supporting Evidence Document, which can lead to misunderstandings regarding the device's capabilities. Ensuring that all documentation is comprehensive and clearly outlines compliance can help prevent such delays.
Required documents and prerequisites
Items the applicant typically needs ready before submitting:
- Declaration of Conformity
- To declare that the device met with the relevant cybersecurity level security provision.
- Supporting Evidence Document
- To provide evidence that demonstrates the product's compliance with requirements.
- Download application templates here.
Cybersecurity Labelling Scheme for Medical Devices (Level 2) FAQ
Do I need this licence to start operating?
While the Cybersecurity Labelling Scheme for Medical Devices is voluntary, obtaining this label can significantly enhance the credibility of your medical devices. It is advisable for manufacturers aiming to demonstrate a commitment to cybersecurity and to gain consumer trust.
What can my business do once licensed?
Once a medical device is labeled under the Cybersecurity Labelling Scheme, it can be marketed as compliant with recognized cybersecurity standards. This can improve marketability and consumer confidence, as healthcare providers and patients will have assurance regarding the device's security.
What happens if I operate without it?
Operating without the Cybersecurity Labelling Scheme may limit your ability to demonstrate the cybersecurity robustness of your medical devices. This could potentially affect consumer trust and market acceptance, especially in a sector where data security is paramount.
What's the most common reason applications get rejected?
The most common reason for rejection is the submission of incomplete or unclear documentation. Specifically, if the Declaration of Conformity or Supporting Evidence Document does not adequately demonstrate compliance with the required cybersecurity provisions, the application may be stalled or rejected.
Can a foreign-owned company hold this licence?
Yes, foreign-owned companies can apply for the Cybersecurity Labelling Scheme for Medical Devices. However, they must ensure that their medical devices meet the necessary cybersecurity standards and provide the required documentation for assessment.
Get a quote — incorporation + this licence
We package this with your company setup so you launch with the licence already approved.
Other CSA licences
Cybersecurity Labelling Scheme for Medical Devices (Level 1)
The Cybersecurity Labelling Scheme for Medical Devices (Level 1) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that meet specific cybersecurity provisions. This voluntary scheme aims to enhance cybersecurity awareness and is valid for up to 3 years, with processing typically completed in 1 day.
Cybersecurity Labelling Scheme for Medical Devices (Level 3)
The Cybersecurity Labelling Scheme for Medical Devices (Level 3) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that handle personal identifiable information and connect to other systems. The licence is valid for up to 3 years, with processing typically completed in 1 month.
Cybersecurity Labelling Scheme for Medical Devices (Level 4)
The Cybersecurity Labelling Scheme for Medical Devices (Level 4) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that meet specific cybersecurity provisions. Valid for up to 3 years, the processing time for this scheme is approximately 3 months.