Cybersecurity Labelling Scheme for Medical Devices (Level 3)
The Cybersecurity Labelling Scheme for Medical Devices (Level 3) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that handle personal identifiable information and connect to other systems. The licence is valid for up to 3 years, with processing typically completed in 1 month.
- Validity
- Up to 3 years
- Processing time
- 1 month
- Issuing authority
- CYBER SECURITY AGENCY OF SINGAPORE (CSA)
Need help applying for this licence?
We handle the full application — document prep, agency liaison, follow-up — alongside your incorporation.
Who needs the Cybersecurity Labelling Scheme for Medical Devices (Level 3)
This licence applies to Singapore businesses registered under the following SSIC industry codes:
- Voluntary / supplementaryDivision 21 — MANUFACTURE OF PHARMACEUTICALS AND BIOLOGICAL PRODUCTS
Includes: 21011 Manufacture of pharmaceutical intermediates and fine chemicals for human use, 21012 Manufacture of pharmaceutical products and preparations for human use, 21013 Manufacture of pharmaceutical products for veterinary use, 21021 Manufacture of vaccines for human use
- Voluntary / supplementaryDivision 26 — MANUFACTURE OF COMPUTER, ELECTRONIC AND OPTICAL PRODUCTS
Includes: 26111 Manufacture of discrete devices, 26112 Semiconductor wafer fabrication, 26113 Assembly and testing of semiconductors, 26114 Manufacture of solar wafers
What's involved in getting the Cybersecurity Labelling Scheme for Medical Devices (Level 3)
The scope of the application — what must be in place, how the agency reviews, and where applications typically stall.
What this licence allows the business to do
The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) enables manufacturers to obtain a cybersecurity label for their medical devices, indicating the level of cybersecurity provisions in place. This label helps consumers and healthcare providers make informed decisions regarding the use of these devices, promoting a security-by-design approach in the industry.
What must be in place before the licence can be granted
Before the CLS(MD) can be granted, certain prerequisites must be satisfied. This includes a Declaration of Conformity, which asserts that the device meets the relevant cybersecurity level provisions. Additionally, a Supporting Evidence Document is required to demonstrate compliance with the established requirements. These documents must be prepared and available for review by the agency.
How the agency reviews and decides
The Cyber Security Agency of Singapore (CSA) reviews the submitted documentation to assess compliance with the cybersecurity standards. This process may involve evaluating the evidence provided to ensure that the medical device meets the necessary cybersecurity criteria. The agency's thorough review is essential for maintaining the integrity of the labelling scheme.
Common reasons applications stall
Applications for the CLS(MD) may face delays or rejections due to incomplete documentation or insufficient evidence of compliance with cybersecurity provisions. A common issue is the lack of a well-prepared Supporting Evidence Document, which must clearly demonstrate that the device adheres to the required standards. Additionally, discrepancies in the Declaration of Conformity can lead to complications, emphasizing the importance of accurate and comprehensive submissions.
Required documents and prerequisites
Items the applicant typically needs ready before submitting:
- Declaration of Conformity
- To declare that the device met with the relevant cybersecurity level security provision.
- Supporting Evidence Document
- To provide evidence that demonstrates the product's compliance with requirements.
- Download application templates here.
Cybersecurity Labelling Scheme for Medical Devices (Level 3) FAQ
Do I need this licence to start operating?
While the Cybersecurity Labelling Scheme for Medical Devices is voluntary, obtaining this licence can enhance the credibility of your medical device in the market. It signals to consumers and healthcare providers that your device meets established cybersecurity standards, which can be crucial for gaining trust and ensuring safety.
What can my business do once licensed?
Once your medical device is certified under the Cybersecurity Labelling Scheme, it can display the cybersecurity label, indicating its compliance with the relevant cybersecurity provisions. This can improve marketability and consumer confidence, as it assures users that the device has undergone rigorous cybersecurity assessments.
What happens if I operate without it?
Operating a medical device without the Cybersecurity Labelling Scheme may limit your market access and consumer trust. Without the label, potential customers may be hesitant to use your device due to concerns about its cybersecurity, which could impact sales and reputation.
What's the most common reason applications get rejected?
The most common reason for rejection of applications for the Cybersecurity Labelling Scheme is incomplete or insufficient documentation. Specifically, a lack of a comprehensive Supporting Evidence Document or discrepancies in the Declaration of Conformity can lead to delays or denials, highlighting the need for thorough preparation.
Can a foreign-owned company hold this licence?
Yes, foreign-owned companies can apply for the Cybersecurity Labelling Scheme for Medical Devices in Singapore. However, they must ensure that their medical devices meet the necessary cybersecurity standards and provide the required documentation to demonstrate compliance.
Get a quote — incorporation + this licence
We package this with your company setup so you launch with the licence already approved.
Other CSA licences
Cybersecurity Labelling Scheme for Medical Devices (Level 1)
The Cybersecurity Labelling Scheme for Medical Devices (Level 1) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that meet specific cybersecurity provisions. This voluntary scheme aims to enhance cybersecurity awareness and is valid for up to 3 years, with processing typically completed in 1 day.
Cybersecurity Labelling Scheme for Medical Devices (Level 2)
The Cybersecurity Labelling Scheme for Medical Devices (Level 2) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that meet specific cybersecurity provisions. This voluntary scheme aims to enhance cybersecurity awareness and practices among manufacturers. The label is valid for up to 3 years, with processing typically completed in 2 days.
Cybersecurity Labelling Scheme for Medical Devices (Level 4)
The Cybersecurity Labelling Scheme for Medical Devices (Level 4) is issued by the Cyber Security Agency of Singapore (CSA) for medical devices that meet specific cybersecurity provisions. Valid for up to 3 years, the processing time for this scheme is approximately 3 months.