The Cybersecurity Labelling Scheme for IoT [CLS(IoT)] and the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)] both aim to rate devices accordingly to the levels of cybersecurity provisions and assessment. Through the use of Cybersecurity Labels, these schemes provide an indication of the security level of these devices, thereby enhancing transparency and empowering users to make more informed decisions when using or purchasing these devices.
It is important to note that the schemes target different types of devices:
The CLS(IoT) covers consumer smart devices such as Wi-Fi Routers, Smart Home Hubs, Smart Sensors, Smart Lighting, Smart Appliances, and more.
The CLS(MD) covers medical devices as per described in the First Schedule of the Health Product Act1 (Cap122D, 2008 Rev Ed) which have any of the following characteristics:
Handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data;
Special Access Routers (SAR) Devices within scope of the CLS(MD) can apply for the CLS(MD).
During the Sandbox Phase, priority will be given to new medical devices that have not been approved by HSA.
Upon official launch of the CLS(MD), the scheme will be accessible to both new and existing HSA-approved medical devices.
It is important to note that while manufacturers may apply for the CLS(MD) scheme while seeking regulatory approval from the Health Sciences Authority (HSA), the CLS(MD) label will only be issued upon successful approval of the medical device by HSA.
The “CLS(MD) Declaration of Conformity” and “CLS(MD) Supporting evidence template” are required for CLS(MD) applications. These templates can be accessed here. Manufacturers can then upload the completed documents into the GoBusiness Licensing Portal during application.
The HSA Cybersecurity Lifecycle Requirements are integrated into the CLS(MD) as clauses VDP.1, CSUP.1, CSUP.4, and RDMP.1.
For Class A medical devices, these requirements will be assessed during the CLS(MD) application.
For Class B/C/D medical devices that are approved by HSA, these requirements have already been assessed during the approval process by HSA and will not be reassessed within the CLS(MD) application. However, if the Class B/C/D medical device has not been approved by HSA, these requirements will be assessed as part of the CLS(MD) application.
The CLS(MD) is presently not recognised outside Singapore. However, pursuing international mutual recognition is a key objective, as such arrangements would enable manufacturers to save time and costs by avoiding duplicating testing and enhance access to new markets.