Cybersecurity Labelling Scheme for Medical Devices, CLS(MD)

Scheme Overview

1. What distinguishes the Cybersecurity Labelling Scheme for IoT from the Cybersecurity Labelling Scheme for Medical Devices?

The Cybersecurity Labelling Scheme for IoT [CLS(IoT)] and the Cybersecurity Labelling Scheme for Medical Devices [CLS(MD)] both aim to rate devices according to their levels of cybersecurity provisions and assessment. Through the use of Cybersecurity Labels, these schemes provide an indication of the security level of these devices, thereby enhancing transparency and empowering users to make more informed decisions when using or purchasing these devices.

It is important to note that the schemes target different types of devices:

  • The CLS(IoT) covers consumer smart devices such as Wi-Fi Routers, Smart Home Hubs, Smart Sensors, Smart Lighting, Smart Appliances, and more.

  • The CLS(MD) covers medical devices as described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) which have any of the following characteristics:

    1. Handles personally identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data;

    2. Connects to other devices, systems, and services: has the ability to communicate using wired and/or wireless communication protocols through a network of connections.

2. Can Special Access Routes (SAR) devices apply for CLS(MD)?

Special Access Routes (SAR) devices within the scope of the CLS(MD) can apply for the CLS(MD).

3. Does the CLS(MD) scheme require the medical devices to be approved by HSA?

During the Sandbox Phase, priority will be given to new medical devices that have not been approved by HSA.

Upon official launch of the CLS(MD), the scheme will be accessible to both new and existing HSA-approved medical devices.

It is important to note that while manufacturers may apply for the CLS(MD) scheme while seeking regulatory approval from the Health Sciences Authority (HSA), the CLS(MD) label will only be issued upon successful approval of the medical device by HSA. 

4. What are the necessary document templates for CLS(MD) application submission and where can I find them?

The “CLS(MD) Declaration of Conformity” and “CLS(MD) Supporting evidence template” are required for CLS(MD) applications. These templates can be accessed here. Manufacturers can then upload the completed documents into the GoBusiness Licensing Portal during application. 

5. Does the CLS(MD) application process differ for medical devices that are already approved with HSA?

The HSA Cybersecurity Lifecycle Requirements are integrated into the CLS(MD) as clauses VDP.1, CSUP.1, CSUP.4, and RDMP.1.

For Class A medical devices, these requirements will be assessed during the CLS(MD) application.

For Class B/C/D medical devices that are approved by HSA, these requirements have already been assessed during the approval process by HSA and will not be reassessed within the CLS(MD) application. However, if the Class B/C/D medical device has not been approved by HSA, these requirements will be assessed as part of the CLS(MD) application.


6. If a medical device is assessed and found not to meet the CLS(MD) level applied for, what are the next steps?

The CLS(MD) application process provides the opportunity for applicants to address identified issues and meet the requirements. Alternatively, applicants may be granted a lower CLS(MD) level if the criteria for the lower level are satisfied.

7. If an application cannot be completed during the sandbox phase, will application fees be applied retroactively at the launch of the CLS(MD) scheme?

Application fees will not be retroactively applied at the launch of the CLS(MD) scheme for sandbox applications.

8. Is the CLS(MD) Label recognised internationally?

The CLS(MD) is presently not recognised outside Singapore. However, pursuing international mutual recognition is a key objective, as such arrangements would enable manufacturers to save time and costs by avoiding duplicate testing and would enhance access to new markets.

Testing Laboratories

1. What are the testing laboratories that manufacturers may use for CLS(MD)?

For CLS(MD) level 3 and level 4 applications, manufacturers shall engage the approved CLS(MD) testing laboratories listed here. Testing laboratories interested in becoming an approved CLS(MD) testing laboratory can access the requirements for testing laboratories here.

Labelling Requirements

1. If a product name changes due to an acquisition, or because the product was formerly registered by the original equipment manufacturer (OEM), is a change notification submission to CSA required?

Manufacturers are advised to inform CSA at cls_md@csa.gov.sg so that relevant changes can be made to the CLS(MD) product registry.

2. Do manufacturers need to inform both CSA and HSA if a device has been affected by security vulnerabilities?

Vulnerabilities shall be reported to both CSA and HSA. Manufacturers are required to inform CSA of the vulnerabilities at cls_md@csa.gov.sg. In addition, manufacturers are required to submit Field Safety Corrective Action (FSCA) and Adverse Event (AE) reports to HSA in accordance with the requirements laid out in GN-10 Guidance on Medical Device Field Safety Corrective Action and GN-05 Guidance on the Reporting of Adverse Events respectively.