
Published: June 13, 2026
Australia's Therapeutic Goods Administration (TGA) regulates medical device cybersecurity under the Therapeutic Goods (Medical Devices) Regulations 2002 and the TGA's "Medical device cyber security guidance for industry" (current edition 2022, updated through subsequent notices). Sponsors of Class IIa, IIb, III, and AIMD devices that include software or connectivity must demonstrate cybersecurity risk management, secure design, verification, an SBOM, secure-use labeling, and a postmarket plan as part of ARTG inclusion. The content overlaps with FDA Section 524B but is structured around Australia's Essential Principles.
The TGA aligns with IMDRF principles and recognizes much of the content that satisfies the FDA's February 3, 2026 final premarket cybersecurity guidance. The mechanism is different: instead of a single submission section, cybersecurity evidence is mapped to the Essential Principles 12 and 12A and to the conformity assessment route appropriate for the device class. This post explains what the TGA expects in 2026, where Australian sponsors and overseas manufacturers most commonly fall short, and how to convert an existing FDA package into ARTG-ready content.
Key Takeaways
- The TGA classifies devices as Class I, IIa, IIb, III, and AIMD, broadly aligned with the EU MDR system.
- Cybersecurity is regulated through Essential Principles 12 (software) and 12A (programmable medical devices).
- The TGA's 2022 cybersecurity guidance lists six pre-market expectations that mirror the FDA and Health Canada model.
- Postmarket vigilance under the Uniform Recall Procedure for Therapeutic Goods (URPTG) applies to cybersecurity incidents.
- An FDA Section 524B package is reusable but must be mapped to the Essential Principles and Australian labeling rules.
Table of Contents
- How the TGA Classifies Medical Devices
- Essential Principles 12 and 12A
- The TGA Cybersecurity Guidance Content Areas
- Mapping an FDA Section 524B Package to ARTG Content
- Postmarket Obligations and Recall Reporting
- How Blue Goat Approaches TGA Submissions
- FAQ
Why this matters
The Australian Register of Therapeutic Goods (ARTG) is the gateway for medical device commercialization in Australia. Cybersecurity expectations are written into the Essential Principles in the Therapeutic Goods (Medical Devices) Regulations 2002 and elaborated in the TGA's industry guidance. The guidance aligns with IMDRF N60 ("Principles and Practices for Medical Device Cybersecurity") and references IEC 81001-5-1, AAMI TIR57, and ISO 14971. Sponsors that operate from an FDA Section 524B baseline can reuse most technical content, but the conformity assessment evidence, labeling, and postmarket plan need to map to Australian rules. Skipping that mapping is the most common reason TGA reviewers raise cybersecurity questions on otherwise complete applications.
How the TGA Classifies Medical Devices
EU-Aligned Classification
The TGA uses classes broadly aligned with the EU MDR: Class I, Class IIa, Class IIb, Class III, and Active Implantable Medical Devices (AIMD). The classification rules under Schedule 2 of the Regulations determine the conformity assessment route. Connected diagnostic and therapeutic software devices commonly fall in Class IIa or IIb; implantables and life-sustaining devices fall in Class III or AIMD.
The Software Classification Rule
The TGA implemented software-as-a-medical-device classification rules (Rule 4.3) that elevated many SaMD products to Class IIa or higher. The rule matters for cybersecurity because a higher class raises the bar for evidence and changes the conformity assessment route. Sponsors must check the classification rules in force for software products at the time of application.
Essential Principles 12 and 12A
What the Essential Principles Require
Essential Principle 12 covers medical devices that incorporate software or are themselves software, requiring development according to the state of the art, taking into account the development lifecycle, risk management, validation, and verification. Essential Principle 12A explicitly covers programmable medical devices and requires repeatability, reliability, and performance consistent with the intended use. Cybersecurity sits inside both principles. [KEY REQUIREMENT] The TGA expects sponsors to demonstrate compliance with EPs 12 and 12A through documented evidence, not by reference to compliance with other jurisdictions alone.
How the TGA Reads the Evidence
The TGA accepts evidence from EU notified body conformity assessments, MDSAP audits, and FDA submissions in many cases, but the sponsor's Australian Declaration of Conformity must explicitly map evidence to the relevant Essential Principles. A US-cleared device with an FDA Section 524B package still needs the EP mapping for the ARTG inclusion.
The TGA Cybersecurity Guidance Content Areas
The TGA's "Medical device cyber security guidance for industry" lists six pre-market expectations:
| TGA expectation | What it covers |
|---|---|
| Risk management | Security risk management process per AAMI TIR57 or equivalent, integrated with ISO 14971 |
| Secure design | Architectural decisions, trust boundaries, defense in depth |
| Verification | Security testing including penetration testing where appropriate |
| SBOM | Inventory of software components, including third-party libraries |
| Labeling | Information for users on secure deployment and operation |
| Postmarket plan | Vulnerability monitoring, response, and update strategy |
The structure mirrors the FDA Feb 3, 2026 guidance and the Health Canada 2019 guidance, which is why the technical content is largely portable.
Mapping an FDA Section 524B Package to ARTG Content
What Maps Directly
See also: Health Canada Medical Device Cybersecurity: 2026 Requirements, CISA KEV Catalog for Medical Devices: What It Is and How to Use It, and Docker Containers in Medical Devices: What the FDA Expects You to Test.
The threat model, SBOM with VEX, security architecture views, verification and penetration testing evidence, and postmarket cybersecurity management plan from a Section 524B package map directly into the TGA's six expectations. Sponsors should bundle the evidence with an explicit EP 12 and EP 12A mapping document so reviewers can trace each expectation to a piece of evidence.
What Needs Adaptation
The Australian labeling content must satisfy local language and regulatory requirements. The postmarket plan must reference Uniform Recall Procedure for Therapeutic Goods (URPTG) obligations and the TGA's adverse event reporting expectations, not the FDA's 21 CFR Part 803 pathway alone. The Declaration of Conformity must be Australian-specific.
Postmarket Obligations and Recall Reporting
URPTG and Hazard Alerts
The Uniform Recall Procedure for Therapeutic Goods governs how sponsors handle product recalls, hazard alerts, and safety advisories in Australia. Cybersecurity incidents that meet the threshold for a hazard alert or recall trigger URPTG obligations, including notifications to the TGA and to healthcare providers.
Adverse Event Reporting
Sponsors must report serious adverse events and near-incidents to the TGA. Cybersecurity incidents that result in or could result in serious injury, illness, or death are reportable. The incident response (IR) plan and coordinated vulnerability disclosure (CVD) policy referenced in the application package should make the Australian reporting pathway explicit.
How Blue Goat Approaches TGA Submissions
We treat TGA submissions as an Essential Principles mapping exercise for sponsors who already have an FDA Section 524B package. The technical content set carries over largely intact; the work is in the Declaration of Conformity, the EP 12/12A mapping, the Australian-specific labeling, and the postmarket plan adaptation for URPTG and TGA adverse event reporting. Our team holds CISSP, OSCP, and prior military red-team credentials, and our submission work is grounded in IEC 81001-5-1, AAMI TIR57, ISO 14971, IMDRF N60, and the FDA February 3, 2026 final premarket cybersecurity guidance. If the regulator raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Start with our international medical device cybersecurity services or compare regimes on the EU MDR vs FDA cybersecurity guide.
FAQ
Does the TGA require an SBOM?
Yes. The TGA's medical device cybersecurity guidance lists an SBOM as one of the six pre-market expectations. CycloneDX and SPDX are the common formats, consistent with FDA and Health Canada practice. The SBOM must be current at the time of application.
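As an added illustration of the "current SBOM" expectation (example code written here, not tooling from the TGA or Blue Goat): a Python check over a constructed CycloneDX document that flags a stale generation timestamp, a missing device version, and third-party components listed without a version. The 90-day freshness threshold is an assumed internal value, since the guidance says only "current".

```python
import json
from datetime import datetime, timedelta

# Constructed CycloneDX 1.5 document for illustration; not from any real submission.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-05-20T09:00:00Z",
        "component": {"type": "device", "name": "example-infusion-controller", "version": "3.2.0"},
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "purl": "pkg:generic/zlib"},  # version deliberately omitted
        {"type": "operating-system", "name": "yocto-linux", "version": "4.0"},
    ],
})

# Assumed internal freshness threshold; the TGA guidance says "current" and fixes no number of days.
MAX_SBOM_AGE_DAYS = 90


def parse_ts(ts):
    """Parse an ISO 8601 timestamp such as 2026-05-20T09:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_sbom(sbom_json, as_of):
    """Return review findings for a CycloneDX SBOM as of the ISO timestamp as_of; [] means it passes."""
    bom = json.loads(sbom_json)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    meta = bom.get("metadata", {})
    ts = meta.get("timestamp")
    if ts is None:
        findings.append("metadata.timestamp missing; cannot show the SBOM is current")
    elif parse_ts(as_of) - parse_ts(ts) > timedelta(days=MAX_SBOM_AGE_DAYS):
        findings.append(f"SBOM timestamp {ts} is older than {MAX_SBOM_AGE_DAYS} days")
    if not meta.get("component", {}).get("version"):
        findings.append("metadata.component lacks the device version the SBOM describes")
    components = bom.get("components", [])
    if not components:
        findings.append("no components listed; third-party libraries must be inventoried")
    for c in components:
        name = c.get("name") or "<unnamed>"
        if not c.get("version"):  # unversioned entries cannot be matched to advisories or a VEX statement
            findings.append(f"component {name} has no version")
    return findings
```

Run the check against the SBOM on the application date; any finding is a gap a reviewer would likely raise.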
Can the TGA accept an FDA Section 524B submission as-is?
The technical content is largely accepted, but the sponsor still must produce an Australian Declaration of Conformity, an Essential Principles 12 and 12A mapping, and labeling and postmarket content that fit Australian requirements. The TGA does not waive the EP mapping based on FDA clearance alone.
What is Essential Principle 12A?
EP 12A is the Australian Essential Principle that explicitly covers programmable medical devices. It requires that programmable medical devices perform with repeatability, reliability, and consistency appropriate for the intended use. Cybersecurity evidence supports EP 12A by demonstrating that security controls do not undermine that performance.
How does TGA classification differ from FDA classification?
The TGA uses an EU-aligned classification system (I, IIa, IIb, III, AIMD), while the FDA uses three classes (I, II, III) under 21 CFR Part 860. The classification rules are different, and a device that is FDA Class II may be TGA Class IIa, IIb, or III depending on the rules that apply.
What postmarket reporting applies to cybersecurity incidents?
Sponsors must report serious adverse events and near-incidents to the TGA, and incidents that meet the threshold for a hazard alert or recall trigger URPTG obligations. The postmarket cybersecurity plan should describe the decision criteria, the timeline, and the owner for each pathway.
Ready to bring your device to the Australian market?
If you have an FDA-cleared device and need a TGA ARTG inclusion with cybersecurity content that maps cleanly to Essential Principles 12 and 12A, we can help. If the regulator raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Schedule a discovery call.
Christian Espinosa, Founder, Blue Goat Cyber, CISSP, OSCP. Christian has led international medical device cybersecurity programs across FDA, EU MDR, and APAC pathways and previously commanded military red-team operations. Read more at christian-espinosa.