On February 4, 2026, the Medical Device Division (MDD) of Hong Kong announced a revision to Technical Reference TR-007: Software Medical Devices and Cybersecurity, effective February 3, 2026.
This is a more substantial update than previous revisions, strengthening expectations for software life cycle oversight, technical documentation, cybersecurity controls, and post-market management.
Scope
Revision of Technical Reference TR-007: Software Medical Devices and Cybersecurity, introducing enhanced requirements relating to Total Product Life Cycle (TPLC) concepts, expanded definitions and clarifications, strengthened technical documentation expectations, updated cybersecurity requirements, and new post-market management obligations. The revised requirements take immediate effect.
Background
TR-007 provides technical guidance for software-related medical devices under Hong Kong’s Medical Device Administrative Control System (MDACS), including Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).
In this latest revision, MDD has cited IMDRF Guidance on Principles and Practices for Medical Device Cybersecurity and introduced more explicit and comprehensive requirements, reflecting increasing regulatory focus on continuous cybersecurity management, software change control, and life cycle oversight for software-enabled medical devices.
Key Points
Introduction of Life Cycle Concepts
The revised TR-007 formally introduces the Total Product Life Cycle (TPLC) concept, encouraging manufacturers to integrate quality, safety, and performance considerations from initial product conception through to the end of support.
Expanded Definitions and Clarifications
Key updates include:
- New definition for Cybersecurity: A formal definition has been added. Cybersecurity is defined as a state where information and systems are protected from unauthorized activities to maintain confidentiality, integrity, and availability.
- Clarification of non-medical device software (Clause 4.1.5): TR-007 now clearly identifies software not considered a medical device, including:
  - Hospital information systems for billing
  - Electronic health records for storage only
  - General wellness or fitness applications
- Updated examples for SiMD and SaMD: Examples have been updated to include software such as blood glucose meter software and urinalysis image analysis software.
Enhanced Technical Documentation Requirements
The revised TR-007 introduces strengthened documentation expectations, including:
- Architecture diagrams: Applicants may be requested to submit system and software architecture diagrams to support verification and validation activities.
- Software version justification: If the software version used in validation reports differs from the version being listed, manufacturers must provide justification regarding the relevance of the validation evidence.
Strengthened Cybersecurity Requirements
The revised “Basic cybersecurity requirements” (Clause 5.5.4.1) introduce two new mandatory plans:
- Patching and updates plan: Outlines how software will be updated, either routinely or in response to vulnerabilities, to maintain safety.
- Recovery plan: Details the procedures to restore the device to normal operating conditions following a cybersecurity incident.
Moreover, the revision emphasizes that cybersecurity risk controls must be verified and validated.
New Section on Post-Market Management (Section 7)
A new Section 7 has been introduced on post-market management. It requires the Local Responsible Person (LRP) to report software-related adverse events, including cybersecurity incidents that affect device performance or safety, to MDD.
Updates to Reference Documents
This revision newly references the following guidance documents:
- IMDRF Guidance on Principles and Practices for Medical Device Cybersecurity
- Health Canada Guidance Document: Software as a Medical Device (SaMD) — Classification Examples
- Hong Kong MDD Guidance Note GN03: Adverse Event Reporting by Local Responsible Person
In addition, this revision cites an updated version of the Health Sciences Authority (HSA) guideline: Software Medical Devices – A Life Cycle Approach, Revision 3.0 (2024.03).
Implications to Clients
If your product qualifies as SaMD or incorporates SiMD, this revision is applicable to your medical device.
The updated requirements reflect a regulatory shift toward continuous cybersecurity management and full life cycle oversight. Compliance will require closer coordination among software engineering, cybersecurity, and regulatory affairs teams to meet enhanced expectations for technical documentation, patch management, and post-market incident reporting.
ISO 27032 and ISO/IEC 27001 are cited within TR-007. Clients are advised to ensure that the requirements of these ISO standards, together with the revised Technical Reference, are appropriately implemented within their quality management system for relevant medical devices.
Reference
You can view the full MDD announcement here: https://www.mdd.gov.hk/en/whats-new/mdacs-activities/index-id-2353.html
TR-007: Software Medical Devices and Cybersecurity
- Link to the updated English version
- Link to the new Chinese version
Next Steps
If you require support in interpreting the revised TR-007 requirements, reviewing your cybersecurity documentation, or aligning your SaMD/SiMD technical files and post-market processes with MDACS expectations, our regulatory team can assist throughout the process.
Contact us at info@nordpacificmed.com for more details.