Qualysec
Blog

MDMA SFDA Approval Process: Complete Guide to Medical Device Marketing Authorization in Saudi Arabia

Learn the SFDA MDMA approval process for medical devices in Saudi Arabia, including compliance requirements, classification, and technical documentation.

Published on July 17, 2026
Read Time: 19 min
CONNECT WITH US

A medical device may be ready for hospitals, clinics, or distributors, but Saudi market entry begins much earlier than the first shipment. It begins with whether the device can meet the Saudi Food and Drug Authority’s (SFDA) MDMA requirements.

The timing matters. Saudi Arabia’s medical devices market was valued at around USD 13.54 billion in 2025 and is projected to reach nearly USD 25.74 billion by 2034, with growth linked to healthcare infrastructure development and increasing demand driven by chronic health conditions. For manufacturers, this creates strong commercial interest, but also a need for careful regulatory planning.

MDMA SFDA approval can involve device qualification, classification, technical documentation, QMS evidence, authorised representation, GHAD submission, fees, SFDA questions and post-market duties. Software, AI-enabled tools, connected devices, IVDs, sterile devices, implants and higher risk products need even closer attention because the evidence expectations can be more detailed.

This guide focuses only on the Saudi MDMA process, helping you understand what medical device marketing authorization involves before bringing your device to the Kingdom.

Key Takeaways

  • MDMA SFDA approval is product-specific. The device name, model, manufacturer, intended use, risk class, and supporting file must all match.
  • CE marking or FDA clearance may support the application, but it cannot replace Saudi review or GHAD submission.
  • Risk classification decides the real weight of the file, including technical evidence, clinical or performance data, fees and post-market expectations.
  • Foreign manufacturers need to choose the authorised representative carefully because the AR affects certificate control, SFDA communication and lifecycle compliance.
  • Software, AI, SaMD, IoT and cloud-connected devices need stronger cybersecurity evidence, not just standard technical documentation.

What Is MDMA SFDA Approval?

MDMA means Medical Device Marketing Authorization. It is the approval a medical device or IVD needs from the Saudi Food and Drug Authority before it can be placed on the Saudi market.

Think of it as the official checkpoint before a product moves into real commercial use. Without MDMA, a device cannot be legally marketed, imported, distributed or used in Saudi Arabia. The rule applies whether the manufacturer is based inside the Kingdom or entering from another country through an authorised representative.

Some manufacturers assume that a CE mark, FDA clearance or approval from another market is enough to move ahead. It can help, but it is not a replacement for SFDA medical device approval. The SFDA still reviews the product against Saudi requirements.

Overview of the SFDA Medical Device Regulatory Framework

Saudi Arabia does not treat medical device entry as a simple import activity. The Saudi Food and Drug Authority regulates how devices are approved, brought into the country, distributed, monitored after sale, and reported when safety concerns appear. So, even if a product already has CE marking, FDA clearance, or approval in another market, it still needs to meet Saudi requirements before commercial use.

The main document behind Medical device marketing authorization is MDS REQ. It sets out what manufacturers need to prepare for authorization, including device information, technical evidence, quality records and other details SFDA needs before allowing the product onto the Saudi market.

Applications are submitted through GHAD, SFDA’s electronic system for medical device licensing and marketing authorization services. Before using GHAD, manufacturers need to get the basics right:

  • Confirm that the product qualifies as a medical device or IVD
  • Identify the correct risk classification
  • Prepare technical documentation that matches the device and intended use
  • Provide quality management system evidence
  • Appoint a local authorised representative if the manufacturer is outside Saudi Arabia
  • Submit the application through GHAD for SFDA review
  • Maintain post-market surveillance and vigilance after authorization

Which Products Need MDMA SFDA Approval?

Which Products Need MDMA SFDA Approval

Not every health-related product needs MDMA. The real question is what the product is meant to do.

If a device or IVD is intended to diagnose a condition, monitor a patient, support treatment, prevent disease, replace part of the body, or help manage an injury or physiological process, it will likely fall under Saudi Arabia medical device regulations. SFDA looks at the intended purpose, the claims made by the manufacturer, and the possible risk to the person using it.

Common products that may need authorization include:

  • Diagnostic equipment
  • Surgical instruments
  • Implants
  • Sterile consumables
  • IVD kits
  • Patient monitoring devices
  • Medical device accessories
  • Software as a Medical Device
  • AI and machine learning-based clinical tools
  • Wearables with medical claims
  • Telemedicine products
  • Digital therapeutics products

The same product can be treated differently depending on its claims. A wellness wearable that tracks steps may not need the same route as a wearable that claims to detect heart rhythm problems. A general lifestyle app is different from software that supports diagnosis or treatment decisions.

So, before starting the file, manufacturers need to check the product’s purpose, label claims, features, and risk profile carefully.

SFDA Medical Device Classification and Its Impact on MDMA Approval

Before preparing a file, you need to know how SFDA sees the product. Saudi Arabia uses a risk-based classification system for medical devices and IVDs. The class is not chosen by the manufacturer’s preference. It comes from the device’s intended use and the risk it may create if something goes wrong.

SFDA classes are:

  • Class A for low-risk devices
  • Class B for low to moderate risk devices
  • Class C for moderate to high risk devices
  • Class D for high-risk devices

Classification depends on several details. SFDA looks at how long the device is used, whether it enters the body, whether it is active, and whether it delivers energy, medicine, or another substance. Implantable devices usually need closer review. The same applies when a wrong result or device failure could lead to serious harm. If more than one rule applies, the higher class usually wins.

This matters because classification changes the weight of the SFDA MDMA application. A higher class usually means deeper technical documentation, stronger clinical or performance evidence, more detailed PMS or PSUR expectations, higher official fees, and more chance of SFDA questions during review.

A simple non-sterile Class A accessory may have a lighter file. But sterile Class A devices, reusable surgical instruments, and measuring devices should not be treated as basic low-risk products. A diagnostic AI tool will need even more care because SFDA may look closely at clinical performance, software validation, data handling, and cybersecurity evidence.

For software and connected medical devices, manufacturers should also consider the FDA’s cybersecurity guidance. It recommends secure design, cybersecurity risk assessment, software validation, vulnerability management, and timely security updates. Although this is not an SFDA requirement, following these practices can strengthen the technical documentation.

MDMA SFDA Approval Process: Step-by-Step Guide

MDMA SFDA Approval Process Step-by-Step Guide

Step 1: Confirm Whether the Product Is a Medical Device

A product name or category is not enough to decide the approval route. SFDA looks at the intended use, claims, and actual function of the product.

This matters for physical devices, IVDs, software, AI tools, wearables, and digital health products. A wellness app may sit outside MDMA, but software that supports diagnosis, treatment decisions, or patient monitoring may need SFDA medical device approval.

The wrong qualification can affect the risk class, required evidence, review time and GHAD submission route.

Step 2: Classify the Device

After qualification, place the device under the correct SFDA risk class. The decision should reflect how the product is used and what could happen if it fails. Your classification rationale should cover only the details that matter, such as:

  • Intended use
  • Duration of use
  • Invasiveness
  • Active function
  • Product variants or accessories
  • IVD status, where relevant

Do not treat classification as a quick checkbox. A weak rationale can lead to questions during the SFDA MDMA application, especially when someone does not explain accessories, components, or IVD performance risks clearly.

Step 3: Appoint a Saudi Authorised Representative

Foreign manufacturers generally need a licensed authorised representative in Saudi Arabia before submitting the file. The representative acts as the local regulatory contact and handles communication with SFDA.

The authorised representative usually submits the application, keeps the required records, answers SFDA queries, and supports post-market duties after approval. This role should not be chosen only for convenience.

Some manufacturers appoint their distributor as the authorised representative. That can work, but it may create control issues later if the manufacturer changes commercial partners. A separate regulatory representative can give the manufacturer better continuity and cleaner control over the approval file.

Step 4: Prepare Technical Documentation

Technical documentation is the evidence behind the application. It should explain what the device is, how it works, how it is made, and why it is safe for its intended use.

The file usually includes:

  • Device description and intended purpose
  • Design and manufacturing information
  • Essential principles checklist
  • Applicable standards
  • Risk management file
  • Verification and validation records
  • Clinical or performance evidence
  • Labelling and IFU
  • Post-market surveillance plans

The file should match the product being submitted, not a similar model or an outdated version. SFDA may ask for full documentation during review or after approval, so manufacturers should treat the technical file as a living compliance record, not a one-time submission pack.

Step 5: Submit the Application Through GHAD

Once the file is ready, the application is submitted through GHAD under SFDA’s marketing authorization services. The system is used to enter product details, upload documents, and manage the review process.

Accuracy matters here. Product grouping, model mapping and uploaded files should match the technical documentation. If model names, accessories, variants, or intended uses are unclear, SFDA may raise questions that could have been avoided before submission.

Step 6: Pay Fees and Respond to SFDA Queries

After submission, the applicant must pay the SFDA fee linked to the device class. Higher risk devices usually carry higher review costs and need closer budget planning.

SFDA may return questions during review. Assign one internal owner to manage these requests, collect inputs from regulatory, clinical, quality, and technical teams, and submit a complete response on time.

Recent SFDA guidance points to a 60 calendar day limit for responding to returned MDMA applications across the allowed response cycles. Late or partial answers can put the application at risk, so query handling should be planned before submission.

Step 7: Receive the MDMA Certificate

Once SFDA accepts the application, it issues the MDMA certificate. This certificate confirms that the listed device can be marketed in Saudi Arabia under the approved details.

Before moving ahead with import or distribution, check the certificate carefully. Product name, model numbers, manufacturer details, authorised representative details, risk class and validity should match the submitted file. Even a small mismatch can create problems during import, renewal or post-market activities.

Step 8: Maintain Compliance After Approval

The certificate allows market access, but it also brings ongoing responsibilities. After approval, the manufacturer and authorised representative must continue tracking the device’s safety, performance and regulatory compliance status in Saudi Arabia.

Post-approval work usually covers:

  • Post-market surveillance
  • PSUR, where required
  • Complaint handling
  • Vigilance reporting
  • Field safety corrective actions
  • Certificate renewal
  • Product updates
  • Labelling or IFU changes
  • Traceability records

Changes to the device, manufacturer details, intended use or safety information should be reviewed before implementation. Weak follow-up can affect renewal, inspections and continued market access.

Need a Real Compliance Testing Report Sample Today?

See exactly how security experts document vulnerabilities, risks, and remediation steps in a professional pentest report.

Download Sample Report

Pentest Report

Required Documents for MDMA SFDA Approval

The document list is not identical for every product. A low-risk accessory will not need the same depth of evidence as an implant, sterile device, IVD, software product or AI-enabled clinical tool. SFDA looks at the device class, intended use, technology, risk profile and the type of evidence needed to support safety and performance.

The table below gives a practical checklist of the main areas manufacturers should prepare before submission.

Documentation Area What to Include
Administrative details Legal manufacturer details, authorised representative information, establishment details and application form information
Device identity Device name, model, variants, accessories and UDI or Saudi DI impact where applicable
Intended use Indications, user group, use environment, claims and contraindications
Classification Device class, rule applied and classification rationale
Technical file Device description, design information, manufacturing details and specifications
Essential principles Essential principles checklist and evidence showing conformity
Standards Applied standards and justification for any deviations
Risk management Hazard analysis, risk controls, residual risk evaluation and benefit-risk rationale
Verification and validation Test reports, software validation, usability, electrical safety or performance testing, where applicable
Clinical or performance evidence Clinical evaluation for medical devices or performance evaluation for IVDs
Labelling and IFU English and Arabic labelling where required, IFU, symbols, warnings and user instructions
QMS evidence ISO 13485 certificate or other relevant quality system evidence
PMS or PSUR PMS plan, PMS report or PSUR depending on device class and type
Declarations Manufacturer declarations and relevant conformity statements

Cybersecurity Considerations for MDMA SFDA Approval

Cybersecurity becomes part of the regulatory file when a device depends on software, connectivity or data exchange. It is relevant for SaMD platforms, AI diagnostic tools, connected wearables, remote patient monitoring systems, telemedicine products, cloud-linked devices and IoT-enabled hospital equipment.

The concern is simple. If a device sends patient data, connects to an app, uses APIs, runs through cloud infrastructure, or supports clinical decisions, a security weakness can affect both privacy and patient safety.

Manufacturers should be ready with evidence such as:

  • Threat modelling
  • Secure software development records
  • Authentication and access control details
  • Data encryption approach
  • API security controls
  • Vulnerability management process
  • Patch and update plan
  • Penetration testing report, where applicable
  • Incident response and post-market vulnerability handling process

These documents should connect with the technical file, risk management file and PMS plan. Treating cybersecurity as a separate folder at the end can create gaps between the device risks, software controls and post-market monitoring.

For connected medical devices, SaMD, AI products and healthcare platforms, penetration testing can help manufacturers check whether security controls work before or during regulatory readiness work. Qualysec supports this by testing applications, APIs, cloud environments and connected systems that may form part of the medical device environment.

MDMA Approval Timeline and Review Process

SFDA’s review time is commonly listed as 35 working days when the application is complete and the requirements are met. That number should not be read as the full project timeline.

The real timeline can stretch when the product file is not ready before submission. Common reasons include unclear classification, missing documents, weak clinical evidence, unanswered SFDA queries, or late applicant responses. Software, AI-enabled products and connected devices may also need more review effort because the evidence can cover software validation, cybersecurity, data handling and clinical performance.

Device Class or Action Fee
Class A SAR 15,000
Class B SAR 19,000
Class C SAR 21,000
Class D SAR 23,000
Renewal SAR 5,000
Minor label or IFU update SAR 1,100

Manufacturers should plan time before and after the formal review window. Authorised representative selection, document cleanup, Arabic labelling checks, QMS evidence, cybersecurity testing and query response planning can all add time before the certificate is issued.

Post Approval Compliance Requirements

Getting the certificate is only one part of market access. After that, the manufacturer and the authorised representative must keep the device file accurate, monitor performance in use and act when safety information changes.

Post-approval responsibilities usually include:

  • Keeping technical documentation updated
  • Maintaining quality system evidence
  • Tracking complaints and incidents
  • Running post-market surveillance
  • Preparing PMS reports or PSURs based on device class
  • Reporting vigilance events when required
  • Managing field safety corrective actions
  • Renewing the certificate before expiry
  • Submitting updates for changes to labels, IFU, design, manufacturer details or device information
  • Keeping UDI or Saudi DI information aligned where applicable

Class A devices may need PMS reports, while Class B, C and D devices generally need PSURs with more structured safety and performance updates. The exact effort depends on device type, risk class, and market feedback.

For software based or connected devices, post-market work should also include cybersecurity monitoring. Manufacturers need a way to track vulnerabilities, release patches, handle incidents, and update risk records when new threats appear.

Common Challenges in Obtaining MDMA Approval

1. Wrong Qualification or Classification

Delays can begin at the first decision. If the product is placed under the wrong route or assigned the wrong risk class, the whole file can move in the wrong direction. This affects the evidence required, the review path, and the questions raised later.

2. Overreliance on Foreign Approval

CE marking, FDA clearance, or approval from another market can support the submission. It does not replace SFDA review. Saudi requirements still apply, so manufacturers need a file that matches the product, intended use, class, and local expectations.

3. Poor AR and Certificate Control

Some manufacturers appoint a distributor as the authorised representative without thinking through long-term control. This can become difficult if the distributor changes, the commercial agreement ends, or the manufacturer wants to move the certificate later.

4. Weak Evidence or Outdated Files

A file can slow down when clinical evaluation, IVD performance data, QMS evidence, or risk management records are incomplete. Software and connected devices may face more questions if cybersecurity evidence is weak.

A SaMD product with diagnostic claims, for example, may need clinical evidence, software validation and security testing before the file is ready.

5. Product Grouping Problems

Model grouping should follow regulatory logic, not only sales convenience. Accessories, variants and device families need to be mapped clearly. If the grouping looks unclear, SFDA may ask for clarification or separate submissions.

6. Labelling and Post-Market Gaps

Missing Arabic labelling or IFU requirements can create avoidable delays. PMS plans, PMS reports and PSUR expectations should also be clear before submission.

The same discipline applies after filing. Late replies to SFDA or CAB questions, unplanned label updates and changes to device or manufacturer details can create extra review pressure.

MDMA SFDA Approval Checklist for Manufacturers

MDMA SFDA Approval Checklist for Manufacturers

Use this checklist before submitting the application. It helps catch missing items early and reduces avoidable review questions.

Product and Scope

  • Device name, models, variants, and accessories are mapped
  • Intended use and medical claims are final
  • Medical device or IVD qualification is confirmed
  • Grouping strategy is clear and justified
  • UDI or Saudi DI impact is reviewed where applicable

Regulatory and Local Responsibility

  • Classification rationale is documented
  • Legal manufacturer is identified
  • Saudi authorised representative is selected
  • AR agreement covers certificate control and lifecycle responsibilities
  • Importer, distributor and AR roles are clearly separated
  • GHAD access is confirmed

Technical and Quality Evidence

  • QMS certificate or equivalent evidence is ready
  • The essential principles checklist is completed
  • The applied standards list is prepared
  • Risk management file is updated
  • Clinical evaluation or IVD performance evaluation is available

Software, Connectivity and Cybersecurity

  • Cybersecurity risk assessment is prepared for software or connected products
  • Penetration testing is considered for SaMD, IoT, API connected or cloud-connected devices
  • Security evidence is linked to the risk file and technical documentation

Labelling and Post-Market Readiness

  • Arabic and English labelling is checked
  • IFU is reviewed for accuracy and consistency
  • PMS plan is ready
  • PMS report or PSUR approach is defined
  • SFDA query response owner is assigned before submission

How Qualysec Helps Medical Device Manufacturers Achieve MDMA Compliance

A connected medical product can look fully compliant in documentation and still carry hidden security gaps. APIs may expose patient data. A mobile app may store sensitive information poorly. Cloud settings may leave systems open. An IoT device may accept weak access controls.

Qualysec helps manufacturers find these issues before they become part of a regulatory or post-market problem. Its cybersecurity testing can support SaMD, AI-enabled tools, healthcare portals, mHealth apps, device-to-cloud APIs, EHR integrations, cloud platforms, IoT devices and exposed network infrastructure.

The healthcare device testing approach combines manual review, automated checks and hacker-style validation. Instead of stopping at basic scan results, Qualysec validates real risk, reduces false positives and gives developers clear remediation steps.

Reports include:

  • Severity-ranked vulnerabilities
  • Reproduction steps
  • Remediation guidance
  • Executive summary
  • Retest support and consultation calls

Qualysec does not replace the authorised representative or submission owner. It strengthens the cybersecurity side of the file so manufacturers can address weaknesses before submitting or updating MDMA documentation.

Conclusion

Saudi approval works best when the groundwork is done before the file reaches GHAD. Classification, technical evidence, QMS records, authorised representation, query handling and post-approval duties all need to line up.

This becomes even more important for software-based, AI-enabled, connected, sterile, implantable, IVD-related and higher risk devices. If the file is consistent from the start, manufacturers are less likely to face avoidable delays and can answer SFDA questions with stronger evidence.

For SaMD, AI, IoT and cloud-connected medical products, Qualysec can help manufacturers assess cybersecurity risks through detailed penetration testing and practical remediation support.

Speak Directly With Qualysec’s Certified Security Experts

Discover vulnerabilities before attackers exploit them

Schedule Free Consultation

Security Expert

FAQs

Q. Is MDMA required for all medical devices in Saudi Arabia?

In general, a medical device needs MDMA before it can enter normal commercial use in Saudi Arabia. Some limited cases may follow a different route or exemption, but this depends on the product, its medical purpose and SFDA’s current requirements.

Q. Can I sell a device in Saudi Arabia with CE or FDA approval only?

No. CE marking or FDA clearance can strengthen the supporting file, but it does not give automatic access to Saudi Arabia. SFDA still needs to review the product before it can be placed on the market.

Q. What is GHAD?

GHAD is the online system used by SFDA for medical device licensing and authorization services. It is the platform where applicants enter product details, attach documents, and manage application-related communication.

Q. How long is an MDMA certificate valid?

MDMA certificates are generally issued for a validity period of up to three years. Manufacturers should monitor the expiry date and begin renewal planning early so there is no gap in market authorization.

Q. Are software and AI tools regulated as medical devices?

Yes, when they have a medical purpose. Software, AI tools, mobile health apps, wearables or digital therapeutics may regulate themselves if they help with diagnosis, monitoring, treatment decisions or disease management.

Chandan Sahoo

About Chandan Sahoo

Chandan Kumar Sahoo is the Co-Founder and Chief Executive Officer (CEO) at Qualysec. With over 8 years of experience in security testing and software quality assurance, he leads corporate strategy and expansion, helping organizations globally secure their web, mobile, and cloud environments.

Leave a Comment.

Your email address will not be published. Required fields are marked *

Related Blogs

Subscribe to Newsletter

Get the latest cybersecurity insights, compliance tips, and vulnerability reports delivered directly to your inbox.