Saudi Arabia’s healthcare sector is expanding rapidly, with spending projected to rise from US$74.7 billion in 2017 to US$135.5 billion by 2027. Pharmaceuticals and medical technologies represent around 20% of this expenditure, creating strong opportunities for manufacturers while placing greater emphasis on safety, quality, and regulatory control.
The Saudi Food and Drug Authority oversees medical devices entering and circulating within the Kingdom. However, complying with SFDA medical device regulations requires far more than completing an MDMA application. Classification, authorised representation, technical evidence, cybersecurity, establishment licensing, and postmarket duties must all align.
Applications often stall because device records conflict, supporting documents are incomplete, or companies mistake product authorisation for permission to operate.
So, what does a successful route to the Saudi market actually involve? Let us examine each requirement in the order you need to address it.
Key Takeaways
- SFDA market entry depends on more than product approval. Classification, local representation, establishment licensing and import readiness all affect whether a device can be sold in Saudi Arabia.
- The MDMA applies only to the manufacturer, models, sites and intended use listed in the approval. Changes may require further regulatory action.
- Consistent records are critical. Product names, software versions, certificates, labels and UDI data should match throughout the dossier.
- Connected and software-based devices need security evidence that covers the full system, including apps, APIs, cloud services, networks and IoT components.
- Compliance continues after launch through complaint handling, incident reporting, recalls, renewals, change control and ongoing product record maintenance.
What Are SFDA Medical Device Regulations?
SFDA medical device regulations are the rules that medical device companies must follow to enter and remain in the Saudi market.
The main requirements come from the Medical Devices and Supplies Law and its Implementing Regulation. SFDA also issues guidance for specific products as well as decisions and circulars. Portal procedures form part of the process too.
The rules cover device approval and company licensing. They also apply to imports, distribution, labelling, advertising and inspections. After approval, companies must monitor product safety and report problems. They may also need to manage recalls or corrective actions.
SFDA requirements can change. Always check the latest official documents before preparing an application.
SFDA Medical Device Classification System
Saudi Arabia classifies medical devices according to the level of risk they may present to patients or users.
| Class | General risk level | Illustrative device type |
| --- | --- | --- |
| Class A | Low | Simple devices that are not sterile and have no measuring function |
| Class B | Low to moderate | Certain diagnostic or therapeutic devices |
| Class C | Moderate to high | Some implants and active devices with greater clinical risk |
| Class D | High | Critical devices and products used to support or sustain life |
These examples provide general guidance only. The final class depends on the SFDA classification rule that applies to the device.
Several details can affect the result. These include the intended purpose and how long the device remains in use. The SFDA also considers whether it is invasive, implantable, active, sterile or designed to measure. Its diagnostic or therapeutic role matters as well. A device may fall into a higher class when failure could cause serious harm.
Accessories do not automatically receive the same class as the main device. IVDs, medical software and AI-based devices may also need a separate assessment.
Manufacturers should document their decision in a classification memorandum. It should state the intended purpose and the rule applied. It should also explain any other rules considered before giving the final class and supporting reasons.
SFDA Medical Device Registration Process: Step-by-Step Guide
1. Confirm That the Product Is a Medical Device
Start by reviewing the product’s intended purpose, claims, mode of action, software functions and accessories. Promotional wording also matters because medical claims can change how the SFDA categorises the product. Any borderline issue should be resolved before registration begins, since choosing the wrong pathway can delay the MDMA application.
2. Determine the Saudi Device Classification
Use the latest SFDA rules to assign the device to the correct risk class. Keep a written record of how the decision was reached. Features such as software components, accessories, sterility and measurement functions may need their own review before the final class is confirmed.
3. Decide Which Products Can Be Grouped
Review whether several models or variations can sit under one SFDA application. Products are more likely to qualify for grouping when they share the same intended use, core technology, risk class and supporting evidence.
You should also compare manufacturing locations, sterilisation methods and labelling. A product range sold as one family elsewhere may still need separate applications in Saudi Arabia if the differences are significant.
4. Appoint a Saudi Authorised Representative
A manufacturer based outside Saudi Arabia must appoint a local authorised representative. Their agreement should spell out who handles SFDA submissions, renewals and official queries.
It should also cover complaints, safety incidents, recalls and access to technical records. Portal control needs equal attention, since unclear ownership can create problems when applications are updated or renewed.
5. Check Establishment Readiness
Product approval alone is not enough. The manufacturer and every Saudi entity involved in placing the device on the market must hold the correct regulatory status.
Check the authorised representative, importer, distributor and warehouse before filing. Include any service provider that performs regulated activities. Missing or expired establishment approvals can hold up importation even when the device application is complete.
6. Conduct a Dossier Gap Assessment
A dossier gap assessment helps catch conflicting details before the application reaches the SFDA. Review the full file and confirm that the following information matches throughout:
- Manufacturer name and address
- Model numbers and intended purpose
- Device class and manufacturing sites
- Software versions
- ISO 13485 certificate details
- Foreign market approvals
- Labels and instructions for use
- Clinical evidence and risk management records
- UDI information
Any mismatch should be corrected before submission. Differences in names, versions or product descriptions often lead to additional questions and review delays.
7. Prepare and Submit the MDMA Application
Arrange the dossier so reviewers can move through it easily. It should cover administrative records, quality documents, technical evidence, clinical support, labelling and postmarket controls.
The completed MDMA application is submitted through the SFDA Unified Electronic System, known as GHAD. Check the live service page before filing because older guidance may refer to previous portal names or processes.
8. Pay the Applicable Fees
MDMA fees are not the same for every application. The amount may depend on the device class, application scope and how products are grouped. Always check the latest SFDA fee schedule before submission rather than relying on a single published figure.
9. Respond to SFDA Review Questions
Treat every SFDA query as a separate issue. Give a direct answer and identify the file and page where the evidence appears. When a document changes, replace it with a clearly dated version so the reviewer can see what was updated.
Run one final consistency check before sending the response. Product names, manufacturer details, intended use and software versions should remain identical throughout the application.
10. Review the Issued Authorisation
Once the approval is issued, compare it with the final application. Check the following details:
- Manufacturer name
- Saudi authorised representative
- Device name and models
- Classification
- Manufacturing sites
- Validity period
- Any conditions or restrictions
Ask the SFDA to correct any error before the device is imported or distributed. Even a small mismatch can create problems during customs clearance or market checks.
Understanding MDMA SFDA Approval
MDMA stands for Medical Devices Marketing Authorisation. It gives a manufacturer permission to place an approved medical device or device family on the Saudi market.
The approval is tied to the information reviewed by the SFDA. It covers the named manufacturer, listed models, declared manufacturing sites and approved intended purpose. Adding a new model or changing a key product detail may require further regulatory action.
What MDMA Does Not Replace
An MDMA does not remove the need for:
- A Saudi authorised representative
- Valid importer and distributor licences
- An approved warehouse where required
- Saudi DI registration
- Import and shipment clearance
- Advertising approval
- Safety reporting after launch
- Timely renewals and change notifications
A device can hold a valid MDMA approval and still face entry delays. This often happens when the importer is not licensed or the shipment records are incomplete. Incorrect labels can cause the same problem. Manufacturers should therefore prepare the product application and local supply arrangements together rather than treating approval as the final step.
SFDA Quality and Compliance Requirements for Medical Devices
Quality Management System
The MDMA file should include a valid ISO 13485 certificate that covers the device and relevant manufacturing sites. It should also account for outsourced processes, critical suppliers and sterilisation facilities where applicable.
ISO 13485 confirms that a quality system is in place. It does not prove device safety or clinical performance on its own.
Technical Documentation
The technical file should explain what the device is and how it works. Include its intended purpose, model list, materials, components and manufacturing details.
It should also show how the device meets essential safety and performance requirements. Support this with the risk management file and relevant verification and validation reports.
Clinical and Performance Evidence
The evidence must show that the device performs as claimed and that its benefits outweigh the known risks. This may rely on published studies, equivalence data, clinical investigations or postmarket experience.
IVD submissions also need analytical and clinical performance data suited to the test and its intended use.
Labelling Requirements
Labels and instructions for use must match the approved device information. They should identify the manufacturer and Saudi authorised representative while clearly stating warnings, storage conditions, model details, lot or serial numbers and expiry dates where relevant.
UDI information and required Arabic text must also be included. Use qualified medical translators, then have the final wording checked by regulatory and technical reviewers before submission.
SFDA Cybersecurity Requirements for Medical Devices
Cybersecurity applies when a device uses software or connects to mobile apps, cloud services, hospital networks or IoT systems. It is also relevant to AI-enabled products. The evidence should reflect the actual device design, its interfaces, data flows and operating environment. The potential for patient harm must guide the level of testing and control.
Cybersecurity Documentation
The technical file may include:
- Threat modelling and cybersecurity risk assessment
- Software bill of materials
- Authentication and access controls
- Encryption and audit logs
- Vulnerability management
- Secure update procedures
- Incident response planning
- End of support arrangements
- Coordinated vulnerability disclosure
- Penetration testing reports
Penetration Testing Scope
Testing should cover the parts an attacker could reach. Depending on the product, this may include web and mobile applications, APIs, cloud infrastructure, external networks, IoT components, device communication interfaces and administrative portals.
Confirmed vulnerabilities should link to remediation records. Retesting must show whether the fixes worked, followed by an assessment of any remaining risk.
Qualysec can assess the web, mobile, API, cloud, network and IoT components that support connected medical devices.
SFDA Medical Device Regulations for International Manufacturers
Companies based outside Saudi Arabia can manage the MDMA process themselves or work through a licensed Saudi authorised representative. When a representative is appointed, that company becomes the local contact for regulatory communication with the SFDA.
The role may cover application support, renewals, responses to SFDA questions, complaint handling, incident reporting, recalls, product changes and inspection coordination. It does not automatically include importing, distribution, customs work or sales. Those activities require their own licences and agreements.
The contract should identify the devices covered and explain who controls portal access, records and regulatory correspondence. It should also set deadlines for forwarding complaints, handling renewals and transferring files when the relationship ends.
Manufacturers should keep their own copies of applications, approvals and SFDA communications. This prevents loss of control if the representative changes or the agreement is terminated.
Common SFDA Medical Device Compliance Challenges
Applications often face delays because the dossier contains conflicting information. Common problems include:
- Incorrect device classification
- Unsupported grouping of models
- Expired or incomplete certificates
- ISO 13485 scope gaps
- Different intended purposes across documents
- Weak clinical evidence
- Missing sterilisation or shelf life validation
- Arabic translation errors
- Uncontrolled software versions
- Incomplete cybersecurity records
- UDI mismatches
- Slow responses to SFDA questions
Contradictions are usually harder to fix than missing documents. For example, an application may list one software version while the risk file, penetration test and label refer to others. The manufacturer then has to confirm the correct version and update every affected record before the review can continue.
SFDA Medical Device Compliance Checklist
Before Submission
Confirm that the following items are ready:
- Product status has been confirmed
- Saudi device classification has been documented
- Product grouping has clear justification
- A Saudi authorised representative has been appointed where required
- Establishment roles and licences have been checked
- The ISO 13485 certificate is current and suitable
- Technical documentation is complete
- Clinical evidence is available
- The risk management file is up to date
- Labels and required Arabic content have been reviewed
- Software versions match across all records
- Cybersecurity testing has been completed
- UDI information has been prepared
Before Market Launch
Confirm that:
- MDMA details are correct
- Saudi DI records are complete
- Importer and distributor licences are valid
- Arabic artwork has been approved
- Import documents are ready
- A complaint process is in place
- Vigilance contacts are confirmed
- Recall duties are assigned
- Product traceability has been tested
After Launch
Continue to:
- Monitor complaints
- Assess adverse events
- Report field safety actions
- Review device changes before implementation
- Keep UDI records current
- Renew certificates and licences on time
How Qualysec Helps Medical Device Companies Support SFDA Cybersecurity Compliance
Connected medical devices often depend on apps, APIs, cloud systems, networks and IoT components. Qualysec tests these areas to identify weaknesses that may affect security evidence. Testing can cover:
- Web and mobile applications
- APIs and cloud infrastructure
- External networks
- IoT environments
Qualysec combines automated checks with manual testing to find access control flaws, insecure APIs, data exposure and connected attack paths. Reports include risk ratings, technical evidence and remediation guidance. Retesting can confirm whether fixes worked. These results may support risk records, corrective action tracking and technical documentation.
Qualysec does not grant MDMA approval or replace a Saudi authorised representative. Its role is limited to cybersecurity testing.
Conclusion
Meeting SFDA medical device regulations requires more than securing MDMA approval. Classification, authorised representation, technical evidence, establishment readiness, labelling, cybersecurity and postmarket duties all need attention.
Consistency matters throughout the process. Manufacturer details, intended purpose, model names, software versions, certificates and labels should match across every record.
Approval is not the end of compliance. Manufacturers must continue managing changes, complaints, incidents, renewals and product records after launch. Early regulatory review and cybersecurity testing can reduce avoidable questions, prevent document conflicts and support a smoother entry into the Saudi market.
FAQs
What is SFDA medical device registration?
It is the process used to meet Saudi requirements before a medical device can be placed on the market. Depending on the product, it may involve classification, technical review, MDMA approval, establishment checks, product records and import preparation.
Does every medical device need MDMA approval?
Not always. The correct route depends on whether the product meets the medical device definition, its intended purpose and its classification. Certain products or situations may follow different requirements or qualify for an exemption. The applicable SFDA route should be confirmed before filing.
Does CE marking or US FDA clearance guarantee SFDA approval?
No. Approval in another market can provide useful supporting evidence, but the SFDA carries out its own assessment. Manufacturers still need to meet Saudi requirements for classification, documentation, labelling and market authorisation.
Is ISO 13485 required for SFDA registration?
ISO 13485 provides evidence that the manufacturer has a suitable quality management system. The certificate must cover the relevant activities and sites. It does not remove the need for technical testing, clinical support, risk management and other evidence for the device itself.
How long does SFDA medical device registration take?
There is no single timeline for every application. Review time can change according to the device class, product grouping and dossier quality. SFDA questions may extend the process, especially when documents conflict or the applicant takes too long to respond.




