What is the primary objective of ISO 13485?

The primary objective of ISO 13485:2016 is to specify requirements for a quality management system (QMS) enabling organizations to consistently provide medical devices and related services that meet customer and applicable regulatory requirements. This standard applies to organizations involved in one or more stages of the medical device life cycle, including design, development, production, distribution, installation, servicing, and decommissioning. It emphasizes documented processes, risk-based controls, validation, traceability, and post-market obligations across Clauses 4–8 to ensure audit-ready evidence of conformity.

Who is legally or professionally required to comply with ISO 13485?

ISO 13485 applies to organizations whose activities include one or more stages of the medical device life cycle, such as manufacturers, suppliers, distributors, importers, and service providers. Target entities include medical device manufacturers (design/manufacture), contract manufacturers, sterilization/calibration services, and entities handling post-market activities. Organizations must identify their regulatory roles and incorporate applicable regulatory requirements into the QMS; it is not legally mandatory but is expected by regulators like EU MDR notified bodies and FDA (aligned via QMSR effective February 2, 2026) for market access.

Does ISO 13485 require an external audit or third-party certification?

ISO 13485 does not require third-party certification, but certification by accredited bodies is typically pursued for regulatory recognition and market access. Certification involves Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance and triennial recertification. Internal audits (Clause 8.2.4) are mandatory to demonstrate QMS effectiveness, with objective evidence of execution.

How often should an assessment for ISO 13485 be performed?

Internal audits for ISO 13485 must be performed at planned intervals to determine QMS suitability, adequacy, and effectiveness (Clause 8.2.4). Management reviews occur at planned intervals (Clause 5.6), typically annually, reviewing inputs like audits, complaints, CAPA, and regulatory changes. Certification surveillance audits are annual, with recertification every three years.

What are the consequences of non-compliance with ISO 13485?

Non-compliance with ISO 13485 risks regulatory enforcement, including product holds, recalls, market withdrawal, fines, and loss of certification. Audits reveal gaps in evidence (e.g., undocumented processes, invalid records), leading to major nonconformities, CAPA mandates, or certification suspension. Record retention failures (minimum device lifetime or two years post-release) undermine traceability, escalating to regulatory actions like FDA Form 483 observations.

Can ISO 13485 be mapped to other international frameworks?

Yes, ISO 13485 includes Annex B mapping to ISO 9001:2015, but conformity to ISO 13485 does not imply ISO 9001 compliance due to exclusions. It references ISO 14971 for risk management, IEC 62366-1 for usability, and aligns with regulatory frameworks like EU MDR (notified body audits) and FDA QMSR (effective February 2, 2026), serving as a harmonized QMS backbone.

What is the first step to begin implementing ISO 13485?

The first step to implement ISO 13485 is to define the QMS scope, including processes, justifications for exclusions (e.g., Clause 7 for non-design activities), and applicable regulatory requirements (Clause 4.1). Document this in the quality manual, identify outsourced processes with quality agreements, and conduct a gap analysis against Clauses 4–8 to prioritize risk-based remediation.

What is the primary objective of MLPS 2.0 (Multi-Level Protection Scheme)?

MLPS 2.0 (Multi-Level Protection Scheme) establishes a graded cybersecurity protection system for all network operators in China, classifying systems into five levels based on potential harm to national security, social order, and public interests. It mandates commensurate technical, management, physical, and personnel controls per level, operationalizing Article 21 of the 2017 Cybersecurity Law via standards like GB/T 22239-2019, GB/T 25070-2019, and GB/T 28448-2019.

Who is legally or professionally required to comply with MLPS 2.0 (Multi-Level Protection Scheme)?

All network operators in mainland China must comply with MLPS 2.0 (Multi-Level Protection Scheme), including domestic enterprises, foreign-invested companies, cloud providers, and operators of IT, IoT, big data, or industrial control systems. Virtually any entity managing networks falls under this scope, with critical infrastructure often at Level 3+.

Does MLPS 2.0 (Multi-Level Protection Scheme) require an external audit or third-party certification?

Yes, MLPS 2.0 (Multi-Level Protection Scheme) mandates external security reviews by licensed Chinese firms for Level 2+ systems, scoring at least 70/100 for certification. Operators submit results to local Public Security Bureaus (PSBs) for approval; Level 3+ requires periodic re-evaluations.

How often should an assessment for MLPS 2.0 (Multi-Level Protection Scheme) be performed?

MLPS 2.0 (Multi-Level Protection Scheme) assessments are required biennially for Level 2 systems, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5. Re-evaluations also follow major system changes.

What are the consequences of non-compliance with MLPS 2.0 (Multi-Level Protection Scheme)?

Non-compliance with MLPS 2.0 (Multi-Level Protection Scheme) results in fines up to 100,000 yuan, operational suspensions, business license denial, and intensified PSB inspections. Severe cases link to broader sanctions under the Cybersecurity Law.

Can MLPS 2.0 (Multi-Level Protection Scheme) be mapped to other international frameworks?

Yes, MLPS 2.0 (Multi-Level Protection Scheme) control domains—physical, network, data, operations, governance—map to international frameworks like ISO 27001 Annex A and NIST CSF. Organizations leverage existing ISMS for gap analysis while addressing MLPS-specific grading and enforcement.

What is the first step to begin implementing MLPS 2.0 (Multi-Level Protection Scheme)?

The first step for MLPS 2.0 (Multi-Level Protection Scheme) implementation is conducting a provisional self-assessment to classify systems into Levels 1-5 based on impact criteria. Inventory assets, document rationale, and prepare for Level 2+ expert review and PSB filing within 30 days.

Standards Comparison

ISO 13485 vs MLPS 2.0 (Multi-Level Protection Scheme)

ISO 13485

Mandatory

2016

International standard for medical device QMS regulatory compliance

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's regulation for graded cybersecurity protection of networks.

Quick Verdict

ISO 13485 ensures medical device quality worldwide via voluntary certification, while MLPS 2.0 mandates graded cybersecurity for China's networks with PSB enforcement. Companies adopt ISO 13485 for global compliance and market access; MLPS 2.0 to avoid fines and operate legally in China.

Quality Management

ISO 13485

ISO 13485:2016 Medical devices Quality management systems

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory PSB registration and approval for Level 2+
Third-party audits with 70/100 passing score
Extended controls for cloud, IoT, big data
Law enforcement oversight and periodic re-evaluations

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 13485 Details

What It Is

ISO 13485:2016, titled Medical devices — Quality management systems — Requirements for regulatory purposes, is a global certification standard for QMS in medical devices. It ensures organizations consistently meet customer and regulatory requirements across device lifecycle stages like design, production, and post-market. Employs a risk-based process approach with documented controls.

Key Components

Clauses 4–8 cover QMS foundation, management responsibility, resources, product realization, measurement/improvement.
Includes medical device files, validation, traceability, supplier controls.
Builds on ISO 9001 with medical-specific enhancements like design controls.
Third-party certification through staged audits and surveillance.

Why Organizations Use It

Facilitates market access amid EU MDR, FDA QMSR alignment.
Mitigates risks, enhances patient safety, reduces recalls.
Provides competitive edge, builds stakeholder trust.
Supports supply chain assurance, regulatory convergence.

Implementation Overview

Phased: gap analysis, documentation build, training, validation, internal audits.
Suits manufacturers, suppliers, all sizes globally.
Requires certification audits (Stage 1/2), ongoing surveillance.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory cybersecurity regulation under the 2017 Cybersecurity Law (Article 21). It is a graded protection framework requiring network operators to classify systems into five levels based on potential harm to national security, social order, and public interests. The impact-based approach mandates technical, organizational, and governance controls scaled by level.

Key Components

Core domains: physical security, network protection, data security, access control, monitoring, governance.
Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Five protection levels with common and extended controls for cloud, IoT, big data.
Compliance via self-classification, third-party audits (70/100 score), PSB approval.

Why Organizations Use It

Legal mandate for all China-based networks; non-compliance risks fines, suspensions.
Enhances resilience, supports market access, aligns with data laws (DSL, PIPL).
Builds regulator trust, reduces breach risks, enables procurement.

Implementation Overview

Phased: scoping, classification, gap analysis, remediation, audits, ongoing re-evaluations.
Applies to all sizes/industries in China; Level 2+ needs licensed audits.
Involves documentation, training, PSB filings; annual costs tens of thousands USD for Level 3.

Key Differences

Aspect	ISO 13485	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Medical device QMS lifecycle	Graded network cybersecurity protection
Industry	Medical devices, global	All network operators, China
Nature	Voluntary certification standard	Mandatory legal regime
Testing	Certification body audits	Third-party assessments, PSB approval
Penalties	Loss of certification	Fines, operational suspension

Scope

ISO 13485

Medical device QMS lifecycle

MLPS 2.0 (Multi-Level Protection Scheme)

Graded network cybersecurity protection

Industry

ISO 13485

Medical devices, global

MLPS 2.0 (Multi-Level Protection Scheme)

All network operators, China

Nature

ISO 13485

Voluntary certification standard

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory legal regime

Testing

ISO 13485

Certification body audits

MLPS 2.0 (Multi-Level Protection Scheme)

Third-party assessments, PSB approval

Penalties

ISO 13485

Loss of certification

MLPS 2.0 (Multi-Level Protection Scheme)

Fines, operational suspension

Frequently Asked Questions

Common questions about ISO 13485 and MLPS 2.0 (Multi-Level Protection Scheme)

ISO 13485 FAQ

MLPS 2.0 (Multi-Level Protection Scheme) FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

The NIS2 "FTE Trap": Why 5 Analysts for 24/7 Security is Actually 8 (and Why the Board Needs to Know)

Exposed: NIS2 FTE Trap math shows 5 analysts fail 24/7 coverage due to sickness, training, leave & 2026 churn. Line-by-line breakdown for compliance. Alert your

Breaking Down NIST CSF 2.0 Structure: Core, Tiers, Profiles, and Real-World Application

Master NIST CSF 2.0 structure: Govern + 5 Core functions, Tiers (Partial-Adaptive), Profiles for gaps, and real-world apps. Build effective cyber risk strategie

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 13485 and MLPS 2.0 (Multi-Level Protection Scheme) compare against other standards

Other ISO 13485 Comparisons

Other MLPS 2.0 (Multi-Level Protection Scheme) Comparisons

What It Is

Key Components

Clauses 4–8 cover QMS foundation, management responsibility, resources, product realization, measurement/improvement.

Includes medical device files, validation, traceability, supplier controls.

Builds on ISO 9001 with medical-specific enhancements like design controls.

Third-party certification through staged audits and surveillance.

What It Is

Key Components

Core domains: physical security, network protection, data security, access control, monitoring, governance.

Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).

Five protection levels with common and extended controls for cloud, IoT, big data.

Compliance via self-classification, third-party audits (70/100 score), PSB approval.

Aspect

ISO 13485

MLPS 2.0 (Multi-Level Protection Scheme)

Scope

Medical device QMS lifecycle

Graded network cybersecurity protection

Industry

Medical devices, global

All network operators, China

Nature

Voluntary certification standard

Mandatory legal regime

Testing

Certification body audits

Third-party assessments, PSB approval

Penalties

Loss of certification

Fines, operational suspension