South Korea Digital Medical Products Act (DMPA): Complete Compliance Guide (2026)
The complete guide to South Korea's Digital Medical Products Act — product categories (digital medical devices, digital-convergence pharmaceuticals, digital health-support devices), MFDS classification, approval pathways, AI/ML requirements, cybersecurity obligations, QMS, and labeling requirements.
Why Korea's Digital Medical Products Act Matters
South Korea has one of the world's most digitally advanced healthcare systems. With 5G connectivity in every hospital, a thriving medical device industry, and government-backed digital health initiatives, Korea has become a bellwether market for digital health regulation. The Digital Medical Products Act (DMPA) — passed on January 23, 2024, with most provisions effective from January 24, 2025, and additional requirements taking effect on January 24, 2026 — represents Korea's most comprehensive regulatory framework for digital health products.
For medical device manufacturers, software developers, and regulatory professionals, the DMPA is not a minor regulatory update. It creates an entirely new legal category of products, establishes classification rules specific to digital health technologies, mandates cybersecurity and AI governance requirements, and defines approval pathways that differ from the traditional Medical Devices Act.
This guide explains the complete DMPA framework, including the 2026 updates from MFDS Notices 2026-4 and 2026-6, and provides practical guidance for achieving compliance.
Background: Why Korea Needed a New Digital Health Law
Before the DMPA, digital health products in Korea were regulated under the general Medical Devices Act and In Vitro Diagnostic Medical Devices Act. These frameworks were designed primarily for physical medical devices and did not adequately address the unique characteristics of software, AI, and connected health technologies.
Key problems with the pre-DMPA framework:
- Classification uncertainty: Similar digital products were sometimes classified differently depending on interpretation, increasing compliance risk
- No AI-specific rules: Artificial intelligence and machine learning functions were not explicitly regulated, leaving manufacturers without clear guidance on model validation, change management, or transparency
- Software lifecycle gaps: Expectations for software updates, cybersecurity, and data management were fragmented across multiple guidance documents
- Wellness vs. medical device boundaries: Products combining lifestyle monitoring, clinical data analysis, and automated decision support fell into regulatory gray zones
The DMPA addresses these gaps by creating a dedicated legal framework that covers the full lifecycle of digital medical products — from development and authorization through manufacturing, quality control, post-market surveillance, and labeling.
Korea's Digital Health Legal Framework
The DMPA does not exist in isolation. It is part of Korea's broader medical device regulatory architecture:
| Legislation | Scope | Effective |
|---|---|---|
| Medical Devices Act | General medical devices | May 2004 (ongoing) |
| In Vitro Diagnostic Medical Devices Act | IVDs | May 2020 |
| Digital Medical Products Act (DMPA) | Digital medical products | January 24, 2025 |
| Act on Nurturing Medical Device Industry | Innovation support | May 2020 |
| AI Act (Basic Act) | High-risk AI systems | January 2026 |
Important overlap rules: Where requirements under the DMPA and the AI Act overlap, compliance with the DMPA is deemed to fulfill the corresponding AI Act requirements. This means manufacturers of AI-based digital medical devices need to comply primarily with the DMPA rather than navigating two separate regulatory systems simultaneously.
Software as a medical device (SaMD) and other digital medical devices remain subject to the Medical Devices Act where there are no corresponding provisions in the DMPA. The DMPA takes precedence where it provides specific rules for digital products.
Three Product Categories Under the DMPA
The DMPA defines three distinct product categories, each with its own regulatory requirements:
1. Digital Medical Devices
Digital medical devices are products that incorporate advanced technologies — including intelligent information technology, robotics, and ICT — used for diagnosing, treating, or managing diseases and health conditions. This category includes:
- Software as a Medical Device (SaMD): Software intended for medical purposes that does not need to be part of a hardware medical device
- AI-enabled diagnostic tools: Machine learning and deep learning systems that analyze medical data to support clinical decisions
- Digital therapeutics (DTx): Software-based treatments delivered through mobile apps or other digital platforms
- Connected medical devices with software components: Physical devices with embedded software that communicates data or provides intelligent functions
- Robotics and automated systems: AI-powered surgical systems, rehabilitation robots, and care robots
Digital medical devices are regulated under the DMPA and follow classification rules specific to digital products.
2. Digital-Convergence Pharmaceuticals
These are pharmaceutical products that incorporate digital technologies, such as:
- Digital pills: Medications with ingestible sensors that track adherence
- Pharmaceutical products with companion digital monitoring systems
- Drug-device combinations where the device includes AI or digital health components
Digital-convergence pharmaceuticals are regulated primarily under pharmaceutical legislation but must also satisfy DMPA requirements for the digital components.
3. Digital Medical/Health-Support Devices
This is a new category introduced by the DMPA for products that support health management but may not rise to the level of medical devices. Requirements for this category took effect on January 24, 2026 (Articles 33–35 of the DMPA).
- General wellness and fitness products that provide health information
- Health monitoring devices for non-disease conditions
- Digital health coaching and education platforms
The key distinction: digital medical/health-support devices are intended for health information management and general wellness, not for diagnosing or treating specific diseases.
Classification of Digital Medical Devices
Risk-Based Classification System
Digital medical devices under the DMPA are classified into four risk classes (I–IV), consistent with Korea's general medical device classification system. However, the DMPA introduces classification criteria specific to digital products:
For devices intended for treatment, assistive function, examination, diagnosis, or drug assistance:
| Target Condition | Risk Class |
|---|---|
| Life-threatening condition | Class IV |
| Serious condition | Class III |
| Non-serious condition | Class II |
For devices intended for patient management:
| Target Condition | Risk Class |
|---|---|
| Life-threatening condition | Class III |
| Serious condition | Class II |
| Non-serious condition | Class I |
For devices intended for health information management or other purposes:
| Target Condition | Risk Class |
|---|---|
| Life-threatening condition | Class II |
| Serious condition | Class I |
| Non-serious condition | Class I |
Final Risk Adjustment
For devices in Class II–IV, the final risk classification is adjusted based on:
- The potential for direct or indirect harm resulting from performance degradation or malfunction
- The degree of invasiveness of the digital technology
- The dependency of the patient on the device for critical health decisions
- The possibility of false positive or false negative results and their clinical impact
Product Code System
The DMPA introduces a detailed product code system for digital medical devices. At the time of application, manufacturers must submit a "Product Code and Device Classification Justification Form" as a supporting document.
Example product code: A digital medical device that acquires and analyzes medical imaging to support diagnosis during coronary angiography using deep learning:
B1ABXA1
- B1: Diagnosis using medical imaging
- A: SaMD technology
- B: Artificial intelligence
- X: Two technologies used
- A: Medical device
- 1: SaMD
If the software supports diagnosis of severe cardiovascular disease and malfunction could result in serious injury, it would be classified as Class III.
Approval Pathways
Authorization Pathways by Class
| Device Class | Pathway | Review Authority |
|---|---|---|
| Class I | Pre-market notification | Auto-approved upon submission |
| Class II | Pre-market certification | Registered Certification Bodies (RCBs) |
| Class III | Pre-market approval | MFDS (direct review) |
| Class IV | Pre-market approval | MFDS (direct review) |
Special Authorization Pathways
The DMPA and related regulatory reforms introduce several special pathways for innovative digital products:
Priority Review
Available for digital medical devices that address unmet medical needs or offer significant clinical advantages over existing products.
"Market Immediate Entry Medical Technology" Fast-Track
Launched on January 26, 2026 by the Ministry of Health and Welfare (MOHW) and MFDS, this pathway reduces the time from approval to clinical use from up to 490 days to 80–140 days for innovative devices across 199 designated categories (including digital medical devices, in vitro diagnostics, and medical robots). Devices that have undergone internationally enhanced clinical evaluation during the MFDS authorization phase can enter clinical use immediately without a separate New Medical Technology assessment.
Excellent Governance Systems Provision
The DMPA designates firms with proven AI governance and AI cybersecurity capacity, allowing a "use first, evaluate later" approach for AI products that are difficult to assess individually. This functions similarly to a conditional regulatory sandbox.
Technical Documentation Requirements (MFDS Notice 2026-6)
MFDS Notice 2026-6, effective January 26, 2026, introduced significant updates to the technical documentation requirements:
- Mandatory IMDRF STED format: Technical documentation must follow the Summary Technical Document format established by the International Medical Device Regulators Forum
- Strengthened SaMD oversight: Clear requirements for software lifecycle management, software validation, and version control
- Clinical evidence requirements: Expanded options for clinical documentation, including the use of real-world data and foreign clinical data
- Cybersecurity documentation: Mandatory cybersecurity risk assessment and documentation for connected devices
AI and Machine Learning Requirements
The DMPA introduces specific requirements for AI-based digital medical products that go beyond what traditional medical device regulations require:
Pre-Determined Change Control Plans (PCCP)
Manufacturers of AI/ML-based digital medical devices must submit a Pre-Determined Change Control Plan (PCCP) that describes:
- The types of algorithm changes the manufacturer anticipates making
- The methodology for validating those changes
- The protocol for monitoring real-world performance after changes are implemented
This approach allows AI models to evolve over time without requiring a new marketing authorization for every modification, provided the changes fall within the scope of the approved PCCP.
Software Usability Evaluation
The DMPA requires dedicated software usability evaluation as part of the authorization process. This includes:
- User interface testing with representative users
- Assessment of cognitive load and decision-making impact
- Evaluation of transparency and explainability features
AI Transparency and Labeling (SW-Labeling)
MFDS Notice 2026-6 introduced enhanced disclosure requirements for AI medical devices:
- Model cards: Documentation describing the AI model's training data characteristics, performance metrics, limitations, intended population, and known biases
- AI-specific labeling: Products must include information about AI involvement on the device label
- Confidence levels: For clinical decision support systems, display of confidence levels and alert prioritization logic
- Override documentation: Tracking mechanisms for cases where clinicians override AI recommendations
Clinical Decision Support System (CDSS) Exemptions
The DMPA establishes exemption conditions for certain Clinical Decision Support Systems that meet specific criteria — primarily systems that serve a supporting role without directly driving clinical decisions.
Cybersecurity Requirements
Mandatory Cybersecurity Assessment
The DMPA requires a cybersecurity risk assessment for all connected digital medical devices. This includes:
- Threat modeling: Identification of cybersecurity threats specific to the device's connectivity, data handling, and communication protocols
- Vulnerability management: Processes for identifying, evaluating, and mitigating cybersecurity vulnerabilities throughout the product lifecycle
- Security by design: Integration of cybersecurity controls into the device design, including encryption, authentication, and access control
- Incident response: Procedures for responding to cybersecurity incidents, including notification to MFDS
Electronic Infringement Security
The DMPA includes specific provisions for electronic infringement security — protection against unauthorized access, tampering, and data breaches. This reflects Korea's heightened awareness of cybersecurity threats to medical devices and health data.
Quality Management System (GMP) Requirements
GMP for Digital Medical Devices
The MFDS published updated Good Manufacturing Practice (GMP) Regulations for Medical Devices in February 2026, with four distinct GMP standards:
| GMP Part | Scope | Key Requirements |
|---|---|---|
| Part 1 | General medical devices | Enforcement Rule of the Medical Devices Act; procedures and requirements mandated by the Medical Devices Act |
| Part 2 | Digital medical devices | Based on ISO 13485, with additional requirements for software quality control, AI validation, and cybersecurity management |
| Part 3 | IVDs | Specific requirements for IVD manufacturing, quality control, and performance verification |
| Part 4 | Digital health-specific | Dedicated standards for AI-driven devices and connected health products |
QMS Key Expectations (2026 Update)
The February 2026 GMP update reinforced several critical areas:
- Management responsibility: Deeper implementation of ISO 13485-aligned quality management systems, with emphasis on leadership involvement
- Supplier qualification: Expanded requirements for supplier qualification, periodic re-evaluation, quality agreements, and oversight of outsourced processes
- Process validation: Clarified requirements for critical manufacturing process validation, equipment qualification, and environmental monitoring
- Cybersecurity integration: Cybersecurity and AI validation must be integrated into the QMS, not treated as standalone activities
- Post-market surveillance: Strengthened post-market surveillance requirements, including complaint handling, adverse event reporting, and periodic safety updates
Conformity Assessment for Software
Manufacturers can apply for a conformity assessment for digital medical device software, valid for three years. Regular inspections verify ongoing compliance, and the conformity judgment can be extended for an additional three years upon successful inspection.
Labeling Requirements
New Labeling Rules (Effective January 24, 2026)
The DMPA introduced new labeling requirements for digital medical device software (Article 22), including:
- AI disclosure: Clear identification of AI involvement in the device's operation
- Software version: Prominent display of the software version number
- Data handling information: Description of how the device collects, processes, and stores user data
- Cybersecurity notices: Information about cybersecurity features and how users can report vulnerabilities
- Intended user identification: Clear specification of whether the device is intended for healthcare professionals, patients, or both
Practical Compliance Checklist
For manufacturers planning to bring digital medical products to the Korean market:
| Step | Action | Timeline |
|---|---|---|
| 1. Classification | Determine product code and risk class under DMPA classification rules | Pre-submission |
| 2. Gap analysis | Conduct gap analysis against MFDS GMP standards for digital medical devices (Parts 2/4) | 2–3 months |
| 3. Technical documentation | Prepare IMDRF STED-format technical file with AI/cybersecurity documentation | 3–6 months |
| 4. PCCP development | Develop Pre-Determined Change Control Plan for AI/ML-based products | 1–3 months |
| 5. Cybersecurity assessment | Conduct cybersecurity risk assessment and prepare threat model documentation | 2–4 months |
| 6. Usability evaluation | Conduct software usability evaluation with representative Korean users | 2–4 months |
| 7. QMS update | Update QMS to integrate cybersecurity and AI validation requirements | 3–6 months |
| 8. Labeling compliance | Prepare AI-compliant labeling per Article 22 requirements | 1–2 months |
| 9. Submission | Submit authorization application with all supporting documentation | Per pathway |
| 10. Post-market plan | Establish post-market surveillance system for Korean market | Concurrent |
Key Differences: DMPA vs. General Medical Devices Act
| Aspect | Medical Devices Act | DMPA |
|---|---|---|
| Scope | Physical medical devices and general SaMD | Digital medical devices, digital-convergence pharmaceuticals, digital health-support devices |
| Classification | Based on physical risk | Risk-based plus digital-specific criteria (technology type, AI involvement, data sensitivity) |
| AI/ML governance | Not explicitly addressed | Mandatory PCCP, model cards, transparency requirements |
| Cybersecurity | General safety requirements | Mandatory cybersecurity assessment, electronic infringement security provisions |
| Change management | Traditional variation system | PCCP allows predetermined algorithm changes without new authorization |
| Labeling | General device labeling | AI disclosure, software version, data handling, cybersecurity notices |
Relationship to Korea's AI Act
Korea's AI Act (Basic Act), effective January 2026, establishes requirements for high-risk AI systems across multiple sectors. For digital medical products, the relationship is straightforward:
- DMPA takes precedence: Where the DMPA and AI Act requirements overlap, compliance with the DMPA is deemed to satisfy the corresponding AI Act requirements
- High-risk AI classification: AI-based digital medical devices are considered high-risk AI under the AI Act, but the DMPA's specific requirements (PCCP, model cards, cybersecurity assessment) satisfy the AI Act's obligations
- Dual compliance unnecessary: Manufacturers do not need to separately demonstrate compliance with both acts for the same product
Frequently Asked Questions
Does the DMPA apply to existing SaMD products?
SaMD products that were already approved under the Medical Devices Act continue to be valid. However, new applications for digital medical devices that fall within the DMPA's scope should be submitted under the DMPA framework. Where the DMPA does not provide corresponding provisions, the Medical Devices Act continues to apply.
What is a Pre-Determined Change Control Plan (PCCP)?
A PCCP is a document submitted to the MFDS as part of the authorization application that describes the types of algorithm changes the manufacturer anticipates, the validation methodology, and the monitoring protocol. Once approved, changes within the PCCP's scope can be implemented without filing a new marketing authorization.
Is regulatory approval from MFDS sufficient to use a digital health product in Korean medical settings?
No. MFDS regulatory approval is necessary but not always sufficient. Certain new digital health technologies must also undergo nHTA (new Health Technology Assessment) under the Medical Service Act (enforced by the Ministry of Health and Welfare) before they can be used in medical settings. Additionally, approval from the MOHW is required for national health insurance reimbursement eligibility.
What cybersecurity documentation is required?
Connected digital medical devices must include a cybersecurity risk assessment, threat model, vulnerability management plan, and incident response procedures. For devices with wired or wireless communication capabilities, cybersecurity documentation has been mandatory since 2026 under the updated MFDS requirements.
How does the fast-track pathway work?
The "Market Immediate Entry Medical Technology" fast-track, launched on January 26, 2026 by MOHW and MFDS, allows innovative devices (including digital medical devices, in vitro diagnostics, and medical robots) that have passed internationally enhanced clinical evaluation to enter clinical use immediately after MFDS authorization, without a separate New Medical Technology assessment. This reduces the time from approval to clinical use from up to 490 days to 80–140 days. Eligible devices must have undergone reinforced clinical evaluation during the MFDS authorization phase.
Key Takeaways
- The DMPA creates a dedicated regulatory framework for digital medical products in Korea, effective January 24, 2025, with additional requirements (including labeling and health-support device rules) taking effect January 24, 2026
- Three product categories exist: digital medical devices, digital-convergence pharmaceuticals, and digital medical/health-support devices
- AI/ML-based products must submit a Pre-Determined Change Control Plan (PCCP) and meet transparency requirements including model cards and AI-specific labeling
- Cybersecurity assessment is mandatory for all connected digital medical devices
- The February 2026 GMP update introduces four distinct GMP standards, including dedicated standards for digital and AI-driven medical devices
- MFDS regulatory approval is necessary but may not be sufficient — products may also need nHTA approval and MOHW reimbursement clearance
- The DMPA takes precedence over Korea's AI Act where requirements overlap, eliminating the need for dual compliance