ISO 13485 Medical Device Certification in Saudi Arabia: SFDA Compliance Guide (2026)

ISO 13485 Medical Device Certification in Saudi Arabia: SFDA Compliance Guide (2026)

A medical device manufacturer in Europe spent months preparing for Saudi market entry. The product was CE-marked. The documentation was solid. Their regulatory consultant submitted the MDMA application through SFDA’s GHAD portal.

It came back with a request for evidence of ISO 13485 certification under the Saudi standard SFDA.MD/GSO ISO 13485. The CE mark and the ISO 13485 certificate they held from their European notified body was not issued by a body on SFDA’s recognized list. The application stalled for three months while the company went through a supplementary audit with an SFDA-accepted certification body.

This kind of delay is common and entirely avoidable with the right preparation. This guide covers what ISO 13485 requires in the Saudi context, how it maps to SFDA’s licensing and registration requirements, what changed when SFDA introduced MDMA2, and what certification actually involves for businesses entering or expanding in Saudi Arabia’s medical device market.

What Is ISO 13485 Certification?

ISO 13485:2016 is the international standard for Quality Management Systems in the medical device industry. It specifies the requirements an organization must meet to consistently design, manufacture, store, distribute, install, and service medical devices that meet regulatory and customer requirements.

Where ISO 9001 is a general quality management standard applicable across all industries, ISO 13485 is built specifically for medical devices. It adds requirements that ISO 9001 does not cover: design and development controls, device history records, post-market surveillance, sterilization validation, and regulatory compliance documentation that treat every clause as if a regulatory requirement applies to it.

The SFDA has published a guidance document, MDS-G024, that maps ISO 13485:2016 QMS requirements with SFDA-MDS regulations, offering a streamlined approach for medical device compliance in Saudi Arabia. The guidance maps the clauses of ISO 13485:2016 to corresponding SFDA Medical Devices Sector requirements, with specific explanations on how each clause should be interpreted and implemented in the context of Saudi regulations.

This matters practically: an organization that implements ISO 13485 using MDS-G024 builds a QMS that satisfies both the international certification standard and the SFDA’s specific Saudi requirements simultaneously, rather than running two separate compliance exercises.

How ISO 13485 Connects to SFDA Licensing

Saudi Arabia’s medical device regulatory framework is built on two pillars: the Medical Device Establishment License (MDEL) and the Medical Device Marketing Authorization (MDMA). ISO 13485 sits at the foundation of both.

Medical Device Establishment License (MDEL). The SFDA licenses local medical device importers, distributors, warehouses, authorized representatives, and manufacturers. They must hold an approved Medical Device Establishment License (MDEL) and operate under an ISO 13485 certified quality management system. Without an MDEL, a company cannot legally distribute or market medical devices in Saudi Arabia. Without ISO 13485 certification under SFDA.MD/GSO ISO 13485, the MDEL application cannot be completed.

Medical Device Marketing Authorization (MDMA2). From January 2022, MDMA2 became the only option for all medical devices and in vitro diagnostics. It requires submission of a complete Technical File Application, and the previous route that accepted GHTF country approvals was cancelled.

This is the change that catches many foreign manufacturers off guard. Before 2022, a CE mark or FDA clearance provided a fast-track route to Saudi registration. That route no longer exists. All devices that require MDMA must now follow the Technical File Assessment route. Technical files for authorizations from GHTF member countries are no longer accepted as reference.

The current MDMA2 route requires complete Saudi-specific technical documentation, and a QMS certificate under SFDA.MD/GSO ISO 13485 from an SFDA-recognized certification body is part of that documentation package.

Authorized representative requirements. The Local Authorized Representative (LAR) must submit evidence of the application of a Quality Management System or an inspection report from the SFDA that confirms their compliance with the requirements of the Saudi Standard SFDA.MD/GSO ISO 13485 or its equivalent.

This means that for foreign manufacturers entering the Saudi market, not only does the manufacturer need ISO 13485 certification, but the local authorized representative they appoint must also hold an MDEL and maintain a compliant QMS. Choosing an authorized representative who does not have current ISO 13485 certification creates a compliance gap in the registration application.

Device Classification and What It Means for Your QMS

The SFDA classifies medical devices into four risk classes: Class A (low risk), Class B, Class C, and Class D (high risk). For manufacturers of Class A and B devices, a QMS certified from a Saudi Conformity Assessment Body (CAB) is required. For Class C and D devices, SFDA may also require an inspection or audit of the manufacturer’s QMS.

Understanding your device class before starting the ISO 13485 process matters because it determines the level of QMS scrutiny involved.

Class A covers low-risk devices such as bandages, non-sterile consumables, and examination gloves. ISO 13485 is still required, but the MDMA technical file is less extensive.

Class B covers moderate-risk devices including diagnostic ultrasound, infusion sets, and hypodermic needles. Full QMS certification from an SFDA-recognized CAB is required.

Class C covers medium-to-high risk devices including ventilators, infusion pumps, and orthopedic implants. Full documentation and potential QMS inspection.

Class D covers the highest-risk devices including active implantables and blood screening IVDs. Most stringent documentation requirements and QMS audit scrutiny.

The higher the class, the more your QMS needs to function as a genuine operational system, not just a documentation exercise. SFDA auditors reviewing Class D manufacturers do not just verify that procedures are written. They verify that those procedures are followed, that device history records are maintained, and that post-market surveillance is actively functioning.

ISO 13485 and Vision 2030 Healthcare Localization

Vision 2030 targets localizing 50 percent of Saudi Arabia’s medical needs. The NIDLP prioritizes ISO 13485 certified local manufacturers for MOH contracts and NUPCO supply agreements. Certified businesses move to the front of the queue for public sector healthcare procurement.

For Saudi manufacturers, this is a substantial commercial opportunity. The Ministry of Health and NUPCO (National Unified Procurement Company) procurement tenders represent billions of riyals in annual purchasing activity. ISO 13485 certification is listed as a prerequisite in these tenders. A Saudi manufacturer that holds ISO 13485 is eligible for procurement preference under Vision 2030’s localization agenda. One that does not is excluded before evaluation starts.

This is a different commercial proposition than most ISO certifications offer. ISO 13485 does not just help Saudi medical device companies compete. Under Vision 2030’s healthcare localization targets, it actively gives certified local manufacturers a procurement advantage that non-certified international competitors do not receive.

How ISO 13485 Differs from ISO 9001

Many Saudi businesses that already hold ISO 9001 ask whether it satisfies the SFDA’s QMS requirement. It does not.

ISO 9001 covers general quality management across all industries focused on customer satisfaction. ISO 13485 is specific to medical devices with mandatory requirements for ISO 14971 risk management, design controls, sterile manufacturing, post-market surveillance, and SFDA regulatory reporting. ISO 9001 cannot replace ISO 13485 for medical device regulatory purposes.

The structural foundations overlap, and organizations transitioning from ISO 9001 to ISO 13485 move faster because the management system architecture is already in place. The additional work is in the medical device-specific elements: design controls, device history records, post-market surveillance systems, and regulatory compliance documentation throughout every clause of the standard.

The Certification Process

Gap analysis (3 to 7 days). Clause-by-clause review of your current QMS against ISO 13485:2016 and SFDA MDS-G024 requirements. For organizations already holding ISO 9001, the gap analysis typically reveals that the management system structure exists but the medical device-specific procedures are missing.

Documentation development (3 to 6 weeks). Quality manual, design and development controls, device history record system, purchasing and supplier qualification procedures, production and process controls, post-market surveillance program, complaint handling and adverse event reporting procedures aligned with SFDA reporting obligations, and management review records.

Training (1 to 2 weeks). Documented training for all staff with QMS responsibilities, covering regulatory requirements, device risk classifications, and post-market reporting obligations.

Internal audit and management review. Full internal audit against all ISO 13485 clauses, corrective action closure, management review with recorded outputs.

Certification audit. Stage 1 document review, Stage 2 on-site audit. Auditors focus on design controls, device history records, post-market surveillance, and the traceability of production and distribution records. The SFDA submits the corresponding certificate and last audit report from the certification body as part of the MDMA documentation. The audit report is shared with SFDA, not just the certificate.

Timeline:

Starting pointTimeline to certificate
No existing QMS documentation75 to 100 days
Existing ISO 9001 in place45 to 65 days
Transitioning from existing ISO 1348530 to 50 days

Cost in Saudi Arabia

ISO 13485 is more expensive to implement than ISO 9001 for the same company size due to the documentation complexity and specialized audit time required.

Company sizeEmployeesEstimated total cost (SAR)
Small1 to 2014,000 to 25,000
Small-medium21 to 5020,000 to 35,000
Medium51 to 15030,000 to 50,000
Large / multi-site150 and above45,000 to 80,000+

Class C and D manufacturers sit toward the higher end regardless of headcount because audit time and documentation scope are driven by device risk, not just company size. Organizations with prior ISO 9001 certification often certify ISO 13485 at the lower end of the range for their size category.

Frequently Asked Questions

Is ISO 13485 mandatory for all medical device companies in Saudi Arabia?

Yes, in practice. The SFDA uses it as the baseline for MDEL and MDMA applications. Without a valid certificate, obtaining these licenses is extremely difficult regardless of product quality. It is also listed as a prerequisite in MOH and NUPCO procurement tenders.

Does a CE mark or FDA clearance satisfy SFDA’s ISO 13485 requirement?

No. Since January 2022, SFDA’s MDMA2 route requires Saudi-specific technical documentation and an ISO 13485 certificate from an SFDA-recognized certification body. Prior GHTF country approvals are no longer accepted as reference.

Does ISO 9001 satisfy SFDA’s QMS requirement?

No. SFDA specifically requires compliance with SFDA.MD/GSO ISO 13485. ISO 9001 does not meet this requirement for medical device registration purposes.

Which certification body should I use for SFDA purposes?

The certification body must be recognized by SFDA or accredited by an IAF member body accepted by SFDA. Verify the body’s recognition status before committing. SFDA may reject certificates from bodies it does not recognize, requiring the process to be repeated with an accepted body.

How long is an ISO 13485 certificate valid?

Three years, with annual surveillance audits. The MDMA certificate itself is typically valid for one year and must be renewed. Keeping ISO 13485 certification current is necessary for MDMA renewal.

ISO 13485 Certification in Saudi Arabia with Intellitech

Intellitech is an ISO certification consultancy headquartered in Al Jubail, serving medical device manufacturers, importers, distributors, and authorized representatives across Riyadh, Jeddah, Dammam, Al Khobar, and the Eastern Province.

For organizations entering the Saudi medical device market for the first time, Intellitech implements ISO 13485 with documentation aligned to both the certification audit and SFDA’s MDS-G024 guidance from the start. The QMS you build serves the certification auditor and the SFDA reviewer simultaneously, without needing to be adapted later.

ISO 13485 Certification Service Page | ISO 9001 Certification | ISO 45001 Certification | Get a Free Consultation

Leave a Comment

Your email address will not be published. Required fields are marked *