Korea Digital Medical Products Act: 2026 Compliance Guide
Introduction
A U.S. digital therapeutics company prepares to launch an insomnia app in Korea. The product has FDA clearance, uses cloud-based patient monitoring, and includes an AI feature that summarizes patient-reported outcomes for physicians. The commercial team assumes Korea will treat it like ordinary wellness software until a hospital partner asks whether the product has been classified under the Korea Digital Medical Products Act.
That question now matters. The Korea Digital Medical Products Act created a dedicated regulatory framework for software as a medical device, digital therapeutics, AI-enabled clinical tools, digital medical/health support devices, and drug-digital combination products. The Act entered into force in January 2025, but several practical requirements, including software labeling and rules for support devices, became especially important for 2026 launch planning.
For foreign medtech, SaaS, pharmaceutical, and health-data companies, this is more than a product registration issue. The framework affects clinical validation, cybersecurity documentation, local importer arrangements, post-market changes, reimbursement strategy, privacy governance, and investor diligence. Korea is a sophisticated digital health market, but regulators increasingly expect foreign entrants to show Korea-specific compliance rather than rely only on U.S., EU, or Singapore approvals.
Korea Digital Medical Products Act: what changed in 2026
The Act on Digital Medical Products introduced a category-specific system for products that do not fit neatly into traditional hardware-focused medical device rules. It covers three broad groups.
First, digital medical devices include software-based medical devices such as diagnostic-support tools, digital therapeutics, AI image analysis products, and software that analyzes biometric or medical image data to predict disease or guide treatment. Many products that foreign companies would describe as SaMD fall here.
Second, digital medical/health support devices are products that support health management but may not always reach the level of a full medical device. These are important for wearables, remote monitoring tools, and platform services that sit near the border between wellness and medical use.
Third, digital-convergence pharmaceuticals combine a drug with a digital medical device or digital support device. A pharmaceutical company that bundles a medication adherence app, sensor, or therapeutic software module with a drug product should analyze whether it is entering this category.
The Ministry of Food and Drug Safety (MFDS) is the main regulator. The Digital Medical Products Act requires a manufacturer or importer of regulated digital medical products to obtain MFDS authorization, certification, or notification depending on product class and risk. The Act also sits alongside the Medical Devices Act, the In Vitro Diagnostic Medical Devices Act, the Pharmaceutical Affairs Act, the Medical Service Act, and the Personal Information Protection Act.
For 2026, two points are especially practical. Article 22 of the Digital Medical Products Act introduces labeling requirements for digital medical device software. Articles 33 to 35 of the Digital Medical Products Act address digital medical/health support devices. These provisions push companies to be clearer about product identity, intended use, user instructions, safety information, and the line between medical and non-medical claims.
Korea Digital Medical Products Act classification: SaMD, AI, and wellness apps
Classification is the first major risk area. A foreign company may view its product as a productivity tool, wellness app, data dashboard, or physician workflow system. Korean regulators may see the same product as a digital medical device if the software analyzes patient-specific data to diagnose, predict, monitor, or recommend treatment for disease.
A simple example shows the difference. A mobile app that stores exercise logs and provides general wellness content may be outside the core medical device framework. By contrast, an app that analyzes heart rhythm signals to flag atrial fibrillation risk, or analyzes sleep data to deliver a structured digital therapeutic protocol for insomnia, is far more likely to require MFDS review.
AI creates additional complexity. Under Korea's digital health framework, AI or machine-learning software is assessed by intended use, risk, clinical function, data inputs, and whether the output influences clinical decisions. A product that merely retrieves general medical information is different from software that analyzes medical images or biometric signals and suggests a diagnosis or treatment direction.
The 2026 compliance lesson is that marketing language matters. Foreign companies should review Korean websites, pitch decks, app-store descriptions, physician manuals, and investor materials before launch. Words such as "diagnose," "detect," "predict," "treat," "clinical decision," and "personalized therapy" may support medical device classification.
A pre-consultation with MFDS is often sensible where classification is unclear. This is particularly true for products already approved elsewhere but newly adapted for Korea. Korea may not simply copy another jurisdiction's classification, especially if the Korean version includes different claims, localized algorithms, hospital integration, or patient-facing features.
MFDS authorization, KGMP, and cybersecurity documentation
Once a product is classified, the next issue is the approval route. The MFDS framework generally requires approval, certification, or notification depending on risk class and product type. For foreign companies, the practical question is not only "what documents are required?" but also "who will hold the Korean license and manage post-market obligations?"
Most foreign manufacturers need a Korean importer, license holder, or local regulatory partner. That party often becomes the operational bridge for MFDS submissions, Korean labeling, quality system documentation, complaint handling, and field safety communications. The commercial contract should allocate responsibility for regulatory updates, renewal work, product modifications, and costs.
Quality management is also changing. Digital products may require Korea Good Manufacturing Practice (KGMP) review tailored to software development, cybersecurity, version control, and electronic infringement security. The National Institute of Medical Device Safety Information has a role in KGMP audits for digital medical devices.
Cybersecurity is no longer a side exhibit. For software-based products, MFDS review can focus on communication security, data encryption, access controls, vulnerability handling, update procedures, and protection against data manipulation. Foreign vendors selling into Korean hospitals should expect cybersecurity questions from both regulators and procurement teams.
This is where global certifications help but do not solve everything. ISO 13485, IEC 62304, ISO 27001, SOC 2, and EU MDR documentation can support a Korean submission, but they need to be mapped to Korean requirements. A regulator or hospital buyer will want to see how the evidence applies to the specific Korean product, Korean users, Korean data flows, and Korean post-market process.
A practical compliance file should include the product description, intended use, classification analysis, clinical validation summary, software lifecycle documents, cybersecurity risk assessment, algorithm change policy, labeling materials, user training content, Korean-language instructions, and incident escalation procedures.
Data privacy, AI obligations, and hospital integration
Digital medical products usually process sensitive personal information. In Korea, health data is governed primarily by the Personal Information Protection Act (PIPA). PIPA regulates collection, use, third-party provision, outsourcing, cross-border transfer, security measures, and data subject rights.
For analytics and AI development, Article 28-2 of PIPA is especially relevant because it addresses pseudonymized information for statistical, scientific research, and public-interest archiving purposes. Pseudonymization can support model improvement and product research, but it is not a free pass. Companies still need governance around re-identification risk, access controls, purpose limitation, and data retention.
Cross-border transfer is another recurring issue. A foreign SaMD company may host Korean patient data on servers outside Korea, involve global support teams, or use overseas cloud vendors. Korean privacy documentation should explain where data goes, who receives it, why the transfer is needed, and what safeguards apply.
The AI Basic Act, formally the Act on Fostering the AI Industry and Establishing a Trust-Based AI Environment, also matters for 2026 planning. High-impact AI systems are expected to face stronger duties around risk management, transparency, documentation, and impact assessment. Medical AI that can affect life, physical safety, or fundamental rights should be reviewed early under this framework.
Hospital integration adds another layer. A digital health product may need to connect with electronic medical records, picture archiving systems, laboratory systems, or remote monitoring platforms. These integrations can trigger information security reviews, patient consent workflows, data localization questions, and contractual obligations on breach notification.
Foreign companies should avoid treating privacy as a separate legal workstream after MFDS approval. In Korea, regulatory approval, hospital procurement, reimbursement, cloud architecture, and privacy compliance move together. A product can be technically approved but commercially blocked if data handling and information security are not ready.
Reimbursement and clinical use: approval is not the whole market
MFDS authorization does not automatically mean a digital health product can be widely used and reimbursed in Korean clinical practice. The Ministry of Health and Welfare and the Health Insurance Review & Assessment Service influence market access through health technology assessment, coding, reimbursement, and post-market monitoring.
This is a critical difference from a pure software launch. A foreign SaaS company may be used to launching first and optimizing monetization later. In digital health, Korean commercialization often requires an integrated plan for regulatory approval, physician adoption, hospital procurement, clinical evidence, and reimbursement strategy.
For example, a European AI radiology company may obtain MFDS authorization for image analysis software. But if hospitals cannot recover the cost, or if the product is not clearly positioned within clinical workflow and reimbursement rules, adoption may remain limited. Investors doing diligence on Korean expansion should therefore ask whether the company has a reimbursement pathway, not merely whether it has a product license.
Digital therapeutics face a similar issue. Korea has already seen approved digital therapeutic products in areas such as insomnia, but scaling requires physician trust, clinical evidence, payer engagement, and patient onboarding. A foreign entrant should localize more than language. It should localize clinical workflow, physician training, Korean evidence generation, and support arrangements.
Practical tips for foreign digital health companies
- Start with Korea-specific classification. Do not assume FDA, CE, UKCA, or Singapore classification will control the Korean result.
- Map claims before translation. Korean marketing language, physician materials, and app-store descriptions should match the intended regulatory classification.
- Use Article 22 as a labeling checklist. Digital medical device software should have clear Korean labeling, user instructions, safety information, and version control.
- Review Articles 33 to 35 if the product is near wellness. Digital medical/health support devices can still require structured compliance even when they are not traditional medical devices.
- Build cybersecurity into the submission file. Encryption, authentication, vulnerability management, update control, and incident response should be documented before hospital procurement begins.
- Align PIPA and MFDS workstreams. Product approval, clinical data use, cross-border transfer, and cloud hosting should be reviewed together.
- Plan for reimbursement early. Market authorization is necessary, but hospital adoption often depends on reimbursement, coding, and clinical workflow fit.
- Contract carefully with Korean importers and distributors. Allocate responsibility for submissions, modifications, complaints, cybersecurity incidents, recalls, and regulatory communications.
Key takeaways
The Korea Digital Medical Products Act is now central to digital health expansion in Korea. It gives MFDS a clearer framework for SaMD, AI medical software, digital therapeutics, support devices, and drug-digital combinations.
For foreign companies, the biggest risks are misclassification, unsupported medical claims, incomplete cybersecurity documentation, weak Korean labeling, privacy gaps, and assuming that overseas approval is enough. These issues can delay launch, weaken hospital negotiations, and create diligence concerns for investors.
The best approach is an integrated Korea launch plan. Classification, MFDS authorization, KGMP readiness, Article 22 labeling, Articles 33 to 35 support-device analysis, PIPA compliance, AI governance, hospital procurement, and reimbursement should be planned as one project.
Korea Business Hub assists foreign digital health, medtech, SaaS, and life-sciences companies with Korea market-entry structuring, regulatory coordination, privacy compliance, local contracting, and investor-ready legal due diligence.
About the Author
Korea Business Hub
Providing expert legal and business advisory services for foreign investors and companies operating in Korea.