Windows 10 Support Ends: What TGA’s Warning Means for Medical Device Manufacturers


24 November 2025 — Australia’s Therapeutic Goods Administration (TGA) has issued a clear warning: the end of support for Microsoft Windows 10 is now a medical device safety and cybersecurity issue, not just an IT concern. Many in-service devices still rely on Windows 10, and without proper action, they may become vulnerable to cyber incidents and non-compliant with regulatory requirements.

TGA CYBERSECURITY ALERTS FOR MEDICAL DEVICES

  • Windows 10 mainstream support ended on 14 October 2025. The October 2025 security update is the last regular security patch for Windows 10.

  • Devices still running standard Windows 10 (without additional protection) may be exposed to unauthorised access, malware, and other cyber threats.

  • Continued protection is only possible through the Windows 10 Consumer Extended Security Updates (ESU) program, currently planned to run until 10 October 2028.

The TGA is urging sponsors and manufacturers to review how this affects any medical device that uses Windows 10, whether it’s a diagnostic workstation, therapy console, imaging system, or other clinical equipment.

UPGRADING MEDICAL DEVICE SOFTWARE: KEY CONSIDERATIONS

1. Transition strategy is no longer optional

TGA expects manufacturers and sponsors to:

  • Identify all devices that rely on Windows 10.

  • Decide whether to:

    • upgrade to Windows 11, or

    • remain on Windows 10 with ESU for a defined period, and

    • plan a full transition away from Windows 10 where feasible.

This is not presented as a “nice to have” – it is framed as necessary to maintain security and ongoing compliance with TGA’s medical device requirements.

2. Hardware limitations must be assessed and communicated

For some legacy systems, the existing hardware may not meet the requirements to run Windows 11. In such cases, the TGA explicitly states that manufacturers and sponsors must:

  • Check if the current hardware can support Windows 11;

  • Notify customers if it cannot; and

  • Provide an alternative solution, such as upgraded hardware, replacement devices, or a defined end-of-support path.

This shifts the issue from “customer’s IT problem” to a shared responsibility between sponsor/manufacturer and the user facility.

3. OS upgrades are regulated changes, not just IT updates

Any upgrade from Windows 10 to Windows 11 is treated as a change that must still comply with the Essential Principles, particularly those relating to:

  • protection of patient and user data, and

  • ensuring the device continues to perform safely and effectively.

In practice, this means:

  • design and development documentation should reflect the new OS version,

  • verification and validation testing must confirm that the device software behaves correctly under Windows 11, and

  • user documentation (IFU, user manuals, installation guides) may need updates where workflows or system behaviour are affected.

4. Requirements for newly supplied devices

For any devices newly supplied to the Australian market that use the Windows operating system, TGA expects that they are either:

  • delivered with Windows 11, or

  • delivered with Windows 10 + ESU, and a documented transition plan away from Windows 10.

Continuing to ship devices on unsupported Windows 10 without ESU and without a plan poses both a cybersecurity risk and a potential compliance issue.

5. Link to existing cyber security and post-market duties

The TGA ties this Windows 10 issue directly into three existing guidance areas:


  1. Medical device cyber security requirements – ensuring devices with software or electronics are designed, maintained, and updated to manage cyber risks.

  2. Post-market responsibilities – manufacturers and sponsors must monitor device performance and emerging risks throughout the lifecycle.

  3. Recalls, product alerts and product corrections (PRAC) – where field action is required to manage safety or performance risks.

For devices that continue to use Windows 10, the TGA notes that market actions may be required, such as:

  • product alerts to explain the risks of staying on Windows 10, and/or

  • product corrections to inform users about changes like OS upgrades or configuration adjustments made to address safety concerns.

6. Incident reporting and compliance concerns

The TGA also reminds health professionals and users to report problems with medical devices through the Incident Report and Investigation Scheme (IRIS). These reports help the regulator monitor product performance.

If there are concerns about whether a product complies with TGA requirements (for example, if a device appears to rely on unsupported software without appropriate risk controls), stakeholders can also report a perceived breach through TGA’s dedicated reporting channel.

WHAT THIS MEANS FOR MANUFACTURERS AND SPONSORS IN PRACTICAL TERMS

Summarising the impact of this guidance, manufacturers and sponsors should now:

  1. Map their installed base

    • List all products and models that use Windows 10, including versions and configurations in the field.

  2. Decide on a strategy per product line

    • Upgrade to Windows 11 (with proper design change control and V&V), or

    • Use Windows 10 ESU up to 2028 with clear timelines and risk controls, or

    • Define an end-of-life / end-of-support strategy for devices that cannot be upgraded.

  3. Update technical and risk documentation

    • Risk management file (particularly cyber security aspects),

    • PMS plan and PMSR/PSUR references to OS support,

    • Technical documentation and labelling reflecting the supported OS and update mechanism.

  4. Communicate proactively with customers

    • Explain the implications of Windows 10 end of support,

    • Provide upgrade paths or replacement options,

    • Issue product alerts or corrections where necessary.

  5. Prepare for vigilance and PRAC actions if needed

    • Treat security vulnerabilities arising from unsupported software as safety-relevant issues,

    • Use established recall/PRAC procedures if risks cannot be adequately mitigated remotely.

FINAL SUMMARY

The TGA’s Windows 10 notice makes it clear that operating system lifecycle management is part of medical device regulatory compliance. For manufacturers and sponsors, this is the moment to align IT decisions, product lifecycle planning, and regulatory obligations before cybersecurity gaps turn into reportable incidents or enforcement issues.
