Breaking
Saturday, July 18, 2026
Share

FDA Cyber Guidance: New Priorities for Medical Device Companies

Sarah Chen Editor-in-Chief
Reviewed by Sarah Chen Editor-in-Chief
FDA Cyber Guidance: New Priorities for Medical Device Companies
Visual context for this story · not clinical evidence

Decision brief

Answer first · skim in under a minute

The FDA's updated cyber guidance formalizes cybersecurity risk management as essential for medical device safety and effectiveness. This guidance sets new priorities for device companies, emphasizing continuous monitoring and coordinated vulnerability disclosure.

FDA cybersecurity guidance has moved from best-practice advice to a statutory premarket expectation. For connected medical device companies, section 524B cyber-device duties, SBOM completeness, and quality-system design controls now sit on the critical path beside clinical evidence.

Contents9 sections

Key Takeaways

  • Section 524B of the FD&C Act, effective March 29, 2023 for cyber devices, requires cybersecurity information in covered 510(k), PMA, De Novo, and related submissions.
  • FDA’s premarket cybersecurity guidance sets recommendations for secure design, labeling, and documentation to support efficient review and section 524B compliance.
  • Sponsors must be able to monitor postmarket vulnerabilities, maintain processes that keep devices cybersecure, and provide an SBOM covering third-party and open-source components.
  • Refuse-to-accept transition periods ended; incomplete cyber documentation is now a substantive review risk, not a paperwork courtesy.

What changed under section 524B?

FDA’s cybersecurity FAQ explains that the Consolidated Appropriations Act, 2023 added section 524B, “Ensuring Cybersecurity of Devices,” to the FD&C Act. Manufacturers of cyber devices must submit required cybersecurity information starting March 29, 2023 in 510(k), PMA, PDP, De Novo, and HDE submissions, including certain supplements.

The Agency’s refuse-to-accept policy for cyber devices expired October 1, 2023. After that date, FDA expects sponsors to arrive with 524B-ready packages. That timeline matters for 2026 product roadmaps: cybersecurity is no longer a post-clearance remediation project.

What does the premarket guidance prioritize?

FDA’s guidance page for Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions frames recommendations on device design, labeling, and documentation for devices with cybersecurity risk. It aims to promote consistency, facilitate efficient premarket review, and help ensure marketed devices are resilient to threats while addressing section 524B recommendations.

The accompanying PDF guidance (FDA media 119933) ties recommendations to cyber-device obligations: plans to monitor and address postmarket vulnerabilities; processes and procedures to provide reasonable assurance the device and related systems are cybersecure; and a software bill of materials. Connected capabilities are in scope even when connectivity is not the device’s primary marketed feature.

How should manufacturers operationalize the priorities?

  • Map threat models to architecture during design controls, not after verification
  • Treat SBOM generation as a controlled quality record updated with each software change
  • Define coordinated vulnerability disclosure and patch timelines before launch
  • Align labeling with residual risk communication for hospital IT customers

For combination products and digital therapeutics adjacent to pharma portfolios, the same expectations apply when the device constituent is a cyber device. Drug sponsors partnering with device makers should diligence 524B readiness in tech-transfer and co-promotion contracts.

What does this mean for pharma-device partnerships?

Drug sponsors increasingly bundle connected injectors, sensors, and companion apps with specialty therapies. Those constituents can meet the cyber-device definition even when the primary marketing claim is pharmacologic. Contract manufacturing and digital vendors should be obligated to maintain living SBOMs, vulnerability SLAs, and evidence packages that can be dropped into a 510(k) or PMA supplement without a six-month scramble.

Quality leaders should also align cybersecurity change control with existing CAPA and design-history file processes. A security patch that alters software versioning can trigger new documentation duties; treating patches as IT tickets rather than design changes is a common inspection finding pattern discussed in FDA educational materials.

Hospital customers will ask for architecture diagrams, update cadences, and network segmentation guidance. Premarket labeling recommendations in the guidance are therefore also commercial documents — sales engineering content, not only regulatory binders. Boards should budget multi-year secure-development lifecycle costs the same way they budget clinical trials, because postmarket monitoring and SBOM maintenance do not end at clearance day.

What remains unproven?

Guidance does not invent a numeric “cybersecurity score” that guarantees clearance. FDA assesses reasonable assurance within existing submission review. Third-party commentaries that rank vendor tools as FDA-endorsed overreach the published Agency materials cited here.

Related NovaPharma coverage

Frequently Asked Questions

What statute drives FDA medical device cybersecurity submissions?

Section 524B of the FD&C Act, added by FDORA in December 2022 and effective for cyber devices on March 29, 2023, requires sponsors of covered premarket submissions to include information ensuring devices are cybersecure.

What does FDA’s premarket cybersecurity guidance cover?

FDA’s guidance on cybersecurity quality system considerations and premarket submission content recommends design, labeling, and documentation practices for devices with cybersecurity risk and helps manufacturers meet section 524B obligations.

Is a software bill of materials required?

Section 524B requires manufacturers of cyber devices to provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components, as part of ensuring cybersecurity of the device.

Primary Sources

  1. FDA guidance: Cybersecurity in Medical Devices premarket submissions
  2. FDA: Cybersecurity in Medical Devices FAQs
  3. FDA PDF: Cybersecurity QMS and premarket content guidance
Sources & references 1 primary sources
  1. news.bloomberglaw.com

Sources verified at publication. See our editorial policy and data sources.

This article follows our editorial standards. Report a correction via editorial contact.