With the FDA's June 2025 cybersecurity guidance now in effect and the ISO 13485-aligned Quality Management System Regulation (QMSR) taking effect in February 2026, connected medical device manufacturers face a stricter compliance environment than ever before. This guide breaks down what Section 524B actually requires, what the QMSR changes mean for your cybersecurity documentation, and how to build a submission-ready cybersecurity program from the start.
The Regulatory Landscape Has Changed
The FDA's updated guidance, released June 27, 2025, replaces the September 2023 version and explains how FDA expects manufacturers to meet the statutory cybersecurity requirements in Section 524B of the FD&C Act. These requirements became law via FDORA in December 2022 and have applied to cyber device submissions since March 29, 2023. The 2025 guidance operationalizes and clarifies those obligations with more specific expectations for documentation and process.
Three regulatory milestones are shaping 2026 compliance:
- Section 524B has been in force since March 29, 2023, and is now a routine part of FDA review for cyber device submissions
- The Quality Management System Regulation (QMSR) takes effect February 2026, harmonizing FDA's quality system requirements with ISO 13485 and directly mapping cybersecurity risk management to your QMS
- Stricter SBOM expectations demand machine-readable formats maintained throughout the product lifecycle
For device makers preparing 510(k), De Novo, PMA, PDP, HDE, or related submissions in 2026, this means cybersecurity documentation is no longer a last-stage checkbox. It must be integrated from the earliest design phases. FDA can refuse to accept or deny approval for applications based solely on cybersecurity deficiencies.
What Qualifies as a "Cyber Device"?
Section 524B(c) defines a cyber device as any device that:
- Includes software validated, installed, or authorized by the sponsor
- Has the ability to connect to the internet
- Has characteristics that could be vulnerable to cybersecurity threats
The FDA interprets this broadly. A device with a latent wireless module, debug port, or engineering interface can meet the cyber device definition even when connectivity is not part of its intended clinical use, provided that feature gives the device the ability to connect to the internet and could be vulnerable to cybersecurity threats.
If your device contains sponsor-controlled software and any capability that could enable internet connectivity, you should evaluate it against the Section 524B(c) criteria. When in doubt, assume it will be treated as a cyber device.
The Three Statutory Requirements Under Section 524B
Section 524B(b) establishes three requirements for cyber device premarket submissions. FDA guidance then elaborates these into specific documentation expectations:
1. Postmarket Cybersecurity Management Plan
You must submit a plan to monitor, identify, and address cybersecurity vulnerabilities and exploits throughout the device lifecycle. This includes:
- Coordinated vulnerability disclosure (CVD) procedures
- Intake channels for external security researchers
- Triage timelines and risk categorization
- Customer notification procedures within defined timelines appropriate to vulnerability severity and risk
- Commitment to making postmarket updates and patches available
FDA categorizes vulnerabilities based on whether the residual risk is "controlled" or "uncontrolled," with uncontrolled risks requiring more urgent remediation. Timelines vary depending on severity, often on the order of days to weeks for critical issues.
2. Reasonable Assurance of Cybersecurity
You must demonstrate that the device and related systems are designed with cybersecurity built in. The FDA points to Secure Product Development Frameworks (SPDFs) as the mechanism to achieve this. Your documentation should show how cybersecurity considerations are integrated into design controls, risk analysis, and verification testing.
3. Software Bill of Materials (SBOM)
SBOMs are mandatory for all cyber devices. Key expectations include:
- Machine-readable format (SPDX or CycloneDX preferred)
- All commercial, open-source, and off-the-shelf components listed
- Version numbers and supplier information for each component
- Support windows for components (expected by FDA and industry practice)
- Maintenance throughout the product lifecycle, not just at submission
The February 2026 QMSR Alignment
The Quality Management System Regulation (QMSR), effective February 2026, harmonizes FDA's quality system requirements with ISO 13485. For cybersecurity, this means:
- Cybersecurity risk management must map to your QMS. Your threat models, vulnerability assessments, and security controls need to integrate with your existing design control and risk management procedures.
- Change control is more critical. The 2025 cybersecurity guidance introduces a taxonomy categorizing changes as "may impact" or "unlikely to impact" cybersecurity, guiding when a new submission is required.
- Documentation must be traceable. FDA expects clear traceability between your threat model, risk assessment, SBOM, and test documentation.
What This Means for Your 2026 Submissions
If you are preparing a premarket submission in 2026, here is what FDA expects to see in your cybersecurity documentation package:
| Document | Purpose | Key Contents |
|---|---|---|
| Security Risk Management Report | Demonstrate comprehensive threat analysis | Threat model, risk assessment, residual risk conclusions, mitigation activities |
| SBOM | Provide software transparency | All components, versions, suppliers in SPDX/CycloneDX format |
| Vulnerability Management Plan | Show postmarket readiness | CVD procedures, intake channels, triage timelines, notification plan, patch commitments |
| Cybersecurity Testing Report | Verify security controls | Penetration test results, vulnerability scans, fuzz testing outcomes |
| Secure Development Documentation | Demonstrate SPDF compliance | Security requirements, design controls, verification evidence |
Common Gaps That Delay Clearance
Based on industry commentary and consultant summaries of cybersecurity-related feedback, these are the most common deficiencies that trigger Additional Information (AI) requests or Refuse to Accept (RTA) decisions:
- Incomplete SBOMs. Missing dependencies, outdated versions, or non-machine-readable formats
- Unclear threat boundaries. Failing to define what is in scope for your security analysis, especially for cloud-connected devices
- Weak patch commitment. Vague language about update availability without specific timelines or procedures
- Missing traceability. Risk assessments that do not link back to specific threat model elements or forward to test cases
- Legacy component risks. Third-party software without documented support windows or vulnerability monitoring
Cloud-Connected Devices: Additional Considerations
For devices with cloud components, the cybersecurity boundary extends beyond the physical device. Your submission must address:
- System-level risk assessment. The device, cloud platform, mobile apps, and data flows must all be analyzed as a connected system
- Shared responsibility clarity. Document which cybersecurity controls are handled by your cloud provider versus your organization
- Update mechanisms. How firmware and software updates are delivered securely, including authentication and integrity verification
- Data protection. Encryption, access controls, and audit logging for PHI and device data
Using a cloud platform designed for medical devices and accompanied by robust security documentation can significantly reduce your documentation burden. The platform provider can handle infrastructure-level security controls, SBOM generation for cloud components, and ongoing vulnerability monitoring. However, you as the manufacturer remain responsible for demonstrating overall system cybersecurity to FDA.
Action Plan for 2026 Readiness
Here is a practical checklist for manufacturers preparing submissions this year:
Immediate (This Quarter):
- Confirm cyber device status by reviewing internet connectivity capabilities and software functions against Section 524B(c)
- Generate or refresh your SBOM in SPDX or CycloneDX format
- Audit third-party components for support windows and vulnerability status
Short-Term (Next 90 Days):
- Document your vulnerability management plan with specific intake channels and triage timelines
- Map cybersecurity risks to your ISO 13485-aligned QMS procedures in preparation for QMSR
- Update change control SOPs to use the guidance's impact taxonomy
Pre-Submission:
- Complete security testing and document results with clear traceability
- Verify SBOM accuracy against current build
- Prepare cybersecurity labeling per FDA recommendations
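The SBOM expectations above (machine-readable format, versions and suppliers for every component, documented support windows) and the checklist items "audit third-party components for support windows" and "verify SBOM accuracy against current build" can be checked mechanically. The following is an added example, not code from the original article or from BioT: it audits a constructed CycloneDX JSON document against a constructed build manifest. The `support-end` property name is an assumption, since CycloneDX has no standard field for support windows.

```python
import json
from datetime import date

# Constructed CycloneDX 1.5 document (not from any real device). The
# "support-end" property is an assumed custom property, not a standard field.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "libtls", "version": "3.2.1",
     "supplier": {"name": "Example TLS Project"},
     "properties": [{"name": "support-end", "value": "2027-06-30"}]},
    {"type": "library", "name": "old-parser", "version": "1.0.4",
     "supplier": {"name": "Example Parser Vendor"},
     "properties": [{"name": "support-end", "value": "2024-01-31"}]},
    {"type": "library", "name": "mqtt-client", "version": "2.0.0"}
  ]
}"""

# Constructed build manifest: the component versions the firmware actually links.
BUILD_MANIFEST = {"libtls": "3.2.1", "old-parser": "1.0.4", "mqtt-client": "2.1.0"}


def audit_sbom(sbom_text: str, build: dict, today_iso: str) -> list:
    """Return findings: missing version/supplier, expired or undocumented
    support window, and drift between the SBOM and the current build."""
    today = date.fromisoformat(today_iso)
    sbom = json.loads(sbom_text)
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    seen = {}  # component name -> version as declared in the SBOM
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        seen[name] = version
        if not version:
            findings.append(f"{name}: missing version")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{name}: missing supplier")
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        end = props.get("support-end")
        if end is None:
            findings.append(f"{name}: no documented support window")
        elif date.fromisoformat(end) < today:
            findings.append(f"{name}: support ended {end}")
    # Drift check: every linked component must appear with the same version.
    for name, build_version in build.items():
        if name not in seen:
            findings.append(f"{name}: in build but absent from SBOM")
        elif seen[name] != build_version:
            findings.append(f"{name}: SBOM {seen[name]} != build {build_version}")
    return findings
```

Run as part of the build pipeline so that a non-empty findings list blocks release, and keep the report with the submission's traceability evidence.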
The Bottom Line
For devices meeting the Section 524B(c) definition, FDA cybersecurity requirements are legal obligations tied directly to market authorization. The QMSR alignment in February 2026 raises the bar further by integrating cybersecurity into your quality system.
The manufacturers who will succeed are those who treat cybersecurity as a design input from day one, not a documentation exercise at the end. Start with a clear threat model, maintain your SBOM continuously, build vulnerability management into your operations, and choose cloud infrastructure partners who can provide submission-ready documentation.
For device makers building connected products, the regulatory environment demands more transparency and accountability than ever. The good news: meeting these requirements also makes your products more secure and your customers more confident.
Building a connected medical device and need help navigating cybersecurity compliance? BioT's cloud platform includes security controls designed for medical devices, automated SBOM generation, and documentation packages aligned with FDA submission expectations. Book a demo to see how we can accelerate your path to market.