The U.S. Food and Drug Administration (FDA) has published “Cybersecurity in Medical Devices: Quality Management System (QMS) Considerations and Content of Premarket Submissions” updated guidance issued 3 February 2026.
This guidance replaces the 2025 edition and provides detailed recommendations on integrating cybersecurity into medical device design, development, and regulatory submissions to ensure devices are secure throughout their lifecycle.
🔍Key points:
Emphasises that cybersecurity is part of device safety and the quality management system, aligned with the FDA’s QMS Regulation and ISO 13485.
Recommends adopting a Secure Product Development Framework (SPDF) to systematically manage cybersecurity risks throughout the total product lifecycle.
Provides detailed guidance on security risk management, threat modelling, architecture controls, and testing as part of design/development.
Outlines what cybersecurity documentation should be included in premarket submissions (510(k), PMA, De Novo, IDE, HDE, PDP).
Defines expected security objectives (authenticity, authorization, confidentiality, availability, secure update/patching) that should be evidenced in submissions.
Applies to all connected device types, including those with software/firmware, networks, cloud components, and “cyber devices” under section 524B of the FD&C Act.
📘 Guidance document link:
https://lnkd.in/e-q5WMs