
FDA Cybersecurity Guidance Updated for QMSR (February 2026): What Medical Device Manufacturers Must Change

On February 3, 2026, the FDA reissued its premarket cybersecurity guidance aligned with the new Quality Management System Regulation (QMSR) and ISO 13485:2016. This guide covers what changed, what stayed the same, how to map cybersecurity to ISO 13485 clauses, and practical steps for manufacturers building connected devices in 2026.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-04-28 · 10 min read

Why the FDA Reissued the Cybersecurity Guidance

On February 3, 2026, the FDA published an updated version of its final guidance "Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions." This update replaces the June 27, 2025 version — a rapid 7-month revision cycle driven entirely by the transition from the Quality System Regulation (QSR, 21 CFR Part 820) to the Quality Management System Regulation (QMSR).

The QMSR became effective on February 2, 2026 — one day before the cybersecurity guidance update. The QMSR amends 21 CFR Part 820 and incorporates ISO 13485:2016 by reference, fundamentally changing how the FDA describes quality system expectations in all its guidance documents.

For the cybersecurity guidance specifically, this is more than a terminology swap. The update reflects a broader regulatory direction: cybersecurity expectations are now structurally connected to ISO 13485-based quality systems, and the FDA expects manufacturers to generate cybersecurity documentation through controlled QMS processes — not as standalone premarket appendices.

What Actually Changed

Structural Changes

Element                      | June 2025 Version         | February 2026 Version
-----------------------------|---------------------------|------------------------------------------------------
QMS framework references     | QSR (21 CFR 820)          | QMSR (21 CFR 820, incorporating ISO 13485:2016)
Design control citations     | 21 CFR 820.30             | ISO 13485 Subclause 7.3
Production control citations | 21 CFR 820.70             | QMSR 4.1.6 / ISO 13485 Subclause 7.5
CAPA / improvement citations | 21 CFR 820.100            | ISO 13485 Subclauses 8.4 and 8.5
Software validation          | 21 CFR 820.70(i)          | ISO 13485 Subclause 7.3.7
Risk management              | 21 CFR 820.20             | ISO 13485 Subclause 7.1
CI/CD recognition            | Not explicitly addressed  | Explicitly recognized as production controls under QMSR

What Stayed the Same

The core technical cybersecurity expectations are unchanged:

  • Secure Product Development Framework (SPDF) remains the recommended lifecycle approach
  • Five core security objectives (authenticity, authorization, availability, confidentiality, secure update) are intact
  • Threat modeling requirements are identical
  • SBOM requirements under Section 524B of the FD&C Act are unchanged
  • Penetration testing and vulnerability scanning expectations are the same
  • Architecture views (global system, multi-patient harm, updateability/patchability, security use case) remain unchanged
  • Coordinated vulnerability disclosure expectations are identical

What This Means in Practice

The practical impact depends on where your organization started:

  • If you were already ISO 13485 certified: You are ahead. The QMSR alignment means your existing QMS structure maps directly to the FDA's cybersecurity expectations. Focus on ensuring your cybersecurity documentation traces cleanly through your ISO 13485 design controls.

  • If you were following only the old QSR (21 CFR 820): You need to transition your QMS to align with ISO 13485 and update how cybersecurity documentation is generated and controlled within your quality system.

Mapping Cybersecurity to ISO 13485 Clauses

The February 2026 guidance creates explicit connections between cybersecurity activities and ISO 13485 requirements. Here is how the key mappings work:

Design Controls (ISO 13485 Subclause 7.3)

Cybersecurity Activity     | ISO 13485 Design Control Link
---------------------------|------------------------------------------------------------------------
Threat modeling            | Design inputs (7.3.3): security requirements derived from threat analysis
Security architecture views| Design outputs (7.3.4): documented security architecture
Secure design patterns     | Design verification (7.3.6): verified through security testing
SBOM generation            | Design outputs (7.3.4): software component inventory
Security risk assessment   | Risk management (7.1): connected to but distinct from safety risk

Production and Process Controls (ISO 13485 Subclause 7.5)

Cybersecurity Activity               | ISO 13485 Production Control Link
-------------------------------------|-------------------------------------------------
Secure build pipeline (CI/CD)        | Production process controls (7.5.1)
Code signing and release verification| Product release (7.5.9)
Software update mechanisms           | Servicing (7.5.4) and post-market controls
Patch management                     | Corrective action (8.5.2)

Monitoring and Improvement (ISO 13485 Subclauses 8.2–8.5)

Cybersecurity Activity              | ISO 13485 Monitoring Link
------------------------------------|--------------------------------------------
Vulnerability monitoring            | Feedback and complaints (8.2.1–8.2.2)
Security incident response          | Corrective action (8.5.2)
Post-market vulnerability disclosure| Adverse event reporting / vigilance
Continuous security improvement     | Continual improvement (8.5.1)

The SPDF Within Your QMS

The FDA continues to recommend a Secure Product Development Framework (SPDF) as a lifecycle approach to managing cybersecurity risk. The February 2026 update makes clear that the SPDF should not be a parallel process outside your QMS — it should be integrated into your ISO 13485 quality system.

How to Integrate SPDF into ISO 13485

SPDF Phase          → ISO 13485 Process
──────────────────────────────────────────────────────────
Security Planning   → Design planning (7.3.2) + Risk management (7.1)
Threat Modeling     → Design inputs (7.3.3)
Secure Design       → Design development (7.3.4)
Secure Coding       → Design outputs (7.3.4) + Production controls (7.5)
Security Testing    → Design verification (7.3.6) + Design validation (7.3.7)
Release             → Product release (7.5.9)
Post-Market Monitoring → Feedback (8.2.1) + Complaint handling (8.2.2)
Vulnerability Response → Corrective action (8.5.2)

Section 524B: Cyber Device Requirements

Separate from the guidance update, the statutory requirements under Section 524B of the FD&C Act (enacted as part of the Consolidated Appropriations Act of 2023) remain in full force. These requirements apply to "cyber devices" — devices that include software, can connect to the internet, and are likely to be maintained or updated.

Required Elements for Cyber Device Submissions

  1. Software Bill of Materials (SBOM): Complete inventory of software components, including open-source dependencies, with version numbers and vulnerability status
  2. Plan for coordinated vulnerability disclosure: Process for receiving, triaging, and disclosing security vulnerabilities
  3. Process for ensuring device and software updates: Mechanism for deploying security patches and updates throughout the device lifecycle
  4. Secure product development framework documentation: Evidence that cybersecurity was addressed during design and development

The February 2026 guidance explains how these Section 524B requirements map to QMSR processes, providing practical guidance on generating the required documentation through quality system activities.
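As an added example (not code from the page, the FDA guidance, or any project it names), the following Python check flags the Section 524B SBOM elements listed above when they are missing from a CycloneDX-style SBOM: a generation timestamp, a version per component, and a recorded vulnerability analysis state per component. The JSON layout, the field names, and the embedded sample SBOM are assumptions constructed for the example.

```python
"""Flag Section 524B SBOM gaps in a CycloneDX-style JSON document.

Assumptions (not from the page): CycloneDX 1.5-style layout with
components[] (bom-ref/name/version) and vulnerabilities[] whose
affects[].ref points at a component and whose analysis.state records
the manufacturer's vulnerability status for that component.
"""
import json

# Constructed sample: one component lacks a version, one has no
# vulnerability analysis at all, and one has an exploitable finding.
# Vulnerability ids are placeholders, not real advisories.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2026-03-01T00:00:00Z"},
    "components": [
        {"bom-ref": "pkg:generic/rtos@4.2.1", "name": "rtos", "version": "4.2.1"},
        {"bom-ref": "pkg:generic/tls-lib", "name": "tls-lib"},
        {"bom-ref": "pkg:generic/json-parser@1.0", "name": "json-parser", "version": "1.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": "pkg:generic/rtos@4.2.1"}],
         "analysis": {"state": "not_affected"}},
        {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": "pkg:generic/json-parser@1.0"}],
         "analysis": {"state": "exploitable"}},
    ],
})

# CycloneDX analysis states that mean "no open exposure for this device".
CLOSED_STATES = ("not_affected", "resolved", "resolved_with_pedigree", "false_positive")


def check_sbom(sbom_json: str) -> list[str]:
    """Return deficiency strings; an empty list means every checked element is present."""
    sbom = json.loads(sbom_json)
    findings = []
    if not sbom.get("metadata", {}).get("timestamp"):
        findings.append("sbom: no generation timestamp (cannot evidence a controlled, repeatable build)")
    # Index each vulnerability's analysis state by the component it affects.
    states_by_ref: dict[str, list[tuple[str, str]]] = {}
    for vuln in sbom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            states_by_ref.setdefault(target.get("ref"), []).append((vuln.get("id"), state))
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name")
        if not comp.get("version"):
            findings.append(f"{ref}: no version recorded")
        if ref not in states_by_ref:
            findings.append(f"{ref}: no vulnerability analysis recorded (status unknown)")
        for vuln_id, state in states_by_ref.get(ref, []):
            if state not in CLOSED_STATES:
                findings.append(f"{ref}: {vuln_id} has open analysis state '{state}'")
    return findings
```

Running the check on every build output, and storing the findings with the build record, is one way to make SBOM generation a controlled QMS process rather than a one-time submission deliverable.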

Practical Steps for Manufacturers in 2026


FDA Enforcement: Deficiency Letters Are Increasing

The FDA has issued a growing number of deficiency letters to manufacturers that did not implement the security-by-design protocols required under the cybersecurity guidance and Section 524B. As Naomi Schwartz, VP of Regulatory Strategy at Medcrypt, noted: "The rules of the game have changed." Manufacturers that treat cybersecurity as a documentation exercise rather than a design discipline are receiving multi-page deficiency letters that delay market authorization.

The FDA's cybersecurity team, now celebrating its 10th anniversary, has identified 479 vulnerabilities and managed 17 safety alerts to protect patients. This enforcement trajectory is expected to accelerate as the QMSR inspection framework embeds cybersecurity into routine quality system audits.

If You Are Preparing a Premarket Submission

  1. Map your cybersecurity documentation to ISO 13485 clauses: Ensure that your threat model traces to design inputs (7.3.3), your security testing traces to design verification (7.3.7), and your vulnerability handling traces to corrective action (8.5.2).

  2. Update your SBOM processes: Verify that your SBOM generation is a controlled process within your QMS, not a one-time deliverable created for the submission.

  3. Document your SPDF within your quality system: Your Secure Product Development Framework should be documented in SOPs and work instructions that reference ISO 13485 requirements.

  4. Include cybersecurity in your risk management file: The FDA expects cybersecurity risk to be addressed alongside safety risk, connected through your ISO 14971 risk management process.

  5. Prepare for QMSR inspections: FDA inspections after February 2, 2026 use the updated Compliance Program 7382.850, which references ISO 13485. Inspectors will evaluate cybersecurity through the lens of your quality system.

If You Have a Device Already on the Market

  1. Review your post-market cybersecurity processes: Ensure vulnerability monitoring and response are integrated into your complaint handling (8.2.2) and corrective action (8.5.2) processes.

  2. Update your SBOM maintenance process: Section 524B requires ongoing SBOM maintenance, not just a one-time submission deliverable.

  3. Verify your coordinated vulnerability disclosure plan is operational: The plan must be active, not just documented in the premarket submission.

  4. Assess legacy devices: Devices already on the market may not be subject to Section 524B (which applies to submissions after March 29, 2023), but the FDA expects ongoing cybersecurity risk management for all connected devices.

Implications for AI-Enabled Devices

The cybersecurity guidance update has particular relevance for AI-enabled and machine learning medical devices:

  • Training data security: AI models that train on patient data must address cybersecurity controls for data pipelines and training infrastructure
  • Model update security: PCCP-authorized model modifications must be deployed through secure update mechanisms
  • Supply chain risks: AI model dependencies (frameworks, libraries, pre-trained components) must be captured in the SBOM
  • Adversarial attack considerations: Threat models for AI devices should account for adversarial inputs, data poisoning, and model extraction attacks

The MITRE Corporation published a new discussion paper in April 2026 on "Cybersecurity Risk Analysis for Medical Devices in the Era of Evolving Technologies" that provides detailed guidance on cybersecurity risk considerations related to cloud computing, AI/ML, and post-quantum cryptography for device manufacturers.

Frequently Asked Questions

Do I need to resubmit my 510(k) if it was cleared under the old guidance?

No. The FDA has stated that the core technical expectations are unchanged. If your submission was already consistent with the June 2025 guidance, the February 2026 update does not require a new submission. However, your ongoing quality system processes should be updated to reference QMSR/ISO 13485.

Does this guidance apply to IDE submissions?

Yes. Appendix 3 of the guidance addresses IDE submissions. The cybersecurity recommendations for IDEs — including cybersecurity risks in informed consent, architecture views for safety-critical functionality, and SBOM inclusion — remain unchanged.

What is a "cyber device" under Section 524B?

A cyber device is a device that: (1) includes software (including firmware) or programmable logic, (2) can connect to the internet or another network, and (3) is likely to be maintained or updated. This covers most connected medical devices, SaMD, and devices with cloud connectivity.

Does the guidance apply to standalone software?

Yes. The guidance applies to "devices with cybersecurity considerations, including but not limited to devices that include a device software function or that contain software (including firmware) or programmable logic." It is not limited to network-enabled devices.

How does this interact with the EU Cyber Resilience Act?

The EU Cyber Resilience Act (CRA) and NIS2 Directive impose separate cybersecurity requirements for products sold in the EU. While there is significant overlap in the underlying security expectations, the specific documentation, conformity assessment, and reporting requirements differ. Manufacturers selling in both markets should build a unified cybersecurity framework that addresses both FDA and EU requirements.


Key Takeaways

  • The February 2026 FDA cybersecurity guidance replaces all QSR (21 CFR 820) references with QMSR citations aligned to ISO 13485:2016, effective immediately.
  • Core technical expectations — SPDF, threat modeling, SBOM, penetration testing, security architecture — are unchanged from the June 2025 version.
  • The critical shift is structural: cybersecurity documentation must now trace to controlled QMS processes, not be generated as standalone premarket deliverables.
  • Manufacturers should map cybersecurity activities to specific ISO 13485 clauses and ensure their SPDF is embedded in their quality system.
  • Section 524B statutory requirements for cyber devices remain in force and are now explicitly connected to QMSR processes.

Sources: FDA Final Guidance "Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions" (February 2026); FDA QMSR Final Rule (89 FR 7496); Intertek analysis (April 15, 2026); DLA Piper analysis (February 27, 2026); Hattrick IT analysis (2026); Innolitics LinkedIn analysis (February 2026); MITRE "Cybersecurity Risk Analysis for Medical Devices in the Era of Evolving Technologies" (April 2026).
