27 February 2026

FDA issues revised cybersecurity premarket submission guidance to align with quality management system regulation

The United States Food and Drug Administration (FDA) has released updated cybersecurity guidance titled Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Guidance for Industry and Food and Drug Administration Staff (Guidance), reflecting the agency’s response to the growing integration of wireless and network connected capabilities in medical devices, which has made cybersecurity controls central to device safety and effectiveness.

FDA issued the revised Guidance as a Level 2 guidance under 21 C.F.R. Part 10, intended to address minor changes in policy or provide technical clarifications, as the update aims to align with the agency’s new Quality Management System Regulation (QMSR), which DLA Piper has discussed here. In addition, the Guidance builds on the statutory requirements established by Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act and supersedes the agency’s initial implementing guidance finalized in June 2025, which DLA Piper has discussed here and here.

As federal and state regulators intensify focus on health data privacy and cybersecurity, medical device manufacturers are encouraged to stay attuned to evolving compliance expectations – including FDA's latest refinements to its cybersecurity guidance. Below we discuss the Guidance and highlight various compliance areas impacting cybersecurity controls for medical devices.

Updates from the 2025 Guidance

The Guidance refines and clarifies FDA’s expectations related to good manufacturing practice requirements under 21 C.F.R. Part 820 (Part 820), previously known as the Quality System Regulation. In the updated Guidance, FDA discusses its final rule amending the medical device current good manufacturing practice requirements under Part 820. The revised Part 820 incorporates by reference the 2016 edition of ISO 13485 (ISO 13485:2016), which emphasizes risk management. The Guidance provides examples of where the ISO 13485:2016 risk management framework may be applicable to medical device security. For example, in order to comply with the software validation and risk management requirements of Subclauses 7.3.7 and 7.1 of ISO 13485:2016, respectively, software developers may need to establish cybersecurity risk management and validation processes.

FDA replaces references to specific subsections of Part 820 with references to specific subclauses of ISO 13485:2016 that have been incorporated by reference into the QMSR. Effectively, the updates formalize the long-held and widely accepted expectation that cybersecurity risk management is a component of overall quality management.

In addition, FDA removed language from its 2025 guidance in the “Implementation of Security Controls” section. This section had previously referenced requirements under 21 C.F.R. § 820.30(c) and 820.30(d). The QMSR deleted the previous section 21 C.F.R. § 820.30, which addressed risk management activities, since ISO 13485:2016 incorporates and emphasizes these activities and other risk-based decision making as elements of an effective quality system throughout.

How FDA is evaluating cybersecurity in premarket submissions

The Guidance does not mandate specific technical measures, but it identifies key cybersecurity controls that FDA generally expects manufacturers to address. While not unique to the revised Guidance, the following points summarize FDA’s stated cybersecurity expectations:

  • Secure design and architecture: FDA recommends that manufacturers incorporate security by design, including architectural controls intended to reduce the exploitability of a medical device system and the associated risk of harm.

  • Risk assessment and threat modeling: Manufacturers are expected to perform cybersecurity risk assessments and conduct threat modeling.

  • Authentication, access control, and data protection: FDA recommends controls to ensure that only authorized users or systems can access or modify device functionality, and to protect the confidentiality and integrity of data through measures such as encryption and event detection.

  • Cybersecurity testing: The Guidance recommends that manufacturers conduct extensive cybersecurity testing, including vulnerability and penetration testing.

  • Software transparency and supply chain controls: The Guidance emphasizes software transparency, including maintenance of a software bill of materials.

  • Update and patch management: FDA recommends that manufacturers design devices for timely deployment of updates and patches to address cybersecurity vulnerabilities.

Health privacy and security regulation: A growing trend

The Guidance underscores FDA’s approach to cybersecurity as an integral component of medical device safety and effectiveness and its expectation that manufacturers operationalize cybersecurity controls. In addition, the Guidance operates alongside a broader set of federal and state privacy and security requirements that may apply to medical device manufacturers, digital health companies, and related service providers.

At the federal level, manufacturers are encouraged to consider the Federal Trade Commission (FTC) Act and the FTC’s updated Health Breach Notification Rule, which applies to health apps and connected technologies not covered by the Health Insurance Portability and Accountability Act and which has been reinforced through recent enforcement actions.

At the state level, an expanding patchwork of comprehensive privacy statutes may also apply to connected medical devices and associated software, including laws in California, Colorado, Connecticut, Maryland, and other jurisdictions that impose requirements related to data minimization, security safeguards, transparency, and individual rights. Certain states, such as Nevada and Washington, also maintain specific consumer health privacy laws that may be triggered by device functionality, data types collected, or downstream uses of health information.

Cybersecurity controls are not limited to FDA compliance, as they now form a part of a broader privacy and security framework shaped by overlapping federal and state requirements.

For more information or assistance navigating this changing landscape, please contact the authors.