    MedTech Cyber Tips

    Compare

    Cross-jurisdiction and cross-format reference tables. Useful for technical-file mapping and tool selection.

    FDA Section 524B vs EU MDR cybersecurity

    What overlaps, what doesn't

    FDA only
    • Statutory SBOM (524B)
    • PCCP
    • eSTAR submission
    • Refuse-to-Accept policy
    Both
    • Threat model
    • CVD policy
    • Pentest evidence
    • Postmarket monitoring
    • Risk mgmt (ISO 14971)
    EU MDR only
    • Notified Body review
    • IEC 81001-5-1 hard tie
    • Annex I §17.2
    • PMS plan integration

    FDA (Section 524B) vs EU MDR cybersecurity

    Both regimes require evidence of secure development and postmarket vigilance, but the statutory authority, format, and review style differ. Use this as a mapping for a single global technical file.

    Requirement | FDA (US) | EU MDR
    --- | --- | ---
    Statutory cybersecurity authority | Section 524B FD&C Act (2023) | Annex I §17.2 + MDCG 2019-16 Rev.2
    SBOM required in submission | Required | Expected, not statutory
    Coordinated Vulnerability Disclosure (CVD) policy | Yes | Yes
    Threat model in technical file | Yes | Yes
    Penetration testing evidence | Independent recommended | Expected by NB
    Postmarket vulnerability monitoring plan | Yes | Tied to PMS plan
    VEX pairing with SBOM | Strongly encouraged | Partial
    Predetermined Change Control Plan (PCCP) | Yes | No equivalent
    Reference standards | AAMI TIR57, AAMI SW96, IEC 81001-5-1 | IEC 81001-5-1, IEC 62304, ISO 14971

    SBOM formats: SPDX vs CycloneDX

    Both are accepted by FDA. The choice usually comes down to whether your priority is license compliance and standardization (SPDX) or security tooling and VEX/CBOM extensibility (CycloneDX).

    Dimension | SPDX | CycloneDX
    --- | --- | ---
    Steward | Linux Foundation | OWASP
    ISO standardized | ISO/IEC 5962:2021 | No
    License focus | Strong | Partial
    Vulnerability / VEX integration | Partial | Native VEX & VDR
    Cryptographic BOM (CBOM) | No | Yes
    Hardware / SaaS BOM | Partial | Yes
    Common formats | tag-value, JSON, YAML, RDF | JSON, XML, Protobuf
    FDA accepts in submission | Yes | Yes
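    As an added example (not code from this page or from either SBOM project), the Python below reviews a CycloneDX JSON SBOM that carries its VEX statements inline, the pairing the tables above describe as native to CycloneDX and strongly encouraged by FDA: it tells the two accepted formats apart, flags components missing baseline fields, finds VEX statements whose refs do not resolve to any component, and lists vulnerabilities still open for postmarket tracking. The sample BOM, its component names, supplier and vulnerability ids are constructed placeholders, and the minimum fields checked (name, version, supplier) are an assumption rather than a rule stated on this page.

```python
import json

# Constructed sample: minimal CycloneDX 1.5 JSON SBOM with VEX embedded in
# "vulnerabilities". Names, bom-refs, supplier and vuln ids are placeholders.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "cmp-tls", "name": "tls-lib",
     "version": "3.1.0", "supplier": {"name": "Example Vendor"}},
    {"type": "library", "bom-ref": "cmp-rtos", "name": "rtos-kernel",
     "version": "2.4"}
  ],
  "vulnerabilities": [
    {"id": "PLACEHOLDER-VULN-1", "affects": [{"ref": "cmp-tls"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "PLACEHOLDER-VULN-2", "affects": [{"ref": "cmp-rtos"}],
     "analysis": {"state": "exploitable"}},
    {"id": "PLACEHOLDER-VULN-3", "affects": [{"ref": "cmp-ghost"}]}
  ]
}""")

def detect_format(doc):
    """Tell the two FDA-accepted formats apart by their top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "SPDX"
    return "unknown"

def review_cyclonedx(doc):
    """Submission-readiness checks for a CycloneDX SBOM with embedded VEX."""
    comps = doc.get("components", [])
    known_refs = {c.get("bom-ref") for c in comps}
    # Baseline element check; the minimum set (name, version, supplier) is an assumption.
    incomplete = sorted(c.get("name", "?") for c in comps
                        if not (c.get("name") and c.get("version")
                                and (c.get("supplier") or {}).get("name")))
    dangling, open_items = [], []
    for vuln in doc.get("vulnerabilities", []):
        refs = [a.get("ref") for a in vuln.get("affects", [])]
        # A VEX statement only pairs with the SBOM if every ref resolves to a component.
        if any(r not in known_refs for r in refs):
            dangling.append(vuln["id"])
        # No analysis, or a state that still needs remediation, stays on the postmarket list.
        state = (vuln.get("analysis") or {}).get("state")
        if state in (None, "exploitable", "in_triage"):
            open_items.append(vuln["id"])
    return {"format": detect_format(doc), "incomplete_components": incomplete,
            "dangling_vex_refs": dangling, "open_vulnerabilities": open_items}
```

The analysis states compared against are CycloneDX's own impact-analysis vocabulary, where "exploitable" is the counterpart of a VEX "affected" statement.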
    Looking for the underlying terms? See the glossary for SBOM, VEX, CBOM, MDCG, PCCP and more.