Skip to main content
    MedTech Cyber Tips
    The Ultimate Guide
    Reference · 2026 edition

    FDA 524B vs EU MDR vs EU CRA - 2026 crosswalk

    Cross-jurisdiction and cross-format reference tables covering the Feb 3, 2026 FDA guidance, MDCG 2019-16 Rev.2, and the EU Cyber Resilience Act (Regulation (EU) 2024/2847). Useful for technical-file mapping and tool selection.

    Last updated · yesterday
    FDA Section 524B vs EU MDR cybersecurity

    What overlaps, what doesn't

    FDA only
    • Statutory SBOM (524B)
    • PCCP
    • eSTAR submission
    • Refuse-to-Accept policy
    Both
    • Threat model
    • CVD policy
    • Pentest evidence
    • Postmarket monitoring
    • Risk mgmt (ISO 14971)
    EU MDR only
    • Notified Body review
    • IEC 81001-5-1 hard tie
    • Annex I §17.2
    • PMS plan integration

    FDA (Section 524B) vs EU MDR cybersecurity

    Both regimes require evidence of secure development and postmarket vigilance, but the statutory authority, format, and review style differ. Use this as a mapping for a single global technical file.

    Requirement FDA (US) EU MDR
    Statutory cybersecurity authority Section 524B FD&C Act (2023) + Feb 2026 guidance Annex I §17.2 + MDCG 2019-16 Rev.2
    SBOM required in submission Required Expected, not statutory
    Coordinated Vulnerability Disclosure (CVD) policy Yes Yes
    Threat model in technical file Yes Yes
    Penetration testing evidence Independent recommended Expected by NB
    Postmarket vulnerability monitoring plan Yes Tied to PMS plan
    VEX pairing with SBOM Strongly encouraged Partial
    Predetermined Change Control Plan (PCCP) Yes No equivalent
    Reference standards AAMI TIR57, AAMI SW96, IEC 81001-5-1 IEC 81001-5-1, IEC 62304, ISO 14971
    Guided walkthrough

    Is my product in EU Cyber Resilience Act scope?

    Four short questions route you to the right rows in the crosswalk and the deep-dive topics that matter for your profile. Educational - not legal advice.

    1. 1
      Which best describes the product?

      Pick the closest fit - you can restart at any time.

    2. 2
      Is the product placed on the EU market?
    3. 3
      Does the product have 'digital elements' with data connections?

      CRA scope hinges on remote data connections (network, Bluetooth, cloud, updates).

    4. 4
      Where are you today on SBOM + coordinated vulnerability disclosure?

    EU Cyber Resilience Act (CRA) crosswalk: FDA 524B vs EU MDR vs EU CRA

    The EU Cyber Resilience Act (Regulation (EU) 2024/2847) adds a third regime for connected products. Devices already regulated as medical devices under the MDR/IVDR are generally excluded from the CRA where equivalent requirements are met - but accessories, standalone software, and companion apps can fall into scope. Vulnerability and incident reporting obligations begin Sept 11 2026; core obligations apply from Dec 11 2027.

    Dimension FDA (US) EU MDR EU CRA
    Instrument Section 524B FD&C Act Regulation (EU) 2017/745 (MDR) Regulation (EU) 2024/2847 (CRA)
    Core obligations effective Mar 29 2023 May 26 2021 Dec 11 2027
    Scope of medical devices Cyber devices All MDR-regulated devices MDR/IVDR-regulated devices largely carved out; accessories & standalone apps may apply
    SBOM expectation SPDX or CycloneDX Partial Annex I §2(1) - machine-readable
    Vulnerability handling process CVD + PSIRT Tied to PMS Annex I §2 - documented, coordinated
    Mandatory incident reporting Uncontrolled-risk criteria Vigilance 24h early warning to ENISA + CSIRT
    Actively-exploited vuln reporting Partial Partial 24h → 72h → 14d cadence
    Security updates during support period Postmarket plan Yes Min 5-yr support default
    CE marking / conformity assessment 510(k)/PMA MDR CE CRA CE, may combine with MDR
    Enforcement penalty ceiling FD&C Act enforcement Member-state fines €15M or 2.5% global turnover

    Sources: EUR-Lex - Regulation (EU) 2024/2847, European Commission - CRA, MDCG guidance index. Not legal advice - confirm scope with a notified body or regulatory counsel.

    SBOM formats: SPDX vs CycloneDX

    Both are accepted by FDA. The choice usually comes down to whether your priority is license compliance and standardization (SPDX) or security tooling and VEX/CBOM extensibility (CycloneDX).

    Dimension SPDX CycloneDX
    Steward Linux Foundation OWASP
    ISO standardized ISO/IEC 5962:2021 No
    License focus Strong Partial
    Vulnerability / VEX integration Partial Native VEX & VDR
    Cryptographic BOM (CBOM) No Yes
    Hardware / SaaS BOM Partial Yes
    Common formats tag-value, JSON, YAML, RDF JSON, XML, Protobuf
    FDA accepts in submission Yes Yes
    Looking for the underlying terms? See the glossary for SBOM, VEX, CBOM, MDCG, PCCP and more.
    FAQ

    FDA, MDR, and CRA - common questions

    Frequently asked questions

    Quick answers to the questions teams most often ask about this topic.

    FDA (Section 524B + 2026 guidance) is prescriptive about premarket artifacts: threat model, SBOM, penetration test, CVD policy, labeling. EU MDR (via MDCG 2019-16 Rev.2) frames cybersecurity as an essential requirement under Annex I with more principles-based expectations and heavier reliance on state-of-the-art standards like IEC 81001-5-1.

    The CRA carves out devices that are already regulated under MDR/IVDR at equivalent or higher rigor, but the carve-out is narrower than many manufacturers assume. Accessories, standalone software, and non-medical connected components in a MedTech portfolio may fall directly under the CRA. Use a scoping walkthrough to check per product.

    Align to IEC 81001-5-1 as your process baseline. It maps cleanly to both FDA SPDF expectations and MDR Annex I cybersecurity essential requirements, and it is the standard the CRA is expected to lean on. Then layer the FDA-specific artifacts (SBOM format, CVD policy) on top.

    FDA expects continuous monitoring, coordinated disclosure, and remediation on a risk-based cadence with public advisories via CISA/ICS-MEDICAL. EU MDR requires postmarket surveillance and vigilance reporting; the CRA (once fully in force) adds a 24-hour early-warning and 72-hour incident-reporting duty for exploited vulnerabilities.

    One CVD policy is fine if it explicitly commits to both FDA-aligned coordination (CISA) and EU-aligned notification obligations. What matters is that reporters know how to reach you, and that internal timelines meet the tightest applicable statutory deadline.