FDA 524B vs EU MDR vs EU CRA - 2026 crosswalk
Cross-jurisdiction and cross-format reference tables covering the Feb 3, 2026 FDA guidance, MDCG 2019-16 Rev.2, and the EU Cyber Resilience Act (Regulation (EU) 2024/2847). Useful for technical-file mapping and tool selection.
What overlaps, what doesn't
- • Statutory SBOM (524B)
- • PCCP
- • eSTAR submission
- • Refuse-to-Accept policy
- • Threat model
- • CVD policy
- • Pentest evidence
- • Postmarket monitoring
- • Risk mgmt (ISO 14971)
- • Notified Body review
- • IEC 81001-5-1 hard tie
- • Annex I §17.2
- • PMS plan integration
FDA (Section 524B) vs EU MDR cybersecurity
Both regimes require evidence of secure development and postmarket vigilance, but the statutory authority, format, and review style differ. Use this as a mapping for a single global technical file.
| Requirement | FDA (US) | EU MDR |
|---|---|---|
| Statutory cybersecurity authority | Section 524B FD&C Act (2023) + Feb 2026 guidance | Annex I §17.2 + MDCG 2019-16 Rev.2 |
| SBOM required in submission | Required | Expected, not statutory |
| Coordinated Vulnerability Disclosure (CVD) policy | Yes | Yes |
| Threat model in technical file | Yes | Yes |
| Penetration testing evidence | Independent recommended | Expected by NB |
| Postmarket vulnerability monitoring plan | Yes | Tied to PMS plan |
| VEX pairing with SBOM | Strongly encouraged | Partial |
| Predetermined Change Control Plan (PCCP) | Yes | No equivalent |
| Reference standards | AAMI TIR57, AAMI SW96, IEC 81001-5-1 | IEC 81001-5-1, IEC 62304, ISO 14971 |
Is my product in EU Cyber Resilience Act scope?
Four short questions route you to the right rows in the crosswalk and the deep-dive topics that matter for your profile. Educational - not legal advice.
-
1Which best describes the product?
Pick the closest fit - you can restart at any time.
-
2Is the product placed on the EU market?
-
3Does the product have 'digital elements' with data connections?
CRA scope hinges on remote data connections (network, Bluetooth, cloud, updates).
-
4Where are you today on SBOM + coordinated vulnerability disclosure?
EU Cyber Resilience Act (CRA) crosswalk: FDA 524B vs EU MDR vs EU CRA
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) adds a third regime for connected products. Devices already regulated as medical devices under the MDR/IVDR are generally excluded from the CRA where equivalent requirements are met - but accessories, standalone software, and companion apps can fall into scope. Vulnerability and incident reporting obligations begin Sept 11 2026; core obligations apply from Dec 11 2027.
| Dimension | FDA (US) | EU MDR | EU CRA |
|---|---|---|---|
| Instrument | Section 524B FD&C Act | Regulation (EU) 2017/745 (MDR) | Regulation (EU) 2024/2847 (CRA) |
| Core obligations effective | Mar 29 2023 | May 26 2021 | Dec 11 2027 |
| Scope of medical devices | Cyber devices | All MDR-regulated devices | MDR/IVDR-regulated devices largely carved out; accessories & standalone apps may apply |
| SBOM expectation | SPDX or CycloneDX | Partial | Annex I §2(1) - machine-readable |
| Vulnerability handling process | CVD + PSIRT | Tied to PMS | Annex I §2 - documented, coordinated |
| Mandatory incident reporting | Uncontrolled-risk criteria | Vigilance | 24h early warning to ENISA + CSIRT |
| Actively-exploited vuln reporting | Partial | Partial | 24h → 72h → 14d cadence |
| Security updates during support period | Postmarket plan | Yes | Min 5-yr support default |
| CE marking / conformity assessment | 510(k)/PMA | MDR CE | CRA CE, may combine with MDR |
| Enforcement penalty ceiling | FD&C Act enforcement | Member-state fines | €15M or 2.5% global turnover |
Sources: EUR-Lex - Regulation (EU) 2024/2847, European Commission - CRA, MDCG guidance index. Not legal advice - confirm scope with a notified body or regulatory counsel.
SBOM formats: SPDX vs CycloneDX
Both are accepted by FDA. The choice usually comes down to whether your priority is license compliance and standardization (SPDX) or security tooling and VEX/CBOM extensibility (CycloneDX).
| Dimension | SPDX | CycloneDX |
|---|---|---|
| Steward | Linux Foundation | OWASP |
| ISO standardized | ISO/IEC 5962:2021 | No |
| License focus | Strong | Partial |
| Vulnerability / VEX integration | Partial | Native VEX & VDR |
| Cryptographic BOM (CBOM) | No | Yes |
| Hardware / SaaS BOM | Partial | Yes |
| Common formats | tag-value, JSON, YAML, RDF | JSON, XML, Protobuf |
| FDA accepts in submission | Yes | Yes |
FDA, MDR, and CRA - common questions
Frequently asked questions
Quick answers to the questions teams most often ask about this topic.
FDA (Section 524B + 2026 guidance) is prescriptive about premarket artifacts: threat model, SBOM, penetration test, CVD policy, labeling. EU MDR (via MDCG 2019-16 Rev.2) frames cybersecurity as an essential requirement under Annex I with more principles-based expectations and heavier reliance on state-of-the-art standards like IEC 81001-5-1.
The CRA carves out devices that are already regulated under MDR/IVDR at equivalent or higher rigor, but the carve-out is narrower than many manufacturers assume. Accessories, standalone software, and non-medical connected components in a MedTech portfolio may fall directly under the CRA. Use a scoping walkthrough to check per product.
Align to IEC 81001-5-1 as your process baseline. It maps cleanly to both FDA SPDF expectations and MDR Annex I cybersecurity essential requirements, and it is the standard the CRA is expected to lean on. Then layer the FDA-specific artifacts (SBOM format, CVD policy) on top.
FDA expects continuous monitoring, coordinated disclosure, and remediation on a risk-based cadence with public advisories via CISA/ICS-MEDICAL. EU MDR requires postmarket surveillance and vigilance reporting; the CRA (once fully in force) adds a 24-hour early-warning and 72-hour incident-reporting duty for exploited vulnerabilities.
One CVD policy is fine if it explicitly commits to both FDA-aligned coordination (CISA) and EU-aligned notification obligations. What matters is that reporters know how to reach you, and that internal timelines meet the tightest applicable statutory deadline.