Skip to main content
    MedTech Cyber Tips
    The Ultimate Guide
    Updates
    FDA

    FDA issues updated premarket cybersecurity guidance (Feb 3, 2026)

    The FDA's Feb 3, 2026 revision to 'Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions' is now the current final guidance. Here's what changed versus the 2023 edition and what to update in your submission templates.

    Reviewed by ·Published ·Last reviewed July 2026

    On February 3, 2026, FDA issued an updated final version of its premarket cybersecurity guidance. It replaces the September 2023 edition as the current expected reference for §524B 'cyber device' submissions. The scaffolding is unchanged - SPDF, threat modeling, SBOM, vulnerability management, labeling, and postmarket plans remain the pillars - but several sections were tightened based on two years of submission review feedback.

    What to update in your submission templates:

    1. Cite the Feb 2026 guidance version in your Cybersecurity Risk Management Report, Management Plan, and Traceability sections. Reviewers now expect the current version referenced explicitly.

    2. SBOM expectations are more prescriptive: machine-readable (SPDX or CycloneDX), version-pinned, with an accompanying VEX for known-but-non-exploitable vulnerabilities. Free-form component lists are being cited as deficiencies.

    3. Threat model rigor: STRIDE plus device-specific misuse and abuse cases; AI/ML devices are expected to include adversarial ML threats (evasion, poisoning, model inversion) where applicable.

    4. Postmarket vulnerability handling: a documented CVD policy is table stakes; reviewers want evidence of an operating PSIRT-style capability and a rehearsed disclosure workflow, not just a webpage.

    5. Labeling: expanded expectations for end-of-support communication and security update cadence disclosed to healthcare delivery organizations.

    If your device is currently mid-submission under the 2023 guidance, coordinate with your reviewer - many programs are being asked to add a short addendum aligning to the Feb 2026 version rather than restarting.

    More updates