On February 3, 2026, FDA issued an updated final version of its premarket cybersecurity guidance. It replaces the September 2023 edition as the current expected reference for §524B 'cyber device' submissions. The scaffolding is unchanged - SPDF, threat modeling, SBOM, vulnerability management, labeling, and postmarket plans remain the pillars - but several sections were tightened based on two years of submission review feedback.
What to update in your submission templates:
1. Cite the Feb 2026 guidance version in your Cybersecurity Risk Management Report, Management Plan, and Traceability sections. Reviewers now expect the current version referenced explicitly.
2. SBOM expectations are more prescriptive: machine-readable (SPDX or CycloneDX), version-pinned, with an accompanying VEX for known-but-non-exploitable vulnerabilities. Free-form component lists are being cited as deficiencies.
3. Threat model rigor: STRIDE plus device-specific misuse and abuse cases; AI/ML devices are expected to include adversarial ML threats (evasion, poisoning, model inversion) where applicable.
4. Postmarket vulnerability handling: a documented CVD policy is table stakes; reviewers want evidence of an operating PSIRT-style capability and a rehearsed disclosure workflow, not just a webpage.
5. Labeling: expanded expectations for end-of-support communication and security update cadence disclosed to healthcare delivery organizations.
If your device is currently mid-submission under the 2023 guidance, coordinate with your reviewer - many programs are being asked to add a short addendum aligning to the Feb 2026 version rather than restarting.
-
MDCG 2019-16 Rev.2 at six months: Notified Body audit patternsSix months in, Notified Body audits under MDCG 2019-16 Rev.2 show three clear failure modes - narrative-only SBOMs, CVD policies without operational evidence, and traceability gaps between security risk controls and design outputs.
-
Three years of Section 524B: the deficiencies that never went awayThree-year retrospective on Section 524B enforcement: SBOM depth, VEX justification, and CVD operational evidence remain the top three categories of cyber deficiencies. Two new patterns emerged in 2026 - AI/ML threat-model gaps and weak end-of-support labeling.
-
IEC 81001-5-1 Amendment 1 reaches FDIS - what MedTech teams should trackAmendment 1 to IEC 81001-5-1 (health software security lifecycle) is in Final Draft International Standard ballot. It sharpens SBOM, CVD, and postmarket vulnerability expectations - and it's the standard EU Notified Bodies are quietly aligning MDCG 2019-16 audits against.