Now that the February 3, 2026 premarket cybersecurity guidance has been in force for a full submission cycle, we're seeing consistent deficiency themes in recent CDRH feedback:
1. SBOM 'depth-of-field' - reviewers want transitive dependencies, not just top-level components. A CycloneDX file that stops at direct imports is being flagged as incomplete.
2. VEX statements without justification - a VEX that marks CVEs 'not affected' without a machine-readable justification code is treated as unsupported. Use the standard status justifications (component_not_present, vulnerable_code_not_in_execute_path, etc.).
3. AI/ML threat models missing adversarial ML - for cyber devices with ML components, evasion, poisoning, and model-extraction threats are now expected line items, not optional appendices.
4. CVD intake evidence - a policy page is not enough; reviewers are asking for the intake address, triage SLA, and at least a redacted example of a coordinated disclosure workflow.
5. End-of-support labeling - devices without a documented security-support horizon and communication plan are getting cited under the expanded labeling expectations.
If your submission is queued for Q3 or Q4 2026, pressure-test these five areas before you file.
-
MDCG 2019-16 Rev.2 at six months: Notified Body audit patternsSix months in, Notified Body audits under MDCG 2019-16 Rev.2 show three clear failure modes - narrative-only SBOMs, CVD policies without operational evidence, and traceability gaps between security risk controls and design outputs.
-
Three years of Section 524B: the deficiencies that never went awayThree-year retrospective on Section 524B enforcement: SBOM depth, VEX justification, and CVD operational evidence remain the top three categories of cyber deficiencies. Two new patterns emerged in 2026 - AI/ML threat-model gaps and weak end-of-support labeling.
-
IEC 81001-5-1 Amendment 1 reaches FDIS - what MedTech teams should trackAmendment 1 to IEC 81001-5-1 (health software security lifecycle) is in Final Draft International Standard ballot. It sharpens SBOM, CVD, and postmarket vulnerability expectations - and it's the standard EU Notified Bodies are quietly aligning MDCG 2019-16 audits against.