The Quality Management System Regulation (QMSR) is now in effect, replacing the legacy QSR. For cybersecurity programs, the most material shifts are scoped record requirements and tighter alignment with ISO 13485 design and risk processes.
What to update now: your design history file index, security risk management plan references, and CAPA templates that previously pointed at 21 CFR 820 sub-parts. Most controls (design inputs/outputs, V&V, supplier controls) map cleanly - only the citation language and a few records change.
Source
FDA QMSR final rule
More updates
-
MDCG 2019-16 Rev.2 at six months: Notified Body audit patternsSix months in, Notified Body audits under MDCG 2019-16 Rev.2 show three clear failure modes - narrative-only SBOMs, CVD policies without operational evidence, and traceability gaps between security risk controls and design outputs.
-
Three years of Section 524B: the deficiencies that never went awayThree-year retrospective on Section 524B enforcement: SBOM depth, VEX justification, and CVD operational evidence remain the top three categories of cyber deficiencies. Two new patterns emerged in 2026 - AI/ML threat-model gaps and weak end-of-support labeling.
-
IEC 81001-5-1 Amendment 1 reaches FDIS - what MedTech teams should trackAmendment 1 to IEC 81001-5-1 (health software security lifecycle) is in Final Draft International Standard ballot. It sharpens SBOM, CVD, and postmarket vulnerability expectations - and it's the standard EU Notified Bodies are quietly aligning MDCG 2019-16 audits against.