July 7, 2025
By Sade Sobande
On June 27, 2025, the U.S. Food and Drug Administration (FDA) released its final guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”. This builds on the foundations set by the guidance and select updates issued in 2023 and 2024, respectively, providing both a consolidated framework for cybersecurity and clarifications that reflect the evolving cyber landscape.
Clarification on the definition of “cyber devices” and expanded scope
Further to the definition provided in Section 524B(c) of the FD&C Act, FDA considers a cyber device to be a device that contains software or is itself software. This removes the ambiguity that manufacturers previously relied on when justifying why their software device did not meet the “cyber device” criteria: if a device contains software, the guidance applies, whether or not it is network-enabled.
Risk-based approach to premarket submission documentation
The FDA emphasizes a risk-based approach to the cybersecurity documentation submitted. The level of documentation must correspond to the device’s cybersecurity risk, not to its documentation level or any other criteria that may have been established in other FDA guidance. An explicit statement to substantiate this (reiterated from the 2023 guidance) is provided: “For example, a device that is determined to have a greater software risk may only have a small cybersecurity risk due to how the device is designed. Likewise, a device with a smaller software risk may have a significant cybersecurity risk.”
Updated standards references
ANSI AAMI SW96 has been a recognized consensus standard for the last two years, but industry adoption has arguably been slow. Medical device manufacturers have historically approached medical device cybersecurity using a blend of ISO 14971 (for safety risk) and AAMI TIR 57 (for security risk). TIR 57, while a valuable resource, is an informational technical report rather than a normative standard. The explicit reference to SW96 provides manufacturers with more formal, normative requirements and emphasizes the need to embed and operationalize cybersecurity principles through design controls, threat modelling and comprehensive risk assessments.
Specific requirements for cyber devices
The newly incorporated section V.II outlines specific requirements for cyber devices. These devices must include the following in their premarket submissions:
- A cybersecurity management plan, which must be continually maintained and updated as new information becomes available.
- Processes and procedures that provide a reasonable assurance of cybersecurity.
- A Software Bill of Materials (SBOM).
It is strongly recommended that manufacturers provide these documents to avoid a refusal-to-accept decision and/or a technical screening hold.
Clarity on device modifications
As with any device modification, changes to cyber devices must be assessed by taking a risk-based approach. While the guidance does not redefine new submission thresholds, it reinforces established principles and recommends that documentation be provided if the change has an impact on cybersecurity. Examples of these changes are provided.
Manufacturers must demonstrate a reasonable assurance of cybersecurity
Whilst the 2023 guidance document referred to reasonable assurance in the context of the safety and effectiveness of the device, the 2025 guidance is explicit that manufacturers must demonstrate a reasonable assurance of cybersecurity of their cyber device. Further, when evaluating if a device is substantially equivalent to a predicate, if the subject device is determined to have increased cyber risks, the FDA may determine the subject device is not substantially equivalent. From a more practical perspective, medical device manufacturers of cyber devices must provide the 12 required cybersecurity documents expected as part of the eSTAR submission process.
Concluding remarks
Medical device cybersecurity cannot be implemented in a silo. It is a core technical, quality and regulatory requirement that must be woven into every phase of the medical device product lifecycle. For manufacturers implementing changes to devices already placed on the market, changes that impact a device’s security posture may trigger new submission requirements; this will require a robust reassessment of risk documentation, including revised threat modelling documentation and clear evidence that the device remains resilient in a dynamic threat environment, rather than a retrospective justification.
In addition to sharpening and clarifying the FDA's expectations for cyber devices, the guidance aligns with the International Medical Device Regulators Forum (IMDRF) “Principles and Practices for Medical Device Cybersecurity, March 2020”, reinforcing global efforts for requirement harmonization for these devices, which also fall under the umbrella of medical device software (MDSW).