On February 3, 2026, the U.S. Food and Drug Administration (FDA) issued a revised version of its cybersecurity guidance for medical devices. While the technical cybersecurity expectations remain largely consistent with the 2025 version, the 2026 update reflects a significant regulatory transition: the replacement of the Quality System Regulation (QSR) with the Quality Management System Regulation (QMSR).
This change formally aligns FDA requirements with ISO 13485:2016, which is now incorporated by reference into 21 CFR Part 820.
Below is a structured breakdown of what changed, and what remained the same.
Title and Regulatory Scope Update
2025 Version
“Cybersecurity in Medical Devices: Quality Management Systems Considerations and Content of Premarket Submissions.”
2026 Version
“Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions”
Why This Matters
The change reflects FDA’s formal transition from the legacy QS Regulation to the new QMSR, which harmonizes U.S. regulatory expectations with ISO 13485:2016. This alignment strengthens global consistency for medical device manufacturers operating in multiple regulatory jurisdictions.
Regulatory Framework Alignment
QSR (21 CFR 820) → QMSR (ISO 13485:2016)
The most substantive revisions in the 2026 guidance involve updated regulatory citations. The FDA replaced references to specific sections of the old QSR with the corresponding clauses in ISO 13485:2016.
Side-by-Side Comparison
| Topic | 2025 Guidance (QSR – 21 CFR 820) | 2026 Guidance (QMSR – ISO 13485:2016) |
|---|---|---|
| Regulation Reference | QS Regulation | QMSR (ISO 13485 incorporated by reference) |
| Design Controls | 21 CFR 820.30 (a–j) | ISO 13485 Clause 7.3 – Design and Development |
| Risk Management | 820.30(g) – Risk Analysis | ISO 13485 Subclause 7.1 – Planning of Product Realization |
| Purchasing / Supply Chain | 820.50 – Purchasing Controls | ISO 13485 Subclause 7.4 – Purchasing |
| Verification & Validation | 820.30(f), (g) | ISO 13485 Subclauses 7.3.6 and 7.3.7 |
| CAPA / Improvement | 820.100 – CAPA | ISO 13485 Subclause 8.5 (Improvement) and 8.4 (Analysis of Data) |
| Documentation Files | Design History File (820.30(j)) and Device Master Record (820.181) | Design and Development Files (7.3.10) and Medical Device File (4.2.3) |
Strategic Impact
For manufacturers, this means:
- Cybersecurity activities must now be clearly mapped to ISO 13485 clauses.
- Documentation structures should reflect QMSR terminology.
- Internal procedures may require updates to ensure regulatory traceability under the new framework.
Secure Product Development Framework (SPDF)
The FDA continues to recommend implementation of a Secure Product Development Framework (SPDF).
What Changed?
- 2025 Guidance: An SPDF was presented as one way to satisfy the QS Regulation.
- 2026 Guidance: An SPDF is presented as one way to satisfy the QMSR.
What Stayed the Same?
The FDA’s expectation that cybersecurity be embedded throughout the product lifecycle—from design through postmarket—remains unchanged. The SPDF remains the operational mechanism for achieving this integration.
Effective Date and Regulatory History
- Rule Effective Date: February 2, 2026
- Guidance Issued: February 3, 2026
- Revision Rationale: Alignment with amendments to 21 CFR Part 820 (QMSR)
The 2026 document explicitly states that revisions were made to align with the newly effective QMSR framework.
What Did NOT Change
Despite regulatory citation updates, the core cybersecurity technical expectations remain consistent.
Security Objectives
The foundational security objectives are unchanged:
- Authenticity
- Authorization
- Availability
- Confidentiality
- Updatability
Cyber Device Requirements (FD&C Act Section 524B)
The statutory requirements for “Cyber Devices” remain intact, including:
- Cybersecurity risk management processes
- Postmarket vulnerability management plans
- Software Bill of Materials (SBOM) requirements
Premarket Documentation Expectations
The premarket documentation recommendations remain in place for:
- Threat Modeling
- Architecture Diagrams and Security Views
- Cybersecurity Testing (verification, validation, penetration testing)
What This Means for Medical Device Manufacturers
The 2026 update is primarily a regulatory harmonization shift, not a technical cybersecurity overhaul.
However, manufacturers should:
- Update internal SOPs to reflect QMSR terminology.
- Re-map cybersecurity processes to ISO 13485 clauses.
- Ensure SPDF activities are traceable under the QMSR framework.
- Review submission templates to align documentation language with ISO references.
Organizations that already operate under ISO 13485 will experience smoother integration, but U.S.-only manufacturers may require structural updates to their quality systems.