February 4, 2026
by Ferdous Al-Faruque

FDA reissues cybersecurity guidance to align with QMSR

The US Food and Drug Administration (FDA) has reissued a final guidance on quality system management considerations for medical device cybersecurity following the agency's transition from the Quality System Regulation (QSR) to the Quality System Management Regulation (QMSR).
 
On 4 February, FDA published the final guidance that replaces references to QSR regulations under the Code of Federal Regulations (CFR) 21 CFR part 820 with references to QMSR and, more specifically, the International Standards Organization (ISO) ISO 13485 standard. The updated final guidance comes two days after the agency transitioned from the QSR to the QMSR, which largely relies on ISO 13485 to harmonize quality system regulations with other global regulatory agencies.
 
“Revisions issued [were] under Level 2 guidance procedures (21 CFR 10.115(g)(4)), including revisions to align with the amendments to 21 CFR 820 (the Quality Management System Regulation (QMSR)),” said FDA in its new guidance explaining the update. “This guidance supersedes the final guidance titled 'Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions' and published June 2025.”
 
When discussing general cybersecurity principles, FDA refers sponsors to the QMSR, replacing the QSR, and notes that quality management system requirements are found in QMSR 21 CFR part 820. The agency also added that the updated regulation now references ISO 13485 throughout the guidance.
 
As stated in the previous guidance, FDA said the guidance is intended to explain how documentation outputs that show adherence to QMSR can be used to address cybersecurity concerns and provide a reasonable assurance of safety and effectiveness. It also points sponsors to specific parts of ISO 13485 for reference.
 
“For example, 21 CFR 820.10(c) requires that for all classes of devices automated with software, a manufacturer must comply with the requirements in Design and Development, Clause 7.3 and its subclauses of ISO 13485,” said FDA. “As part of design and development, '[d]esign and development validation shall be performed in accordance with planned and documented arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use' (Subclause 7.3.7).
 
“Design and development validation includes validation of device software,” the agency added. “In addition, Subclause 7.1 of ISO 13485 specifies that the 'organization shall document one or more processes for risk management in product realization.'”
 
In the discussion of implementing security controls, FDA has taken out a large section that refers to regulations that require manufacturers to ensure the appropriateness of their products.
 
“Under 21 CFR 820.30(c), a manufacturer must establish and maintain procedures to ensure that the design requirements relating to a device are appropriate and address the intended use of the device, including the needs of the user and patient,” FDA stated in a passage of its previous guidance that has now been removed. “Under 21 CFR 820.30(d), a manufacturer must establish and maintain procedures for defining and documenting design output in terms that allow an adequate evaluation of conformance to design input requirements.
 
“These output procedures shall contain or make reference to acceptance criteria and shall ensure that those design outputs that are essential for the proper functioning of the device are identified,” the agency had previously stated.
 
While the guidance is final, FDA is still taking comments from stakeholders on www.regulations.gov under docket no. FDA-D-1158.
 
Final guidance