FDA Guidance Update: Navigating the QMSR Cybersecurity Shift

20/02/2026

    The updated guidance, "Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions", supersedes the June 2025 version. The core cybersecurity principles are unchanged; what has changed is the regulatory framework they are anchored to, which has been realigned to the Quality Management System Regulation (QMSR).

    From 21 CFR 820 to ISO 13485:2016 

    The most significant change is the move to the QMSR, which incorporates ISO 13485:2016 by reference. In practice, cybersecurity documentation must now be traceable to specific ISO 13485 clauses rather than only to the former 21 CFR 820 (Quality System Regulation) text.

    • Design and development: References have shifted from 21 CFR 820.30 to ISO 13485 Clause 7.3. 
    • Validation: Software validation is now specifically tied to Subclause 7.3.7. 
    • CAPA/Improvement: Corrective and preventive actions are now addressed under Subclause 8.5. 

    Documented risk management is no longer optional

    Under the new QMSR, the FDA emphasizes that ISO 13485 Subclause 7.1 explicitly requires manufacturers to document one or more processes for risk management in product realization. This reinforces that cybersecurity risk management must be an integrated, documented part of your entire QMS. 

    Overview table:

    Feature / Topic       | 2025 Framework (QS Regulation)        | 2026 Framework (QMSR Alignment)
    ----------------------|---------------------------------------|-------------------------------------------------------------------
    Primary Regulation    | 21 CFR Part 820 (Quality System)      | 21 CFR Part 820 (Quality Management System Regulation, QMSR)
    Global Standard       | FDA-specific requirements             | ISO 13485:2016 (incorporated by reference)
    Design & Development  | 21 CFR 820.30                         | ISO 13485 Clause 7.3
    Software Validation   | 21 CFR 820.30(g)                      | ISO 13485 Subclause 7.3.7
    Risk Management       | General risk analysis (820.30)        | Explicitly documented for product realization (Subclause 7.1)
    CAPA / Improvement    | 21 CFR 820.100                        | ISO 13485 Subclause 8.5

    Refined technical terminology

    The 2026 update adds more precise definitions in Appendix 5, aligned with NIST and international standards:

    • Least privilege: Formally defined as a security principle to restrict access privileges to the absolute minimum necessary. 
    • Threat surface: Now explicitly defined as the set of points where a cyber threat can attempt to enter or extract data. 
    • Quality of service (QoS): Added to address measurable performance factors like bandwidth, latency, and jitter. 

    Mandatory requirements for ‘cyber devices’

    The obligations under Section 524B of the FD&C Act remain mandatory. If your product qualifies as a "cyber device", your premarket submission must include:

    • A comprehensive Software Bill of Materials (SBOM) covering commercial, open-source and off-the-shelf components.
    • A postmarket cybersecurity plan describing how vulnerabilities will be monitored, identified and addressed within a reasonable time.
    • Processes and procedures that provide reasonable assurance that the device and related systems are cybersecure.


    At Applus+ Laboratories, we specialize in bridging the gap between technical cybersecurity and complex regulatory requirements. Whether you are remapping your QMS to ISO 13485 or preparing a new 510(k), we are here to ensure your submission is robust and compliant with the latest 2026 expectations. 
