The US Food and Drug Administration’s (FDA) scrutiny around medical device cybersecurity will “intensify significantly” as we move into 2026, an expert has forecast.

In June 2025, the agency published its final expectations for premarket submissions and post-market lifecycle obligations for medical device cybersecurity protocols under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act.

Justin Kozak, team lead of life science practice at technology broker Founder Shield, anticipates that the FDA will switch its focus from pre-market paperwork to active operational execution in 2026.

Kozak told Medical Device Network: “The FDA will move beyond reviewing plans under Section 524B to auditing the real-world effectiveness of post-market security processes.”

Section 524B, which was enacted in December 2022 as part of the Consolidated Appropriations Act, mandates a range of cybersecurity requirements across the lifecycle for certain medical devices. The legislation targets devices that connect to the internet and include software validated, installed, or authorised by a device manufacturer.

Required details include information around a device’s security controls, plans for vulnerability disclosure, and the provision of a software bill of materials (SBOM).

In October 2023, the FDA implemented its refuse to accept (RTA) policy under Section 524B. The action gave the agency the authority to reject pre-market application (PMA) submissions for in-scope medical devices that lacked comprehensive cybersecurity information.

Kozak added that the rapid integration of AI or generative AI (genAI) into devices is introducing unique security risks that demand specialised governance and secure-by-design principles to maintain patient safety.

According to GlobalData analysis, medical device companies’ spending on cybersecurity is projected to grow at a CAGR of 12.9% to $1.2bn by 2027, up from $631.2m in 2022.

Kozak continued: “This shift will force companies to prove their vulnerability management works in the field, not only pre-product launch.”

Given that premarket enforcement has been in effect since 2023, the industry has been bracing itself for the post-market cybersecurity requirements. For example, safety testing company UL Solutions has a page on its website dedicated to answering FAQs on how best to navigate Section 524B.

Kozak highlighted that small medtech companies face heightened risk due to resource limitations and the threat of regulatory failure.

“They often lack the deep pockets of larger companies, resulting in a ‘triple burden’ scenario,” he noted.

To deal with the requirements promulgated under Section 524B, Kozak advises smaller companies to treat security as a core engineering requirement from day one, as opposed to a documentation afterthought.

Kozak concluded: “The most effective strategy is to embed automated security checks early in the development pipeline. The reason for this ‘shift left’ strategy is that fixing vulnerabilities during coding is vastly more cost-efficient than post-market remediation.”
