The US Food and Drug Administration’s (FDA) scrutiny around medical device cybersecurity will “intensify significantly” as we move into 2026, an expert has forecast.
In June 2025, the agency published its final expectations for premarket submissions and post-market lifecycle obligations for medical device cybersecurity protocols under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act.
Justin Kozak, team lead of life science practice at technology broker Founder Shield, anticipates that the FDA will switch its focus from pre-market paperwork to active operational execution in 2026.
Kozak told Medical Device Network: “The FDA will move beyond reviewing plans under Section 524B to auditing the real-world effectiveness of post-market security processes.”
Section 524B, which was enacted in December 2022 as part of the Consolidated Appropriations Act, mandates a range of cybersecurity requirements across the lifecycle for certain medical devices. The devices targeted by the legislation are those that connect to the internet and include software validated, installed, or authorised by the device manufacturer.
Required details include information around a device’s security controls, plans for vulnerability disclosure, and the provision of a software bill of materials (SBOM).
In October 2023, the FDA implemented its refuse to accept (RTA) policy under Section 524B. The policy gave the agency the authority to reject pre-market application (PMA) submissions for in-scope medical devices that lacked comprehensive cybersecurity information.
Kozak added that the rapid integration of AI or generative AI (genAI) into devices is introducing unique security risks that demand specialised governance and secure-by-design principles to maintain patient safety.
According to GlobalData analysis, medical device companies’ spending on cybersecurity is projected to grow at a CAGR of 12.9% to $1.2bn by 2027, up from $631.2m in 2022.
Kozak continued: “This shift will force companies to prove their vulnerability management works in the field, not only pre-product launch.”
Given that premarket enforcement has been in effect since 2023, the industry has been bracing itself for the post-market cybersecurity requirements. For example, safety testing company UL Solutions has a dedicated page on its website answering FAQs on how best to navigate Section 524B.
Kozak highlighted that small medtech companies face heightened risk due to resource limitations and the threat of regulatory failure.
“They often lack the deep pockets of larger companies, resulting in a ‘triple burden’ scenario,” he noted.
To deal with the requirements promulgated under Section 524B, Kozak advises smaller companies to treat security as a core engineering requirement from day one, as opposed to a documentation afterthought.
Kozak concluded: “The most effective strategy is to embed automated security checks early in the development pipeline. The reason for this ‘shift left’ strategy is that fixing vulnerabilities during coding is vastly more cost-efficient than post-market remediation.”