Refuse to Accept (Cybersecurity)
FDA's authority to reject a premarket submission outright when required cybersecurity content is missing.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber
Last reviewed May 5, 2026
Definition
Refuse to Accept (RTA) is FDA's authority to reject a premarket submission before substantive review when administrative or content requirements are not met. Under section 524B, FDA began RTA enforcement on October 1, 2023 for any cyber-device submission missing the statutory cybersecurity content (vulnerability monitoring plan, secure-by-design processes, SBOM, and any other required information). An RTA stops the review clock; the sponsor must resubmit with complete content.
What the regulation says
FDA's RTA checklists for 510(k), De Novo, PMA, and HDE submissions now include explicit cybersecurity items derived from section 524B and the 2023 guidance. Reviewers run the checklist within the first 15 calendar days; missing or non-conforming cybersecurity content triggers RTA. The sponsor receives an RTA letter listing each deficiency.
What this means in practice
RTA on cybersecurity content is fast and unforgiving. Most MedTech teams that have hit it underestimated the scope of what FDA expects in the SBOM, threat model, and vulnerability management plan, or treated the section 524B requirements as guidance rather than statute. Build the cybersecurity package alongside the rest of the submission and pre-flight it against the RTA checklist.
Common pitfalls
- Submitting an SBOM that lacks the CISA minimum elements or end-of-support information.
- Including a generic vulnerability management plan with no resourcing detail.
- Missing the cybersecurity labeling content required under 524B.
Frequently asked questions
FDA's RTA review is typically completed within 15 calendar days of submission acceptance. If the package fails RTA, the clock never starts and the sponsor must resubmit.