MedTech Terms

    Section 524B of the FD&C Act

    The federal statute that gives FDA explicit premarket authority over cybersecurity for cyber devices.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    Section 524B of the Federal Food, Drug, and Cosmetic Act, added by section 3305 of the Consolidated Appropriations Act, 2023, requires the sponsor of any "cyber device" to include cybersecurity information in its premarket submission (510(k), De Novo, PMA, HDE, or other premarket pathway). A cyber device is one that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics that could be vulnerable to cybersecurity threats. All three prongs must be met. 524B applies to submissions made on or after March 29, 2023, and FDA began Refuse-to-Accept (RTA) screening for 524B content on October 1, 2023.
    What the statute says
    524B(b) requires four things of a cyber-device submission: (1) a plan to monitor, identify, and address, within a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; (2) processes and procedures that provide reasonable assurance the device and related systems are cybersecure, plus postmarket updates and patches released on a reasonably justified regular cycle for known unacceptable vulnerabilities and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risks; (3) a Software Bill of Materials (SBOM) covering commercial, open-source, and off-the-shelf software components; and (4) compliance with any other requirements FDA may add through regulation to demonstrate reasonable assurance of safety and effectiveness. FDA's September 2023 final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, translates these statutory requirements into reviewable artifacts: a threat model, a cybersecurity risk assessment, security architecture views, the SBOM, a vulnerability management plan, and end-user labeling.
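    The SBOM requirement in (3) is the one artifact a reviewer can check mechanically, and the one that feeds the postmarket monitoring plan in (1): without a name, version, supplier and a stable identifier per component, advisories cannot be matched to the device. The script below is an added example, not FDA's or any submitter's tooling. It walks a constructed CycloneDX 1.5 JSON SBOM and reports components missing those fields, and confirms that all three statutory origin classes (commercial, open-source, off-the-shelf) are represented. The "medtech:origin" property used to tag origin is an assumed house convention, not a CycloneDX standard field.

```python
"""Completeness check of a CycloneDX SBOM against the 524B component triad.
Added example; the SBOM below is constructed, not from a real device."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5 fragment with deliberate gaps (missing version,
# supplier, purl and origin tag) so the checker has something to report.
SAMPLE_SBOM = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "supplier": {"name": "OpenSSL Software Foundation"},
     "purl": "pkg:generic/openssl@3.0.13",
     "properties": [{"name": "medtech:origin", "value": "open-source"}]},
    {"type": "operating-system", "name": "Acme RTOS",
     "supplier": {"name": "Acme Embedded Ltd"},
     "properties": [{"name": "medtech:origin", "value": "commercial"}]},
    {"type": "firmware", "name": "ble-stack", "version": "2.4.1",
     "properties": [{"name": "medtech:origin", "value": "off-the-shelf"}]},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "supplier": {"name": "zlib contributors"},
     "purl": "pkg:generic/zlib@1.3.1"}
  ]
}'''

# 524B(b)(3): commercial, open-source and off-the-shelf components all belong in the SBOM.
STATUTORY_ORIGINS = {"commercial", "open-source", "off-the-shelf"}
# Assumed custom property name used to tag each component's origin (not a CycloneDX field).
ORIGIN_PROPERTY = "medtech:origin"

Finding = Tuple[str, str]  # (component name, issue)


def _property(component: dict, name: str) -> Optional[str]:
    """Return the value of a CycloneDX custom property, or None if absent."""
    for prop in component.get("properties", []):
        if prop.get("name") == name:
            return prop.get("value")
    return None


def check_sbom(sbom_json: str) -> Dict[str, object]:
    """Report per-component gaps and whether every statutory origin class appears."""
    bom = json.loads(sbom_json)
    findings: List[Finding] = []
    origins_seen = set()
    for comp in bom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append((label, "missing name"))
        if not comp.get("version"):
            findings.append((label, "missing version"))
        if not comp.get("supplier", {}).get("name"):
            findings.append((label, "missing supplier"))
        if not comp.get("purl"):
            # Without a package URL there is no stable key to match advisories against.
            findings.append((label, "missing purl (no stable key for advisory matching)"))
        origin = _property(comp, ORIGIN_PROPERTY)
        if origin in STATUTORY_ORIGINS:
            origins_seen.add(origin)
        else:
            findings.append((label, f"missing or unknown {ORIGIN_PROPERTY}"))
    missing_origins = sorted(STATUTORY_ORIGINS - origins_seen)
    return {
        "findings": findings,
        "missing_origins": missing_origins,
        "ok": not findings and not missing_origins,
    }


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    for name, issue in result["findings"]:
        print(f"{name}: {issue}")
    print("origin classes not represented:", result["missing_origins"] or "none")
    print("submission-ready:", result["ok"])
```

Run against the constructed SBOM, the checker flags the RTOS for a missing version, the BLE stack for a missing supplier, both for a missing purl, and zlib for an untagged origin; the three origin classes are all present, so only the per-component gaps block a clean result. Real submissions should run the same check over the SBOM the build actually produces, not a hand-maintained spreadsheet.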

    What this means in practice

    Before 524B, cybersecurity expectations were guidance-level and inconsistently enforced. Today, missing 524B content is a Refuse-to-Accept basis - the submission never reaches substantive review. Most MedTech teams now treat 524B as the spine of their premarket cybersecurity package and align internal design controls (ISO 13485 / 21 CFR 820.30) and risk management (ISO 14971, AAMI TIR57) to produce the required artifacts as a natural output of the development lifecycle.
    Common pitfalls
    • Assuming a legacy 510(k) predicate exempts the new submission from 524B; it does not. The requirement attaches to the new submission, not to the predicate's history.
    • Submitting a generic "cybersecurity plan" without the underlying threat model, SBOM, and security architecture views that the guidance asks for.
    • Treating the postmarket vulnerability monitoring plan as boilerplate; FDA expects a real, resourced process with defined intake, triage, and patch-release timelines.
    • Ignoring labeling; FDA's 524B guidance expects end-user-facing security information (e.g., MDS2-style disclosures) in the submission.

    Frequently asked questions

    What counts as a "cyber device"?

    A device that (1) contains software validated, installed, or authorized by the sponsor, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. FDA interprets "ability to connect" broadly: Wi-Fi, Bluetooth, cellular, and even USB or other wired pathways into clinical networks can qualify, whether or not the connection is part of the intended use.

    Primary references

    1. FDA, "Section 524B of the FD&C Act" (overview), fda.gov
    2. FDA, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (final guidance, September 2023), fda.gov
    3. U.S. Congress, Consolidated Appropriations Act, 2023, Section 3305, congress.gov