Section 524B of the FD&C Act
The federal statute that gives FDA explicit premarket authority over cybersecurity for cyber devices.
Definition
Section 524B of the Federal Food, Drug, and Cosmetic Act, added by section 3305 of the Consolidated Appropriations Act of 2023, requires sponsors of "cyber devices" to submit a cybersecurity package as part of any premarket submission (510(k), De Novo, PMA, HDE). A cyber device is defined as one that (1) includes software validated, installed, or authorized by the sponsor; (2) has the ability to connect to the internet; and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. 524B took effect for submissions on or after March 29, 2023, and FDA began Refuse-to-Accept (RTA) enforcement on October 1, 2023.What this means in practice
Before 524B, cybersecurity expectations were guidance-level and inconsistently enforced. Today, missing 524B content is a Refuse-to-Accept basis - the submission never reaches substantive review. Most MedTech teams now treat 524B as the spine of their premarket cybersecurity package and align internal design controls (ISO 13485 / 21 CFR 820.30) and risk management (ISO 14971, AAMI TIR57) to produce the required artifacts as a natural output of the development lifecycle.- •Assuming legacy 510(k) predicates exempt the new submission from 524B - they do not.
- •Submitting a generic 'cybersecurity plan' without the underlying threat model, SBOM, and architecture views.
- •Treating the postmarket vulnerability monitoring plan as boilerplate; FDA expects a real, resourced process.
- •Ignoring labeling - 524B requires end-user-facing security information (e.g., MDS2-style disclosures).
Frequently asked questions
Cross-references
Related terms
Shared paths + categoryA documented, risk-based set of processes that build cybersecurity into a medical device across its full lifecycle.
A machine-readable inventory of all software components, including open-source and third-party libraries, used to build a medical device.
A structured analysis that identifies how an attacker could compromise a medical device and what controls mitigate each threat.
The bundle of cybersecurity artifacts a sponsor includes in a 510(k), De Novo, PMA, or HDE submission for a cyber device.
A documented process for receiving, triaging, and responsibly disclosing security vulnerabilities reported by external researchers.
FDA's authority to reject a premarket submission outright when required cybersecurity content is missing.
Latest in MedTech
Primary references
3 sources- 1Section 524B of the FD&C Act - FDA overviewVerifiedFDAfda.gov
- 2Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Sept 2023)VerifiedFDAfda.gov
- 3Consolidated Appropriations Act of 2023, Section 3305VerifiedU.S. Congresscongress.gov
Inline markers like [1] jump to the matching reference above.