U.S. FDA Reissues Medical Device Cybersecurity Guidance to Align with QMSR
15 Apr 2026
What the Shift to ISO 13485 Integration Means for Manufacturers Building Connected Devices in 2026
The U.S. Food and Drug Administration (FDA) has once again reinforced a message that medical device manufacturers can no longer treat cybersecurity as a standalone technical requirement or a last-minute premarket documentation exercise. Instead, cybersecurity is increasingly being framed as a core element of quality management, embedded directly into the systems manufacturers use to design, validate, release, and support devices throughout their lifecycle.
The agency recently reissued its final guidance on cybersecurity in medical devices, updating it to align with the FDA’s transition from the legacy Quality System Regulation (QSR) to the new Quality System Management Regulation (QMSR). This is more than a simple terminology update. It reflects a broader regulatory direction that cybersecurity expectations are now even more tightly connected to ISO 13485-based quality systems, global harmonization, and continuous lifecycle oversight.
(See the FDA's final guidance document for the full text.)
For manufacturers developing software-driven, connected, or AI-enabled devices, this shift is a clear signal. Cybersecurity is not moving into the background. It is moving deeper into the foundation.
From QSR to QMSR: Why This Update Matters
The FDA’s move from QSR to QMSR represents one of the most significant structural regulatory changes in U.S. medical device quality oversight in decades. While the QSR framework has long been familiar to manufacturers operating in the United States, QMSR brings FDA requirements into closer alignment with ISO 13485, the internationally recognized standard for medical device quality management systems.
This transition is intended to harmonize U.S. expectations with those of other global regulators, reducing duplication and improving consistency for manufacturers selling in multiple markets. But it also introduces an important compliance reality: the FDA is now explicitly grounding many cybersecurity-related expectations in the same quality system clauses that govern design controls, validation, and risk management.
The reissued cybersecurity guidance reflects this change by replacing references to 21 CFR Part 820 under QSR with updated references tied to QMSR and ISO 13485 throughout.
In other words, FDA is telling manufacturers: cybersecurity is not separate from quality — it is part of it.
Cybersecurity Documentation as Evidence of Quality System Control
One of the most important takeaways from the updated guidance is the FDA’s continued emphasis on documentation outputs. The agency is clear that manufacturers must be able to demonstrate cybersecurity controls through objective evidence that aligns with quality system processes.
Cybersecurity is no longer evaluated only through a checklist of security features. Instead, FDA expectations increasingly focus on whether cybersecurity risk is being systematically managed through the same design and development controls that govern safety and performance.
Under QMSR, manufacturers are expected to show that cybersecurity considerations are integrated into:
- Design planning
- Risk management processes
- Software validation
- Verification and validation activities
- Post-market surveillance and lifecycle support
This reinforces the regulatory position that cybersecurity is now inseparable from the overall assurance of safety and effectiveness.
ISO 13485 Design Controls Are Now Central to Cybersecurity Readiness
In the updated guidance, FDA points manufacturers directly to ISO 13485 Clause 7.3 and its subclauses, which govern design and development controls.
This is significant. Design controls have always been foundational to medical device compliance, and FDA is now making explicit that cybersecurity must be addressed within those same structured processes.
Clause 7.3.7, for example, requires that design and development validation be performed to ensure the resulting product meets the requirements for its intended use. The FDA notes that this includes validation of device software, which is increasingly where cybersecurity vulnerabilities emerge.
For manufacturers, this means cybersecurity cannot be addressed only through late-stage penetration testing or premarket submission attachments. It must be built into design validation activities from the beginning.
A connected device that performs clinically but fails under cybersecurity stress is not meeting intended use expectations in today’s regulatory environment.
Risk Management Expectations Continue to Expand
The FDA also reminds manufacturers that ISO 13485 Clause 7.1 requires documented risk management processes throughout product realization. Once again, the message is that cybersecurity risk is now being treated as part of overall product risk, not a separate IT concern.
Manufacturers must be prepared to demonstrate that they have identified cybersecurity-related hazards, assessed their potential impact, and implemented appropriate controls, all within the same risk management structure used for other safety-related risks.
For many manufacturers, this requires closer alignment between engineering, software teams, quality teams, and regulatory leadership.
Cybersecurity is no longer owned by one department. Regulators increasingly expect it to be owned by the organization.
What Changed in the Guidance — and What Stayed the Same
While the FDA’s updated guidance is largely an alignment update, it also reflects a broader maturity in how regulators are framing cybersecurity oversight.
The core principles remain consistent:
- Cybersecurity is a safety issue
- Documentation must demonstrate control
- Premarket submissions must include cybersecurity evidence
- Lifecycle support and post-market monitoring are essential
However, the updated structure makes clear that the FDA expects manufacturers to operationalize cybersecurity through their quality system. This is not about adding one more document. It is about embedding cybersecurity into the processes that generate compliant, validated, supportable devices.
That is where the regulatory trend is heading, and where inspection and enforcement will likely follow.
Practical Implications for Medical Device Manufacturers in 2026
For manufacturers preparing submissions in 2026 and beyond, the reissued guidance reinforces several practical priorities.
First, quality and cybersecurity teams must work from the same playbook. Cybersecurity cannot sit outside the QMS. It must be integrated into design controls, supplier controls, complaint handling, and change management.
Second, manufacturers should expect increased scrutiny around software validation, especially for connected devices and systems that rely on updates, cloud connectivity, or interoperability.
Third, global alignment matters more than ever. The FDA’s reliance on ISO 13485 signals that cybersecurity compliance strategies must support both U.S. and international regulatory pathways, including EU Medical Device Regulation (MDR) expectations and emerging cybersecurity frameworks globally.
Finally, documentation readiness is critical. Manufacturers should assume that cybersecurity evidence must be traceable, auditable, and sustained across the lifecycle, not assembled only at submission time.
How Intertek Supports Cybersecurity and QMSR Alignment
As regulatory expectations evolve, manufacturers need partners who understand both the technical cybersecurity landscape and the quality system structures regulators expect.
Intertek supports medical device manufacturers across the full product lifecycle, helping teams align cybersecurity, software assurance, and regulatory documentation with FDA expectations under QMSR and ISO 13485.
Our medical device cybersecurity and compliance services include support for:
- Cybersecurity risk management integration into design controls, software validation, and ISO 14971-aligned processes.
- Testing and evaluation of connected medical devices for cybersecurity resilience, interoperability, and secure performance, including compliance evaluation to IEC 81001-5-1.
- Premarket submission readiness, including documentation review, evidence generation, and alignment with FDA guidance expectations.
- Lifecycle support strategies that address post-market cybersecurity monitoring, vulnerability management, and controlled software updates.
- Quality system alignment services to help manufacturers adapt to QMSR requirements while maintaining global compliance across key markets.
A Clear Signal from FDA: Cybersecurity Is Now a Quality System Expectation
The FDA’s reissued cybersecurity guidance is a powerful signal that the agency views cybersecurity as foundational to device safety, effectiveness, and quality system maturity.
For manufacturers, the message is clear: cybersecurity must be designed, validated, documented, and sustained through the same disciplined processes that govern every other aspect of medical device compliance.
Those who treat cybersecurity as part of their quality culture and not just their submission strategy will be best positioned to meet regulatory expectations and build long-term trust in connected healthcare technologies.