← Regulatory Horizon

US Cybersecurity

FDA Section 524B cybersecurity: requirements, RTA policy & timeline

FDA Section 524B has required cybersecurity documentation for cyber devices in premarket submissions since 29 March 2023, with the Refuse to Accept policy enforced from 1 October 2023 and final guidance issued 27 June 2025. It is fully in force — an incomplete cybersecurity package can have a submission refused before review.

In force

Deadline timeline

  1. 524B takes effect · passed

    Section 524B of the FD&C Act takes effect: cyber devices must include cybersecurity information in premarket submissions.

    Applies to: Cyber devices (software + network-capable + exploitable)

    Source ↗
  2. Refuse to Accept policy · passed

    FDA begins refusing submissions outright for missing 524B cybersecurity content, rather than working through deficiencies collaboratively.

    Applies to: All cyber-device premarket submissions

    Source ↗
  3. Final guidance issued · passed

    FDA finalises 'Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions', setting out the five expected documentation elements.

    Applies to: Cyber-device manufacturers

    Source ↗

Who’s in scope

  • A 'cyber device' — software validated/installed/authorised by the sponsor, able to connect to the internet, with characteristics that could be vulnerable to cyber threats (all three conditions, cumulative)
  • All submission pathways: 510(k), PMA, De Novo, HDE, PDP

Exclusions

  • Devices that run firmware but never connect to a network may fall outside the 'cyber device' definition — but the connectivity condition catches most modern devices

Unlike the EU regimes on this page, FDA Section 524B has no future deadline — it is fully in force and has been since 2023. The dates that matter are historical but consequential: 524B took effect 29 March 2023, and from 1 October 2023 the FDA can issue a Refuse to Accept decision, declining to review a cyber-device submission that is missing required cybersecurity content. That makes the cybersecurity package a gate, not a graded section — a missing SBOM or threat model can bounce a submission at the door and restart the clock.

The 27 June 2025 final guidance set out the five documentation elements FDA expects: a secure product development framework, a threat model and cybersecurity risk assessment, security architecture views, a machine-readable software bill of materials, and cybersecurity testing evidence. The SBOM is the most common friction point because it has to be generated from your actual build and kept current as components change — it cannot be hand-assembled at submission time.

Because 524B reaches across the 510(k), PMA, and De Novo pathways, it stacks on top of whatever submission timeline you are already managing. For the documentation detail, see: What documentation FDA Section 524B actually requires.

Last reviewed . Deadlines change — always confirm against the cited primary source.