FDA Cybersecurity Guidance Gets a QMSR Refresh

The FDA published an updated version of its premarket cybersecurity guidance on 3rd February 2026. If you spotted it and felt a familiar twinge of "what's changed now?", you're not alone. The good news: this is a terminology update, not a new set of requirements. But it's worth understanding what changed and why.

The timing wasn't coincidental. The QMSR took effect on 2nd February. The guidance was updated the very next day.

What actually changed (and what didn't)

The new guidance, "Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions," supersedes the June 2025 version. If you compare the two titles, you'll notice the change: "Quality System" has become "Quality Management System." That one word tells you most of what you need to know.

FDA amended 21 CFR Part 820 to incorporate ISO 13485:2016 by reference. The old Quality System (QS) Regulation is now the Quality Management System Regulation (QMSR), and every reference to specific 820.xx sections throughout the cybersecurity guidance has been updated to point to the corresponding ISO 13485 clauses instead.

The substantive cybersecurity requirements haven't changed. Section 524B obligations remain identical. Software bill of materials (SBOM) requirements, Secure Product Development Framework (SPDF) expectations, and the total product lifecycle (TPLC) approach are all as they were. This is a terminology alignment, not a new regulatory burden.

Why this matters

The QMSR background

FDA published the QMSR final rule in February 2024 (89 FR 7496), giving manufacturers a two-year compliance period. That period ended on 2nd February 2026. The cybersecurity guidance needed to align with the new regulatory language, so the FDA updated it the following day.

If you were already aligned with ISO 13485 (and if you're selling into the EU, you almost certainly were), the QMSR transition was relatively straightforward. The cybersecurity guidance update is part of that same harmonisation effort.

Cross-reference consistency

If you're updating your QMS documentation for QMSR compliance, your cybersecurity documentation should use the same ISO 13485 clause references. Internal consistency matters for audits and FDA submissions. A submission that references 820.30 in one section and clause 7.3 in another will look like it was assembled from documents of different vintages, which isn't the impression you want to give a reviewer.

No new action required

If your cybersecurity approach was compliant under the June 2025 guidance, it remains compliant. The February 2026 version supersedes the previous version but doesn't add new requirements. Your existing SPDF, threat models, and SBOM processes don't need updating on account of this change.

The practical takeaways

What to do now

Download the new version. Replace the June 2025 PDF in your reference library. The new guidance is the current version, and you'll want to cite it in future submissions.

Update your cross-references. If you cite specific guidance sections in your procedures, check whether the page numbers or section numbers have shifted. Even in a terminology-focused update, reformatting can move things around.

Align your QMS language. If you're updating documentation for QMSR compliance anyway, ensure your cybersecurity docs use ISO 13485 clause references rather than the old 820.xx references. Do it once, do it consistently.

What not to do

Don't panic about a "new FDA guidance." Don't overhaul your cybersecurity programme based on this update alone. And don't pay consultants to "analyse the changes." The changes are primarily terminological. Save the budget for when something substantive lands.

What to watch for next

The February 2026 update is housekeeping, but that doesn't mean the FDA is done with cybersecurity. Future guidance updates may incorporate more substantive changes, particularly around AI/ML in medical devices. Postmarket surveillance requirements may also see more attention as the agency continues to refine its approach.

For now, though, the message is simple. The FDA aligned its cybersecurity guidance with the new QMSR terminology because that's what consistent regulation looks like. If you've been following the premarket cybersecurity requirements, nothing about your approach needs to change. Keep your documentation current, use the right clause references, and carry on.