In June 2025, the U.S. Food and Drug Administration (FDA) issued its updated final guidance on cybersecurity in medical devices, formally titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This guidance supersedes the September 2023 version of the same title, reflecting the agency’s evolving expectations for how manufacturers should address cybersecurity across the total product lifecycle (TPLC).
At Rook Quality Systems, we help device manufacturers interpret and implement these requirements to ensure both compliance and patient safety. Below, we break down the FDA’s role, the purpose of this guidance, and the key differences between the 2023 guidance and the 2025 version.
The FDA has consistently recognized that cybersecurity is inseparable from medical device safety. With increasing connectivity, devices are no longer isolated; they function within broader ecosystems that include hospital networks, cloud services, and third-party software. A single cyber incident can compromise patient safety by delaying diagnoses, disrupting treatment, or rendering devices inoperable.
Through this guidance, FDA provides nonbinding recommendations that reflect its current thinking on how manufacturers should incorporate cybersecurity into their Quality System (per 21 CFR Part 820) and demonstrate safety and effectiveness in premarket submissions. The guidance sets out to:
Clarify submission expectations. Manufacturers must show reasonable assurance of cybersecurity as part of demonstrating overall device safety and effectiveness in premarket submissions.
Integrate cybersecurity into the quality system. Cybersecurity is treated as a core design control and risk management responsibility across the total product lifecycle (TPLC), not as a secondary consideration.
Ensure compliance with statutory requirements. Section 524B of the FD&C Act, added by FDORA in December 2022, requires manufacturers of "cyber devices" (devices that include software, can connect to the internet, and have characteristics that could be vulnerable to cybersecurity threats) to submit a plan to monitor, identify, and address postmarket vulnerabilities and exploits; to design, develop, and maintain processes that provide reasonable assurance the device and related systems are cybersecure, including postmarket updates and patches; and to provide a Software Bill of Materials (SBOM) covering commercial, open-source, and off-the-shelf software components.
Promote global alignment. The guidance references and encourages adoption of recognized international standards and frameworks such as ISO 13485, NIST’s Cybersecurity Framework, IEC 81001-5-1, and AAMI SW96.
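Because the SBOM is the one concrete artifact the statute names, it is worth checking a draft SBOM for completeness before it goes into a submission. The script below is an added example written for this page, not code from Rook Quality Systems or the FDA. It reads a CycloneDX JSON SBOM and checks each component for the NTIA minimum elements (supplier, component name, version, a unique identifier, a dependency relationship, SBOM author, and timestamp) plus the per-component support level and end-of-support date that the FDA guidance recommends. The property names `fda:supportLevel` and `fda:endOfSupportDate` and the sample SBOM are constructed for illustration; CycloneDX does not define them.

```python
"""Completeness check for a CycloneDX JSON SBOM.

Added example, not from the FDA guidance or Rook Quality Systems.
Checks the NTIA minimum elements plus the support-level and
end-of-support fields the FDA guidance recommends per component.
The property names below are an assumption, not a CycloneDX standard.
"""
import json

# Assumed property names for the FDA-recommended per-component fields.
SUPPORT_LEVEL_PROP = "fda:supportLevel"
END_OF_SUPPORT_PROP = "fda:endOfSupportDate"


def _properties(component: dict) -> dict:
    """Flatten a CycloneDX properties array into a name -> value dict."""
    return {p.get("name"): p.get("value") for p in component.get("properties", [])}


def check_sbom(sbom: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # SBOM-level elements: author of the SBOM data and a timestamp.
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")

    # Every bom-ref that appears anywhere in the dependency graph.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))

    for comp in sbom.get("components", []):
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in in_graph:
            findings.append(f"{label}: not in dependency graph")
        props = _properties(comp)
        if not props.get(SUPPORT_LEVEL_PROP):
            findings.append(f"{label}: missing support level")
        if not props.get(END_OF_SUPPORT_PROP):
            findings.append(f"{label}: missing end-of-support date")
    return findings


def check_sbom_file(path: str) -> list[str]:
    """Convenience wrapper: load a CycloneDX JSON file and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_sbom(json.load(fh))


# Constructed sample SBOM: one complete component and one with gaps.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-07-01T12:00:00Z",
        "authors": [{"name": "Example Device Co. Product Security"}],
        "component": {"type": "device", "bom-ref": "pump-fw",
                      "name": "Infusion Pump Firmware", "version": "4.2.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "openssl", "name": "openssl",
         "version": "3.0.13", "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.13",
         "properties": [{"name": SUPPORT_LEVEL_PROP, "value": "supported"},
                        {"name": END_OF_SUPPORT_PROP, "value": "2026-09-07"}]},
        {"type": "library", "bom-ref": "legacy-parser", "name": "legacy-parser",
         "supplier": {"name": "Example Vendor"},
         "properties": [{"name": SUPPORT_LEVEL_PROP, "value": "end-of-life"}]},
    ],
    "dependencies": [{"ref": "pump-fw", "dependsOn": ["openssl"]}],
}

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the sample, the script flags only `legacy-parser`: no version, no identifier, no place in the dependency graph, and no end-of-support date. A real SBOM would be loaded with `check_sbom_file`, and the check is deliberately strict about the dependency graph because a component that no other component depends on is usually a sign the SBOM was assembled by hand rather than generated from the build.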
The 2025 update reinforces a shift: cybersecurity is no longer treated as an optional add-on but as a core safety requirement.
For medical device manufacturers, this means:
At Rook Quality Systems, we’ve guided clients through these transitions before, helping them build cybersecurity-ready QMS processes, conduct risk-based assessments, and prepare submission packages that meet FDA expectations.
The FDA’s 2025 final guidance reflects a growing recognition: protecting patients in a connected healthcare ecosystem requires cybersecurity by design. For device manufacturers, aligning early with these expectations can reduce regulatory friction, speed time to market, and most importantly, keep patients safe.
Rook Quality Systems is ready to help your team navigate this evolving landscape, whether you’re building your QMS from the ground up, updating your risk management process, or preparing a premarket submission under these new requirements.