FDA flags cybersecurity as top rejection

- Blue Goat Cyber said May 10 that cybersecurity has become the main reason FDA medical-device submissions get bounced, as tougher review expectations bite.
- The pressure point is connected “cyber devices” — submissions now need things like threat models, update plans, and a software bill of materials.
- This matters because the FDA’s February 2026 guidance tied cybersecurity more tightly to quality-system review, making delays likelier for networked devices.

Medical devices are now software products with sensors, radios, cloud links, and update pipelines — and the FDA is treating them that way. That matters because a weak cybersecurity file can now stall a launch before the agency even gets to the usual safety-and-effectiveness review. The gap is that a lot of device teams still treat security as a late paperwork exercise. This week’s news hook is Blue Goat Cyber’s claim that cybersecurity has become the top reason submissions get rejected, landing just as the FDA’s February 2026 guidance starts reshaping what “submission ready” means.

### What kind of devices are we talking about?

Not just flashy hospital robots. The FDA’s rules hit “cyber devices,” which means devices with software, the ability to connect to the internet, and features that could be exposed to cyber threats. That can include obvious things like imaging systems and remote monitors, but also quieter categories — readers, sensors, balances, accessories, and anything else that ships with firmware and connectivity in the loop. (natlawreview.com)

### What changed in February?

The FDA updated its premarket cybersecurity guidance on February 3, 2026. The agency framed it as a revision, not a brand-new regime, but the practical effect is tighter alignment with the Quality Management System Regulation and ISO 13485-style risk management. Basically, cybersecurity is no longer sitting off to the side as a specialist appendix. It is being pulled into design controls, validation, purchasing, production, and postmarket processes. (fda.gov)

### Why does that raise the rejection risk?

Because the FDA is not just asking, “Did you add security features?” It wants to see a secure product development framework in action. That means documented threat modeling, risk assessments, security architecture, testing, labeling, vulnerability-handling plans, and evidence that software updates can be managed safely over the device lifecycle. If those pieces are thin or inconsistent, the submission can look unfinished even if the device itself mostly works. (fda.gov)

### What can get a file bounced outright?

For cyber devices, some items are not optional. Section 524B of the FD&C Act requires sponsors to submit information showing they can monitor and address vulnerabilities, provide patches and updates on a reasonable basis, and include a software bill of materials. The FDA’s refuse-to-accept policy for missing Section 524B material has been in force since October 1, 2023. So the catch is that a company can lose time before substantive review even starts. (fda.gov)

### Is this just an FDA paperwork fight?

Not really. The FDA’s logic is that cybersecurity is part of safety and effectiveness. If a pump, scanner, monitor, or diagnostic system can be disrupted, misconfigured, or left unpatchable, that is not just an IT problem. It is a patient-risk problem. That is why the guidance keeps pushing lifecycle resilience rather than one-time penetration testing right before submission. (federalregister.gov)

### Why are companies still getting caught?

Because medical-device development often splits into silos. Engineering builds the product. Regulatory writes the submission. Security comes in late. That used to be survivable more often. Now it is like trying to bolt seatbelts onto a car after the crash test. You can add documents at the end, but if the architecture, supplier controls, and update process were never designed around security, the holes show up fast. (fda.gov)

### Who feels this downstream?

Manufacturers first, but buyers too. Hospitals, labs, and distributors should expect more security documentation, more questions about SBOMs and patching, and in some cases slower launches for connected products. The likely winners are companies that built cybersecurity into product design early. Everyone else may spend 2026 learning that the FDA now reads weak security as weak product quality. (natlawreview.com)

### Bottom line

The news is not that the FDA suddenly cares about cybersecurity. It has for a while. The real shift is that the agency now seems far less willing to let incomplete cybersecurity work slide through as something manufacturers can tidy up later. (fda.gov) (natlawreview.com)
