
    Does Section 524B Apply to My Auto-Injector?

    Section 524B applies to a connected auto-injector when the device constituent has software and any electronic interface, regardless of whether CDER or CDRH leads review.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: June 26, 2026

    Direct answer

    Section 524B applies to an auto-injector when the device constituent contains software and has any electronic interface, including Bluetooth, NFC, USB, cellular, or app pairing. The statute follows the device constituent, not the review center, so a CDER-led BLA or NDA for a connected auto-injector still owes the full premarket cybersecurity package. Purely mechanical auto-injectors with no electronics and no interface are out of scope. The most common applicability mistake is assuming a drug-led submission gets cyber-light treatment. It does not.

    Sponsors of connected auto-injectors keep arriving at the same wrong conclusion: because the primary mode of action is the drug and the lead center is CDER, the device constituent escapes FDA Section 524B. It does not. The statute is keyed to the device, not the review pathway. If the injector has firmware and a Bluetooth radio that pairs to a phone app, it is a cyber device, and the full premarket cybersecurity package attaches to the submission. The February 3, 2026 final premarket cybersecurity guidance is explicit on this point. CDER reviewers consult CDRH on cybersecurity, and the cyber consult applies the same expectations a standalone 510(k) would draw.

    Key Takeaways

    • Section 524B follows the device constituent of a combination product, not the lead review center. CDER-led submissions for connected injectors are 524B submissions.
    • The trigger is software plus any electronic interface. BLE pairing to a companion app is the most common qualifying interface on auto-injectors.
    • Purely mechanical auto-injectors with no electronics and no interface are out of scope for 524B.
    • The submission must include the device-side SBOM, threat model, security risk management report, architecture views, testing evidence, and a Cybersecurity Management Plan under 524B(b)(1).
    • Engaging cybersecurity at BLA prep is too late. The right entry point is the device-constituent design freeze.

    Why this matters

    Connected auto-injectors are the fastest-growing shape of drug-device combination products, and the cybersecurity deficiency rate on these submissions is higher than on equivalent standalone devices. The FDA February 3, 2026 final premarket cybersecurity guidance, "Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions," is the operative interpretation, and it applies to the device constituent of a combination product the same way it applies to any cyber device. Standards in scope include AAMI TIR57:2016/(R)2023, ANSI/AAMI SW96:2023, IEC 81001-5-1:2021, IEC 62304:2006/A1:2015, and ISO 14971:2019. CDER consults CDRH on the cyber review, which means cyber comments often land late in the BLA cycle and compress remediation timelines that a CDRH-led program would have closed at the threat-modeling stage a year earlier.

    When 524B Attaches to an Auto-Injector

    Section 524B(c) defines a cyber device as one that contains software (including firmware or programmable logic), has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to a cybersecurity threat. Reviewers read "ability to connect" broadly. A BLE radio that pairs to a phone app counts. An NFC interface for dose logging counts. A USB service port counts. A cellular module for adherence telemetry counts. The injector does not need to talk to the open internet directly. Any path that reaches a network through a paired device or gateway qualifies.

    The fastest applicability check:

    • Does the injector have firmware or programmable logic? If no, 524B does not apply.
    • Does the injector have any electronic interface (BLE, NFC, USB, serial, cellular, optical pairing)? If no, 524B does not apply.
    • If yes to both, 524B attaches to the submission for the device constituent.

    Purely mechanical spring-driven auto-injectors with no electronics are out of scope. Almost every "connected" or "smart" injector on the market is in scope.

    Why CDER-Led Doesn't Mean Cyber-Light

    The Office of Combination Products assigns the lead center based on the product's primary mode of action. A monoclonal antibody delivered by an injector is drug-led, so CDER leads. That assignment governs the review pathway, fee schedule, and labeling. It does not govern whether 524B applies. The statute reaches the device constituent regardless.

    Key requirement

    A CDER-led BLA or NDA for a connected auto-injector is a 524B submission for the device constituent. The sponsor owes the same premarket cybersecurity content set a CDRH-led 510(k) or De Novo would owe: SBOM, threat model, security risk management report, architecture views, testing, postmarket plan, and a Cybersecurity Management Plan under 524B(b)(1).

    CDER consults CDRH on cybersecurity. In practice this means cyber comments arrive later in the review than they would in a CDRH-led program, and the sponsor has less runway to close them. The common pattern: a BLA approaches its PDUFA date and a cyber consult surfaces threat model gaps that should have been resolved during device design freeze. The remediation requires firmware changes, which require new verification, which slips the launch.

    What the Device-Side Package Looks Like

    The deliverables are identical in content to a standalone CDRH submission. The full mapping lives in our combination product cybersecurity guide and the FDA premarket cybersecurity deliverables and eSTAR v7.0 map. At a minimum:

    • Security Risk Management Report aligned to AAMI TIR57 and ANSI/AAMI SW96, converged with the ISO 14971 safety risk file (see ISO 14971 vs AAMI TIR57).
    • Machine-readable SBOM (SPDX or CycloneDX) for every component in the shipping firmware and companion app, with VEX statements for known vulnerabilities.
    • Threat model (STRIDE or equivalent) tied to patient harm, covering BLE pairing, OTA update, app-to-device authentication, and telemetry endpoint exposure.
    • Architecture views: global system, multi-patient harm, updateability, security use case.
    • Cybersecurity testing: vulnerability scanning, software composition analysis, penetration testing of the device and the companion app, and fuzz testing of the BLE protocol stack and any other communication interface.
    • Postmarket plan covering vulnerability monitoring, coordinated vulnerability disclosure intake, patch cadence, and end-of-life.
    • Cybersecurity Management Plan required by 524B(b)(1).

    Where the Documentation Lives in a BLA or NDA

    In a BLA or NDA, the cybersecurity content most commonly lives in Module 3.2.R (regional information) with cross-references from the device description in Module 3.2.P.7. Some sponsors build a dedicated cybersecurity sub-section that reviewers can navigate without hunting. The structural choice matters less than completeness. Reviewers need to locate the SBOM, threat model, architecture views, testing report, and Cybersecurity Management Plan. A package scattered across modules with no cross-reference map draws information requests on layout alone.

    See also: Documenting Update Cadence for an FDA 524B Submission, Does FDA Section 524B Apply to Legacy Devices?, and FDA Section 524B Explained Subsection by Subsection: What Each Requirement Means in 2026.

    In a 510(k), De Novo, or PMA on a device-led combination product, the content lives in the standard eSTAR cybersecurity attachments.

    Common Deficiency Patterns on Connected Injectors

    Four patterns recur:

    • Companion app treated as out of scope. The sponsor assumes the third-party app vendor owns app-side cybersecurity. The submission holder owns it. The app's authentication, in-transit data integrity, secure pairing with the device, and the mobile platform's update mechanism are all in scope for the submission's threat model and testing.
    • Stale SBOM. A platform reuse submission carries an SBOM generated 18 months earlier. Reviewers expect the SBOM to be current within roughly 90 days of submission, with VEX statements reflecting today's CVE landscape.
    • CDMO-supplied device with no contractual SBOM clause. The contract manufacturer does not deliver an SBOM or secure SDLC evidence, and the sponsor cannot produce one for review. "The CMO handles that" is not an acceptable response.
    • Threat model missing OTA update path. Connected injectors usually support some form of firmware update through the companion app. The threat model omits the OTA path entirely, or covers it without addressing key management for the update signing keys.
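As an added illustration of the stale-SBOM pattern above (example code, not Blue Goat Cyber's tooling), the following Python check parses a constructed CycloneDX SBOM and flags a BOM older than an assumed 90-day window, listed vulnerabilities with no VEX analysis state, and vulnerability references to components that are no longer in the inventory. The SBOM, component names, CVE ids and review date are all constructed placeholders.

```python
"""Submission-readiness check for a device-side CycloneDX SBOM (added example)."""
import json
from datetime import datetime, timezone

MAX_SBOM_AGE_DAYS = 90  # assumed threshold, from the article's "roughly 90 days"
REVIEW_DATE = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed as-of date

# Constructed CycloneDX-style SBOM; component names and CVE ids are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2024-10-01T00:00:00Z"},
    "components": [
        {"type": "library", "name": "ble-stack", "version": "2.3.1", "bom-ref": "c1"},
        {"type": "library", "name": "tls-lib", "version": "1.0.0", "bom-ref": "c2"},
    ],
    "vulnerabilities": [
        {"id": "CVE-PLACEHOLDER-0001", "affects": [{"ref": "c1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-PLACEHOLDER-0002", "affects": [{"ref": "c2"}]},  # no VEX analysis
        {"id": "CVE-PLACEHOLDER-0003", "affects": [{"ref": "c3"}],   # c3 not in components
         "analysis": {"state": "resolved"}},
    ],
})

def sbom_age_days(sbom: dict, now: datetime) -> int:
    """Whole days between the BOM's metadata timestamp and `now`."""
    stamp = sbom["metadata"]["timestamp"].replace("Z", "+00:00")
    return (now - datetime.fromisoformat(stamp)).days

def missing_vex(sbom: dict) -> list[str]:
    """Ids of listed vulnerabilities that carry no VEX analysis state."""
    return [v["id"] for v in sbom.get("vulnerabilities", [])
            if not v.get("analysis", {}).get("state")]

def dangling_refs(sbom: dict) -> list[str]:
    """'affects' refs that match no component bom-ref: the inventory has drifted."""
    known = {c.get("bom-ref") for c in sbom.get("components", [])}
    return sorted({a["ref"] for v in sbom.get("vulnerabilities", [])
                   for a in v.get("affects", []) if a.get("ref") not in known})

def check_sbom(sbom_json: str, now: datetime = REVIEW_DATE) -> dict:
    """Summarise readiness; `ready` is False if any finding is present."""
    sbom = json.loads(sbom_json)
    age = sbom_age_days(sbom, now)
    findings = {"age_days": age, "stale": age > MAX_SBOM_AGE_DAYS,
                "missing_vex": missing_vex(sbom), "dangling_refs": dangling_refs(sbom)}
    findings["ready"] = not any((findings["stale"], findings["missing_vex"], findings["dangling_refs"]))
    return findings
```

Run against the real device SBOM with `now` set to the planned submission date; a True `stale` or a non-empty `missing_vex` list is the same gap the reviewer will raise.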

    How Blue Goat Approaches a Connected Auto-Injector Submission

    We enter at device-constituent design freeze, not at BLA prep. Our team's prior work on connected drug-delivery systems means we know the typical attack surface on these products (BLE pairing flaws, OTA update key management, app-to-device authentication, telemetry endpoint exposure) and the deficiency patterns CDRH cyber consults raise on CDER-led submissions. We deliver the full premarket package (SBOM, threat model, security risk management report, architecture views, and testing) in a form that drops into either a CDER Module 3 or a CDRH eSTAR. Our engineers hold CISSP, OSCP, and prior military red-team credentials. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Start with our FDA premarket cybersecurity services page, or read the combination product cybersecurity guide for the full deliverables walkthrough.

    FAQ

    Does Section 524B apply to a connected auto-injector reviewed by CDER?

    Yes, if the device constituent contains software and any electronic interface. Section 524B follows the device, not the review center. CDER consults CDRH on cybersecurity, and the consulting reviewers apply the same February 2026 premarket guidance they apply to a standalone CDRH submission. The lead-center designation does not change applicability.

    What about a purely mechanical spring-driven auto-injector?

    Out of scope. With no software and no electronic interface, the injector is not a cyber device under 524B(c). Standard device controls under the quality system regulation still apply, but the premarket cybersecurity content set does not.

    Is Bluetooth Low Energy pairing enough to trigger 524B?

    Yes. The 524B(c) connectivity prong is read broadly. Any interface that touches device software qualifies, and BLE pairing to a phone app is the most common qualifying interface on injectors. NFC, USB service ports, cellular modules, and optical pairing all qualify the same way.

    Where does the cybersecurity content go in a BLA?

    Most commonly in Module 3.2.R with cross-references from the device description in 3.2.P.7. Some sponsors build a dedicated cybersecurity sub-section. The format matters less than completeness. Reviewers need to find the SBOM, threat model, architecture views, testing report, and Cybersecurity Management Plan without hunting.

    My contract manufacturer makes the injector. Who owns the cybersecurity obligation?

    The submission holder. The CDMO or CMO is a supplier. The sponsor must contractually require the SBOM, secure SDLC evidence, vulnerability monitoring, and patch support, and the sponsor must audit that delivery. The FDA does not accept "the contract manufacturer handles that" as a response to a deficiency letter.

    Is the companion smartphone app in scope?

    Yes, if it is part of the labeled use of the combination product. App authentication, in-transit data integrity, secure pairing with the device, and the mobile platform's update mechanism are all in scope for the submission's threat model and testing.

    Ready to scope cyber for your connected injector?

    If you are pre-submission on a connected auto-injector and the cybersecurity work is being treated as a Module 3 attachment to be written at BLA prep, the timeline math will not work. We can scope the device-constituent cyber package while the design is still open and deliver it in the format your reviewers expect. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Schedule a discovery call.


    About the author. Christian Espinosa, Founder, Blue Goat Cyber, CISSP. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance, with deep experience on connected drug-delivery combination products under Section 524B. Read more about Christian.
