
    FDA Deficiency Letter vs RTA vs Hold Letter: What's the Difference?

    FDA Deficiency Letter, RTA, and Hold Letter explained side-by-side. What each one means, the clock impact, and how to respond without losing months.

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Reviewed by Trevor Slattery

    COO · Blue Goat Cyber

    Last reviewed: May 1, 2026

    Three different letters from the FDA. Three very different clocks, response windows, and risks. If you mix them up, you waste weeks — and weeks of FDA review time is the single most expensive thing in MedTech.

    If you just received a letter from the FDA on your 510(k), De Novo, or PMA submission, the first question is almost never "what should we write back?" — it's "which kind of letter is this?" Sponsors regularly conflate a Refuse to Accept (RTA) decision with an Additional Information (AI) deficiency, and both with a cybersecurity Hold Letter. They are not the same. The response strategy, the deadline, and the cost of getting it wrong are different in each case.

    This guide breaks down all three, side by side, and shows you how to tell which one you got.

    TL;DR — quick comparison

    |                          | RTA letter | Deficiency / AI letter | Hold letter |
    |--------------------------|------------|------------------------|-------------|
    | Stage                    | Before substantive review begins | During substantive review | During substantive review (cyber-specific) |
    | What it means            | Submission was not complete enough to accept for review | Reviewer needs more info to make a decision | Cybersecurity package has gaps that block further review |
    | Review clock             | Clock reset to zero on resubmission | Clock paused until you respond | Clock paused until you respond |
    | Typical response window  | 180 days to resubmit (15 business days to fix small acceptance gaps) | 180 days for Major; shorter for Minor | Tied to the underlying AI/deficiency window |
    | What gets returned       | The whole submission | Specific reviewer questions | Specific cybersecurity findings |
    | Worst case if mishandled | Restart at the back of the queue | Withdrawn-and-resubmit; lose months | Submission stalls indefinitely |

    1. The RTA (Refuse to Accept) letter

    A Refuse to Accept letter is the FDA's way of saying "we did not even start reviewing this — your submission is missing things from the acceptance checklist." It's issued during the first 15 calendar days after a 510(k) is received, against a published RTA checklist. PMA has a similar mechanism called Refuse to File (RTF).

    Key characteristics:

    • Issued before substantive scientific review begins.
    • The FDA gives you 180 days to resubmit. If you miss that window, the submission is withdrawn.
    • When you resubmit, the review clock starts over from day zero. You don't pick up where you left off.
    • It is not a comment on the quality of your science — it's a comment on whether your package is complete.

    The most common cybersecurity-related RTA triggers under the February 2026 final premarket guidance: missing SBOM, no threat model, no security risk assessment, missing cybersecurity management plan, or no security testing summary. Any one of those gets you bounced.

    What this letter is really telling you: "Rebuild and resubmit." This is not a defense — it's a reconstruction job.

    2. The Deficiency / Additional Information (AI) letter

    A Deficiency Letter — also called an Additional Information request or AI letter — is what most sponsors think of when they say "the FDA had questions." It's issued during substantive review, after your submission has been accepted. The reviewer has read your package, identified specific gaps, and wants a point-by-point response.

    Key characteristics:

    • Issued after acceptance, during the FDA's substantive review.
    • The review clock pauses on the day the letter is issued and resumes when you respond.
    • You get 180 days to respond to Major deficiencies. Miss that window and the submission is considered withdrawn.
    • Responses are answered point-by-point against the reviewer's numbered list.
    • Multiple rounds are possible. Each round restarts the pause/resume cycle but does not reset the review clock to zero.

    The discipline that wins here is precision. Reviewers want each point closed with: (1) the question restated, (2) the technical answer, (3) the evidence (test report, updated risk assessment, revised SBOM), and (4) the location in the resubmission package where it lives.

    What this letter is really telling you: "Respond point-by-point and close the file." This is a defense, not a rebuild.

    3. The cybersecurity Hold Letter

    A Hold Letter is a more specific case. It's the FDA telling you that your cybersecurity documentation has gaps significant enough that further review is paused until they're addressed. In practice, hold letters most often arrive as part of an AI letter where cybersecurity is the dominant finding — but the framing is different: the submission isn't just incomplete on one topic, it's frozen until cyber is resolved.

    Key characteristics:

    • Issued during substantive review, typically by the cybersecurity reviewer assigned to your submission.
    • The review clock is paused. The submission cannot move forward on any axis (clinical, software, mechanical) until cyber is closed out.
    • Response windows are tied to the underlying AI letter (usually 180 days for Major findings).
    • Findings are almost always traceable to the FDA's premarket cybersecurity guidance, Section 524B, AAMI SW96, or IEC 81001-5-1.
    • The cost of a weak response is high: a second hold round, or a request that you withdraw and resubmit.

    What this letter is really telling you: "Your cybersecurity package is the bottleneck. Fix it and the review can continue."

    How the review clock behaves under each

    The clock is what sponsors care about most, because the clock is money. Here's how each letter affects it.

    • RTA: Clock has not started yet. When you resubmit, it starts at day zero. Every week you spend rebuilding is a week added to your total time to clearance.
    • Deficiency / AI: Clock pauses on the day the letter is sent. It resumes the day the FDA receives a complete response. The days in between do not count against the FDA's 90-day MDUFA goal — but they absolutely count against your launch timeline.
    • Hold: Same pause-and-resume behavior as the AI letter, but the practical impact is bigger because the whole submission is gated on one section.

    The trap: sponsors often treat a paused clock as breathing room. It isn't. Every week your clock is paused is a week your competitor is still selling.

    The #1 mistake teams make with each letter

    | Letter          | Most common mistake |
    |-----------------|---------------------|
    | RTA             | Patching only the items the FDA called out, instead of doing a full acceptance-checklist review. The next RTA finds the next gap. |
    | Deficiency / AI | Treating reviewer questions as suggestions. Reviewers want closed loops, not philosophical discussions. |
    | Hold            | Outsourcing the response to a generalist IT security firm with no FDA submission experience. Reviewers spot it immediately. |

    How to tell which one you got — a quick decision tree

    1. Did the letter arrive within ~15 days of submission? → RTA (or RTF for PMA).
    2. Does the letter come from the cybersecurity reviewer and use language like "Major" findings on threat model, SBOM, or security testing? → Hold or cyber-heavy AI letter.
    3. Does the letter contain numbered questions from a lead reviewer, covering multiple disciplines (clinical, software, electrical, cyber)? → Deficiency / AI letter.
    4. Is the document titled "Refuse to Accept Designation" or "Refuse to File"? → RTA / RTF.

    If you're still not sure, the cover page of the letter and the assigned reviewer's signature line will tell you within seconds. When in doubt, send it to someone who has seen all three.

    What stays the same across all three

    Three things never change, regardless of which letter you got:

    1. Speed matters. The fastest sponsors respond in days, not months. Every paused day is launch revenue you'll never get back.
    2. Precision beats volume. A tight, evidence-backed response wins faster than a thick one. Reviewers grade on completeness, not weight.
    3. Senior eyes only. These responses are not training opportunities. Get someone who has shipped 100+ submissions reading every page before it leaves your office.

    Frequently asked questions

    Is an RTA the same as a deficiency letter?

    No. An RTA (Refuse to Accept) is issued before the FDA begins substantive review and means the submission isn't complete enough to start. A deficiency (or AI) letter is issued during substantive review and means the reviewer has specific questions about the science. The response strategy and clock impact are completely different.

    Does a hold letter restart the review clock?

    No. A hold letter pauses the review clock — it doesn't reset it. The clock resumes when the FDA receives a complete response. This is the same pause-and-resume mechanism as a standard AI letter, but in a hold scenario the entire submission is gated on resolving cybersecurity findings.

    How long do I have to respond to each type of letter?

    RTA: 180 days to resubmit the full package (or 15 business days for minor acceptance gaps). Deficiency / AI letter: 180 days for Major deficiencies. Hold letter: tied to the underlying AI letter window, usually 180 days. Missing any of these windows results in the submission being considered withdrawn.

    Can I get more than one of these letters on the same submission?

    Yes — and it's common. A submission can get an RTA, be resubmitted, get accepted, and then receive an AI letter or a hold letter during substantive review. Each letter is a separate event with its own response strategy.

    Who at the FDA issues each letter?

    RTA letters come from the lead reviewer or RTA coordinator in the relevant review division during the acceptance phase. AI / deficiency letters come from the assigned lead reviewer during substantive review. Hold letters are typically issued by the cybersecurity reviewer assigned to your submission, often as part of a broader AI letter.

    What's the worst-case outcome for each?

    RTA: keep getting bounced and never start substantive review. Deficiency: the FDA considers the submission withdrawn and you start over. Hold: indefinite stall with a request to withdraw and resubmit. All three end the same way if mishandled — months lost and a clearance date pushed out.

    Got one of these letters?

    Whichever letter you're holding, the response strategy is specific and the clock is already running. We've shipped responses to all three across 250+ FDA submissions, and we can triage your situation under NDA in 24 hours.

    Or book a discovery call and we'll tell you which one you actually have and what the next 72 hours should look like.
