Choosing between a 510(k), a De Novo, and a PMA is usually framed as a regulatory and clinical evidence decision. That is true, but for connected devices, it is also a cybersecurity evidence decision, especially with the FDA’s current premarket cybersecurity expectations and the statutory requirements that can apply to “cyber devices.”
This guide compares the three pathways and calls out what tends to change for cybersecurity planning, testing, and documentation. This is educational content, not legal advice.

At a glance: what each pathway is for
510(k): substantial equivalence to a predicate
A 510(k) Premarket Notification is used when you can demonstrate your device is substantially equivalent to a legally marketed predicate, and a PMA is not required. The cybersecurity question is usually: what is different about software, connectivity, update mechanisms, third-party components, and interfaces compared to the predicate, and how do those differences change risk?
De Novo: novel device with no predicate, low to moderate risk
A De Novo Classification Request is used when there is no legally marketed predicate and general controls (or general and special controls) can provide reasonable assurance of safety and effectiveness. The cybersecurity question is usually: what does “good” look like for your new category, and can you explain and verify it clearly enough that it scales to future products in that class?
PMA: higher-risk Class III devices
A Premarket Approval (PMA) is the pathway for most Class III devices and generally involves deeper scrutiny and a higher evidence burden. The cybersecurity question is usually: can you show strong secure-by-design architecture and testing, especially for high-impact functions and safety-relevant workflows?
eSTAR affects how you package your cybersecurity evidence
The FDA’s eSTAR program is an interactive template used to assemble submissions in a structured format. In practice, eSTAR pushes teams toward clearer traceability and better packaging discipline. If you have ever struggled with reviewers “not finding” your cybersecurity artifacts, a structured approach helps.
If you want a submission-ready packaging approach, Blue Goat’s FDA premarket cybersecurity services focus on turning security work into eSTAR-friendly evidence (threat model, SBOM, test evidence, and lifecycle plans) that reviewers can navigate.
Cybersecurity applies across pathways, especially for “cyber devices”
The FDA’s current premarket cybersecurity guidance, Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions, ties cybersecurity to device safety and emphasizes lifecycle processes, architecture clarity, transparency, and verification evidence.
If your device meets the definition of a “cyber device,” Section 524B can apply to your premarket submission. The FDA summarizes the practical expectations and common questions on its cybersecurity FAQs (524B) page. The important point is simple: the submission pathway changes the overall evidence burden, but it does not remove the need to show a credible cybersecurity program and submission-quality evidence.
What cybersecurity evidence usually looks like by pathway
510(k): show equivalence, and show your cybersecurity work
In a 510(k), you are mapping similarities and differences to a predicate. Cybersecurity often shows up in the “differences” discussion because changes in software, connectivity, authentication, updates, and third-party components can change risk.
In practice, most strong 510(k) packages include:
- A scoped threat model and security risk assessment that matches the device ecosystem and attack surface, often built using medical device threat modeling.
- An SBOM that covers open source and third-party components, supported by an approach like FDA-compliant SBOM services for MedTech.
- Clear rationale for controls like authentication, authorization, encryption, logging, and update integrity, aligned to the structure in the FDA’s premarket cybersecurity guidance.
- Verification evidence, including security testing that matches the attack surface, such as API penetration testing and web application penetration testing when portals or APIs are in scope.
If you want a checklist-format view of what reviewers expect to see, Blue Goat’s FDA medical device cybersecurity 2026 (524B) checklist is a useful starting point.
De Novo: you are setting a new bar, so be explicit
With a De Novo, you are often helping define what controls and evidence should look like for a new classification. That tends to raise the bar on clarity. Reviewers need to understand your system boundary (device, apps, cloud, update servers, customer networks) and how you manage cybersecurity over the lifecycle.
For De Novo, teams usually succeed when they are very clear about:
- System architecture and trust boundaries, supported by a practical threat model, such as one produced through medical device threat modeling services.
- Traceability from security requirements to verification evidence, including test cases and results.
- Postmarket readiness, including update capability and a vulnerability intake and response plan, supported by FDA postmarket cybersecurity services.
PMA: expect deeper scrutiny, especially for high-impact functions
PMA devices often involve higher patient safety impact, more complex workflows, or broader clinical use. In a PMA, cybersecurity review tends to go deeper where cyber events could plausibly affect safety, essential performance, availability, or update integrity.
For PMA-scale systems, cybersecurity packages often need:
- More architecture depth around privilege separation, update trust chain, and key management, often built into the design process using secure MedTech product design consulting.
- Stronger verification evidence for high-impact attack paths, supported by FDA-compliant vulnerability and penetration testing.
- Clear operational readiness for monitoring, incident response, patching, and communications, supported by FDA postmarket cybersecurity management services.
How to choose the pathway with cybersecurity in mind
Cybersecurity does not choose the pathway for you. Risk class, intended use, novelty, and predicates do. But cybersecurity absolutely changes how painful the submission becomes if it is bolted on late.
These questions help teams avoid surprises:
- Does the device have software, connectivity, remote update capability, or third-party components that put it squarely in the scope of the FDA’s premarket cybersecurity guidance and potentially the 524B cybersecurity FAQs?
- Have you defined the real system boundary, including apps, cloud services, update infrastructure, and service tooling?
- Can you show traceability from threats to controls to verification evidence using an eSTAR-ready approach like FDA premarket cybersecurity services?
- Can you patch and update safely in the field, and can you prove it with evidence and processes like FDA postmarket cybersecurity services?
Key takeaways
- 510(k) focuses on substantial equivalence, De Novo creates a new classification, and PMA is typically the highest scrutiny pathway for Class III devices.
- eSTAR influences how you package cybersecurity evidence and makes traceability and structure more important.
- FDA’s Feb 2026 cybersecurity guidance and the 524B cybersecurity FAQs are the core anchors for submission expectations when cybersecurity is in scope.
- The fastest submissions are usually the ones where cybersecurity is designed, tested, and documented early, not retrofitted.
FAQs
Is a 510(k) an approval?
FDA generally refers to 510(k) outcomes as clearance when substantial equivalence is demonstrated, and FDA’s 510(k) overview explains when and why a 510(k) is required.
When is De Novo the right path?
De Novo is used when there is no legally marketed predicate and the device is appropriate for classification with general controls alone or general and special controls, as described on FDA’s De Novo page.
Does PMA always require clinical data?
PMA typically requires a higher level of evidence, and FDA evaluates whether there is sufficient valid scientific evidence to assure safety and effectiveness for the intended use, as explained on FDA’s PMA page.
Do cybersecurity deliverables change based on pathway?
The core deliverables are similar (threat modeling, SBOM, testing evidence, vulnerability response plan), but depth and rigor should scale with risk and complexity, consistent with FDA’s premarket cybersecurity guidance.
What is 524B and when does it matter?
Section 524B applies to “cyber devices” and affects what information FDA expects in premarket submissions for those devices. FDA summarizes this on its cybersecurity FAQs (524B) page.
Book a Discovery Session
If you are deciding between a 510(k), a De Novo, and a PMA, and you want an eSTAR-ready cybersecurity plan (threat model, SBOM, testing, and documentation), we can help.
Conclusion
The submission pathway is a regulatory strategy decision. Cybersecurity is a readiness decision. If your device has software and connectivity, the winning approach is to define the full system boundary, model realistic threats, choose controls with clear rationale, validate them with testing, and package it cleanly in a structured format like eSTAR.