What Is a Cyber Device? Understanding FDA’s Latest Definition

Updated July 12, 2025


As medical devices become more connected and software-driven, cybersecurity is no longer optional—it’s foundational to patient safety and regulatory compliance. In response, the U.S. Food and Drug Administration (FDA) has introduced clear criteria to define what qualifies as a “cyber device” under Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act). Understanding this definition is critical for manufacturers preparing premarket submissions or managing postmarket risks.

What Is a Cyber Device?

According to the FDA’s 2025 guidance, a cyber device is a medical device that meets all three of the following conditions:

  1. Includes Software
    The device must contain software that is validated, installed, or authorized by the manufacturer. This includes embedded software (firmware), device control software, or any other programmable logic.
  2. Connects to the Internet
    The device must have the ability to connect to the Internet—via Wi-Fi, cellular, Ethernet, Bluetooth, or any other network-capable protocol.
  3. Is Vulnerable to Cybersecurity Threats
    The device must have technological characteristics that could make it vulnerable to cybersecurity threats. These might include communication interfaces, external ports, third-party software components, update mechanisms, or wireless communication.

Why the Third Criterion Matters

While the third criterion may sound as though it rarely applies, nearly all connected devices with software carry some cybersecurity risk, because any system that communicates, updates, or runs code can be exploited if not properly secured.

This third element ensures the FDA’s definition is appropriately focused—it avoids sweeping in devices with minimal risk, but it also emphasizes that risk is almost always present in today’s connected medical technologies. In practice, if your device meets the first two criteria, it’s highly likely to meet the third.

Why the Definition Matters

Classifying a device as a cyber device triggers specific requirements under Section 524B of the FD&C Act. These include:

  • Maintaining a Software Bill of Materials (SBOM);
  • Performing a third-party medical device penetration test;
  • Creating and implementing cybersecurity plans and procedures;
  • Ensuring the device is capable of timely and secure updates and patches;
  • Submitting cybersecurity documentation as part of your 510(k), PMA, De Novo, or HDE application.

Failure to meet these expectations can delay approvals, invite regulatory scrutiny, or lead to safety concerns postmarket.

How Blue Goat Cyber Can Help

At Blue Goat Cyber, we help medical device manufacturers identify whether their products meet the cyber device criteria—and ensure compliance from development through submission. Our proven cybersecurity strategies, technical assessments, and regulatory expertise streamline the process, reduce risk, and improve outcomes.

Check out our FDA Premarket Cybersecurity Service.
