Does FDA Section 524B apply to all submission pathways?

Yes. Section 524B of the FD&C Act applies to every premarket submission for a 'cyber device,' including 510(k), De Novo, PMA, IDE, and BLA. The cybersecurity package required by the 2026 guidance is the same in scope for each pathway.

Which pathway is hardest for cybersecurity?

PMA submissions demand the deepest architectural and manufacturing evidence, but 510(k) submissions experience the highest rate of cybersecurity-related Refuse-To-Accept holds because the eSTAR Acceptance Review enforces format strictly.

How is IDE cybersecurity different from 510(k)/De Novo/PMA?

IDE reviewers focus on whether unresolved cybersecurity risks could expose study subjects to unreasonable risk under 21 CFR 812.30(b)(4). The artifact list is similar (threat model, SBOM, risk assessment, pen test) but scoped to the investigational use case and the clinical study environment. Inadequate evidence triggers a Clinical Hold under 21 CFR 812.42 that stops enrollment until concerns are addressed. The 30-day FDA clock is much shorter than 510(k)/De Novo/PMA, so the cybersecurity package needs to be reviewer-ready at submission.

510(k) vs De Novo vs PMA vs IDE: cybersecurity comparison

Quick answer

What are the cybersecurity differences between 510(k), De Novo, PMA, and IDE submissions?

All four pathways must satisfy FD&C Act Section 524B and the FDA's 2026 premarket cybersecurity guidance, so the artifact list - threat model, SBOM, SPDF documentation, architecture views, risk assessment, pen test, and monitoring plan - is largely shared. Differences come down to review clock (30 days for IDE, up to 180+ for PMA), the depth of architectural and manufacturing evidence (deepest for PMA), how strictly Acceptance Review enforces format (strictest for 510(k) eSTAR), and the highest-severity outcome - RTA hold for 510(k)/De Novo, Major Deficiency for PMA, and Clinical Hold under 21 CFR 812.42 for IDE.

Sources: FD&C Act §524B (Section 3305 of CAA 2023); FDA premarket cybersecurity guidance; 21 CFR Part 812 (IDE regulations)

Dimension	510(k)	De Novo	PMA	IDE
Statutory/regulatory basis	21 USC 360(k); 21 CFR Part 807, Subpart E.	FD&C Act §513(f)(2); 21 CFR Part 860, Subpart D.	FD&C Act §515; 21 CFR Part 814.	FD&C Act §520(g); 21 CFR Part 812.
Typical device class	Class II (some Class I).	Novel low/moderate risk (Class I or II) with no predicate.	Class III (high risk, life-supporting/sustaining).	Significant-risk investigational devices (any class) entering a clinical study.
Cybersecurity statutory hook	Section 524B applies in full.	Section 524B applies in full.	Section 524B applies in full.	Section 524B applies; reviewers also assess unreasonable risk to subjects under 21 CFR 812.30(b)(4).
Cybersecurity submission format	eSTAR cybersecurity section (mandatory since Oct 2023).	eSTAR cybersecurity section (mandatory since Oct 1, 2025).	PMA modular content; cybersecurity package per 2026 guidance.	IDE application cybersecurity sections; eCopy or CDRH portal upload (no eSTAR yet).
Required artifacts (2026 guidance)	SPDF documentation, threat model, SBOM, security architecture views, risk assessment, pen test, postmarket plan, labeling.	Same seven-section package as 510(k); plus special-controls justification.	Same seven-section package; plus deeper architecture, manufacturing, and quality-system evidence.	Threat model, security risk assessment, SBOM, architecture views, pen-test evidence sized to investigational risk, mid-study monitoring plan.
Review clock	90 FDA days (substantive review).	150 FDA days.	180 FDA days; can be longer with panel review.	30 FDA days; the study may begin if FDA does not place it on hold within that window.
Highest-severity cyber outcome	Refuse-To-Accept (RTA) hold - most-cited reason for cyber-driven RTAs.	Acceptance-Review hold - checklist mirrors 510(k).	Major Deficiency Letter - frequently cites cyber.	Clinical Hold under 21 CFR 812.42 - stops enrollment until cybersecurity concerns are resolved.
Postmarket cyber expectations	Postmarket plan + CVD process + SBOM updates.	Same as 510(k).	Same plus PMA annual reports must address cybersecurity changes.	Mid-study security event reporting to investigators / IRB / FDA; IDE supplements for security patches and scope changes.

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services

510(k) vs De Novo vs PMA vs IDE: cybersecurity comparison

Related

Get FDA cleared without the cybersecurity headaches.