
On this page
Key Takeaways
- Section 524B has three operative subsections: (a) refusal authority, (b) required submission content, and (c) the cyber-device definition.
- 524B(a) grants the FDA explicit authority to refuse-to-accept any noncompliant cyber device submission.
- 524B(b) enumerates three required deliverables: postmarket plan, SPDF narrative, and SBOM.
- 524B(c) sets the three-part cyber-device test: software-containing, internet-capable, cybersecurity-vulnerable technological characteristics.
- Every submission section should cite the exact subsection it addresses so reviewers can map artifact to statute.
Index of every Section 524B subsection with short descriptions and links - 524B(a) applicability, (b)(1)-(4) requirements, (c) cyber device definition, and combination products (BLA/IND).
Use this page as a directory to every Section 524B subsection. Each entry has a short description and a link to the deep-dive content. Combination products are included at the end because the device cybersecurity work is the same scope even when it lands in a BLA or IND.
Section 524B of the Federal Food, Drug, and Cosmetic Act is the binding cyber device statute. The FDA's February 3, 2026 final premarket cybersecurity guidance is the operative interpretation reviewers apply when measuring a submission against it. Both are referenced throughout the entries below.
Section 524B timeline
- December 29, 2022 - 524B became law, signed as part of the Consolidated Appropriations Act, 2023 (Pub. L. 117-328), the FDORA provisions, Section 3305.
- March 29, 2023 - The law took effect, 90 days later, per the effective-date clause in Section 3305(c) of Pub. L. 117-328. The FDA's refuse-to-accept authority attached on this date.
- October 1, 2023 - The FDA actually began issuing refuse-to-accept decisions based on 524B, per the FDA "Refuse to Accept Policy for Cyber Devices" guidance (March 30, 2023), which stated the agency would not issue RTAs based solely on 524B before October 1, 2023. This is the real start-of-rejections date.
Section 524B subsections
524B(a): Applicability
Section 524B(a) attaches 524B's requirements to marketing submissions filed under FD&C Act sections 510(k), 513, 515(c), 515(f), and 520(m) - in plain language, 510(k), De Novo, PMA, PDP, and HDE. IDE submissions (520(g)) are not enumerated. Reviewers determine applicability from the device description and the 524B(c) cyber device test.
524B(b)(1): Postmarket vulnerability plan
Requires a written plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and timely patch release. The plan ships with the premarket submission and must be operational at clearance, not a placeholder.
- 524B(b)(1) deep dive
- Postmarket cybersecurity readiness plan
- Coordinated vulnerability disclosure and VDP workflows
524B(b)(2): Processes, updates, and patchability
Requires designed-in processes to provide reasonable assurance that the device and related systems are cybersecure, plus the ability to make security updates and patches available. This is the SPDF requirement in operational form: secure design, patchable architecture, authenticated update channels, rollback, and the operational link to incident response.
- 524B(b)(2) deep dive
- Medical device cybersecurity SPDF playbook
- Medical device incident response plan: FDA expectations 2026
524B(b)(3): Software Bill of Materials
Requires a software bill of materials covering commercial, open-source, and off-the-shelf components. The FDA expects an SBOM in a machine-readable standard format (CycloneDX or SPDX), accompanied by VEX statements for known vulnerabilities and a monitoring plan.
524B(b)(4): Additional requirements by regulation
Authorizes the FDA to add cybersecurity requirements through regulation (rulemaking), not guidance. As of June 2026 no (b)(4) regulations have been issued. The February 3, 2026 guidance is nonbinding and interprets the existing (b)(1)-(3) obligations; it is not the (b)(4) expression.
524B(c): Cyber device definition
A "cyber device" is a device that (1) includes software validated, installed, or authorized by the sponsor, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. The connectivity prong is broad - any interface to device software counts (Wi-Fi, BLE, NFC, USB service port, companion app, gateway-mediated cloud path).
Combination products: BLA and IND
Section 524B is a device statute. It does not reach Biologics License Applications (BLA) or Investigational New Drug applications (IND). But the FDA's February 3, 2026 final premarket cybersecurity guidance is broader than 524B - it covers devices with cybersecurity considerations generally, including 510(k)-exempt devices, IDE, BLA, and IND submissions. For combination products, the cybersecurity content for the device constituent (delivery device, connected manufacturing system, dosing companion app) lives inside the BLA or IND, scoped and rigored the same way as any other device cybersecurity package.
- Combination products: when device cybersecurity content lands in a BLA or IND
- FDA cybersecurity guidance summary 2026
Where this fits in our content
- FDA Section 524B subsections explained - the long-form walkthrough.
- Section 524B compliance checklist - clause-by-clause submission deliverables.
- FDA pathway cybersecurity differences - how 524B and the guidance attach to 510(k), De Novo, PMA, PDP, HDE, IDE, BLA, and IND.
- FDA cybersecurity guidance summary 2026 - what the February 3, 2026 final guidance changed.
Frequently asked questions
What are the three main parts of Section 524B?
524B(a) enumerates which FD&C Act pathways the cybersecurity requirements apply to. 524B(b) lists the four substantive obligations: cybersecurity plan, secure design and maintenance processes, SBOM, and any additional requirements added by regulation. 524B(c) defines what makes a device a "cyber device" (software plus internet-connectable plus vulnerable technological characteristics, all three).
Does Section 524B apply to devices already on the market?
Only for the postmarket obligations that flow from Section 524B(b)(2) via the February 3, 2026 final guidance. Devices cleared before Section 524B took effect (March 2023 for the statutory obligation) do not need to be resubmitted, but manufacturers of legacy connected devices still carry ongoing postmarket cybersecurity responsibilities under existing FDA authority.
Which subsection carries the "refuse to accept" teeth?
Section 524B does not itself grant RTA authority; 21 U.S.C. 360c(a)(3) and the FDA's existing acceptance-review authorities do. What Section 524B does is add cybersecurity to the mandatory content list, so an incomplete cybersecurity package now triggers the same RTA machinery that missing 510(k) elements have always triggered.
Is 524B(b)(4) already in effect?
524B(b)(4) authorizes the FDA to add additional cybersecurity requirements through rulemaking. As of publication no formal rulemaking under (b)(4) has been finalized. The February 2026 guidance is not (b)(4) rulemaking; it interprets the existing (b)(1) through (b)(3) obligations. Any (b)(4) expansion would go through notice-and-comment rulemaking with its own effective date.
Does 524B(c)'s "cyber device" definition include BLAs and INDs?
The definition itself is device-facing, but the February 2026 guidance clarifies that its cybersecurity expectations apply to combination products submitted under BLAs and INDs where the device constituent meets the cyber device definition. Sponsors of drug-device combination products should treat the cyber device analysis as required for the device constituent.
Where do the 524B statutory citations live in the FD&C Act?
Section 524B is codified at 21 U.S.C. 360n-2. Subsection (a) covers scope, (b) covers requirements, and (c) covers definitions. The full statutory text is publicly available on the House Office of the Law Revision Counsel's site and on the FDA's Section 524B resource page. Cite by both the FD&C Act section (524B) and the U.S. Code citation (360n-2) in formal submissions.
How Blue Goat Cyber helps
We map your device to every applicable 524B subsection, draft the artifacts each one requires, and stay through deficiency response. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. See FDA premarket cybersecurity services.
Sources & primary references
- Section 524B of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360n-2)
- FDA, Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (final guidance, February 3, 2026)
- Consolidated Appropriations Act, 2023, Section 3305
Sources & references
Primary sources cited in this article. Links open in a new tab.



