
Use this page as a directory to every Section 524B subsection. Each entry has a short description and a link to the deep-dive content. Combination products are included at the end because the device cybersecurity work is the same scope even when it lands in a BLA or IND.
Section 524B of the Federal Food, Drug, and Cosmetic Act is the binding cyber device statute. The FDA's February 3, 2026 final premarket cybersecurity guidance is the operative interpretation reviewers apply when measuring a submission against it. Both are referenced throughout the entries below.
Section 524B timeline
- December 29, 2022 - 524B became law, signed as part of the Consolidated Appropriations Act, 2023 (Pub. L. 117-328), the FDORA provisions, Section 3305.
- March 29, 2023 - The law took effect, 90 days later, per the effective-date clause in Section 3305(c) of Pub. L. 117-328. The FDA's refuse-to-accept authority attached on this date.
- October 1, 2023 - The FDA actually began issuing refuse-to-accept decisions based on 524B, per the FDA "Refuse to Accept Policy for Cyber Devices" guidance (March 30, 2023), which stated the agency would not issue RTAs based solely on 524B before October 1, 2023. This is the real start-of-rejections date.
Section 524B subsections
524B(a): Applicability
Section 524B(a) attaches 524B's requirements to marketing submissions filed under FD&C Act sections 510(k), 513, 515(c), 515(f), and 520(m) - in plain language, 510(k), De Novo, PMA, PDP, and HDE. IDE submissions (520(g)) are not enumerated. Reviewers determine applicability from the device description and the 524B(c) cyber device test.
524B(b)(1): Postmarket vulnerability plan
Requires a written plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and timely patch release. The plan ships with the premarket submission and must be operational at clearance, not a placeholder.
- 524B(b)(1) deep dive
- Postmarket cybersecurity readiness plan
- Coordinated vulnerability disclosure and VDP workflows
524B(b)(2): Processes, updates, and patchability
Requires designed-in processes to provide reasonable assurance that the device and related systems are cybersecure, plus the ability to make security updates and patches available. This is the SPDF requirement in operational form: secure design, patchable architecture, authenticated update channels, rollback, and the operational link to incident response.
- 524B(b)(2) deep dive
- Medical device cybersecurity SPDF playbook
- Medical device incident response plan: FDA expectations 2026
524B(b)(3): Software Bill of Materials
Requires a software bill of materials covering commercial, open-source, and off-the-shelf components. The FDA expects an SBOM in a machine-readable standard format (CycloneDX or SPDX), accompanied by VEX statements for known vulnerabilities and a monitoring plan.
524B(b)(4): Additional requirements by regulation
Authorizes the FDA to add cybersecurity requirements through regulation (rulemaking), not guidance. As of June 2026 no (b)(4) regulations have been issued. The February 3, 2026 guidance is nonbinding and interprets the existing (b)(1)-(3) obligations; it is not a (b)(4) regulation.
524B(c): Cyber device definition
A "cyber device" is a device that (1) includes software validated, installed, or authorized by the sponsor, (2) has the ability to connect to the internet, and (3) contains technological characteristics that could be vulnerable to cybersecurity threats. The connectivity prong is broad - any interface to device software counts (Wi-Fi, BLE, NFC, USB service port, companion app, gateway-mediated cloud path).
Combination products: BLA and IND
Section 524B is a device statute. It does not reach Biologics License Applications (BLA) or Investigational New Drug applications (IND). But the FDA's February 3, 2026 final premarket cybersecurity guidance is broader than 524B - it covers devices with cybersecurity considerations generally, including 510(k)-exempt devices, IDE, BLA, and IND submissions. For combination products, the cybersecurity content for the device constituent (delivery device, connected manufacturing system, dosing companion app) lives inside the BLA or IND, with the same scope and rigor as any other device cybersecurity package.
- Combination products: when device cybersecurity content lands in a BLA or IND
- FDA cybersecurity guidance summary 2026
Where this fits in our content
- FDA Section 524B subsections explained - the long-form walkthrough.
- Section 524B compliance checklist - clause-by-clause submission deliverables.
- FDA pathway cybersecurity differences - how 524B and the guidance attach to 510(k), De Novo, PMA, PDP, HDE, IDE, BLA, and IND.
- FDA cybersecurity guidance summary 2026 - what the February 3, 2026 final guidance changed.
How Blue Goat Cyber helps
We map your device to every applicable 524B subsection, draft the artifacts each one requires, and stay through deficiency response. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. See FDA premarket cybersecurity services.
Sources & primary references
- Section 524B of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360n-2)
- FDA, Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (final guidance, February 3, 2026)
- Consolidated Appropriations Act, 2023, Section 3305