Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Guide · FDA

    FDA Section 524B & eSTAR Cybersecurity: The Walkthrough

    The hub for FDA Section 524B cybersecurity and eSTAR submissions. Statute, the February 3, 2026 guidance, eSTAR v6.2 to v7.0 cybersecurity fields, deliverables, and the order to build them.

    Hero illustration for the article: FDA Section 524B & eSTAR Cybersecurity: The Walkthrough
    On this page
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Key Takeaways

    • The eSTAR cybersecurity section has six required cybersecurity attachments mapped to Section 524B(b).
    • Each field expects a specific artifact, reviewers do not accept combined PDFs across fields.
    • Cross-references between attachments must be explicit; implicit links are treated as missing evidence.
    • The walkthrough mirrors the technical-screen checklist so authors can validate field mapping before upload.
    • Final review inside the eSTAR portal, not offline, catches substitution errors that trigger RTA rejection.
    TL;DR

    The hub for FDA Section 524B cybersecurity and eSTAR submissions. Statute, the February 3, 2026 guidance, eSTAR v6.2 to v7.0 cybersecurity fields, deliverables, and the order to build them.

    Use this page as the single entry point to our Section 524B and eSTAR cybersecurity content. The statute, the February 3, 2026 final guidance, and the eSTAR fields where the artifacts get attached are all linked from here in the order a submission team actually works through them.

    Section 524B of the FD&C Act, the FDA's February 3, 2026 final premarket cybersecurity guidance, and the eSTAR template are not three separate workstreams. They are one stack: 524B sets the obligation, the guidance defines the artifacts that prove it, and eSTAR is where those artifacts attach in the submission. This page links to the deep-dive guide for each layer in the order a submission team works through them.

    1. Start with the statute

    2. Read the guidance the FDA actually applies

    3. Build the eSTAR-ready package

    4. Operationalize postmarket

    eSTAR cybersecurity documentation: where each artifact lives {#estar-cybersecurity-documentation}

    "eSTAR cybersecurity documentation" is not one deliverable, it is the set of artifacts the template requires across the cybersecurity subform. Use the map below to jump straight to the guide that covers each piece.

    If you were looking for a single "eSTAR cybersecurity documentation guide," start with the field-by-field mapping and use the deliverables map as the packing list.

    Frequently asked questions

    Which sections of the FD&C Act does 524B(a) actually cover?

    Section 524B(a) enumerates FD&C Act sections 510(k), 513, 515(c), 515(f), and 520(m). In plain terms: 510(k), De Novo, PMA, Product Development Protocol (PDP), and Humanitarian Device Exemption (HDE). Investigational Device Exemptions under 520(g) are not a 524B pathway, but the February 3, 2026 final guidance still applies cybersecurity expectations to IDE submissions.

    Is the February 2026 guidance legally binding?

    No. The guidance carries the standard "Contains Nonbinding Recommendations" header. What makes it operative is that reviewers use it as the interpretation of the binding statute (Section 524B). Failing to follow it produces real RTAs and deficiencies. Treat the statute as the obligation and the guidance as the standard the FDA measures against.

    What are the four requirements in Section 524B(b)?

    Four discrete obligations for every cyber device: (1) a cybersecurity plan to monitor, identify, and address postmarket vulnerabilities and exploits, (2) design, develop, and maintain processes to provide a reasonable assurance of cybersecurity, (3) a Software Bill of Materials (SBOM), and (4) any other requirements the FDA may add by regulation. The February 2026 guidance describes how (1) through (3) are demonstrated.

    What is the definition of a "cyber device" under Section 524B(c)?

    A device that (i) includes software validated, installed, or authorized by the sponsor, (ii) has the ability to connect to the internet, and (iii) contains any technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats. All three conditions must be met. Most modern connected Class II devices qualify.

    How does the eSTAR template enforce Section 524B?

    The eSTAR cybersecurity subform contains discrete required fields mapped to each 524B(b) obligation. The template blocks submission if required fields are empty. This is why cybersecurity RTA holds are mechanical rather than discretionary: the eSTAR either accepts the package or it does not.

    Do we need a Predetermined Change Control Plan (PCCP) for cybersecurity updates?

    A PCCP is required when you want to make specific modifications post-clearance without a new 510(k). For pure cybersecurity patches that fall within the existing letter-to-file thresholds, a PCCP is not typically required. For AI/ML devices with periodic retraining or firmware devices with planned functional changes, include cybersecurity impact in the PCCP scope.

    How Blue Goat Cyber helps

    We map your device to every applicable 524B subsection, draft the artifacts the February 2026 guidance expects, and assemble the eSTAR-ready package. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. See FDA premarket cybersecurity services.

    Sources & primary references

    • Section 524B of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 360n-2)
    • FDA, Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (final guidance, February 3, 2026)
    • FDA eSTAR templates (non-IVD v7.0, IVD v7.0)
    Suggested reading

    Related guides

    Guide
    Cybersecurity for IVD Devices: The FDA & Section 524B Guide
    Guide
    FDA Section 524B Subsections: Index of Every Topic
    Guide
    Section 524B Compliance Checklist: FDA Cybersecurity Requirements for Cyber Devices
    Guide
    Section 524B Post-Market Retrofit Guide
    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.