Medical device cybersecurity regulatory tracker.
A dated, structured log of FDA, CISA, AAMI, EU, and supply-chain changes that move the cybersecurity bar - with what changed and what to do about it.
20 tracked changes
Dec 11, 2027 · EU Commission · Regulation (applies) · Scheduled · High impact
EU Cyber Resilience Act becomes fully applicable
The CRA's core obligations - secure-by-design, SBOM, vulnerability handling, and incident reporting - apply to products with digital elements placed on the EU market. Two caveats matter for MedTech: the reporting obligations (24-hour early warning of actively exploited vulnerabilities and severe incidents) start earlier, on 11 September 2026, and Article 2(2) excludes products already covered by the MDR (2017/745) and IVDR (2017/746), so a connected medical device is in CRA scope only where it falls outside those regulations.
Applies to: Products with digital elements sold in the EU; Connected health products outside MDR/IVDR scope
Jun 30, 2026 · Red Hat · End-of-support clock · Scheduled · High impact
RHEL 7 Extended Life Support ends - legacy device fleets need a memo
RHEL 7 ELS reaches end of support on 30 June 2026. Devices that still ship or service with RHEL 7 need a compensating-controls memo in their postmarket file.
Applies to: Legacy devices running RHEL 7
Apr 22, 2026 · CISA · KEV update · Active · High impact
CISA adds Linux kernel netfilter use-after-free to KEV (CVE-2026-0511)
A use-after-free in Linux kernel netfilter (CVE-2026-0511) was added to the Known Exploited Vulnerabilities catalog, affecting many embedded Linux device platforms.
Applies to: Devices on Linux kernel; Embedded Linux platforms
Apr 15, 2026 · CISA · KEV update · Active · High impact
CISA adds widely embedded BLE pairing bypass to the KEV
CISA added a BLE pairing bypass affecting an embedded Bluetooth stack used across consumer and medical wearables to the Known Exploited Vulnerabilities catalog.
Applies to: Wearables; Connected devices; Bluetooth-enabled SaMD
Mar 31, 2026 · AAMI · Standards draft · Draft · Medium impact
ANSI/AAMI SW96 Amendment 1 draft circulated for member review
Draft amendment clarifies threat modeling traceability, security risk evaluation, and the relationship between SW96 and AAMI TIR57.
Applies to: All cyber devices
Mar 18, 2026 · FDA · Enforcement signal · Active · Medium impact
FDA postmarket cybersecurity 'update letter' cadence increases
Blue Goat Cyber tracking shows a year-over-year jump in postmarket cybersecurity update letters citing missing CVD URLs, stale SBOMs, and lack of triage SLAs.
Applies to: Marketed cyber devices
Feb 3, 2026 · FDA · Final Guidance · Active · High impact
FDA finalizes 2026 premarket cybersecurity guidance
FDA's 2026 final guidance replaces the 2023 document and sets binding expectations for SBOM, VEX, threat modeling, security testing, postmarket plans, and CVD for every cyber device submission.
Applies to: 510(k); De Novo; PMA; Section 524B
Feb 3, 2026 · FDA · Guidance superseded · Withdrawn · Medium impact
FDA 2023 premarket cybersecurity guidance superseded
The September 2023 premarket cybersecurity guidance is superseded by the February 3, 2026 final guidance. Citing the 2023 document in new submissions is now a stale reference.
Applies to: Premarket submissions
Feb 2, 2026 · FDA · Final Rule · Active · High impact
FDA Quality Management System Regulation (QMSR) takes effect
The QMSR formally aligns 21 CFR Part 820 with ISO 13485:2016. Cybersecurity design controls, risk management, and supplier controls must now be documented under the harmonized framework.
Applies to: All medical device manufacturers
Jan 8, 2026 · CycloneDX · Specification errata · Active · Medium impact
CycloneDX 1.6.1 errata clarifies VEX status semantics
1.6.1 errata clarifies how to express 'not_affected' justifications and how VEX statements should reference SBOM components by bom-ref or PURL.
Applies to: SBOM / VEX producers
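The checks a practitioner would run before a VEX goes into a submission or a postmarket file, covering both this errata entry and the two KEV entries above: every affects.ref must resolve to a bom-ref or PURL in the SBOM, every not_affected statement must carry a justification, and anything CISA lists as exploited in the wild must be closed out rather than left in triage. This is an added example, not code from the page, from Blue Goat Cyber, or from the CycloneDX or CISA projects. It assumes the CycloneDX field names from the 1.4+ schema (vulnerabilities[].analysis.state, analysis.justification, affects[].ref) and accepts a PURL as a ref because this entry says the errata allows it; the SBOM, VEX and KEV documents are constructed inline, and the EXAMPLE-* ids are placeholders, not real vulnerability identifiers.

```python
"""Cross-check a CycloneDX VEX against its SBOM and a CISA KEV snapshot.

Added example; not code from the page or from the CycloneDX / CISA projects.
All three documents are constructed inline so the check runs offline.
EXAMPLE-* vulnerability ids are placeholders, not real CVEs.
"""
import json

# CycloneDX analysis.state values that close a finding out. Anything else
# (in_triage, exploitable, or a missing state) still owes work.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}

# Constructed SBOM: each component carries both a bom-ref and a purl, the two
# identifiers this tracker entry says a VEX affects.ref may use.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "operating-system", "bom-ref": "kernel", "name": "linux-kernel",
     "version": "5.10.210", "purl": "pkg:generic/linux-kernel@5.10.210"},
    {"type": "library", "bom-ref": "openssl", "name": "openssl",
     "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"}
  ]
}"""

# Constructed VEX with three deliberate defects: the KEV-listed kernel CVE is
# still in_triage, one not_affected entry has no justification, and one entry
# points at a ref ("libssl") that the SBOM does not contain.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "vulnerabilities": [
    {"id": "CVE-2026-0511", "analysis": {"state": "in_triage"},
     "affects": [{"ref": "kernel"}]},
    {"id": "EXAMPLE-0001", "analysis": {"state": "not_affected"},
     "affects": [{"ref": "pkg:generic/openssl@3.0.13"}]},
    {"id": "EXAMPLE-0002",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "libssl"}]}
  ]
}"""

# Constructed KEV snapshot in the shape of CISA's known_exploited_vulnerabilities.json,
# reduced to the fields this check reads.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-0511", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2026-04-22"}
  ]
}"""


def sbom_refs(sbom: dict) -> set[str]:
    """Every identifier a VEX affects.ref may legally resolve to."""
    refs = set()
    for comp in sbom.get("components", []):
        for key in ("bom-ref", "purl"):
            if comp.get(key):
                refs.add(comp[key])
    return refs


def kev_ids(kev: dict) -> set[str]:
    """CVE ids CISA lists as known exploited."""
    return {v["cveID"] for v in kev.get("vulnerabilities", [])}


def check_vex(sbom: dict, vex: dict, kev: dict) -> list[str]:
    """Return one finding per defect; an empty list means the VEX passes."""
    known = sbom_refs(sbom)
    exploited = kev_ids(kev)
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        # 1. dangling references: the ref must match a bom-ref or purl in the SBOM
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in known:
                findings.append(f"{vid}: affects.ref {ref!r} matches no bom-ref or purl in the SBOM")
        # 2. not_affected is only meaningful with a justification
        if state == "not_affected" and not analysis.get("justification"):
            findings.append(f"{vid}: not_affected without analysis.justification")
        # 3. anything CISA lists as exploited in the wild must be closed out
        if vid in exploited and state not in CLOSED_STATES:
            findings.append(f"{vid}: listed in CISA KEV but VEX state is {state!r}")
    return findings


def run_example() -> list[str]:
    """Run the three checks over the constructed documents."""
    return check_vex(json.loads(SBOM_JSON), json.loads(VEX_JSON), json.loads(KEV_JSON))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run against the constructed input it reports exactly the three defects planted in the VEX. Note what it does not do: a KEV CVE that has no VEX statement at all is not flagged, because the KEV feed carries no component mapping and deciding whether such a CVE touches the SBOM needs a vulnerability database, which is the scanner's job rather than this check's.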
Oct 31, 2025 · ISO/IEC · Standard transition · Active · Medium impact
ISO/IEC 27001:2022 transition deadline passes
Organizations still certified to ISO/IEC 27001:2013 lost certification on 31 October 2025. Hospitals expect the 2022 control set (including A.8.25 secure development life cycle and A.5.7 threat intelligence) in procurement.
Applies to: MedTech vendors holding ISO 27001 certification
Oct 21, 2025 · CISA · Pledge expansion · Active · Medium impact
CISA Secure by Design pledge expanded with VEX publication expectation
CISA expanded the Secure by Design pledge so signatories are expected to publish VEX statements alongside SBOMs for shipped products.
Applies to: Pledge signatories
Jul 1, 2025 · MDCG (EU) · Guidance · Active · High impact
MDCG 2019-16 Rev. 2 - cybersecurity expectations for MDR/IVDR submissions
Revised MDCG cybersecurity guidance details security risk management, IT environment assumptions, and basic UDI/postmarket cybersecurity expectations for Notified Body review.
Applies to: EU MDR; EU IVDR
Apr 1, 2025 · HHS 405(d) · Practices update · Active · Medium impact
HHS 405(d) HICP 2025 edition updates medical device practices
Health Industry Cybersecurity Practices (HICP) 2025 refresh expands medical device practices and adds AI-specific considerations, raising the bar hospitals use during vendor risk reviews.
Applies to: Health Industry vendors; MedTech providers selling into hospitals
Dec 4, 2024 · FDA · Final Guidance · Active · High impact
FDA finalizes Predetermined Change Control Plans (PCCP) guidance
Final PCCP guidance lets manufacturers pre-authorize specified modifications to AI/ML-enabled device software functions without a new submission, provided cybersecurity impacts are scoped up front.
Applies to: AI/ML-enabled SaMD
May 30, 2024 · NIST · Special Publication · Active · Medium impact
NIST SP 800-216 - federal CVD recommendations finalized
NIST SP 800-216 finalizes recommendations for federal vulnerability disclosure programs. While federal in scope, MedTech CVD programs are increasingly being benchmarked against it.
Applies to: Vendors with CVD programs
Apr 15, 2024 · SPDX (Linux Foundation) · Specification · Active · Medium impact
SPDX 3.0 final published - adds AI and dataset profiles
SPDX 3.0 introduces profiles (Software, Security, AI, Dataset) that align directly with SaMD and PCCP cybersecurity expectations.
Applies to: SBOM producers; AI/ML SaMD
Feb 26, 2024 · NIST · Framework · Active · Medium impact
NIST Cybersecurity Framework 2.0 published
CSF 2.0 adds the Govern function and broadens scope beyond critical infrastructure, becoming the de facto baseline hospitals reference in MDS2 / HSCC procurement questionnaires.
Applies to: MedTech security programs; Hospital procurement responses
Mar 29, 2023 · FDA · Statute · Active · High impact
FD&C Act Section 524B - cyber device requirements in effect
Section 524B (Omnibus 2023) made cybersecurity submission content mandatory for cyber devices. The FDA has issued Refuse to Accept decisions for non-compliant submissions since October 2023.
Applies to: Cyber devices (FD&C Act §524B)
Dec 1, 2021 · IEC · Standard · Active · High impact
IEC 81001-5-1 - secure software lifecycle for health software
IEC 81001-5-1 defines the secure development lifecycle for health software and is the foundational standard for the security risk management activities the FDA and Notified Bodies expect.
Applies to: Health software; SaMD
Spotted something we missed? Email info@bluegoatcyber.com with a link and we'll add it.