Feb 2, 2026 · FDA · Final Rule · Active · High impact
FDA Quality Management System Regulation (QMSR) takes effect
The QMSR formally aligns 21 CFR Part 820 with ISO 13485:2016. Cybersecurity design controls, risk management, and supplier controls must now be documented under the harmonized framework.
What changed
- Part 820 is restructured to reference ISO 13485:2016 directly.
- Cybersecurity activities (threat modeling, SBOM, postmarket surveillance) must trace into the QMS rather than live in a parallel binder.
- Supplier controls must cover third-party software components and their VEX cadence.
Action for manufacturers
Map your cybersecurity SOPs, threat models, and SBOM/VEX processes into the QMSR clause structure. Any cyber activity that isn't traceable into design controls or supplier management is a gap.