Mar 29, 2023·FDA · StatuteActiveHigh impact

FD&C Act Section 524B - cyber device requirements in effect

Section 524B (Omnibus 2023) made cybersecurity submission content mandatory for cyber devices. The FDA has issued Refuse to Accept decisions for non-compliant submissions since October 2023.

What changed

Cyber devices must submit a cybersecurity plan, SBOM, and evidence of secure design.
RTA authority empowers the FDA to reject incomplete cyber-device submissions at intake.

Action for manufacturers

If your device meets the §524B 'cyber device' definition, the cybersecurity package is a gating RTA item - not an optional appendix.

Primary sources

FDA cyber device definition (§524B)

Related Blue Goat Cyber resources

FDA Section 524B requirements explained

Entry metadata

Date: Mar 29, 2023
Agency: FDA
Type: Statute
Status: Active
Impact: High
Last reviewed: Jun 5, 2026

Applies to

Cyber devices (FD&C Act §524B)

What changed

Action for manufacturers

Primary sources

Related Blue Goat Cyber resources

Get FDA cleared without the cybersecurity headaches.