Medical device classes & cybersecurity requirements
| Class | Risk level | Examples | Pathway | 524B applies? | Cybersecurity artifacts required |
|---|---|---|---|---|---|
| Class I | Low risk; general controls only. | Bandages, manual stethoscopes, exam gloves. | Most are 510(k)-exempt; a small number require 510(k). | Only if the device meets the FD&C Act §524B definition of 'cyber device' (validated software + internet/network capability). | Most pure Class I devices have no software and fall outside Section 524B; if they do contain software the full 2026 cybersecurity package applies. |
| Class II | Moderate risk; general + special controls. | Infusion pumps, patient monitors, most SaMD, surgical robots. | 510(k) or De Novo (eSTAR mandatory). | Yes for any device meeting the Section 524B 'cyber device' definition - the dominant case. | Full 2026 package: SPDF documentation, threat model, SBOM, security architecture views, cybersecurity risk assessment, penetration test, postmarket plan, labeling. |
| Class III | High risk; life-sustaining or life-supporting. | Implantable cardioverter-defibrillators, deep-brain stimulators, mechanical heart valves. | PMA (or HDE). | Yes - Section 524B applies; reviewers expect deeper architectural and manufacturing evidence. | Full 2026 package plus expanded architecture views, supply-chain controls, manufacturing-environment security evidence, and PMA annual reports addressing cyber changes. |