QMSR: FDA Replaced 21 CFR Part 820 with ISO 13485:2016 – What does this mean for cybersecurity?
Summary
The FDA's Quality Management System Regulation (QMSR) took effect this week, replacing 21 CFR Part 820 with ISO 13485:2016 alignment. While this represents a major shift in quality management requirements for medical device manufacturers, it does not fundamentally change cybersecurity obligations. The FDA's updated Premarket Cybersecurity Guidance, released February 3, 2026, reflects this transition with primarily administrative changes—new definitions for terms like "TPLC" and "risk transfer," expanded glossary entries, and updated cross-references to ISO 13485. Some of these alignments feel like a stretch (equating "quality of data" with security architecture views), and the removal of the NIST 800-160 reference may raise eyebrows, but the core cybersecurity expectations remain intact. Manufacturers should update their documentation to reflect the new terminology while maintaining their existing security programs unchanged.
This week marks a significant milestone in medical device regulation. The FDA’s Quality Management System Regulation (QMSR) officially took effect on February 2, 2026, replacing the longstanding 21 CFR Part 820 Quality System Regulation (QSR). This harmonization aligns the U.S. regulatory framework with ISO 13485:2016, the international standard for quality management systems in the medical device industry.
What Is the QMSR?
The QMSR represents the FDA’s effort to harmonize its quality system requirements with global standards. Rather than maintaining a separate U.S.-specific regulation, medical device manufacturers operating under FDA jurisdiction must now align their quality management systems with ISO 13485:2016. This change has been years in the making and is intended to reduce regulatory burden for manufacturers who already operate under international standards while maintaining the safety and effectiveness expectations for devices sold in the United States.
For manufacturers who have already implemented ISO 13485-compliant quality management systems, this transition should be relatively straightforward. For those operating solely under the previous QSR framework, the adjustment will require updates to documentation, processes, and potentially organizational structures.
Does This Affect Cybersecurity Requirements?
The short answer is no: the QMSR transition does not fundamentally change cybersecurity requirements for medical devices. The FDA’s premarket cybersecurity expectations, postmarket guidance, and the statutory requirements under Section 524B remain substantively unchanged.
However, the QMSR transition has triggered updates to how cybersecurity guidance documents reference quality management concepts. The FDA released an updated Premarket Cybersecurity Guidance on February 3, 2026, replacing the June 2025 version. According to a detailed analysis of the changes, the majority of updates were administrative in nature, specifically to support the cutover from QMRs (Quality Management Regulations) to the ISO-aligned QMSRs.
Where Cybersecurity Guidance Has Been Updated
The February 2026 cybersecurity guidance includes several notable updates that reflect the QMSR alignment:
New Definitions Added:
The guidance now includes a formal definition for “TPLC” (Total Product Life Cycle), clarifying that TPLC processes include design and development, manufacturing, postmarket monitoring, delivering device software and firmware updates, and servicing, among others. A definition for “risk transfer” has also been added, describing it as actions taken to manage risk that shift some or all of the risk to another user, asset, system, network, or geographic area. This definition is adapted from the DHS Risk Lexicon.
Glossary Expansions:
The glossary has been updated to include new terms such as Denial of Service, Least Privilege, and Quality of Service. These additions help standardize terminology used throughout the guidance.
ISO 13485 Cross-References:
The updated guidance attempts to tie cybersecurity concepts to ISO 13485 requirements. For example, security architecture view documentation is now referenced alongside Subclause 8.5 of ISO 13485, which addresses improvement, corrective action, and preventive action.
What Manufacturers Should Do
For medical device manufacturers with cybersecurity obligations, the practical implications are limited. Your core cybersecurity activities (threat modeling, security risk assessments, SBOM maintenance, vulnerability management, and secure development practices) remain unchanged.
However, manufacturers should:
- Review updated guidance documents to ensure your quality management documentation reflects the new ISO 13485 alignment and updated terminology.
- Update internal references from QMR to QMSR in any documentation that references FDA quality system requirements.
- Verify glossary alignment to ensure your cybersecurity documentation uses terminology consistent with the updated FDA definitions.
- Monitor for further updates, as the FDA may release additional clarifications while the industry adapts to the new framework.
Outstanding Questions
The updated guidance leaves some questions unanswered. For instance, the FDA did not take the opportunity to provide detailed guidance on the “Interoperability Verification and Validation Report” referenced in eSTAR. Manufacturers must still rely on the limited help text within eSTAR for direction on what the agency expects in this area.
The Bottom Line
The QMSR transition represents a significant step toward global regulatory harmonization, but it does not alter the fundamental cybersecurity obligations for medical device manufacturers. The recent updates to the Premarket Cybersecurity Guidance are primarily administrative, ensuring consistent references to the new quality management framework. Manufacturers should view this as an opportunity to review and refresh their quality management documentation while maintaining their existing cybersecurity programs unchanged. The substance of what the FDA expects for medical device cybersecurity remains the same, only the regulatory scaffolding around those expectations has shifted.
