Do Legacy Medical Devices Require Ongoing Cybersecurity Monitoring and Annual Testing?
Summary
Legacy medical devices that were cleared or approved before the FDA’s 2023 and 2025 Premarket Cybersecurity Guidance still require ongoing cybersecurity monitoring and periodic (typically annual) testing for as long as they remain commercially distributed and supported. The FDA’s 2016 Postmarket Guidance already established that all marketed devices must be monitored for vulnerabilities throughout their lifecycle, with the impact of each vulnerability assessed and remediated, and with testing evidence that the device remains safe and effective. Compliance is based on a product’s commercial status, not its clearance or approval date, meaning only active, non–end-of-life releases need to be maintained. ELTON simplifies this process by organizing vulnerabilities and test results per release, ensuring manufacturers meet FDA expectations for both legacy and new products with clear, regulator-ready evidence.
A common question among medical device manufacturers is whether products cleared or approved before the FDA’s 2023 and upcoming 2025 Premarket Cybersecurity Guidance must still undergo cybersecurity monitoring and annual testing. The answer is yes. If a product is still commercially distributed and supported, the manufacturer is obligated to maintain continuous cybersecurity oversight, regardless of when it was originally cleared or approved.
The 2016 Postmarket Guidance Still Governs Legacy Devices
The FDA’s 2016 Postmarket Management of Cybersecurity in Medical Devices guidance remains the foundation for ongoing cybersecurity obligations. It requires manufacturers to monitor, identify, and address vulnerabilities throughout a device’s lifecycle, assess whether each one presents a controlled or an uncontrolled risk to safety and effectiveness, and maintain a coordinated vulnerability disclosure and remediation process. For vulnerabilities that present uncontrolled risk, the guidance expects prompt user notification with compensating controls and a remediation within a defined window (30 and 60 days, respectively, to qualify for the guidance’s enforcement discretion on 21 CFR Part 806 reporting). These expectations apply to all marketed devices, not just those cleared under newer frameworks.
2023 and 2025 Guidance Reinforce, Not Replace
The FDA’s 2023 Premarket Cybersecurity Guidance and forthcoming 2025 update do not exempt older products; instead, they reinforce that cybersecurity is a lifecycle obligation. The 2023 guidance also implements section 524B of the FD&C Act, which requires manufacturers of cyber devices to maintain an SBOM, to monitor and address postmarket vulnerabilities, and to provide patches and updates on a reasonably justified regular cycle. In practice, this means manufacturers must continuously manage vulnerabilities, track cybersecurity metrics such as time from vulnerability awareness to patch, and determine the actual exploitability of each reported issue within the specific commercial release it affects, rather than relying on a generic severity score. Together, the premarket and postmarket guidances establish that all active devices must demonstrate ongoing cybersecurity control and risk management.
Compliance Depends on Commercial Status, Not Approval Date
The FDA evaluates cybersecurity compliance based on whether a product remains commercially active, not on when it was cleared or approved. Once a device is on the market, manufacturers are responsible for ensuring that its security posture remains effective. This includes periodic penetration testing (annual testing is the common industry cadence, and the one auditors tend to expect) and continuous vulnerability monitoring for each supported release, since two releases of the same product can ship different firmware and third-party components and therefore carry different vulnerabilities.
Once a product has reached End of Life (EOL) and is no longer distributed or supported, ongoing testing is no longer required. Note that ceasing sales is not by itself the end of the obligation: units already in the field remain the manufacturer’s responsibility until the declared end of support, and the FDA expects manufacturers to communicate that end-of-support date to customers so that healthcare providers can plan for the residual legacy risk.
Audit Expectations and Industry Practice
FDA inspections and industry audits have increasingly focused on legacy devices. Findings are often issued when manufacturers cannot produce evidence of recent penetration testing, or when vulnerabilities are tracked at the product level instead of against the specific releases they affect. Regulators expect to see documented cybersecurity processes, traceable vulnerability records that link each finding to its assessment and remediation, and annual testing that aligns with the specific commercial version of the product.
How ELTON Simplifies Legacy Device Compliance
ELTON was built for this challenge. The platform continuously monitors active commercial releases, catalogs vulnerabilities by version, and provides defensible, regulator-ready reports for each product still on the market. Only non-EOL, still-supported versions are tested and monitored annually, reducing unnecessary cost while ensuring full compliance with FDA expectations.
With ELTON, manufacturers can confidently maintain cybersecurity compliance across both new and legacy devices, demonstrating continuous control, lifecycle accountability, and regulatory readiness.
