Blog

Making Medical Device Cybersecurity Simple (Well, Simpler).

Get practical insights, compliance tips, and expert guidance tailored for QA/RA professionals tackling FDA, MDR, and global cybersecurity requirements.

FDA reviewers are now asking for VEX/VDR files with your SBOM

Recently a manufacturer received an AINN request asking for VEX and VDR data alongside their CycloneDX SBOM. This isn't in the premarket guidance, but you're almost certainly already doing the work. You just aren't packaging it in the format the FDA now wants.

Alan Parkinson

The EU Cyber Resilience Act and medical devices: what's in scope and what isn't

The EU Cyber Resilience Act (CRA) excludes medical devices under MDR. But health apps, wellness products, and companion apps without medical device claims? They're in scope. If you're using the 'launch as wellness first' strategy, cybersecurity regulation still applies from December 2027.

Alan Parkinson

What is an SBOM? Think food labels, but for software

An SBOM (Software Bill of Materials) is essentially an ingredients list for software. Just like checking food labels for allergens, an SBOM lets you scan for known cybersecurity vulnerabilities in your product's third-party components.

Alan Parkinson

Blog posts

Alan Parkinson

FDA Cybersecurity Guidance Gets a QMSR Refresh

The FDA published an updated version of its premarket cybersecurity guidance on 3rd February 2026, one day after the QMSR took effect. If you spotted it and felt a familiar twinge of "what's changed now?", the short version: this is a terminology update, not a new set of requirements.

Alan Parkinson

UK medical device cybersecurity: where the rules stand (and don't)

The UK Medical Devices Regulations 2002 contain no explicit cybersecurity requirements. The word doesn't appear once. Yet new postmarket surveillance rules now require reporting security incidents within 15 days and treating security patches as Field Safety Corrective Actions. Where UK medical device cybersecurity stands in 2026, and where it doesn't.

Alan Parkinson

Illumina's £9.8M DoJ Settlement: A Cybersecurity Wake-Up Call for Medical Device Manufacturers

The first-of-its-kind cybersecurity settlement shows the DoJ is serious about backing up FDA requirements with real consequences. Here's what QA and RA teams need to know.