Blog
Get practical insights, compliance tips, and expert guidance tailored for QA/RA professionals tackling FDA, MDR, and global cybersecurity requirements.
Recently a manufacturer received an AINN request asking for VEX and VDR data alongside their CycloneDX SBOM. This isn't in the premarket guidance, but you're almost certainly already doing the work. You just aren't packaging it in the format the FDA now wants.
Alan ParkinsonThe EU Cyber Resilience Act (CRA) excludes medical devices under MDR. But health apps, wellness products, and companion apps without medical device claims? They're in scope. If you're using the 'launch as wellness first' strategy, cybersecurity regulation still applies from December 2027
Alan ParkinsonAn SBOM (Software Bill of Materials) is essentially an ingredients list for software. Just like checking food labels for allergens, an SBOM lets you scan for known cybersecurity vulnerabilities in your product's third-party components.
Alan ParkinsonAlan ParkinsonThe FDA published an updated version of its premarket cybersecurity guidance on 3rd February 2026, one day after the QMSR took effect. If you spotted it and felt a familiar twinge of "what's changed now?", the short version: this is a terminology update, not a new set of requirements.
Alan ParkinsonThe UK Medical Devices Regulations 2002 contain no explicit cybersecurity requirements. The word doesn't appear once. Yet new postmarket surveillance rules now require reporting security incidents within 15 days and treating security patches as Field Safety Corrective Actions. Where UK medical device cybersecurity stands in 2026, and where it doesn't.
Alan ParkinsonThe first-of-its-kind cybersecurity settlement shows the DoJ is serious about backing up FDA requirements with real consequences. Here's what QA and RA teams need to know.
