Medical device SBOMs: FAQ

Question 1

Do I need an SBOM for my medical device?

Accepted Answer

If your device contains software and you place it on the US, EU, or UK market, the answer is effectively yes. The FDA has required an SBOM in cyber-relevant premarket submissions since the 2023 refuse-to-accept policy took effect. The EU expects equivalent evidence under MDR Annex I cybersecurity requirements and the harmonised standard IEC 81001-5-1. The UK MHRA aligns with the same expectations in its cybersecurity guidance.

Question 2

Which SBOM format should we produce — SPDX or CycloneDX?

Accepted Answer

Either is acceptable to the FDA and EU regulators today. SPDX is the older ISO-standardised format and is common in open-source ecosystems. CycloneDX has stronger native support for vulnerability and VEX data, which makes downstream maintenance easier. Pick one and apply it consistently across products; the cost of switching later is high.

Question 3

How often should an SBOM be regenerated?

Accepted Answer

Every released build. An SBOM is only useful if it matches the binary that ships, so generation should be wired into your CI pipeline alongside the build itself. For maintained devices already on the market, expect to re-issue the SBOM and a corresponding VEX update whenever a component changes or a new vulnerability becomes relevant.

Question 4

Who in our organisation should own the SBOM?

Accepted Answer

Engineering owns generation; QA/RA owns the regulatory artefact. In practice, the SBOM file is produced by the build pipeline (engineering), and a named regulatory or product-security lead is accountable for the evidence package that goes into the submission and the post-market vulnerability process. The two sides need to agree on tooling early — late integration is where teams burn the most time.

Frequently asked.

Never miss an insight.
Subscribe to The Notebook.

Never miss an insight.Subscribe to The Notebook.

Never miss an insight.
Subscribe to The Notebook.