News Center

Home / News

US: Guidance gives FDA authority to reject devices due to poor cybersecurity

2023/03/31  US FDA

On December 29, 2022, the Consolidated Appropriations Act, 2023 (“Omnibus”) was signed into law. Section 3305 of the Omnibus — “Ensuring Cybersecurity of Medical Devices” —amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. The Omnibus states that the amendments to the FD&C Act shall take effect 90 days after the enactment of this Act on March 29, 2023. As provided by the Omnibus, the cybersecurity requirements do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before March 29, 2023.

FDA generally intends not to issue “refuse to accept” (RTA) decisions for premarket submissions submitted for cyber devices based solely on information required by section 524B of the FD&C Act before October 1, 2023, but instead, work collaboratively with sponsors of such premarket submissions as part of the interactive and/or deficiency review process. Beginning October 1, 2023, FDA expects that sponsors of such cyber devices will have had sufficient time to prepare premarket submissions that contain information required by section 524B of the FD&C Act, and FDA may RTA premarket submissions that do not.

This guidance is being implemented without prior public comment because the Agency has determined that prior public participation is not feasible or appropriate (see section 701(h)(1)(C) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 371(h)(1)(C)) and 21 CFR 10.115(g)(2)). FDA has determined that it is not feasible to obtain public comment prior to the 90-day statutory timeframe for the effective date of section 524B of the FD&C Act. Although this policy is being implemented immediately without prior comment, FDA will consider all comments received and revise the guidance document as appropriate.

To continue reading this article please go to US FDA .