CyberMed

Introduction: The Regulatory Landscape

Regulatory History and Framework

Medical device cybersecurity is regulated through three layers: binding legal requirements in the FD&C Act (section 524B, which applies to devices that meet the statutory definition of a "cyber device": they run software, can connect to the internet, and have characteristics that could be vulnerable to cybersecurity threats), FDA guidance documents that carry no force of law but are applied in premarket review and so are practically required, and industry standards that supply the implementation detail. The rules moved from voluntary recommendations to legal requirements in roughly a decade, and knowing which layer a given obligation comes from shapes every compliance decision: a statutory requirement cannot be argued away, a guidance expectation can be met by an alternative approach if you can justify it, and a standard is a means of demonstrating either.

The regulatory framework consists of three main layers:

  1. Legal Requirements - What you must do by law
  2. FDA Guidance - What FDA expects (not legally binding, but applied in premarket review, so practically required)
  3. Industry Standards - Recognized best practices and the detailed implementation guidance you use to show how the first two layers are satisfied

Think of it this way: the law tells you where you need to go, FDA guidance shows you the route, and industry standards provide the detailed map and driving instructions.
