Understanding the Legal Landscape
Regulatory History and Framework
For cyber devices, the law requires three things under Section 524B: a cybersecurity management plan, a software bill of materials, and evidence that the device meets the statutory cybersecurity requirements. Everything else in FDA's guidance is technically a recommendation, but reviewers treat most of it as expected. The gap between "required" and "recommended" is much narrower in practice than on paper.
2.4.1 What's Legally Required vs. Recommended
This distinction is critical for manufacturers to understand:
Legally Required (for Cyber Devices under Section 524B):
- Cybersecurity management plan
- Software Bill of Materials (SBOM)
- Evidence that the device meets the statutory cybersecurity requirements
- Applies to: 510(k), PMA, De Novo, HDE, and PDP submissions
FDA "Recommendations" (but expect deficiencies if not followed):
- All other cybersecurity documentation in the 2025 guidance
- Applies to ALL devices with software, not just "cyber devices"
Important Note: Even if your device doesn't meet the Section 524B definition of a "cyber device," FDA still expects you to follow the cybersecurity guidance if your device contains any software or programmable logic.
2.4.2 The Enforcement Reality
While FDA guidance documents state they contain "nonbinding recommendations," the practical reality is different:
- Review Expectations: FDA reviewers expect to see cybersecurity documentation
- Deficiency Letters: Missing cybersecurity information triggers requests
- Clearance Delays: Inadequate cybersecurity can delay or prevent clearance
- Post-Market Actions: Poor cybersecurity can lead to recalls or warnings
Think of FDA guidance like building codes: while some aspects might technically be recommendations, inspectors expect to see them implemented.