Last year, Congress passed a law requiring medical device makers to include cybersecurity information in their FDA premarket submissions. If the agency receives a submission without the required information, it can issue the applicant a “refuse to accept notice.” Although the law officially took effect on March 29, the FDA says it isn’t planning to issue any notices until October 1.
In holding off on “refuse to accept” notices, the agency is recognizing the difficulties device makers face in preparing cybersecurity plans and giving them “sufficient time” to comply, according to a final guidance document the agency released in March.
Under the law—Section 3305 of the Consolidated Appropriations Act, 2023—the FDA is required to report in June on what device companies are doing to beef up cybersecurity and to provide updated compliance guidance to the industry by December 2024.
Look for more coverage of this and other cybersecurity topics in upcoming issues of Lab Compliance Advisor.