As connected medical devices become more prevalent, cybersecurity regulations are evolving rapidly across global markets. Manufacturers must now navigate complex requirements from both the United States Food and Drug Administration (FDA) and the European Union (EU) to ensure compliance and protect patient safety. Fortunately, recent updates show promising signs of alignment between these regulatory bodies, making it easier for companies to adopt unified cybersecurity strategies.

Understanding the Regulatory Landscape

The FDA has introduced new cybersecurity requirements under Section 524B of the Omnibus Law, mandating Software Bills of Materials (SBOMs), coordinated vulnerability disclosure, and secure product development practices. Meanwhile, the EU is updating its Medical Device Regulation (MDR) and introducing the Cyber Resilience Act, which, although not directly applicable to medical devices, sets the tone for broader cybersecurity expectations.

Key Areas of Alignment

Both the FDA and EU regulators emphasize the importance of early threat modeling, SBOM transparency, and postmarket vulnerability management. They also encourage manufacturers to adopt global cybersecurity standards such as ISO/IEC 27001 and IEC 62443 to ensure consistent security practices across markets.

Benefits of Regulatory Harmonization

As the FDA and EU move toward harmonized cybersecurity expectations, manufacturers can benefit from streamlined product development, reduced compliance costs, and faster market access. Unified standards also help improve device security and patient trust across international markets.

How to Stay Ahead of Regulatory Changes

To stay ahead, manufacturers should monitor regulatory updates, engage in early cybersecurity planning, and collaborate with experts who understand both FDA and EU requirements. Proactive planning and secure design practices are essential for meeting current and future cybersecurity expectations.

Partner with Regulatory Compliance Associates®

Navigating the evolving cybersecurity landscape requires deep regulatory expertise and strategic planning. Regulatory Compliance Associates® (RCA) specializes in helping medical device companies align with global cybersecurity regulations, from SBOM development and threat modeling to FDA submissions and EU MDR compliance.

Contact RCA today to schedule a consultation and ensure your connected medical device is secure, compliant, and ready for global market access.

In today’s connected healthcare landscape, cybersecurity is not just a technical requirement; it is a strategic investment. For medical device manufacturers, early planning can significantly reduce cybersecurity costs while improving compliance, product safety, and time to market. In this blog, we explore how proactive cybersecurity planning can help companies avoid costly mistakes and meet evolving regulatory expectations in both the U.S. and EU.

1. Start Cybersecurity at the Concept Phase

Waiting until the end of development to address cybersecurity can lead to expensive redesigns and regulatory delays. By integrating cybersecurity from the concept phase, manufacturers can identify risks early and design secure systems from the ground up.

2. Build Threat Modeling into Your Design Process

Threat modeling helps identify potential vulnerabilities before they become embedded in the product. This proactive approach reduces the need for costly post-development fixes and supports FDA and EU compliance.

3. Develop a Comprehensive SBOM Early

A complete Software Bill of Materials (SBOM) is now a regulatory requirement. Creating it early ensures transparency, streamlines vulnerability management, and avoids last-minute compliance issues.

4. Align with Global Cybersecurity Standards

Following international standards like ISO/IEC 81001-5-1 and FDA premarket guidance from the start helps reduce rework and ensures smoother regulatory submissions across markets.

5. Collaborate with Cybersecurity Experts

Partnering with experienced cybersecurity consultants can help identify risks, implement best practices, and avoid costly missteps. Expert guidance ensures your team stays ahead of evolving regulations and industry expectations.

Partner with Regulatory Compliance Associates®

Early cybersecurity planning is not just cost-effective; it is essential for regulatory success and patient safety. By embedding cybersecurity into every stage of product development, medical device manufacturers can reduce costs, accelerate time to market, and build more secure, compliant products.

Regulatory Compliance Associates® (RCA) helps medical device companies reduce cybersecurity costs through early planning, threat modeling, SBOM development, and global regulatory strategy. Contact RCA today to learn how our experts can support your secure product development journey.

As the healthcare industry continues to embrace digital transformation, connected medical devices are becoming more common—and more vulnerable. From insulin pumps and pacemakers to remote monitoring systems and diagnostic tools, these devices are increasingly exposed to cyber threats that can compromise patient safety, data integrity, and regulatory compliance.

In this blog, we explore the top cybersecurity risks facing connected medical devices and share expert insights on how manufacturers can stay ahead of evolving threats and meet global regulatory expectations.


Late Integration of Cybersecurity in Product Development

One of the most frequent mistakes medical device manufacturers make is waiting too long to address cybersecurity. Cybersecurity should be embedded early in the medical device development lifecycle, not added as an afterthought. Delayed integration can lead to vulnerabilities that are costly to fix and may result in regulatory delays or denials.

Tip: Begin threat modeling immediately after defining device features to ensure secure design specifications and reduce remediation costs.

Incomplete Software Bill of Materials (SBOM)

A comprehensive Software Bill of Materials (SBOM) is now a regulatory requirement in both the U.S. and EU. Many companies still submit SBOMs that lack depth, omitting nested components or failing to meet machine-readable format standards. This can lead to compliance issues and increased risk exposure.

Tip: Include all software layers—components of components—and ensure your SBOM is both human- and machine-readable.
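The two gaps named above, missing nested components and a format that is not machine-readable, can be checked mechanically. The script below is an added example, not RCA's tooling: it assumes a CycloneDX-style JSON SBOM (the page names no format) and uses two constructed sample SBOMs, one that lists components of components and one that stops at the top-level firmware image.

```python
import json

# Constructed sample SBOMs (CycloneDX-style JSON is an assumption for this
# example). NESTED_SBOM lists components of components; FLAT_SBOM lists only
# the top-level firmware image, the incomplete shape the tip warns about.
NESTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{
        "type": "firmware", "name": "pump-controller-fw", "version": "3.2.0",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "2.1.4",
             "components": [{"type": "library", "name": "asn1-parser"}]},
            {"type": "library", "name": "ble-stack", "version": "5.0.0"},
        ]}]})
FLAT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "firmware", "name": "pump-controller-fw", "version": "3.2.0"}]})


def parse_sbom(text):
    """Machine-readability check: the SBOM must parse as JSON and declare its format."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SBOM is not machine-readable JSON: {exc}") from exc
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("SBOM does not declare bomFormat 'CycloneDX'")
    return doc


def walk(components, depth=0):
    """Yield (depth, component) for every entry, recursing into nested
    'components' lists so that components of components are counted."""
    for comp in components:
        yield depth, comp
        yield from walk(comp.get("components", []), depth + 1)


def sbom_report(text):
    """Summarise nesting depth and completeness; 'findings' is empty when nothing is flagged."""
    entries = list(walk(parse_sbom(text).get("components", [])))
    max_depth = max((d for d, _ in entries), default=0)
    findings = []
    if max_depth == 0:
        findings.append("only top-level components listed; no nested components")
    for depth, comp in entries:
        if not comp.get("version"):  # unversioned entries cannot be matched to advisories
            findings.append(f"{comp.get('name')} (depth {depth}) has no version")
    return {"components": len(entries), "max_depth": max_depth, "findings": findings}
```

`sbom_report(NESTED_SBOM)` counts four components at a maximum depth of two and flags the unversioned `asn1-parser`, while `sbom_report(FLAT_SBOM)` flags the absence of any nested components.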

Legacy Devices with Outdated Security

Legacy medical devices often lack modern cybersecurity features such as patching capabilities, logging, and threat detection. These devices pose a significant risk, especially when integrated into hospital networks.

Tip: Conduct a full cybersecurity assessment of legacy devices and plan for updates or redesigns that meet current FDA cybersecurity guidance and EU MDR requirements.

Lack of Threat Modeling and Vulnerability Management

Without proper threat modeling, manufacturers may overlook critical vulnerabilities. Additionally, failing to maintain a coordinated vulnerability disclosure program can result in non-compliance and reputational damage.

Tip: Implement a secure product development framework that includes threat modeling, penetration testing, and vulnerability traceability.

Overexposed Physical and Network Interfaces

Interfaces such as USB, Bluetooth, and Wi-Fi can be exploited if not properly secured. Devices with exposed service ports or debug features are particularly vulnerable to unauthorized access.

Tip: Use physical controls (e.g., security screws, access doors) to limit exposure. Disable unnecessary ports and implement strong authentication protocols.

Misalignment with Global Regulatory Requirements

With evolving guidance from the FDA, EU MDR, UK MHRA, and the Cyber Resilience Act, companies must ensure their cybersecurity practices align across markets. Misalignment can lead to costly redesigns and delayed market access.

Tip: Stay informed on global cybersecurity regulations and work with experts who understand regional differences and harmonization efforts.

Final Thoughts

Cybersecurity in connected medical devices is no longer optional—it’s a regulatory and ethical imperative. By addressing these risks early and thoroughly, manufacturers can protect patients, ensure compliance, and maintain trust in their products.

Ready to Strengthen Your Cybersecurity Strategy?

Regulatory Compliance Associates® (RCA) specializes in helping medical device companies navigate the complex world of cybersecurity compliance, from SBOM development and threat modeling to FDA submissions and global market access. Contact RCA today to schedule a consultation with our cybersecurity experts and ensure your device is secure, compliant, and ready for market.

Regulatory Compliance Associates® (RCA) Executive Pharma Compliance Expert & Principal Consultant, Anita Michael, recently shared important FDA updates impacting pharmaceutical manufacturers. With over 25 years of global regulatory and quality experience—including 16 years as the FDA’s Global Pharmaceutical Expert—Anita emphasizes the need for heightened inspection readiness.

Key FDA Updates

  • Unannounced Inspections Abroad: The FDA will now conduct unannounced inspections at foreign manufacturing facilities, similar to those already performed in the U.S. This expansion ensures drug substances, finished products, and critical excipients entering the U.S. meet safety and quality standards.
  • Rigorous Reviews: Expect science-based audits across manufacturing operations and quality systems. Companies should ensure their six quality systems (Quality, Production, Laboratory, Facilities & Equipment, Materials, and Packaging/Labeling) are fully inspection-ready.
  • Pre-Approval Program Updates: The FDA has refined its pre-approval inspection focus to include:
    • Readiness for commercial manufacturing (QMS and six systems)
    • Conformance to application and data integrity requirements
    • Commitment to quality and pharmaceutical development
    • Audit preparedness and documentation management

Preparing for Compliance

To stay ahead, companies should:

  • Conduct robust internal and external audits
  • Maintain a centralized FDA document repository
  • Ensure subject matter experts are prepared to address complex regulatory questions

Why It Matters

These changes highlight the FDA’s commitment to protecting U.S. patients by ensuring consistent global manufacturing standards. Proactive preparation will be critical for pharmaceutical companies with international facilities or partnerships.

Need support preparing for FDA inspections or audits? Contact RCA today to speak with our compliance experts and ensure your organization is inspection-ready.

Combination product submissions require a tailored regulatory strategy that blends device, drug, and biologic requirements. The complexity increases when multiple FDA centers could be involved.

The journey begins with identifying the product’s primary mode of action (PMOA). This determines which FDA center will lead the review:

  • CDER: Center for Drug Evaluation and Research
  • CBER: Center for Biologics Evaluation and Research
  • CDRH: Center for Devices and Radiological Health

If the PMOA is unclear, companies can submit a Request for Designation (RFD) to the Office of Combination Products.

Once the lead center is determined, companies must ensure their submission addresses the regulatory requirements of both drug/biologic and device frameworks. This includes integrating device GMPs (21 CFR Part 820) with existing pharma QMS (21 CFR Part 210/211).

Key requirements typically include:

  • Quality system alignment with 21 CFR Part 4
  • Documentation of design controls, CAPA, and purchasing controls
  • Evidence of human factors testing for design validation
  • Management responsibility and risk management processes

Recent FDA draft guidance (e.g., on essential performance outputs) further clarifies what must be demonstrated in combination product submissions. The focus is shifting toward system-level outputs that directly impact drug delivery and therapeutic performance.

For companies planning international expansion, the regulatory roadmap extends beyond the U.S. CE marking under the EU MDR often requires a Notified Body Opinion confirming that the device component is adequately controlled.

Success starts with early planning and cross-functional alignment. Regulatory, quality, and product development teams must work together to:

  • Identify regulatory gaps
  • Align SOPs and systems
  • Develop submission-ready documentation
  • Engage proactively with regulatory bodies

Navigating the regulatory maze of combination product submissions is complex but manageable—with the right roadmap, tools, and expertise in place.

Work with RCA to Streamline Your Submission Process

Regulatory Compliance Associates helps companies navigate the complexities of combination product submissions in both U.S. and global markets. From regulatory strategy to documentation support, RCA is your trusted partner. Reach out today to get started.

Many companies don’t realize they have a combination product until it’s too late. With increased regulatory scrutiny from the FDA, properly identifying your product type is not just important—it’s essential for compliance, market access, and patient safety.

A combination product, as defined by the FDA, is a therapeutic and diagnostic product that combines drugs, devices, and/or biological products. These products can take multiple forms, including:

  • Prefilled syringes (drug + delivery device)
  • Drug-eluting stents (device coated with a drug)
  • Convenience kits (e.g., vials packaged with filters and needles)
  • Cross-labeled products (e.g., drug and device sold separately but intended for combined use)

Some of these combinations are obvious, but many are not. A product that seems like simple packaging may actually trigger combination product regulations under FDA’s 21 CFR Part 4, effective since 2013. The FDA began strict enforcement in 2014, prompting many companies to reevaluate their portfolios.

One of the biggest risks is operating under outdated assumptions. If your company has historically marketed a device or drug in conjunction with another regulated product, you may already be in combination product territory without knowing it.

If there’s uncertainty, the FDA allows companies to submit a Request for Designation (RFD). This formal process helps determine which regulatory center (CDER, CBER, or CDRH) will have primary jurisdiction over your product based on its primary mode of action (PMOA).

Identifying whether your product qualifies as a combination product is a foundational step. Doing so early allows for proper planning of your development pathway, avoids regulatory surprises, and helps build a robust compliance strategy.

Partner with Regulatory Experts

Regulatory Compliance Associates (RCA) has extensive experience helping companies identify and navigate combination product requirements. Contact RCA today to ensure you’re on the right path from the start.