Latest Developments in Medical Device Cybersecurity
Course
Dr. Suzanne Schwartz shares insights on navigating pre-market cybersecurity requirements, understanding modification thresholds and demonstrating vulnerability disclosure capabilities.
The FDA's Section 520(4)(b) statute fundamentally transforms medical device cybersecurity from voluntary guidance to mandatory compliance for new pre-market submissions. "Reasonable assurance of cybersecurity" is now directly linked to safety and effectiveness determinations - giving FDA authority to deny market authorization for devices with inadequate security. This disrupts the legacy device cycle by requiring manufacturers to demonstrate vulnerability management capabilities, coordinated disclosure procedures and software bills of materials before authorization. Devices with the ability to connect to the internet - even if unused - qualify as cyber devices under these requirements.
In this session, Dr. Suzanne Schwartz, director, Office of Strategic Partnerships and Technology Innovation, Center for Devices and Radiological Health, FDA, will share insights on:
- Navigating pre-market cybersecurity documentation requirements under the 520(4)(b) statute;
- Understanding modification thresholds triggering expanded versus abbreviated submissions;
- Implementing coordinated vulnerability disclosure and demonstrating safe patching capabilities for authorization.
Here is the course outline:
- Latest Developments in Medical Device Cybersecurity
Completion
The following certificates are awarded when the course is completed:
- CPE Credit Certificate