Medical Device Cybersecurity: A State of the Union for the First Half of 2026

Topics: Regulatory, FDA Compliance, Risk Management, Thought leadership
Medcrypt

May 28, 2026


From QMSR to the EU CRA: How the Regulatory and Threat Landscape Shifted in Six Months

Executive Summary

The first six months of 2026 rebuilt the framework medical device manufacturers spent the last three years learning. QSIT gave way to QMSR. The FCC's IoT labeling program lost its anchor tenant. The EU Cyber Resilience Act moved from theory into compliance calendars. FDA issued its first publicly visible warning letter explicitly citing a cybersecurity vulnerability handling failure. FDA leadership turned over mid-stream. And AI inserted itself into both the products being regulated and the regulators reviewing them, while simultaneously lowering the barrier for attackers to find and exploit vulnerabilities.

This post breaks down what happened across three lenses (regulatory, financial, technical), then looks ahead to what the second half of 2026 will demand.

Regulatory: The Year QSIT Died and Everything Got Renumbered

QMSR took effect on February 2, 2026

The single largest regulatory event was the Quality Management System Regulation (QMSR) effective date. FDA published a substantially rewritten Compliance Program Manual (CP 7382.850) to replace QSIT, with direct cybersecurity implications:

  • Cyber devices are explicitly called out for review against Section 524B(b)(2) of the FD&C Act in both domestic and foreign inspections.
  • SBOMs, SPDF artifacts, and vulnerability handling are now standard inspection elements.
  • Data from the first 100 QMSR inspections put risk management as the number-one citation area.

Documentation that was "good enough" under the old framework may not survive a read through the ISO 13485 and ISO 14971 lens. FDA's premarket cybersecurity guidance was also updated to align references, though substantive policy appears largely unchanged.

Two other developments worth flagging

The FCC's IoT labeling program lost UL after the new administration opened an investigation into UL's China operations, leaving the Cyber Trust Mark program's future unclear.

The EU Cyber Resilience Act (CRA) compliance clock is also ticking loudly. MDR/IVDR-regulated devices are excluded, but the ecosystem around them generally is not. Companion apps, cloud dashboards, OTA servers, and most peripherals are in scope, and mandatory vulnerability reporting begins September 11, 2026.

State and federal action filled in the gaps

  • Texas issued guidance expecting hospitals to assess medical device cybersecurity against FDA guidance, a state-level expectation cascading down to HDOs.
  • The bipartisan Health Care Cybersecurity and Resilience Act cleared Senate HELP.
  • The updated HIPAA Security Rule remains expected, though its initial May 2026 target date has come and gone with no clear signal on revised timing.
  • NIST is openly rethinking the NVD's role. If your vulnerability triage depends on NVD enrichment, that pipeline is changing under you.

Financial: Workload, Workforce, and a Warning Letter That Bites

Workforce strain is the financial subtext of 2026

Reports described "cracks showing" at CDRH. Industry pressed for FDA staffing transparency in MDUFA discussions, and Commissioner Marty Makary resigned in May. None of this helps predictable review timelines.

On the EU side, an EU-commissioned study found more than half of EU medical device companies have reduced product portfolios to cope with MDR/IVDR complexity and 17% have stopped producing devices entirely — the macroeconomic backdrop against which every additional EU obligation, CRA included, now lands.

The Beta Bionics warning letter changed the cost-of-non-compliance math

The Beta Bionics warning letter, published January 28, is, as far as we can tell, the first publicly visible FDA warning letter to explicitly cite a cybersecurity-related failure. The specifics:

  • Beta Bionics fixed a Limited Access vulnerability in the iLet ACE Pump via software version 1.4.3.
  • The company failed to submit a Report of Correction or Removal within the 10-working-day window required under 21 CFR 806.10(b).

The legal substrate matters. Failure to comply with cybersecurity requirements under Section 524B is a prohibited act under 21 U.S.C. §331(q)(3), enforceable through injunction, seizure, and criminal prosecution. The cost-of-compliance versus cost-of-non-compliance math just got more concrete.

Separately, FDA started asking for VEX and VDR files alongside CycloneDX SBOMs post-shutdown, pushing manufacturers toward continuously maintained vulnerability statements rather than point-in-time submissions.
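As an added example (not Medcrypt's code and not an FDA tool), the script below shows the kind of pre-submission consistency check that "continuously maintained vulnerability statements" implies: it loads a CycloneDX SBOM and a CycloneDX VEX document and flags statements that reference components absent from the SBOM, "not_affected" claims that carry no justification, and "in_triage" entries whose last update is older than a freshness window. The SBOM, the VEX and the CVE identifiers are constructed placeholders; the 30-day staleness window and the device name are assumptions for illustration, not FDA figures.

```python
"""Consistency check between a CycloneDX SBOM and its accompanying VEX.

Added example, not from the original post. The SBOM, VEX and CVE ids are
constructed sample data; CVE-0000-000x are placeholders, not real CVEs.
"""
from datetime import datetime, timedelta, timezone

# Analysis states defined by the CycloneDX vulnerability schema.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}

# Constructed SBOM (CycloneDX 1.5 JSON, trimmed to what the check needs).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-05-01T00:00:00Z",
        "component": {"type": "device", "name": "ExamplePump",  # assumed name
                      "version": "1.0.0", "bom-ref": "device:examplepump"},
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "bom-ref": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "bom-ref": "pkg:generic/zlib@1.2.11"},
    ],
}

# Constructed VEX: a CycloneDX document carrying only vulnerability statements.
VEX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",  # placeholder id
         "affects": [{"ref": "pkg:generic/openssl@3.0.13"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "Affected API is not linked into the firmware."},
         "updated": "2026-04-20T00:00:00Z"},
        {"id": "CVE-0000-0002",  # placeholder id; triage left to go stale
         "affects": [{"ref": "pkg:generic/zlib@1.2.11"}],
         "analysis": {"state": "in_triage"},
         "updated": "2026-01-05T00:00:00Z"},
        {"id": "CVE-0000-0003",  # placeholder id; refers to a component not in SBOM
         "affects": [{"ref": "pkg:generic/libxml2@2.9.10"}],
         "analysis": {"state": "resolved"},
         "updated": "2026-05-01T00:00:00Z"},
    ],
}

# Assumed "now" so the example is deterministic.
NOW = datetime(2026, 5, 15, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a CycloneDX RFC 3339 timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_vex(sbom, vex, now, max_triage_days=30):
    """Return (finding_code, vulnerability_id) pairs for VEX statements
    that a reviewer would question. An empty list means the VEX is
    internally consistent with the SBOM under these checks."""
    refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        refs.add(root)

    findings = []
    for vuln in vex.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")

        # Every statement needs a recognised analysis state.
        if state not in ANALYSIS_STATES:
            findings.append(("missing_or_invalid_state", vid))
        # A not_affected claim without a justification cannot be audited.
        elif state == "not_affected" and not analysis.get("justification"):
            findings.append(("unjustified_not_affected", vid))

        # Every affected ref must resolve to something actually in the SBOM.
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                findings.append(("unknown_ref", vid))

        # Continuous maintenance: open triage must not sit untouched.
        updated = vuln.get("updated")
        if updated is None:
            findings.append(("no_updated_timestamp", vid))
        elif state == "in_triage":
            if now - parse_ts(updated) > timedelta(days=max_triage_days):
                findings.append(("stale_triage", vid))
    return findings


def run_checks():
    """Run the check over the constructed sample documents."""
    return check_vex(SBOM, VEX, NOW)


if __name__ == "__main__":
    for code, vid in run_checks():
        print(f"{code}: {vid}")
```

Run as written, the script reports a stale triage entry for CVE-0000-0002 and an unknown component reference for CVE-0000-0003; the openssl statement passes because it carries both a state and a justification. The same structure extends naturally to a VDR: the VDR supplies the list of known vulnerabilities per component, and the check confirms each one has a current VEX disposition.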

Technical: SBOMs Grow Up, AI Gets a Warning Letter, and PQC Gets a Date

Three trends defined the technical half.

Trend 1: SBOM tooling and vulnerability transparency continued to mature

MITRE published new resources on SBOM normalization and cybersecurity risk analysis for medical devices in the era of cloud, AI/ML, and PQC. The G7 Cybersecurity Working Group released a positioning paper on AI-BOM. CISA published guidance on OpenEoX for communicating software lifecycle stage, dovetailing with BOD 26-02 on end-of-support edge devices. Germany's BSI published TR-03185-2 on open-source software lifecycle management. The connecting thread: transparency about what is in a device, what state it is in, and wha

Trend 2: AI/ML moved from edge case to central regulatory concern

FDA recognized AAMI CR515 on cybersecurity for AI/ML-enabled medical devices. In a notable first, FDA issued a warning letter to Purolea Cosmetics Lab explicitly citing the use of AI to generate "product specifications, procedures, and master production or control records" without process validation. 

The reverse case matters too: if AI tooling becomes standard for Notified Body review, expect 100% inspection of submitted documentation — every fault caught, not just sampled ones.

Trend 3: Post-quantum cryptography got a concrete migration timeline

The UK NCSC published timelines requiring PQC migration for all systems, services, and products by 2035, with priority migration by 2031 and migration goals set by 2028. That is the first hard date many manufacturers will have seen on PQC.

Looking Ahead: What the Next Six Months Will Demand

If the first half of 2026 was about transitions taking effect, the second half is about their consequences converging.

AI tooling adoption will accelerate on both sides of the regulatory table

Regulators and Notified Bodies will increasingly run AI-assisted reviews of technical documentation, and small inconsistencies previously missed will be flagged systematically. Invest in AI tooling of your own to pre-flight submissions, and treat consistency and traceability across the dossier as a first-class engineering concern. The Purolea warning letter is the preview.

Data integrity will become the cybersecurity-adjacent problem regulators care most about

The targeted HIPAA Security Rule update and the steady drumbeat of state privacy laws (Alabama, Oklahoma, and Kentucky all moved in early 2026) point the same direction. Cybersecurity controls need to extend beyond confidentiality and availability into demonstrable integrity. That means logging, signing, attestation, and auditability of both product data and submission data.

Regulatory trends will pivot toward postmarket and toward harmonization

Several forces are converging on the postmarket side:

Buyer-side pressure is already showing up in the numbers. RunSafe's 2026 Medical Device Cybersecurity Index found that 84% of healthcare organizations now build cybersecurity requirements into procurement and 56% have rejected devices on security grounds, up from 46% a year ago. For manufacturers, that means the evidence package that satisfies FDA increasingly has to do double duty as a sales asset.

Frontier AI will lower the hurdle for vulnerability discovery, and patch cadence will have to follow

Capable general-purpose reasoning models (Anthropic's Mythos being the most-discussed recent example, with OpenAI and others moving the same direction) can now pinpoint and build working exploits for software vulnerabilities as a side effect of broader reasoning gains, not as a dedicated capability.

The practical implication, laid out by Oleg Yusim, is that LLM-based systems make vulnerability discovery easier and accessible to everybody, leading to rapid development of new zero-day exploits. Anthropic's own Project Glasswing update has since echoed the same warning.

The defensive math does not survive this unchanged:

  • Current baseline: A 30- to 60-day patch cycle for highs and criticals, the current FDA-enforced standard, assumes attackers move on human timescales.
  • Realistic target: Once attackers operate on machine-enabled timescales, the realistic target moves toward 24-hour, fully tested, securely delivered patches.

For medical device manufacturers, that is not a tooling change. It is a re-architecting of the entire release pipeline, with testing, validation, regulatory documentation, and secure over-the-air delivery all on the critical path. Treat that work as a 2026–2027 program, not a 2028 one.

Four things to put on the roadmap

If they are not already there:

  1. A CRA gap assessment for any non-medical-device product in the EU portfolio, with September 11 as the binding constraint.
  2. PQC migration planning that takes the NCSC timeline seriously. 2028 is only two budget cycles away.
  3. An AI use inventory and validation plan covering both AI in your products and AI in your development and quality processes.
  4. An honest assessment of your patch pipeline against a 24-hour delivery target. What would have to change in testing, validation, release engineering, and OTA delivery to actually hit it, and how much of that work can start now rather than after the threat lands.

Closing Thought

A recurring observation this half: "you're always responsible for the code, whether your cat wrote it, your LLM wrote it, or your team wrote it." That principle applies cleanly to the broader cybersecurity posture of a medical device organization in 2026.

The regulatory machinery is being rebuilt. The standards landscape is being consolidated. The enforcement tools are being tested in public. The technical demands are expanding into AI provenance and post-quantum readiness simultaneously. None of that changes the underlying obligation. All of it changes what discharging that obligation looks like in practice.

The work is the same. The scrutiny is not.
