While final guidance gives the US Food and Drug Administration (FDA) the authority to deny a new product application the product’s cybersecurity measures don’t pass muster, regulators say they will wait until October before they will exert that authority.
On 29 March, FDA published a much-anticipated cybersecurity final guidance that allows it to issue refuse to accept (RTA) decisions to medical device sponsors if the agency is concerned their product doesn’t meet its cybersecurity requirements. It also published an FAQ for sponsors to get more information on when the agency plans to issue RTAs. The guidance was mandated by the 2023 Consolidated Appropriations Act, also known as the Omnibus budget bill, passed by Congress last year.
While the guidance is in effect immediately, it does not affect products already on the market…