IEC 62304 vs FDA Cybersecurity
What's actually different between the QMS regulations medical device manufacturers must follow — clause-by-clause comparison from the Kelsey Quality crosswalk library.
kelseyqms.com/crosswalk/compare/iec-62304-vs-cybersecurity
Summary counts from the crosswalk:

- 11 IEC 62304 requirements
- 0 shared in both
- 11 new in IEC 62304
- 5 retired from FDA Cyber
SIDE-BY-SIDE COMPARISON
What's actually different
OVERVIEW

| Dimension | IEC 62304 | FDA Cybersecurity |
| --- | --- | --- |
| Status | Current — recognized consensus standard | Current — guidance document, not regulation |
| Effective period | 2006 – present (Amd 1:2015) | Sep 2023 – present |
| Total requirements | 11 | 13 |

SCOPE

| Dimension | IEC 62304 | FDA Cybersecurity |
| --- | --- | --- |
| Risk integration | Software-specific risk via ISO 14971; safety class drives requirement depth | Exploitability-based risk; cybersecurity threats traceable to the ISO 14971 risk file |
| Plan maintenance | Software development plan updated throughout the lifecycle | Patch management plan with severity-based SLAs required |
| Document approval | Verification records required per phase and safety class | Threat model, SBOM, and vulnerability assessment required at submission |

OPERATIONAL

| Dimension | IEC 62304 | FDA Cybersecurity |
| --- | --- | --- |
| Most common gap | Internal software controls used to lower the safety classification | Incomplete threat models lacking system context; static SBOMs missing transitive dependencies |
| Audit focus | Classification rationale, SOUP list currency, plan update records | Threat model interface coverage, SBOM currency, vulnerability assessment at submission date |
COVERAGE BREAKDOWN
What's shared, what's distinct
0 SHARED IN BOTH

- No items.

11 ONLY IN IEC 62304

- Software Safety Classification
- Software Development Planning
- Software Requirements Analysis
- Software Architectural Design
- Software Unit Implementation
- Software System Testing
- + 5 more

5 ONLY IN FDA CYBER

- Threat Model Documentation
- Cybersecurity Risk Assessment
- Coordinated Vulnerability Disclosure
- End-of-Life Cybersecurity Plan
- Penetration Testing Evidence