QMSR / ISO 13485 vs FDA Cybersecurity
What's actually different between the QMS regulations medical device manufacturers must follow — clause-by-clause comparison from the Kelsey Quality crosswalk library.
kelseyqms.com/crosswalk/compare/qmsr-vs-cybersecurity
- 49 QMSR requirements
- 0 shared in both
- 49 new in QMSR
- 10 retired from FDA Cyber
SIDE-BY-SIDE COMPARISON
What's actually different

| Dimension | QMSR / ISO 13485 | FDA Cybersecurity |
| --- | --- | --- |
| OVERVIEW | | |
| Status | Current (effective Feb 2, 2026) | Current — guidance document, not regulation |
| Effective period | Feb 2026 – present | Sep 2023 – present (updated Feb 2026) |
| Total requirements | 49 | 23 |
| SCOPE | | |
| Risk integration | Required (links to ISO 14971 throughout design) | Cybersecurity risk assessment integrated with ISO 14971 risk file |
| Plan maintenance | Required throughout development | Total product lifecycle security — maintained through end-of-life |
| Document approval | Explicit approval signatures required | Premarket submission package reviewed and approved before filing |
| OPERATIONAL | | |
| Most common gap | Risk management file weak or unlinked to design | SBOM incomplete or not monitored against CVE databases post-release |
| Audit focus | Risk file integrity and design-control linkage | Threat model, SBOM completeness, patch management plan, CVD policy |
COVERAGE BREAKDOWN
What's shared, what's distinct
0 SHARED IN BOTH
- No items.

49 ONLY IN QMSR
- Risk Control Option Analysis
- Design and Development Planning
- Design and Development Inputs
- Design and Development Review
- Risk Management
- Management Review
- (43 more not listed)

10 ONLY IN FDA CYBER
- Authentication Controls for Medical Devices
- Authorization Controls and Least Privilege
- Cryptography Selection and Implementation
- Code, Data, and Execution Integrity
- Confidentiality of Device Data and Credentials
- Security Event Detection and Logging
- (4 more not listed)