QMSR / ISO 13485 vs FDA Cybersecurity
What's actually different between the QMS regulations medical device manufacturers must follow — clause-by-clause comparison from the Kelsey Quality crosswalk library.
kelseyqms.com/crosswalk/compare/qmsr-vs-cybersecurity
39 QMSR REQUIREMENTS
0 SHARED IN BOTH
39 NEW IN QMSR
0 RETIRED FROM FDA CYBER
SIDE-BY-SIDE COMPARISON
What's actually different
| DIMENSION | QMSR / ISO 13485 | FDA CYBERSECURITY |
| --- | --- | --- |
| OVERVIEW | | |
| Status | Current (effective Feb 2, 2026) | Current — guidance document, not regulation |
| Effective period | Feb 2026 – present | Sep 2023 – present (updated Feb 2026) |
| Total requirements | 39 | 13 |
| SCOPE | | |
| Risk integration | Required (links to ISO 14971 throughout design) | Cybersecurity risk assessment integrated with ISO 14971 risk file |
| Plan maintenance | Required throughout development | Total product lifecycle security — maintained through end-of-life |
| Document approval | Explicit approval signatures required | Premarket submission package reviewed and approved before filing |
| OPERATIONAL | | |
| Most common gap | Risk management file weak or unlinked to design | SBOM incomplete or not monitored against CVE databases post-release |
| Audit focus | Risk file integrity and design-control linkage | Threat model, SBOM completeness, patch management plan, CVD policy |
COVERAGE BREAKDOWN
What's shared, what's distinct
0 SHARED IN BOTH
- No items.
39 ONLY IN QMSR
- Risk Control Option Analysis
- Design and Development Planning
- Design and Development Inputs
- Design and Development Review
- Risk Management
- Management Review
- + 33 more
0 ONLY IN FDA CYBER
- No items.