Rule Clears Final Review, June 2 Publication Set
The U.S. Food and Drug Administration will publish a final rule requiring standalone cybersecurity certification for networked medical devices on June 2, 2026, after the White House Office of Management and Budget completed its regulatory review on May 15, according to two FDA officials familiar with the rule. The rule, titled "Cybersecurity of Medical Devices: Quality System Considerations and Content of Premarket Submissions," will mandate that manufacturers submit a Software Bill of Materials, a third-party vulnerability audit, and signed attestations before receiving 510(k) clearance or premarket approval for any device that connects to a network, the officials said.
The FDA officials said the Office of Management and Budget review concluded at 4:47 p.m. on May 15, when the FDA received a notice allowing the agency to schedule the Federal Register filing. The rule will appear as an economically significant regulation, the officials said, because the agency estimates industry-wide first-year implementation costs at roughly $310 million. A Justice Department official with knowledge of the filing said the agency expects at least two trade associations to file a lawsuit challenging the rule within days of publication, arguing that the FDA exceeded its statutory authority under the Federal Food, Drug, and Cosmetic Act.
CMS Coverage Ban to Follow Within Days
A senior CMS official with knowledge of the parallel action said the agency plans to issue a proposed national coverage determination by June 9 that would bar Medicare reimbursement for noncompliant devices. The official said CMS expects to publish the determination in the Federal Register on the same day and to accept public comments for 30 days. The move would tie payment to the FDA standard, a linkage device makers have warned would force rapid redesigns of infusion pumps, patient monitors, and imaging systems.
A hospital administrator briefed on the rule said the CMS coverage determination would create immediate procurement pressure even before the FDA rule takes effect. The administrator, who oversees supply chain decisions at a 412-bed hospital in the Midwest, said large health systems are already asking vendors to certify future devices against the draft standard. The administrator added that the hospital's chief information security officer warned board members on May 14 that any device without the forthcoming FDA cybersecurity label could be excluded from Medicare reimbursement by early 2028.
Small Device Makers Face $14 Million Compliance Burden
The FDA and CMS actions mark the culmination of a multi-year push to treat medical device cybersecurity as a patient safety issue rather than an information technology concern, officials and industry representatives said. A lobbyist for device makers present at a May 12 briefing in a Marriott Bethesda ballroom said FDA staff informed attendees that the rule would take effect 18 months after publication, meaning most new submissions would need to comply by December 2027. The lobbyist said the same briefing included a slide deck listing a $14 million estimated annual compliance burden for small manufacturers with fewer than 100 employees.
Under the final rule, manufacturers must document every software component in a device, including third-party libraries, and provide evidence of penetration testing by an accredited auditor, according to the FDA officials and a draft summary circulating among industry groups. Devices that do not connect to networks or that contain only fixed-function software would be exempt, the officials said. The rule also requires firms to maintain a vulnerability disclosure program and to report critical security patches within 30 days of discovery. The FDA officials said the agency modeled portions of the standard on the European Union Cyber Resilience Act, which took full effect in December 2027.
Industry Pushback and Implementation Timeline
The device lobbyist said industry groups intend to argue during the CMS comment period that the coverage ban duplicates FDA enforcement and will disrupt product launches. The lobbyist said representatives of three major trade associations met on May 11 in Washington to coordinate strategy and to draft a comment letter citing the $14 million small-business cost estimate. The lobbyist said the letter will ask CMS to delay the coverage determination by at least 90 days and to exempt Class I devices such as thermometers and bed rails from the network-device definition.
The FDA officials said the agency is preparing a June 3 webinar for manufacturers to explain the submission requirements, with registration opening through the Center for Devices and Radiological Health website. They said the agency also plans to release a template for the Software Bill of Materials and a list of accredited third-party auditors by July 1. The officials said the FDA commissioner's staff will brief House and Senate health committee aides during the week of May 25, though no hearing has been scheduled.
What to watch: The Federal Register filing on June 2 will include the exact compliance date and the scope of exemptions. CMS will follow with its proposed national coverage determination by June 9, triggering a 30-day comment window. Industry lawyers expect litigation to be filed in the U.S. Court of Appeals for the Fifth Circuit or the District of Columbia Circuit by June 5. The hospital administrator said the next 48 to 72 hours will determine whether any manufacturer obtains a last-minute exemption through congressional outreach before the rule is locked at the printer.






