United States medical device QA/RA blog

News and commentary on regulatory changes.

FDA Adds UL 2900 for Medical Device Cybersecurity to List of Recognized Standards


  • The US FDA has now officially recognized the UL 2900 cybersecurity standard for medical devices.
  • UL 2900-1 covers general cybersecurity requirements for network-connectable devices.
  • FDA medical device applicants may now declare conformity to UL 2900-1 in order to address cybersecurity requirements as part of their US market registration.

US FDA recognizes UL 2900 standard for medical device cybersecurity 2017US medical device regulators have officially included a new cybersecurity standard from UL to their list of recognized standards for use in premarket reviews.

The UL standard, now published in the US Federal Register, is UL 2900-1 Ed. 1 2017, Standard for Software Cybersecurity Network-Connectable Products, Part I: General Requirements. The standard covers evaluations and tests of network-connectable devices in terms of vulnerabilities, malware and software weaknesses.

As Emergo previously reported, UL 2900-1 was developed to enable US medical device market registrants to demonstrate that their products meet pre- and post-market cybersecurity requirements found in FDA guidance. Now, FDA registrants may declare conformity to UL 2900-1 in order to address cybersecurity issues related to US market access.

Related FDA and cybersecurity information from Emergo

  • US FDA 510(k) consulting support for medical device companies
  • Medical device design, process and software validation support
  • Regulatory consulting support for mobile medical and telehealth apps
  • Webinar: Mapping cybersecurity standards to FDA guidance

Read by 50,000+ device professionals worldwide.

Stay updated on changes to global medical device regulations.RADAR