REGULATORY

The OR Is Now a Compliance Battlefield

Connected OR devices now face unified cybersecurity and quality obligations under FDA rules effective February 2026

21 May 2026

Updated cybersecurity guidance for medical devices arrived from the US Food and Drug Administration on 4 February 2026, two days after the Quality Management System Regulation came into force. The timing was deliberate. By anchoring security requirements to specific clauses of ISO 13485, including Clause 7.3, which governs software-automated devices, the FDA has made security-by-design a formal quality obligation for surgical robots, AI planning platforms, and networked imaging systems.

Manufacturers must now carry cybersecurity controls through design, supplier qualification, complaint handling, and change management from the outset. FDA inspectors operating under compliance programme CP 7382.850 have explicit authority to examine records that were previously outside their remit. Quality and cybersecurity teams, long accustomed to working in parallel, must now operate from a single integrated framework.

From early 2025 into the first weeks of 2026, the FDA issued a wave of deficiency letters to manufacturers lacking security-by-design protocols. Non-compliance now carries greater legal exposure than at any prior point in US device quality history.

A compliance gap has caught many vendors off guard. ISO 13485 certification, long treated as the international benchmark for device quality, does not guarantee full QMSR compliance. Inspectors examining previously exempt design history files and supplier audit records are finding gaps that certification had obscured.

Every connected operating-room device must be supported by a software bill of materials, an active vulnerability management programme, and documented incident response capability, all embedded within the formal quality system. Smaller vendors face a steeper compliance curve than large ISO-accredited multinationals, a disparity regulators have acknowledged without adjusting enforcement timelines.

Vendors who commit early to unified quality and security frameworks will carry a defensible regulatory position. Compliance laggards are unlikely to close the gap quickly.
