Security Standards That Regulators Expect—and Adversaries Exploit
Cybersecurity is no longer a check-the-box requirement for connected products. Whether you’re building medical devices, industrial control systems, or IoT-enabled platforms, regulators now expect provable security-by-design, continuous risk management, and operational readiness across the full product lifecycle.
At Device Recon Labs, we track the frameworks, laws, and standards that matter most—because attackers already do.
The standards and regulations below define today’s cybersecurity baseline for medical devices, health IT, operational technology (OT), and industrial automation systems. They shape FDA submission outcomes, market access in the EU and UK, and how organizations are expected to prevent, detect, and respond to real-world exploitation. Failure to align doesn’t just increase risk—it can halt approvals, trigger refusals to accept, and expose organizations to postmarket enforcement and liability.
This curated list highlights the most critical cybersecurity guidance, international standards, and regulatory mandates governing modern connected systems—so engineering, security, and compliance teams can design, build, and defend products that stand up to both regulators and attackers.
Below you’ll find the foundations regulators rely on… and attackers look for when they’re assessing your exposure.
Standards for Medical Devices
- FDA guidance ‘Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions’ (June 2025, updated February 2026)
- FDA guidance ‘Postmarket Management of Cybersecurity in Medical Devices’ (Dec. 2016)
- Section 524B of the FD&C Act
  - Plan for Postmarket Security: Develop a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits in a reasonable time.
  - Coordinated Vulnerability Disclosure: Establish procedures for handling vulnerabilities responsibly.
  - Security by Design: Develop processes for designing, maintaining, and updating the device and its related systems, including making updates and patches available.
  - Software Bill of Materials (SBOM): Include a comprehensive list of commercial, open-source, and off-the-shelf software components.
  - Application Scope: These rules apply to applications submitted on or after March 29, 2023, and to significant modifications of previously authorized devices.
  - Refuse to Accept (RTA) Policy: The FDA will refuse to accept submissions that do not meet these cybersecurity requirements.
- IEC 81001-5-1:2021 – Health software and health IT systems safety, effectiveness and security
- IEC/TR 60601-4-5:2021 – Safety-related technical security specifications
- ANSI/AAMI SW96
  - Based on TIR57 and TIR97
- Medical Device and Health IT Joint Security Plan version 2 (JSP2)
Standards for Operational Technology (OT) and Industrial Automation and Control Systems (IACS)
- IEC 62443 Series
- EU Cyber Resilience Act
  - A mandatory regulation designed to improve the security of products with digital elements (both hardware and software) sold in the EU market. It enforces security-by-design, mandatory vulnerability management, and CE marking to ensure products are safe and secure throughout their lifecycle, with main obligations applying from December 2027.
- NIST IR 8259 / NIST IR 8425: Define foundational cybersecurity activities for IoT device manufacturers and establish a baseline for consumer IoT security.
- ETSI EN 303 645: A widely adopted European standard for IoT security, focusing on top-level security requirements such as no default passwords, secure storage, and vulnerability reporting.
- ISO/IEC 15408 (Common Criteria): Used for evaluating the security properties of IT products and systems.
- UK Product Security and Telecommunications Infrastructure Act 2022: Mandates minimum security requirements for connected products in the UK.