Medical device regulation is an imperative yet cumbersome process that spans throughout a product’s lifecycle, from initial development and premarket approval and ending with post-market surveillance. Since 1978, the FDA has steadily improved U.S.-centered regulations governing medical device manufacturing to ensure companies remain compliant with an array of evolving safety requirements.
On February 2, 2026, the Food and Drug Administration (“FDA”) promulgated a new Quality Management System Regulation (“QMSR”) in 21 C.F.R. Part 820, which reflects a groundbreaking shift in medical device regulation. Abandoning the Quality System Regulation (“QSR”), the QMSR harmonizes domestic standards of medical device quality management with international standards established by the International Organization of Standardization (“ISO”). While the QMSR aligns with the foundational requirements under the ISO, it also contains “FDA-specific requirements” that yield various implications for companies entering the medical device space.
One of the most prominent changes under the QMSR in its effort to align with ISO standards is the adoption of a risk-based inspection approach. Essentially, medical device inspections will now orbit around patients and users throughout a product’s lifecycle, making risk management paramount. Under this new model, FDA investigators will review medical device products “based on product-specific risks, complaint histories, prior compliance issues, and other risk indicators.” Additionally, FDA investigators can access company “audit reports, management review documentation, and supplier audit reports” to evaluate the company, its leadership, and its internal approaches to mitigating risk.
Another key shift under the QMSR is the FDA’s emphasis on post-market surveillance, which works in-tandem with the risk-based inspection model. The heightened degree of oversight regarding post-market evaluation holds companies to more stringent expectations, as FDA investigators will now closely monitor recall trends, design changes, supplier conflicts, and ongoing compliance concerns. This robust escalation requires companies to move beyond managing risk-based decisions and instead show post-market responsiveness to field changes and various emerging risk factors.
Lastly, in response to rapid technological advancements, the FDA will also inspect “cyber devices” and other digital software installations. Specifically, the FDA seeks to verify that cyber devices have a sufficient structural design and maintain a requisite degree of security and threat management. Cyber devices and software will also be viewed from a patient-focused lens, and companies are encouraged to modernize internal technology throughout the manufacturing process.
Ultimately, this regulatory paradigm shift, coupled with the recent increase in warning letters, signals an expansive pivot in medical device regulation. FDA’s new patient-centered requirements are sweeping, effectively requiring companies to implement a holistic approach to product development, active risk-management, and post-market review. The FDA’s position under the QMSR heavily emphasizes that quality radiates throughout a company and is perpetuated by effective management that oversees continuous risk-based decisions. FDA advises against treating quality as merely a “compliance exercise for inspection day.” Failure to adhere to new QMSR requirements poses substantial risks, including potential denial of product applications.
In response to these instrumental changes, leading FDA regulatory attorneys advise medical device companies to continue evaluating their current manufacturing and development practices with a gap analysis (a corporate comparison of current practices and future goals) to ensure they are compliant with the new QMSR requirements. Companies should also consider scheduling pre-approval FDA inspections earlier to avoid discovering inadequacies late in the approval process, which can decrease investor confidence, derail market entry timelines, and even result in FDA’s denial of the application. In addition, companies are encouraged to collaborate with stakeholders, suppliers, and advisors to show a proactive quality culture and acknowledge FDA’s heightened risk-based analysis that demands more than only preparing for inspection day.