FDA / EU / Regulatory Updates
Key Points:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector (The Executive Order (EO) ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information.)
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government (The EO helps move the Federal Government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period.)
- Improve Software Supply Chain Security (The EO will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. In addition, the EO creates a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely.)
The EO includes requirements for sharing software bill of materials (SBOM) information when software is being delivered. The term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software.
- Establish a Cyber Safety Review Board (The EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.)
- Create a Standard Playbook for Responding to Cyber Incidents (The EO creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.)
- Improve Detection of Cybersecurity Incidents on Federal Government Networks (The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government.)
- Improve Investigative and Remediation Capabilities (The EO creates cybersecurity event log requirements for federal departments and agencies.)
FDA issued 2 new draft guidances related to postmarket activities:
1. Procedures for Handling Post-Approval Studies Imposed by Premarket Approval Application Order
Evaluation of premarket approval applications (PMA) by FDA is a multi-step process in which FDA evaluates whether reasonable assurance of device safety and effectiveness has been demonstrated.
To provide reasonable assurance, or the continued assurance, of safety and effectiveness of an approved device, FDA may require a post-approval study (PAS) as a condition of approval of the PMA. A PAS is usually a clinical or non-clinical study, as specified in the PMA approval order, and is typically intended to gather specific data to address questions about the post-market performance of or experience with an approved medical device.
FDA may consider it acceptable to collect certain data in the post-market setting, rather than premarket, under certain circumstances when FDA has uncertainty regarding certain benefits or risks of the device, but the degree of uncertainty is acceptable in the context of the overall benefit-risk profile of the device at the time of premarket approval.
2. Postmarket Surveillance Under Section 522 of the Federal Food, Drug, and Cosmetic Act
Section 522 of the Federal Food, Drug, and Cosmetic Act (FD&C Act) provides the FDA with the authority to require manufacturers to conduct postmarket surveillance at the time of approval or clearance or at any time thereafter of certain class II or class III devices. Postmarket surveillance is the active, systematic, scientifically valid collection, analysis, and interpretation of data or other information about a marketed device. The data collected under a surveillance order help to address important public health questions on the safety and effectiveness of a device.
This draft guidance document, when finalized, will assist manufacturers of devices subject to section 522 post-market surveillance orders (522 orders) by providing:
- an overview of section 522 of the FD&C Act;
- information on how to fulfill section 522 obligations, including:
  - when postmarket surveillance should be considered commenced;
  - recommendations for achieving an approved postmarket surveillance plan in a timely manner; and
  - recommendations for enrollment schedules to help achieve timely completion of postmarket surveillance;
- recommendations on the format, content, and review of postmarket surveillance plan and report submissions, including revised FDA review times for postmarket surveillance-related submissions; and
- updated surveillance status categories to better reflect progress.
26 May 2021 is the application date for the EU MDR. After this date, the MDR is applicable to all medical devices sold (developed or imported) in the European Union. The In-Vitro Diagnostic Medical Device Regulation (IVDR) is set to follow in May of next year.