
USFDA Guidance: UDI Requirements for Combination Products and Cybersecurity for Medical Devices

In June 2025, the FDA released two impactful draft guidances that significantly affect medical device and combination product manufacturers. These clarifications address:

Together, these documents underpin the FDA’s push for enhanced product traceability, patient safety, and cybersecurity resilience.



What Is a Combination Product?

A combination product integrates two or more regulated components—such as a drug, a device, or a biologic—into a single product or package. Examples include pre-filled syringes, drug-device co-packages, or cross-labeled products intended for combined use.

A Unique Device Identifier (UDI) is composed of two parts:

  • Device Identifier (DI): A mandatory, fixed portion that identifies the specific version or model of a device and its labeler.

  • Production Identifier (PI): A conditional, variable portion that identifies information such as the lot number or expiration date.

Key UDI Requirements:

  • Applicability: The UDI rule generally requires that the label and device package of every medical device, including those that are part of a combination product, bear a UDI unless an exception applies.

  • Types of Combination Products:

    • Single-Entity: One product (e.g., a pre-filled injector). Device-led single-entity products must bear a UDI; drug- or biologic-led products may use a National Drug Code (NDC) instead of a UDI if properly labeled.

    • Co-Packaged: Multiple components packaged together (e.g., a drug and a device in one box). Device-led co-packaged products require a UDI on the package; for drug- or biologic-led products, each device constituent part should bear a UDI, but the overall package may use an NDC.

    • Cross-Labeled: Components distributed separately but intended for combined use. Each device constituent must bear a UDI unless exempted.

  • Labeling Best Practices: The FDA recommends using only one primary identifier (either UDI or NDC) on the combination product’s label to minimize confusion and streamline supply chain activities. However, both identifiers may appear if necessary for regulatory or logistical reasons.

  • Database Submission: Labelers must submit relevant information to the FDA’s Global Unique Device Identification Database (GUDID) to support device traceability and post-market surveillance.


Summary Table of UDI Requirements for Combination Products:

| Product Type | UDI on Product | UDI on Device Part(s) | NDC Allowed? |
|---|---|---|---|
| Single-Entity, Device-led | Yes | N/A | No |
| Single-Entity, Drug/Biologic-led | No (if proper NDC) | N/A | Yes |
| Co-Packaged, Device-led | Yes | Optional | No |
| Co-Packaged, Drug/Biologic-led | No (if proper NDC) | Yes | Yes |
| Cross-Labeled | N/A | Yes | N/A |

As medical devices become more interconnected and software-driven, cybersecurity risks have emerged as a critical concern. The FDA’s guidance on cybersecurity provides a framework for manufacturers to address these risks throughout the device lifecycle, especially for premarket submissions.


Key Cybersecurity Expectations:

  • Quality System Integration: Manufacturers must incorporate cybersecurity risk management into their quality systems, ensuring that device design, production, and post-market activities address potential threats and vulnerabilities.

  • Premarket Submission Content: Submissions should include detailed information on:

    • Threat modeling and risk assessments

    • Security controls and architecture

    • Plans for software updates and patch management

    • Post-market surveillance and vulnerability disclosure policies

  • Lifecycle Management: Cybersecurity is not a one-time activity. Manufacturers are expected to monitor, assess, and respond to emerging threats throughout the product’s use in the field.

Why This Matters:

Effective cybersecurity protects patient safety, safeguards sensitive health data, and ensures device functionality. The FDA’s guidance aims to foster a proactive, systematic approach to cybersecurity, reducing the likelihood of adverse events linked to cyberattacks or software failures.


By aligning with these evolving standards, industry stakeholders can help ensure that medical innovations remain safe, effective, and resilient in a rapidly changing healthcare environment.


DISCLAIMER

The views expressed in this publication do not necessarily reflect the views or guidance of any government or health authority; they are purely my understanding. This Blog/Web Site is made available by a regulatory professional for educational purposes only, to give you general information and a general understanding of pharmaceutical regulations, not to provide specific regulatory advice. By using this blog site you understand that there is no client relationship between you and the Blog/Web Site publisher. The Blog/Web Site should not be used as a substitute for competent pharma regulatory advice, and you should consult an authenticated regulatory professional in your state. We have made every reasonable effort to present accurate information on our website; however, we are not responsible for any of the results you experience while visiting our website, and we request that you use official websites.
