Every year, people ask whether FDA enforcement is “getting tougher.” There’s no denying that things are changing at the agency, but the data suggests something a little more subtle is happening.
In FY24, FDA issued 672 Form 483 observations. In FY25, that number rose to 791. Yet warning letters remain comparatively rare — just 44 in FY24 and 54 in FY25.
For context, that’s hundreds of inspections, thousands of registered establishments, and only a few dozen warning letters. The escalation ladder is still intact – 483, response, second response, warning letter, consent decree – but the top citations haven’t changed much:
- Design controls and risk management
- CAPA
- Complaints
- Production controls
- MDR/recalls
The constancy is telling. Industry isn’t being surprised — it’s repeating the same mistakes. And with the QMSR transition in effect, those same weaknesses are now being evaluated through an ISO 13485 lens and FDA risk-based inspection technique.
Unfortunately, companies struggling with 1996-era QSR language won’t find relief in newer lifecycle risk expectations because FDA is already auditing with increasing emphasis on risk management around patients and users under the lens of public health.
So yes, the fundamentals do remain stable, but reviewing warning letters can provide insight into how FDA is going to structure feedback to industry during and after the transition.
The Rise of “Inherent Use”
The WHOOP warning letter last year is one of the more interesting inflection points.
WHOOP marketed a blood pressure feature as a general wellness function. FDA disagreed with their claims, asserting that blood pressure inherently relates to diagnosing hypertension — and therefore constitutes medical use.
The concept of “inherent use” isn’t defined language. But it reflects a regulatory stance that public knowledge alone can imply intended use.
This isn’t an entirely new concept. We saw COVID-era enforcement lean heavily into the idea that functionality — even if not explicitly claimed — can signal medical intent.
But here’s where it gets really interesting. Apple submitted a 510(k) for a hypertension feature in February 2025, yet WHOOP received its warning letter in July. Apple later obtained clearance — and remains the only cleared product under that product code.
Then, in January 2026, FDA updated its General Wellness guidance to explicitly include wrist-worn blood pressure monitoring as eligible for enforcement discretion
In parallel, FDA launched the TEMPO pilot program to support digital health products for chronic conditions using a risk-based, real-world evidence approach. If you line up the timeline, it’s hard not to see a broader shift in how FDA regulates device software that monitors patient vitals or other inputs:
- Enforcement when a predicate pathway exists
- Clearance granted
- Policy expansion to encourage broader access
That’s not inconsistency. It’s evolution, and the TEMPO initiative proves that by emphasizing lifecycle evidence and real-world performance rather than static premarket documentation.
In other words: FDA is real-time updating their policies to reflect how software is developing at an exponential rate. Regulatory professionals who still think of approval as a one-time event are missing where the agency’s posture is heading.
Warning Letters and Registration & Listing: How Administrative Priorities Shape Enforcement
This one was a real head-scratcher for anyone who pays attention to this type of thing: in one day, FDA issued 12 warning letters related to chest binders.
This was an unprecedented move, because these binders were largely Class I, GMP- and 510(k)-exempt products.
So what triggered the warning letters? The binders were marketed for use in gender dysphoria, and that is what caught the FDA’s eye. FDA considers gender dysphoria a medical condition. Once you invoke a disease state in your claims, you trigger device classification — and with it, registration and listing obligations.
This wasn’t just a gray-area design control issue; FDA really does review manufacturer websites. The issue is that they were issuing warning letters without a formal 483. I have never seen a warning letter issued for registration and listing where that is the only finding, and even the new risk-based inspection technique states that registration and listing alone doesn’t warrant a warning letter. But this type of finding is easy to enforce because it isn’t subjective – you either registered your device or you didn’t – and when enforcement resources are limited, “clear and clean” violations are efficient.
Foreign Labs and the Biosecure Act
The agency’s scrutiny of foreign testing labs and retrospective review of data from these labs marks another meaningful trend.
We’ve seen multiple foreign labs receive warning letters for GLP violations, including data integrity concerns and procedural deficiencies.
Separately, WuXi AppTec faced action under the Biosecure Act, with FDA signaling that data generated under certain ownership structures could face heightened scrutiny or non-acceptance.
That is not routine regulatory friction. It is geopolitical, and the agency is recalibrating its oversight model by rolling out unannounced foreign inspections.
The practical challenges are obvious — visas, host-country coordination, resource limitations. But the directional message is clearer: domestic production and domestic data chains are increasingly strategic considerations.
Supply chain geopolitics weren’t on the 510(k) checklist ten years ago. They are now. And as enforcement becomes more strategic, many organizations are turning to AI tools to keep pace.
What Doesn’t Change
Despite the headlines — digital health pilots, deregulation rhetoric, geopolitical tension — the bulk of enforcement remains remarkably stable.
Design controls. CAPA. Complaints. Production controls. MDR – these subsystems are still fundamental for effective quality management systems. With QMSR in effect they will likely be scrutinized more than ever.
The companies that struggle are rarely confused about what the regulation says. They struggle with operational discipline, which may be the most durable truth of all.
FDA’s posture shifts at the margins. The fundamentals remain. And when the agency knocks, it is rarely about something exotic. It’s about whether your systems work when no one is looking.
Get all the details here: https://youtu.be/ERr9Yml-7HQ
