FDA compliance means meeting the rules set by the U.S. Food and Drug Administration for any product the agency regulates, including food, drugs, medical devices, cosmetics, biologics, tobacco, and even certain software. These rules are codified in Title 21 of the Code of Federal Regulations and cover everything from how a product is manufactured and labeled to how safety problems are reported after it reaches consumers. If your business makes, imports, or distributes any of these products in the United States, FDA compliance is a legal obligation, not a voluntary standard.
What the FDA Actually Regulates
The FDA’s authority spans a surprisingly wide range of industries. Title 21 of the Code of Federal Regulations is organized into subchapters, each covering a distinct product category: food for human consumption, human drugs, animal drugs and feeds, biologics (like vaccines and blood products), cosmetics, medical devices, mammography equipment, radiological health products, and tobacco products. A separate chapter covers controlled substances under the Drug Enforcement Administration, which works alongside the FDA but operates independently.
For any company in these industries, compliance starts with understanding which subchapter applies to your product. A sunscreen, for example, is regulated as an over-the-counter drug, not a cosmetic. A health app on your phone may qualify as a medical device. These classifications determine the specific rules you need to follow.
Manufacturing Under Good Manufacturing Practice
One of the most fundamental pieces of FDA compliance is Current Good Manufacturing Practice, commonly abbreviated as CGMP. These regulations require manufacturers to build quality into every stage of production rather than just testing the finished product and hoping it passes. For drug manufacturers, CGMP covers the design and monitoring of manufacturing processes, the quality of raw materials, standard operating procedures, product quality deviation investigations, and the reliability of testing laboratories.
The goal is to guarantee four things about every drug product: its identity (it’s actually what the label says), its strength (the dose is accurate), its quality (it was made under controlled conditions), and its purity (it’s free from contamination). Similar manufacturing standards apply to medical devices and food products, though the specific requirements differ. Failing to meet CGMP is one of the most common findings during FDA inspections.
Food Safety Requirements Under FSMA
For the food industry, the Food Safety Modernization Act (FSMA) reshaped compliance by shifting the focus from responding to contamination after it happens to preventing it in the first place. FSMA introduced several major rules that food facilities must follow. These include hazard analysis and risk-based preventive controls for human food, standards for growing, harvesting, and packing produce, verification programs for companies that import food into the U.S., requirements for sanitary transportation of food, and strategies to protect food against intentional tampering.
If you operate a food facility, compliance means conducting a formal hazard analysis of your products, identifying the points where contamination could occur, and implementing preventive controls with documentation to prove the system is working. Importers have their own set of obligations: they must verify that their foreign suppliers meet U.S. food safety standards, even if the supplier’s home country has different rules.
Medical Device Classification and Approval
Medical devices are sorted into three classes based on risk, and the compliance pathway gets more demanding as the risk increases. Class I devices (like tongue depressors or bandages) face the least regulation, typically requiring only general manufacturing controls. Class II devices (like powered wheelchairs or pregnancy tests) usually need a 510(k) submission, which demonstrates the device is substantially equivalent to one already on the market. Some lower-risk novel devices that don’t match an existing product can go through the De Novo pathway to be classified as Class I or II.
Class III devices are the highest-risk category. These are products that sustain human life, prevent serious health impairment, or pose an unreasonable risk of illness or injury. Think pacemakers, implantable defibrillators, or artificial hearts. Class III devices require Premarket Approval (PMA), which the FDA describes as its most stringent type of marketing application. A PMA submission includes non-clinical laboratory data (biocompatibility testing, toxicology, stress and wear testing, shelf life studies) and clinical investigation results with patient-level safety and effectiveness data. The lab studies themselves must follow Good Laboratory Practice standards.
Labeling Rules for Drugs and OTC Products
Labeling compliance is detailed and specific. Prescription drugs must carry the “Rx only” statement, the recommended dosage, the route of administration (if it’s not taken by mouth), the quantity of each active ingredient, a list of inactive ingredients, and a lot or control number for traceability. The labeling must also include a summary of essential scientific information needed for safe and effective use.
Over-the-counter drugs follow a different format built around the “Drug Facts” panel. This panel must list the active ingredients with their quantities, the purpose of each ingredient, approved uses, warnings, directions for use, other relevant information, and inactive ingredients. The order and formatting of these elements are prescribed by regulation, not left to the manufacturer’s discretion. Getting any of this wrong, whether it’s a missing warning or an unapproved health claim, is a compliance violation.
Facility Registration
Before you can legally produce or distribute FDA-regulated products in the U.S., your facility typically needs to be registered with the agency. Medical device establishments involved in production or distribution, including facilities that handle imports, must register annually with the FDA and list the devices they handle along with the activities they perform. Drug manufacturing facilities and food facilities have their own registration requirements with different schedules and procedures. Registration puts your facility on the FDA’s radar for inspections and ensures there’s a record connecting every product to its source.
Software as a Medical Device
Software that performs a medical function on its own, without being part of a physical device, falls under a category called Software as a Medical Device (SaMD). This is distinct from software embedded inside a medical device (like the firmware in an insulin pump) and software used to manufacture or maintain devices. If your app or algorithm is intended to diagnose a condition, recommend a treatment, or inform a clinical decision, the FDA may regulate it as a medical device, with compliance requirements that match the level of risk it presents.
The FDA recognizes three types of software related to medical devices. SaMD is the category that catches many tech companies off guard, because a product that looks like a standard app can trigger full medical device regulation based on its intended use.
How the FDA Enforces Compliance
The FDA enforces its rules through a tiered system that starts with inspections. During a facility inspection, investigators look for conditions that violate FDA requirements. When they find problems, they document them on an FDA Form 483, which is a list of specific observations the investigator considers objectionable. Receiving a 483 is not a fine or a penalty, but it signals that the FDA has identified compliance gaps that need to be corrected.
If a company doesn’t adequately address the issues on a 483, or if the violations are serious enough, the next step is typically a Warning Letter. This is a more formal notice that puts the company on record and often becomes public. Beyond Warning Letters, the FDA can pursue import alerts (blocking products at the border), product seizures, injunctions, and criminal prosecution. Most companies resolve problems at the 483 or Warning Letter stage, but the escalation path exists for repeat or willful violations.
Post-Market Reporting Obligations
Compliance doesn’t end once a product reaches the market. Drug and biologic manufacturers must report serious, unexpected adverse events to the FDA within 15 calendar days of first learning about them. If an adverse event during a clinical trial is both unexpected and fatal or life-threatening, the reporting window shrinks to 7 calendar days. These reports feed into the FDA’s safety surveillance systems and can trigger label changes, safety communications, or product withdrawals.
Medical device manufacturers have parallel reporting obligations through a separate system. The purpose is the same: catching safety signals early so the FDA can act before a problem becomes widespread.
The Cost of Compliance
Compliance carries significant financial costs, particularly for drug and device manufacturers. Under the Prescription Drug User Fee program, a new drug application requiring clinical data carries a fee of $4,310,002 for fiscal year 2025, rising to $4,682,003 in FY 2026. Applications that don’t require clinical data cost roughly half that. On top of application fees, companies pay annual program fees that fund the FDA’s review operations, set at $403,889 for FY 2025 and $442,213 for FY 2026. These fees cover only the regulatory review itself, not the underlying research, testing, and quality systems needed to prepare a compliant submission.
For smaller companies, particularly in the food and cosmetics industries, the costs are lower but still meaningful. Building a compliant quality system, training staff, maintaining documentation, and preparing for inspections all require sustained investment. The cost of non-compliance, however, including product recalls, import holds, and reputational damage, almost always exceeds the cost of getting it right from the start.