Beginner’s Guide: How are medical devices regulated in the EU?

Manufacturers of medical devices looking to sell their products in the European Union (EU) will need to understand and comply with the regulatory requirements of the EU. This can be a complex and daunting process, especially if you are new to the field. In this article, we will provide a beginner’s guide to EU regulatory compliance for medical devices.

The EU Medical Device Regulation

The EU Medical Device Regulation 2017/745 (MDR) came into force on 26 May 2017 after it was published in the Official Journal of the European Union (OJEU), with a Date of Application (DoA) set for 26 May 2020. However, due to the COVID-19 outbreak, this DoA was postponed and the Regulation became fully applicable from 26 May 2021. The MDR represents the new state of the art in regulating medical devices in the EU and has a great impact on the operations of medical device manufacturers all over the world.

You can get a copy of the EU MDR at the following link, but make sure that this is the current consolidated version: EU MDR.

Device Qualification

First things first. Is your product really a medical device?

This step is critical and is known as ‘Device Qualification’ whereby the manufacturer compares the intended purpose of their device to the legal definition of a medical device, as shown below:

‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes:

  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability,
  • investigation, replacement or modification of the anatomy or of a physiological or pathological process or state,
  • providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations,

and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means.

The following products shall also be deemed to be medical devices:

  • devices for the control or support of conception;
  • products specifically intended for the cleaning, disinfection or sterilisation of devices as referred to in Article 1(4) and of those referred to in the first paragraph of this point.

Article 2(1), MDR

Alternatively, your product may fall under the definition of an ‘accessory to a medical device’, which Article 2(2) defines as: “an article which, whilst not being itself a medical device, is intended by its manufacturer to be used together with one or several particular medical device(s) to specifically enable the medical device(s) to be used in accordance with its/their intended purpose(s) or to specifically and directly assist the medical functionality of the medical device(s) in terms of its/their intended purpose(s)”.

However, it is not always so clear-cut, with some products considered “borderline”. What’s important in these scenarios is a well-defined intended purpose for the device taking into account:

  • What is the device intended to be used for?
  • On whom or on what will the device be used?
  • What are the indications of the device?
  • What are the marketed claims?
  • How does the device meet its intended purpose?
  • Who is using the device?

The EU’s Medical Device Coordination Group (MDCG) has released some helpful guidance which might be able to point you in the right direction. See the below resources:

Apart from medical devices and their accessories, there are some other types of products which fall under the scope of the EU MDR, those being custom-made devices and devices which are indicated in Annex XVI (products without a medical intended purpose). Check out their respective links to learn more.

Once you are confident that your product fits under the scope of the EU MDR, you must apply a risk classification to it. If you’re not so confident, have an expert like Specculo look into it for you. In either case, we recommend you put together a rationale to justify whether your product is a medical device or not. This will come in handy if you are ever challenged.

Device Classification and Rules

The EU has a classification system for medical devices that ranges from Class I (lowest risk) to Class III (highest risk). Device classification is important because it determines the regulatory requirements that must be met to obtain CE marking and EU market access. The classification rules are based on factors such as intended use, duration of use, invasiveness, and potential harm. Each classification has its own set of requirements that must be met, such as conformity assessment procedures, technical documentation, and quality management system requirements.

You can find more information on the classification system and how to use it to assign a risk class to your device in our dedicated article, Medical Device Classification System in the EU. If you’re having trouble classifying your product, you could also consult MDCG 2021-24 or have our team look into it.

Conformity Assessment Procedures

Once you have successfully identified your device classification, it is time to find out which route of conformity you will need to follow. Article 52 of the MDR indicates several pathways which shall be chosen based on the risk classification of your device. For example, a Class IIa device manufacturer may choose between a conformity assessment in line with Chapters I and III of Annex IX or as specified in Annex XI. When a choice is given, the decision shall be made based on device production and what is more appropriate for that manufacturer’s operations.

Regardless of the path chosen, most of the requirements in the MDR will apply to all devices including requirements related to technical documentation, declaration of conformity, quality management systems, UDI and registration. The assessment itself is carried out by a Notified Body, a third-party organization which has been designated by the EU to carry out conformity assessments.

For Class I devices without a sterile or measuring function and which are not reusable surgical instruments, a third-party Notified Body will not be involved. Instead, Class I manufacturers follow a self-certification route culminating in the declaration of conformity, which claims that the organization has complied with all the appropriate requirements and obligations of the regulation.

Notified Bodies and Different CE Certificates

Notified Body (NB) assessment typically begins with a conversation to determine the type of assessment required and an understanding of that particular NB’s processes. Selecting an NB for your device’s assessment is a crucial step and you may choose from the following official list of EU-designated organizations: NANDO EU NBs.

Selecting your EU MDR Notified Body

When selecting an NB, manufacturers should take into account the following considerations:

  • Cost.
  • Timelines.
  • Expertise.
  • Resources and support.
  • Reputation.
  • Designated tasks.

During the selection process, you should first identify which tasks that NB has been designated for. This highlights what in-house expertise is available and which types of devices they are able to assess (MDR codes). Following that, we recommend that you get in touch with the NBs able to assess your device and compare using the considerations indicated above.

Keep in mind that whilst the processes of each NB may be different, the result is the same: an EU MDR Certificate (or CE Certificate) which allows you to place your product on the market. Once you have selected an NB, ensure you understand the whole process and what it entails; this will help you avoid any surprises and may expose hidden costs.

In any case, you will be asked to submit your MDR-compliant technical documentation for review, typically performed remotely. The NB will then schedule an assessment of your quality management system, which is usually performed in two stages: remotely, to ensure you have the appropriate documentation in place, and on-site to ensure that you are following your procedures and are compliant with the MDR requirements. Following the initial assessment, the NB will schedule surveillance audits of your QMS and documentation which will focus on another product (if you have a larger portfolio).

The NB may issue non-conformities against the documentation or your QMS which will need to be addressed prior to obtaining your certificate. Handling multiple rounds of non-conformities (if allowed) can get extremely expensive and time-consuming; this is why we recommend that you contact experts in the field who have dealt with these sorts of assessments and non-conformities. Unfortunately, interpretations of the regulations may differ from one NB to another, sometimes even internally between assessors. We have dealt with and resolved these issues before by challenging these interpretations to ensure that our clients always get a fair assessment.

Upon passing your assessment, the NB will then issue a type of certificate based on the conformity assessment route chosen, including:

  • EU quality management system certificate.
  • EU technical documentation assessment certificate.
  • EU type-examination certificate.
  • EU product verification certificate.
  • EU quality assurance certificate.

The certificate is a confirmation that your medical device and organization meet the requirements of the MDR, allows you to affix the CE mark to your device, and allows you to place your device on the EU market.

Quality Management System Requirements

As part of the manufacturer’s obligations (see Medical Device Manufacturers: What are your obligations in the EU?), a Quality Management System (QMS) must be set up, the extent of which shall depend on the device and scope of the organization.

Although it is not directly referred to in the MDR, the QMS shall be compliant with the latest version of EN ISO 13485 (currently EN ISO 13485:2016+A11:2021). The prospect of setting up a QMS may sound daunting, and in most cases, it is quite a significant investment. But most of all, establishing and maintaining a QMS is a commitment.

A Quality Management System (QMS) is a structured framework designed to ensure that an organization consistently produces medical devices that meet customer and regulatory requirements. ISO 13485:2016 is a standard that specifies the requirements for a QMS in the medical device industry. The standard emphasizes the importance of risk management and product safety, and requires that organizations document, implement, and maintain their QMS processes to ensure they are effective and continuously improving. By complying with ISO 13485:2016, organizations can demonstrate their commitment to quality and gain a competitive advantage in the global marketplace.

To set up an ISO 13485:2016-compliant QMS, an organization should follow these general steps:

  1. Obtain a copy of the ISO 13485:2016 standard and review its requirements to ensure a clear understanding of what is expected.
  2. Identify the scope of the QMS, including the types of medical devices or related services the organization will provide.
  3. Establish a Quality Policy and objectives that align with the organization’s mission, values, and regulatory requirements.
  4. Create a QMS manual (Quality Manual) that documents the QMS processes, procedures, and responsibilities, and outlines how they will be implemented and maintained.
  5. Conduct a gap analysis to determine any areas where the organization does not meet the ISO 13485:2016 requirements and create an action plan to address these gaps.
  6. Develop and implement a risk management process that identifies potential risks associated with the organization’s products or services and defines how those risks will be mitigated.
  7. Train employees on the QMS processes, procedures, and their responsibilities, and provide ongoing training and education to ensure ongoing compliance.
  8. Establish a process for monitoring and measuring the effectiveness of the QMS, and use this information to continually improve the system.

It is important to note that the specific steps involved in setting up a QMS in accordance with ISO 13485:2016 may vary depending on the organization’s size, complexity, and type of medical devices or services provided.

Unless you have the in-house expertise, complying with these requirements can be very time-consuming and expensive. This is why in most cases, it will be more cost-effective for you to hire a third party to carry out the work required on your behalf. Get in touch to discuss your QMS needs and check out our QMS service page for more information.

Manufacturer Obligations in Article 10 of the MDR

Article 10 of the MDR sets out the obligations of manufacturers of medical devices. These include obligations related to the design and manufacture of the device, labelling and instructions for use, post-market surveillance, and reporting of incidents and field safety corrective actions:

  1. Ensuring that the device is designed and manufactured in accordance with the MDR and any other applicable regulations and that it meets the essential requirements for safety and performance.
  2. Establishing and maintaining a quality management system (QMS) that complies with the MDR, and ensuring that all relevant employees are trained in the QMS procedures.
  3. Conducting a risk assessment for the device, and implementing appropriate measures to minimize any identified risks.
  4. Ensuring that the device is appropriately labelled and accompanied by instructions for use, and that any advertising or promotional material is accurate and not misleading.
  5. Keeping a register of complaints, non-conformities, and any corrective or preventive actions taken, and reporting serious incidents to the competent authorities.
  6. Conducting post-market surveillance activities to monitor the safety and performance of the device and taking appropriate corrective or preventive actions if necessary.
  7. Ensuring that the device is traceable through the supply chain by affixing a unique device identification (UDI) code, and providing sufficient information to enable the device to be identified and traced.
  8. Cooperating with the competent authorities, including providing them with any necessary information or access to facilities.
  9. Appointing a person responsible for regulatory compliance (PRRC), who must have appropriate qualifications and experience.

These obligations apply to all medical device manufacturers selling their products in the European Union, regardless of where they are based. Failure to comply with these obligations can result in serious consequences, such as product recalls, fines, or legal action. See our full-length article on the manufacturer’s obligations in the EU.

EU Authorized Representative

If you are a manufacturer based outside of the EU, you are required to appoint an EU Authorized Representative (AR) who acts as your regulatory representative in the EU. The AR has its own set of obligations and requirements to meet such as verifying you have all the necessary technical documentation in place and acting as a contact point between you and the EU Competent Authorities. If you’re curious to find out more about the role of the AR, check out our article here.

Identifying and appointing an appropriate AR is not always straightforward as there isn’t an official list to choose from. However, designating an AR who can guide you through the regulatory framework is key to your success in the EU. When choosing your AR, take into account:

  • Cost and Included Services: Beware hidden costs and ensure you know exactly what you’re paying for. Some ARs will charge extra for run-of-the-mill activities. AR services are typically charged annually, so ensure that any services or guidance you may require in a given year are included or provided at a reasonable rate.
  • Experience and Reliability: Company age and size do not equal experience or reliability. Choose a company whose employees have the appropriate experience to guide you through complex regulatory and market-related issues.
  • Responsiveness: You will want to choose a company that can get back to you within 24 hours for urgent requests such as vigilance.
  • Communication: Being able to communicate easily with your AR is crucial in ensuring you understand your obligations in the EU.

If you’re looking for an Authorized Representative who ticks all these boxes and throws in additional monthly consulting hours, get in touch with Specculo. We would like to hear about your requirements and guide you to success.

PRRC Requirements

The EU MDR introduced several new requirements and obligations for manufacturers to comply with. One of these is that the organization must appoint a person responsible for regulatory compliance (PRRC), a role which intends to strengthen the accountability of medical device manufacturers for compliance with regulatory requirements. The PRRC is a person within the manufacturer’s organization who is responsible for ensuring that the company complies with the MDR and related legislation.

The PRRC must have sufficient knowledge and expertise in the field of medical devices and must be involved in the manufacturer’s QMS. They are responsible for ensuring that the QMS is in compliance with the MDR and that it is effective in identifying and addressing any non-conformities or risks related to the manufacturer’s devices.

The PRRC must also be involved in the conformity assessment process and must ensure that the manufacturer has applied the appropriate conformity assessment procedures and has obtained the necessary certificates or declarations of conformity.

In summary, the PRRC is a key person within a medical device manufacturer’s organization who has the responsibility to ensure that the company complies with the EU MDR and related regulations. The role is an important aspect of the MDR’s efforts to strengthen the safety and effectiveness of medical devices sold in the EU, by ensuring that manufacturers have a dedicated person responsible for regulatory compliance within their organization.

What is a PRRC and what are their Responsibilities?

If you don’t have anyone in-house who has the appropriate knowledge of the EU MDR, we can provide your personnel with the training required to be eligible for the role. The manufacturer must ensure that the PRRC is always close at hand, and therefore we always recommend appointing in-house personnel as the PRRC, even though it is possible to subcontract a PRRC.

Device Registration Obligations

In addition to the above-mentioned requirements, manufacturers of medical devices must also register their devices with the competent authorities in the EU member states where the devices will be sold. This requirement applies to all medical devices, regardless of their classification.

Device registration can now be conducted through the European Database for Medical Devices (Eudamed) by either the manufacturer or a subcontracted entity. Successful registration means that the manufacturer can place their device on the EU market, but they must ensure that all information inputted into Eudamed is kept up to date.

Registration of your devices on Eudamed involves you entering device-specific data into the online database, including information on the classification, size, warnings, and packaging.

Eudamed can be a tough nut to crack. This is why we register our clients on Eudamed to acquire their SRN as part of our AR service or as a separate consulting service. We can also provide you with the guidance you need to ensure that you register your devices appropriately and maintain your information in Eudamed.

Importers and Distributors

You have met the Regulation’s requirements, appointed an AR, and obtained your certificate. What’s next?

In order to place your CE-marked devices on the EU market, you will require an importer. An importer is not simply an entity which physically imports your product into the EU. The MDR lists a number of obligations and requirements which must be met by an organization taking on this responsibility. We have covered these requirements here.

Traditionally, the importer did not need to be so aware of how devices are regulated in the EU; they mainly took into account local legislation. However, the EU’s new requirements have led some importers to abandon their role in favour of the less regulatory-intensive distributor role.

If you are dealing with an entity that is struggling to meet these obligations, Specculo does offer an Import Assist package which helps importers carry out their various verifications and answer their burning regulatory questions.

Once the importer has performed their required checks, they “release” the product to be placed on the market. They may also make the product available on the market, i.e. they may be selling it to the end users too, which also makes them the distributor of the product.

It is crucial that both your importer and distributor understand their obligations in the EU. One way of doing this is to draw up an agreement with them which clearly indicates these requirements. If you need any help putting together an Importer or Distributor Agreement, get in touch with our team.


EU regulatory compliance for medical devices is a complex and ever-changing field. It is essential for manufacturers to understand and comply with their regulatory requirements to ensure the safety and efficacy of their products and to avoid regulatory sanctions or product recalls.

In this article, we have provided a beginner’s guide to EU regulatory compliance for medical devices, covering the basics you need to know for success in the EU. By following these requirements and working with experienced regulatory professionals, manufacturers can ensure that their medical devices meet the necessary standards for sale in the EU.

We’re always here to help and would be happy to hear about your experiences with the EU regulatory framework.

If you’re looking for a chat about how we can help you succeed in the EU, just send over an email or give us a call.