EU MDR (2017/745): Understanding EU’s Medical Device Regulation

6 min read | 02/08/2023

Shlomit Cymbalista
Igal Zeifman

What is EU MDR

The EU MDR, also known as Regulation (EU) 2017/745, is a regulatory framework that sets out the requirements for the design, manufacture, and marketing of medical devices within the European Union. It replaces the previous medical device directive (MDD) and the active implantable medical device directive (AIMDD), aiming to provide a more transparent and future-proof regulatory environment for medical devices.

The EU MDR is a complex regulation, covering a wide range of issues, from clinical evaluation and post-market surveillance to labeling and packaging requirements. It aims to ensure the highest level of safety and performance of medical devices in the EU market. The regulation not only applies to medical devices but also to certain accessories and products without a medical purpose, such as aesthetic devices, which were previously outside the scope of EU regulation.

History and Background of EU MDR

Previous Regulations

The EU MDR is not the first attempt by the EU to regulate medical devices. The medical device directive (MDD) and the active implantable medical device directive (AIMDD) were the primary regulatory frameworks prior to the implementation of the MDR. These directives focused on ensuring the safety and performance of medical devices, but they fell short in several areas, including their scope, transparency, and ability to keep pace with technological advancements in the medical device industry.

Reasons for the Update to EU MDR (2017/745)

The EU MDR was introduced to address these shortcomings and to enhance the level of health and safety protection for EU citizens. The PIP (Poly Implant Prothese) breast implant scandal, where implants were fraudulently filled with industrial-grade silicone instead of medical-grade material, was a significant driver for the reform. This incident highlighted the need for stricter controls and greater transparency in the medical device sector.

Furthermore, the rapid evolution of medical technologies necessitated a more adaptable regulatory framework. The MDR is designed to be a dynamic regulation that can accommodate advances in technology, changes in medical practice, and emerging knowledge about the long-term safety and performance of medical devices.

Overview of EU MDR Requirements

Strengthened Requirements for Clinical Evidence

Under the EU MDR, there is a greater emphasis on the need for robust clinical evidence to demonstrate the safety and performance of medical devices. Manufacturers are required to conduct more rigorous clinical evaluations and post-market clinical follow-up studies to support the claims made about their devices. The evidence must be periodically updated and must reflect the current state of scientific knowledge.

Increased Transparency and Traceability

The EU MDR introduces new requirements for transparency and traceability. A new EU database, known as EUDAMED, will provide a central repository for information about medical devices on the EU market. This will include details of clinical investigations, conformity assessment procedures, certificates issued, and incidents reported.

Furthermore, each medical device will need to be assigned a unique device identifier (UDI), enabling the tracking and tracing of devices throughout their lifecycle. This will significantly enhance the ability to monitor the safety and performance of devices on the market and take swift action in case of a problem.

Expanded Definition of Medical Devices

The EU MDR expands the definition of a medical device to include products that have a medical purpose but do not achieve their primary intended action by pharmacological, immunological, or metabolic means. This brings a range of products, such as aesthetic devices and certain software, under the scope of EU regulation for the first time.

In particular, classification rule 11 states that stand-alone software that is a medical device, and serves diagnostic or therapeutic purposes, could be assigned to class IIa, IIb, or III, depending on the impact of the medical decisions based on its output. This could make it much more difficult to receive regulatory approval for many types of medical software in the EU.

Enhanced Post-Market Surveillance

The EU MDR places a greater emphasis on post-market surveillance, requiring manufacturers to actively monitor the performance of their devices once they are on the market and to take corrective action if necessary. This includes the requirement to establish a comprehensive post-market surveillance system, to periodically update the clinical evaluation of the device, and to report serious incidents and field safety corrective actions.

Requirements for a Person Responsible for Regulatory Compliance (PRRC)

Under the EU MDR, each manufacturer must have at least one person responsible for regulatory compliance (PRRC) within their organization. This person must possess the necessary expertise in the field of medical devices and must be permanently at the manufacturer’s disposal. Their responsibilities include ensuring the safety and performance of the device, its conformity to terms of manufacture and labeling, and the implementation and maintenance of the manufacturer’s quality management system.

Implications for Medical Device Manufacturers

The sweeping changes brought about by EU MDR have profound long-term implications for medical device manufacturers. These include:

Impact on Product Development and Testing Processes

EU MDR introduces stringent requirements for clinical evidence, necessitating a comprehensive review of product development and testing processes. Under EU MDR, manufacturers need to demonstrate a higher level of clinical evidence to support the safety and performance claims of their devices.

The increased focus on clinical evidence affects not only new products but also existing ones, requiring manufacturers to re-evaluate their portfolio and possibly conduct additional clinical trials.

Changes to Labeling and Documentation

Another significant area of impact is labeling and documentation. EU MDR demands more detailed device labeling, with explicit information on usage, risks, and clinical evidence. It also introduces the notion of a unique device identifier (UDI), which must be incorporated into device labels, facilitating traceability throughout the device’s lifecycle.

The responsibility for maintaining up-to-date technical documentation has also increased, calling for manufacturers to provide comprehensive information on device design, manufacturing, and performance.

Enhanced Post-Market Surveillance Responsibilities

The new regulation extends manufacturers’ responsibilities into the post-market phase. Under EU MDR, manufacturers must establish a proactive post-market surveillance system, capturing and analyzing device performance and safety data from real-world use. This data must then be used to continually update risk assessments and clinical evaluations, ensuring that the device remains safe and effective throughout its lifecycle.

Necessity for Updating Quality Management Systems

The changes necessitated by EU MDR have far-reaching implications for manufacturers’ quality management systems (QMS). The regulation demands a higher level of integration between QMS and other processes, including clinical evaluation, risk management, and post-market surveillance. This requires updating existing QMS to ensure they are compliant with the new requirements.

Potential Market Access Delays

With the increased scrutiny and more rigorous approval processes, manufacturers may face delays in getting their devices to market. The transition to EU MDR can be time-consuming and complex, potentially affecting manufacturing timelines and market access strategies. According to the MDR Transition Timelines published by the European Commission, from 26 May, 2024, new devices placed on the market must conform to the new MDR requirements. Certificates previously issued under the MDD may continue to be valid for up to 4 years after this deadline.

Preparing for EU MDR Compliance

Here are the general steps manufacturers can take to prepare for compliance with EU MDR:

  1. Conduct a gap analysis: This involves assessing your current state of compliance against the requirements of EU MDR, identifying any deficiencies, and planning actions to address them.
  2. Secure resources: Compliance with EU MDR requires significant resources, both in terms of personnel and financial investment. Manufacturers must ensure they have the necessary resources to implement the changes required by the regulation.
  3. Update documentation and processes: A key requirement of EU MDR is the updating of technical documentation, labeling, and QMS. This requires a thorough review of existing documentation and processes, followed by revisions to ensure compliance with EU MDR.
  4. Strengthen post-market surveillance: Given the increased post-market surveillance responsibilities under EU MDR, manufacturers must strengthen their systems for capturing and analyzing real-world data. This involves developing a robust post-market surveillance plan, implementing systems for data capture and analysis, and ensuring processes for updating risk assessments and clinical evaluations based on this data.
  5. Engage a notified body: Under EU MDR, manufacturers must engage with a notified body (an organization designated by an EU Member State to assess medical devices and documentation for conformity with the regulation). This requires identifying a suitable notified body, preparing for the assessment, and working closely with the body throughout the process.
  6. Train staff: The transition to EU MDR requires a shift in mindset and culture within the organization. To ensure successful compliance, staff training is essential, ensuring that everyone understands the requirements of EU MDR and how they impact their role.

The introduction of the EU MDR marks a significant shift in the regulatory landscape for medical device manufacturers. While the implications are profound, with careful planning and preparation, manufacturers can navigate this transition and seize the opportunities it presents. The focus on patient safety and clinical evidence will continue to shape the future of medical device regulation in Europe.

How We Can Help

Sternum is an IoT security and observability platform, which enables device manufacturers to meet and exceed the security requirements of standards and regulations such as EU MDR, UL 2900, TIR 57, and the FDA Cybersecurity Guidance.

Embedded in the device itself, Sternum provides deterministic protection from known and unknown (zero-day) threats, including software supply chain vulnerabilities. These patented security features are complemented by robust observability features that granularly monitor and log all device functions, provide real-time operational and business intelligence, and leverage AI for rapid anomaly detection and alerting.

Sternum operates at the bytecode level, making it universally compatible with any IoT device or operating system, including RTOS, Linux, OpenWrt, Zephyr, Micrium, and FreeRTOS. Plus, it has a low overhead of only 1-3%, even on legacy devices.

To learn more about how we help MDMs streamline compliance and build scalable and reliable products, check out this customer webinar we did with Medtronic.
