V5 Ultimate
Compliance · The complete guide

EU MDREU Medical Device Regulation (2017/745)

TL;DR

Regulation (EU) 2017/745 modernizes Europe’s device regime with lifecycle controls, stronger clinical evidence, UDI and EUDAMED transparency, expanded Notified Body scrutiny, and explicit duties for manufacturers, authorised representatives, importers, and distributors across the Single Market.

Reviewed · By V5 Ultimate compliance team· 2,111 words · ~10 min read
AI · Explain it for MY operation

How does EU MDR apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01What the EU MDR is and why it matters

Regulation (EU) 2017/745 on medical devices (the MDR) is the central legal framework that governs the placing on the market, making available, and putting into service of medical devices in the European Union. It applies directly in Member States and replaced the Medical Devices Directive (93/42/EEC) and the Active Implantable Medical Devices Directive (90/385/EEC) on 26 May 2021. The Regulation introduces a rigorous, lifecycle-based model aimed at improving patient safety and system transparency.

The MDR reclassifies many products upward under Annex VIII, strengthens the clinical evidence rules in Article 61 and Annex XIV, and establishes a unified system for device identification and registration through Unique Device Identification and the EUDAMED database. It also recasts post-market surveillance and vigilance with detailed expectations for continuous performance verification, trend reporting, and rapid incident communication to competent authorities.

A defining feature of the MDR is shared accountability. Manufacturers, authorised representatives, importers, and distributors are each assigned concrete obligations in Articles 10–14. Every manufacturer must appoint a Person Responsible for Regulatory Compliance under Article 15 to oversee technical documentation, conformity assessment, and post-market activities. Conformity for most medium and higher-risk devices is assessed by Notified Bodies designated under Articles 35–50 and relevant assessment annexes.

The MDR’s increased scrutiny has practical consequences. Technical documentation must be deeper and more cross-referenced, clinical evaluation has tighter reliance and equivalence criteria, and post-market data must be proactively planned and analyzed. For teams building or remediating files, our guide on EU MDR technical documentation readiness and the role of a Notified Body is an essential starting point.

02Scope and applicability: who and what the MDR covers

The MDR applies to a broad range of medical devices and accessories, including active implantables formerly covered by a separate directive. Its scope captures systems and procedure packs, reprocessed single-use devices, and certain groups of products without an intended medical purpose listed in Annex XVI, for which Common Specifications may apply. In vitro diagnostic devices are outside the MDR and are regulated by the IVDR (Regulation (EU) 2017/746).

Economic operators both inside and outside the EU fall within the Regulation’s reach. Non‑EU manufacturers require an EU‑established authorised representative, importers have verification and registration duties, and distributors must perform checks before making devices available on the market. Each operator’s obligations are independent and enforceable, which materially changes risk allocation compared to the prior directive regime.

Classification follows Annex VIII rules, which have led to significant up‑classification, particularly for software under Rule 11. Standalone software is often Class IIa or higher depending on clinical impact, which brings Notified Body involvement and a more robust conformity assessment pathway. Developers of software as a medical device should also consider IEC 62304 and risk management alignment during design and maintenance, alongside the MDR’s post‑market controls.

In practice, determining whether a product is a medical device, an accessory, or outside scope requires careful review of the intended purpose, mechanism of action, and claims. Borderline cases warrant early dialogue with a competent authority or Notified Body to avoid misclassification that could derail timelines.

  • Medical devices (non‑in vitro) intended by the manufacturer for diagnosis, prevention, monitoring, treatment, or alleviation of disease or injury
  • Active implantable devices and their accessories
  • Standalone software meeting the device definition, including clinical decision support under Rule 11
  • Systems and procedure packs assembled for a specific medical purpose
  • Reprocessed single‑use devices placed back on the market
  • Annex XVI products without medical purpose subject to Common Specifications
  • Custom‑made devices, with specific documentation and post‑market expectations

Software teams should align MDR expectations with software lifecycle practices. For development and maintenance discipline under harmonized standards, see IEC 62304 medical device software readiness.

03How conformity assessment works under the MDR

The MDR sets out several conformity assessment routes that culminate in CE marking and an EU Declaration of Conformity. For most Class IIa, IIb, and III devices, a Notified Body assesses conformity under Annex IX (quality management system with technical documentation assessment), Annex X (type examination), Annex XI (product conformity verification), or combinations of these. Class I devices without sterility or measuring functions are generally self‑declared, but remain subject to the Regulation’s full lifecycle obligations.

Technical documentation must conform to Annex II and Annex III. It includes device description, design and manufacturing information, the General Safety and Performance Requirements (GSPR) checklist against Annex I, benefit‑risk analysis, verification and validation evidence, and the clinical evaluation plan and report. Post‑market surveillance planning is embedded in the file, including the PMCF plan where applicable, and interfaces with risk management and vigilance reporting.

A robust quality management system aligned to Article 10(9) and harmonized standards such as EN ISO 13485 typically underpins Annex IX assessments. The MDR also requires instructions for use and labeling that meet content, legibility, and language obligations, together with UDI carrier placement, Basic UDI‑DI assignment, and EUDAMED registration obligations once modules are mandatory.

Manufacturers should map their device class to the correct route early, model certificate lead times, and reserve adequate capacity for iterative Notified Body questions. Proactive readiness shortens cycles and reduces the risk of nonconformities that can cascade into market delays.

  1. Confirm intended purpose and determine risk class under Annex VIII
  2. Select the applicable conformity assessment route (Annex IX, X, XI) and identify the Notified Body
  3. Implement and operate the QMS per Article 10(9), typically aligned with EN ISO 13485
  4. Compile Annex II/III technical documentation and GSPR evidence, including labeling and instructions for use
  5. Complete clinical evaluation under Article 61 and Annex XIV, including PMCF planning
  6. Assign Basic UDI‑DI, plan UDI carriers, prepare the EU Declaration of Conformity, affix CE marking, and register in EUDAMED when required

04Clinical evaluation, PMCF, and clinical investigations

Clinical evaluation under Article 61 and Annex XIV is the linchpin of MDR conformity. It requires a plan, a systematic appraisal of clinical data, a reasoned demonstration of conformity with Annex I General Safety and Performance Requirements, and a living strategy for maintaining evidence over time. The Regulation tightens reliance on equivalence, especially for higher‑risk and novel devices, and expects transparent traceability to device‑specific evidence.

Post‑Market Clinical Follow‑up (PMCF), part of Annex XIV Part B, extends clinical evaluation into the market phase. PMCF proactively confirms safety and performance, detects rare or long‑term risks, and refines the benefit‑risk profile. For devices with limited premarket data or evolving technology, PMCF can be decisive in sustaining certificates and satisfying iterative Notified Body scrutiny.

Clinical investigations must be designed and conducted in line with ethical and scientific principles and, in practice, are expected to align with EN ISO 14155. They should be anchored to clinically meaningful endpoints, with risk‑appropriate monitoring and data integrity controls. Early engagement with competent authorities and ethics committees streamlines start‑up and minimizes protocol amendments that erode timelines.

Real‑world evidence from registries, pragmatic studies, and post‑market data can support both initial evaluation and PMCF when methodologically robust. Signal detection, confounding control, and bias mitigation are critical to preserving evidentiary value. Teams should maintain a continuous evidence generation plan that links premarket study outputs to post‑market learning objectives.

For detailed expectations and study conduct, see ISO 14155 clinical investigation. For non‑interventional designs and registry strategies, explore approaches to real‑world evidence.

05Post-market surveillance, vigilance, and lifecycle reporting

The MDR transforms post‑market controls into an active, data‑driven obligation. Articles 83–86 require a PMS plan proportionate to the device class and risk, supported by continuous data collection, trending, and corrective actions. Class I manufacturers prepare a PMS Report (Article 85), while Class IIa, IIb, and III prepare a Periodic Safety Update Report (PSUR) at defined intervals (Article 86) and, for higher‑risk devices, submit it via EUDAMED to the Notified Body and relevant authorities.

Vigilance obligations in Articles 87–92 mandate reporting of serious incidents and field safety corrective actions within prescribed timelines, trend reporting of non‑serious incidents, and communication through Field Safety Notices. Root cause analysis, benefit‑risk re‑assessment, and verification of effectiveness are integral, especially where device modifications or labeling updates are implemented in response to safety signals.

Operationally, PMS must be embedded in the QMS and linked to risk management and clinical evaluation updates. Proactive collection mechanisms include user feedback programs, literature surveillance, registry participation, and targeted PMCF activities. Trending should be statistically justified, sensitive enough to detect emerging patterns, and documented for Notified Body review.

  • A risk‑based PMS plan describing data sources, methodologies, and statistical approaches
  • Signal detection and investigation procedures aligned with risk management
  • PSUR or PMS Report schedules, content, and approval workflows
  • Vigilance reporting criteria, timelines, and EUDAMED submission pathways
  • Field action governance, including FSCA decision trees and effectiveness checks
  • Feedback loops to design controls, labeling, and clinical evaluation updates

06UDI, registration, and EUDAMED transparency

The MDR institutionalizes Unique Device Identification under Article 27 and Annex VI to enable end‑to‑end traceability. Each device family is assigned a Basic UDI‑DI, which anchors certificates and EUDAMED registrations. Production units carry a UDI composed of a Device Identifier (UDI‑DI) and a Production Identifier (UDI‑PI) that together support recalls, vigilance, and supply chain control. Issuing entities such as GS1 provide standards for barcodes and data carriers used on labels and, where applicable, direct part marking.

EUDAMED is the EU’s electronic system that will centralize actor registration, UDI/device registration, certificates, clinical investigations, vigilance, and market surveillance. Once all modules are fully functional and the mandatory date takes effect, actors must register, associate devices with their Basic UDI‑DI, upload certificates, and route vigilance submissions through the platform. The system strengthens transparency, enables PSUR access for authorities, and streamlines cross‑border oversight.

Manufacturers should architect master data, labeling, and ERP handoffs so the UDI‑DI, UDI‑PI, and Basic UDI‑DI remain consistent across technical documentation, certificates, and EUDAMED. Early alignment with an issuing entity’s data structures reduces rework during scale‑up and mitigates mismatch findings during Notified Body audits.

07Legacy devices and the MDR transition under Regulation (EU) 2023/607

Regulation (EU) 2023/607 amended the MDR to extend the transition for certain devices certified under the old directives, provided strict conditions are met. The extension addresses system capacity constraints and allows continued market availability while manufacturers complete MDR conformity assessment. It does not relax MDR’s post‑market obligations, which apply to legacy devices during the extension.

Key conditions include an MDR‑compliant quality management system by 26 May 2024, a formal application to a Notified Body for MDR assessment by the same date, and a signed written agreement with the Notified Body by 26 September 2024. No significant changes in design or intended purpose are permitted, devices must not present an unacceptable risk, and PMCF, PMS, vigilance, and market surveillance must follow MDR rules throughout.

Deadlines vary by device class, reflecting risk. High‑risk implants transition earlier, while lower‑risk classes have a longer runway. Manufacturers should map their portfolio to these dates, document condition fulfilment, and maintain rigorous change control to avoid inadvertently ending the extension by triggering a significant change.

Device category (legacy MDD/AIMDD)Last valid placing on the marketSelected conditions (non‑exhaustive)
Class III and Class IIb implantable (other than sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips and connectors)31 Dec 2027MDR‑compliant QMS by 26 May 2024; MDR NB application by 26 May 2024; NB agreement by 26 Sep 2024; no significant change; MDR PMS/vigilance applies
Other Class IIb and Class IIa31 Dec 2028Same core conditions; change control to avoid significant changes; continued directive surveillance by NB where applicable
Up‑classified Class I (self‑declared under MDD, NB involvement under MDR)31 Dec 2028Same core conditions; label and IFU updates without significant change permissible under guidance

Portfolio‑level transition plans should incorporate buffer for Notified Body capacity and potential nonconformities. For a concise overview of the amendment and its implications, see MDR extension Regulation 2023/607.

09Implementing MDR effectively with V5 Ultimate

Operationalizing MDR is a cross‑functional exercise. Teams must maintain current technical documentation, control labeling and UDI data, trend post‑market signals, and prepare clean, reviewable packages for Notified Body assessment. Fragmented spreadsheets, email‑based change control, and unstructured file shares are frequent sources of delay, rework, and nonconformities.

V5 Ultimate centralizes MDR‑relevant records into governed workflows. Documented evidence for Annex II and III, change histories, risk files, and PMS artifacts are linked so reviewers can navigate from GSPR claims to underlying test reports and clinical appraisals. UDI master data can be associated with labels, manufacturing batches, and distribution records for rapid field action execution and precise PSUR tabulations.

On the post‑market front, teams can structure feedback channels, trend events, and route investigations with clear ownership. Dashboards surface leading indicators, enabling earlier interventions and better‑informed PMCF updates. Supplier controls, internal audits, and training completeness feed management reviews, closing the loop expected under Article 10(9).

Whether you are remediating a legacy portfolio under the transition extension or building a first‑time CE strategy, a systematized approach reduces surprises at Notified Body audits and speeds iteration. Start by mapping your MDR responsibilities to owned workflows, then connect the artifacts that demonstrate conformity. Our QMS capability provides the backbone to do exactly that.

Frequently asked questions

Q.What did the MDR change compared to the previous directives?+

It raised clinical evidence expectations, expanded post‑market surveillance and vigilance, introduced UDI and EUDAMED transparency, tightened equivalence, and made all economic operators legally accountable with clear duties and a required Person Responsible for Regulatory Compliance.

Q.When do legacy MDD/AIMDD certificates expire under the MDR extension?+

Under Regulation (EU) 2023/607, most high‑risk legacy devices may remain on the market until 31 December 2027, with many others until 31 December 2028, if strict conditions are met, including an MDR QMS and Notified Body engagement.

Q.How is software classified under the MDR?+

Annex VIII Rule 11 often places standalone software into Class IIa or higher depending on clinical impact. Up‑classification typically triggers Notified Body involvement and strengthens clinical evidence and post‑market surveillance expectations.

Q.What does the MDR require for clinical evidence?+

Article 61 and Annex XIV require a planned clinical evaluation with robust, device‑specific data and, where applicable, PMCF to maintain evidence post‑market. Reliance on equivalence is constrained, especially for higher‑risk and innovative devices.

Q.What are the MDR’s UDI and EUDAMED obligations?+

Manufacturers must assign Basic UDI‑DI and device UDI‑DIs, carry UDI on labels or the device, and register actors and devices in EUDAMED once mandatory. UDI supports traceability, vigilance, and efficient field actions.

Q.How frequently are PSURs required?+

For Class IIa devices at least every two years, and for Class IIb and III at least annually, or as specified by guidance or Notified Body. PSURs must synthesize PMS and PMCF findings and update the benefit‑risk profile.

Q.Who is the Person Responsible for Regulatory Compliance (PRRC)?+

The PRRC oversees compliance with technical documentation, release controls, and post‑market obligations. Manufacturers must designate at least one PRRC; micro and small enterprises may contract one externally if availability and authority are ensured.

Primary sources

Further reading

Explore this topic

EU MDR sits inside this topic cluster in our glossary. Every neighbour is one click away.

See EU MDR working on a real shop floor

V5 Ultimate ships with the EU MDR controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.