EU Medical Device Regulation (Regulation (EU) 2017/745)
EU MDR regulates medical devices, including software as a medical device, requiring classification, conformity assessment, clinical evidence, and lifecycle post-market surveillance. Non-conformity can lead to fines and loss of EU market access.
What EU MDR Is
Regulation (EU) 2017/745, the Medical Device Regulation (MDR), governs how medical devices are designed, evaluated, and placed on the European market. It replaced the older Medical Device Directive to raise safety and transparency standards after high-profile device failures. MDR explicitly covers software as a medical device (SaMD) and embedded device software, and it reclassifies many software products into higher risk classes that demand more rigorous oversight.
MDR strengthens clinical evidence requirements, mandates lifecycle post-market surveillance, and introduces unique device identification (UDI) and the EUDAMED database for traceability.
Who It Applies To
MDR applies to manufacturers, authorized representatives, importers, and distributors that place medical devices on the EU market, regardless of where they are based. It covers physical devices, in-vitro accessories where relevant, and standalone medical software. Developers of clinical decision support, diagnostic, or therapeutic software frequently fall in scope when their product has a medical purpose.
Key Requirements
- Classification — Determine the device's risk class (I, IIa, IIb, III); software often classifies higher under MDR's Rule 11.
- Conformity assessment — Obtain Notified Body involvement for most classes and apply CE marking.
- Technical documentation — Maintain comprehensive design, risk, and verification records.
- Clinical evaluation — Provide clinical evidence of safety and performance, updated over the lifecycle.
- Risk management — Apply a continuous risk management process across design and use.
- Post-market surveillance — Collect field data, report incidents, and conduct post-market clinical follow-up.
- UDI and EUDAMED — Assign unique device identifiers and register in the EU database.
Penalties for Non-Compliance
Penalties are set by individual member states and can include fines, suspension or withdrawal of products from the market, recalls, and loss of CE certification. Selling non-conforming devices exposes manufacturers to liability, enforcement by competent authorities, and serious reputational harm. Certificate withdrawal can effectively block EU market access.
How to Comply
Classify the device correctly early, because class drives the entire compliance burden. Build a quality management system (commonly aligned to ISO 13485), maintain rigorous technical documentation, and establish a robust risk management and clinical evaluation process. Engage a Notified Body where required, implement UDI labeling, and register in EUDAMED. Stand up an active post-market surveillance system with vigilance reporting and post-market clinical follow-up, and treat software updates as changes that may require reassessment.