Frequently Asked Questions | MDR 2017/745

The MDR is the European Union Medical Device Regulation 2017/745 that were released in 2017 which essentially govern the clinical investigation, design, development, production, sales, and distribution of medical devices in Europe. The MDR applies since 26 May 2021, it repeals Directive 93/42/EEC (MDD) on medical devices and the Directive 90/385/EEC on active implantable medical devices.

The aim of the MDR is to address some inherent weaknesses in the old directives while assuring reliability, safety and innovation in the field of medical devices. Compared to the MDD, MDR introduces more emphasis on the life-cycle approach to medical devices.

Much higher demands on manufacturers. Generally, Conformity assessment procedures by the Notified body are more complex. Product equivalence will be more stringently interpreted. Clinical data and Clinical Evaluation Report (CER) will face heavy scrutiny and require frequent updates. Manufacturers must also fulfill increased post-market surveillance requirements, perform more Post-Market Clinical Follow-up (PMCF) studies, and deliver Period Safety Update Reports (Class IIa devices and above). Transitioning to the MDR might seem overwhelming and many companies don’t know where to start. The process will require certain capacity, financial investments, and strengthen expertise by the manufacturers.

• The first step is to assess your current level of compliance. A thorough gap analysis will generate a task list for updating your procedures and documentation.
• Make sure your marketing claims are covered by clinical data.
• Portfolio assessment should be carried out to determine which products you want to transition and invest in.
• Check the ability of your Notified Body of serving you with MDR certification, in time for the full applicable scope of your devices.
• Check if the Classification of your devices will change. Manufacturers need to determine whether new conformity assessment routes are now applicable to their product portfolio.
• Make sure that you have full technical documentation for all devices you market including the post-market clinical data as part of the on-going assessment.
• Make sure IT processes ready. MDR might also be an opportunity to upgrade tools and systems. Manufacturer to make sure there is a process for the UDI requirements and keep an eye on the developments and requirements for EUDAMED.

MDR introduced several key enforcements compared to MDD, among them:

• Stricter control for high-risk devices via a new pre-market scrutiny mechanism with the involvement of a pool of experts at EU level
• The inclusion of certain aesthetic devices which present the same characteristics and risk profile as analogous medical devices under the scope of these Regulations.
• Improved transparency through the establishment of a comprehensive EU database on medical devices and of a device traceability system based on Unique Device Identification
• The introduction of an “implant card” containing information about implanted medical devices for a patient.
• The reinforcement of the rules on clinical evidence, including an EU-wide coordinated procedure for authorization of multi-center clinical investigations
• The strengthening of post-market surveillance requirements for manufacturer
• Improved coordination mechanisms between EU countries in the fields of vigilance and market surveillance

The MDR entered into force in May 2017 and became applicable on 26 May 2021. For medical devices covered by a certificate or a declaration of conformity issued before 26 May 2021, the transition period to the new rules is extended from 26 May 2024 to 31 December 2027 for higher risk devices and until 31 December 2028 for medium and lower risk devices. The extension will be subject to certain conditions, so that only devices that are safe and for which manufacturers have already taken steps to transition to the rules provided for by the Medical Devices Regulation will benefit from the additional time.

The proposal introduces a transition period until 26 May 2026 also for class III implantable custom-made devices, giving their manufacturers more time to obtain certification by a notified body. Also in this case, the transition period is subject to the application of the manufacturer for MDR conformity assessment of devices of this type before 26 May 2024. Several conditions need to be met before the products can take advantage of the extended timelines.

Please find all details in the published Regulation amending Regulation (EU) 2017/745 on the EU commission website: eur-lex.europa.eu

• The “sell-off” provision was intended to limit the time during which devices that are compliant with the Directives and have already been placed on the market may be made available.
• Based on the amended regulation, In Article 120(4) MDR, the deadline for the further making available on the market of devices placed on the market in accordance with the previously applicable Directives has been deleted.
• That means that medical devices that have been placed on the market prior to 26 May 2021 in accordance with the MDD or after 26 May 2021 during the transitional period provided for in Article 120 MDR (i.e., until 31 December 2027 or 31 December 2028, as applicable) may continue to be made available on the market or put into service without any limitation in time without prejudice to the device’s possible shelf-life or expiry date. 

Please find more information such as QNA’s and factsheets on the EU Commissions website: health.ec.europa.eu

Yes, state of the art means to utilize the most recent version of the standard. However, products designed and manufactured according to applicable harmonized European standards the references to which are published in the Official Journal of the European Union (OJEU) benefit from a presumption of conformity with the relevant legal requirements. Once the standards are published in the OJEU they are considered as MDR harmonized standards.

Please find the MDCG 2021-5 Guidance on standardization for medical devices.

Note that Standards are voluntary, and the manufacturer could present a suitable justification for not using the most recent version of the standard.

Particular standards amend or provide additional requirements to those in the general standard. Therefore, it may not be practical to use the latest version of the general standard with a particular standard that is aligned with the previous version.

It is not yet defined in any regulation. Usually, the transition time or stability time defined by the new version of the standard and the standard organization would be taken into consideration. For those immediately replacing the old version, at least a plan and gap analysis should be considered or justification.

A number of the standards that have been harmonized under the MDR were 2021 versions so this may not be the case for the first listing of the standard.

No, PSURs are not required for products defined as class I (Only Class IIa devices and above).

The new cybersecurity requirements of the MDR went into effect in May 2021. These requirements aim to ensure the secure and safe use of medical devices in the EU.

In general, the new obligations include:

• Incorporating cybersecurity as an integral part of the device design and development process.
• Implementing appropriate measures to manage cybersecurity risks throughout the device's entire lifecycle.
• Providing information on cybersecurity risks and measures in the instructions for use and the technical documentation of the device.
• Keeping the device updated and secure throughout its lifecycle.

The MDCG guidance Table 1 lists all the General Safety and Essential Performance Requirements (GSPRs) related to cybersecurity in MDR Annex I. Manufacturers should take into consideration state-of-the-art when designing and producing their devices, and even when making future updates. Manufacturers should also consider state-of-the-art when addressing their decision-making as proportionate to the potential security risks (based on current standards, guidance, proprietary knowledge and publicly available information).

Important GSPRs noted in MDR Annex I include performance of the device, reducing risk, risk management systems, control measures, combination/connection of devices and systems, and all interactions between software and IT environments. Critical cybersecurity requirements are documented in MDR Annex I Section 17.2. This requires software in medical devices or software that is deemed a device in itself to be created and produced with state-of-the-art and to consider the development life cycle, risk management, and information security during verification and validation.

Article 15 of the MDR requires manufacturers (and authorized representatives) to have at least one person responsible for regulatory compliance (PRRC) available within their organization to make sure the company is meeting the requirements of the MDR. This includes the implementation and keeping up to date the post-market surveillance system in accordance with Article 83. Organizations with more than one legal manufacturer under the parent company would need to ensure that each legal manufacturer has its own PRRC.

The PRRC must be employed by the manufacturer. Only companies with fewer than 50 employees and an annual turnover under EUR 10 million (falling within the definition of micro and small enterprises as per Commission Recommendation 2003/361/EC) are allowed to outsource their PRRC to an outside expert, under the conditions that the PRRC fulfils the qualification criteria and is permanently and continuously at their disposal.

Please find MDCG 2019-7 for more guidance.

MDCG 2022-14 lists several actions for notified bodies, to enhance the capacity and to help streamline the notified bodies. This includes encouraging notified bodies to conduct hybrid audits to speed conformity assessments. The MDCG also advised Notified Bodies to use past experiences from auditing products to avoid redoing much of the work and to combine MDD and MDR audits, where possible.

Medical Device certification under the MDR is offered through our legal entity Intertek Medical Notified Body AB (IMNB AB), Notified Body Number NB 2862.

The headquarters for IMNB AB is in Stockholm, Sweden. We continue to have our teams based around the globe, including but not limited to North America, China, India, United Kingdom, and Sweden.