EU MDR 2017/745
European Medical Devices Regulation — Regulation (EU) 2017/745
Standard Introduction
The European Medical Devices Regulation (EU MDR) 2017/745 is the comprehensive regulatory framework governing the safety and performance of medical devices placed on the EU market. Replacing the previous Medical Devices Directive (MDD 93/42/EEC), the MDR became fully applicable on May 26, 2021, and represents a fundamental overhaul of EU medical device regulation. The MDR introduces stricter requirements for clinical evidence, post-market surveillance, risk management, and traceability through Unique Device Identification (UDI). It applies to medical devices ranging from simple bandages (Class I) to life-sustaining implants (Class III), covering an estimated 500,000 types of medical devices on the EU market.
MDR compliance requires manufacturers to implement a quality management system (typically ISO 13485), prepare comprehensive technical documentation, conduct clinical evaluations with sufficient clinical evidence, establish post-market surveillance systems including Periodic Safety Update Reports (PSURs), assign UDI codes to devices, register in the EUDAMED database, and obtain CE marking through conformity assessment. Higher-risk devices (Class IIa, IIb, III) require involvement of Notified Bodies — accredited organizations that audit and certify device compliance. The transition from MDD to MDR has been extended multiple times, with final deadlines reaching 2027-2028 for certain device classes. The regulation also introduces new scrutiny procedures for high-risk devices, mandatory clinical investigations for Class III implantables, and the concept of the Person Responsible for Regulatory Compliance (PRRC).
Risk-Based Classification
Classifies medical devices into Class I (lowest risk), Class IIa, Class IIb, and Class III (highest risk), with increasingly stringent conformity assessment requirements.
Unique Device Identification
Requires a Unique Device Identification (UDI) system for traceability. Devices must be registered in the European Database on Medical Devices (EUDAMED).
Clinical Evidence
Mandates clinical evaluation for all devices. Higher-risk devices typically require clinical investigations. Post-market clinical follow-up (PMCF) is mandatory for all classes.
list_alt Key Obligations
- Device classification (Rule 1-22 in Annex VIII)
- Quality Management System (ISO 13485)
- Clinical evaluation and clinical investigations
- Technical documentation per Annexes II and III
- Unique Device Identification (UDI-DI and UDI-PI)
- Post-market surveillance and PMCF
- Serious incident reporting (vigilance)
- Notified Body conformity assessment for Class IIa+
Who Needs to Comply?
Manufacturers of medical devices placed on the EU market, including authorized representatives for non-EU manufacturers. Covers a vast range of products from bandages to implants, surgical instruments, and in-vitro diagnostic accessories.
Key Requirements
Device Classification
Classify your medical device using the 22 classification rules in Annex VIII. Classification determines the conformity assessment route, clinical evidence requirements, and Notified Body involvement.
Technical Documentation
Prepare comprehensive technical documentation per Annex II (device description, design, manufacturing, risk management, clinical evaluation, labeling) and Annex III (post-market surveillance plan).
Clinical Evaluation
Conduct and document a clinical evaluation per Article 61 and Annex XIV. Demonstrate safety and performance through clinical data — literature review, clinical experience, and/or clinical investigations.
Post-Market Surveillance
Establish a post-market surveillance system proportionate to device risk class. Conduct post-market clinical follow-up (PMCF). Report serious incidents to competent authorities within 15 days (or 10/2 for trends/serious threats).
EUDAMED Registration
Register as an economic operator, register devices with UDI codes, submit safety and clinical data, and report vigilance data through the European Database on Medical Devices (EUDAMED).
Implementation Roadmap
Prepare scope, ownership and regulatory context
Define the medical device regulatory compliance system scope across device classification, clinical evaluation, technical documentation, quality management, UDI, EUDAMED obligations, post-market surveillance, vigilance, and economic operators. Assign accountable owners, identify applicable legal, customer, certification, or market-access drivers, and agree the evidence model before remediation starts.
Gap analysis and risk-based planning
Assess current practices against EU MDR expectations and risk context. Review general safety and performance requirements, conformity assessment, notified body engagement, clinical evidence, risk management, PMS, PMCF, vigilance reporting, labeling, UDI, and supply-chain responsibilities, then prioritize gaps by legal exposure, customer impact, safety or privacy risk, and audit or submission readiness.
Implement controls, documentation and evidence
Deploy the required processes, controls, reviews, training, supplier controls, and documented information. Build traceable evidence around technical documentation, GSPR checklists, clinical evaluation reports, risk management files, PMS plans, PMCF reports, vigilance records, declarations of conformity, UDI records, and QMS procedures.
Review, audit and maintain compliance
Complete internal reviews, readiness checks, and corrective actions before the notified body conformity assessment or competent authority review. Keep the program current after product, supplier, legal, customer, incident, or operational changes.
Compliance Checklist
checklist Scope and accountability
checklist Controls and records
checklist Monitoring and improvement
Penalties & Enforcement
Non-compliant devices are withdrawn from the EU market. Member states can impose fines (e.g., up to EUR 500,000 in Ireland). Criminal sanctions apply in some member states. Notified Bodies can suspend or withdraw CE certificates.
Frequently Asked Questions
Who needs EU MDR?
expand_more
EU MDR is relevant for organizations whose activities fall within device classification, clinical evaluation, technical documentation, quality management, UDI, EUDAMED obligations, post-market surveillance, vigilance, and economic operators. It is commonly driven by regulation, customers, procurement requirements, market access, or the need to demonstrate disciplined control over high-impact risks.
What is the core purpose of EU MDR?
expand_more
The core purpose is to create a repeatable program for general safety and performance requirements, conformity assessment, notified body engagement, clinical evidence, risk management, PMS, PMCF, vigilance reporting, labeling, UDI, and supply-chain responsibilities. The details vary by sector, but the practical goal is to make obligations visible, assign ownership, operate controls, and keep evidence current.
What should be done first?
expand_more
Start by confirming scope and ownership. Many failures come from unclear boundaries, missing accountable owners, or evidence that does not match the actual product, service, system, or data flow.
How long does implementation take?
expand_more
A focused implementation can take several months. Timelines depend on maturity, number of products or sites, supplier involvement, technical complexity, test evidence, and the depth of external review required.
What evidence is most useful?
expand_more
Useful evidence includes technical documentation, GSPR checklists, clinical evaluation reports, risk management files, PMS plans, PMCF reports, vigilance records, declarations of conformity, UDI records, and QMS procedures. Auditors, regulators, customers, or reviewers usually expect evidence that controls are operating, not only that policies exist.
How should suppliers be handled?
expand_more
Supplier responsibilities should be defined contractually and operationally. High-risk suppliers need due diligence, flow-down requirements, evidence requests, performance monitoring, and escalation routes for findings or incidents.
How often should the program be reviewed?
expand_more
Review frequency should follow risk and change. Annual reviews are common, but product releases, incidents, regulatory changes, customer requirements, major suppliers, or audit findings should trigger targeted review sooner.
Can this be integrated with other compliance programs?
expand_more
Yes. EU MDR can often share governance, training, supplier management, document control, issue tracking, internal audit, and management review with related standards, while keeping its specific legal or technical evidence separate.
Official Documentation
EU MDR 2017/745 Official Text
EUR-Lex • Full Regulation Text • All EU Languages
EUR-Lex MDR Portal
External Link • eur-lex.europa.eu • Official EU Law
EC MDR Guidance Documents
External Link • ec.europa.eu • Implementation Guidance & MDCG Documents