EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

March 9, 2026

Diego Rodriguez Muñoz

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and is being phased in progressively through 2026 and beyond. For companies developing AI-powered Software as a Medical Device (SaMD), it introduces a second, overlapping regulatory obligation that runs alongside, and interacts with, the existing requirements of EU MDR and IVDR.

This is not a distant compliance horizon. The provisions most relevant to medical device AI became applicable from August 2026. Companies that have not yet assessed their AI systems against the AI Act risk gaps in their technical documentation and conformity processes at exactly the moment Notified Bodies are beginning to incorporate AI Act considerations into their assessments.

This guide explains what the AI Act requires from SaMD developers, how it interacts with MDR and IVDR, and what practical steps manufacturers should be taking now.

For general SaMD MDR compliance, see our SaMD EU MDR Compliance Guide

Timeline Update: April 2026

Since this article was originally published, two important milestones have passed and one critical deadline distinction has been clarified. If you are planning your AI Act compliance roadmap as a SaMD developer, your timeline may need adjusting.

February 2026: Commission published guidelines on Article 6

The European Commission met its deadline under Article 6(5) of the AI Act and published practical guidelines on how to classify AI systems as high-risk, including concrete examples of what qualifies and what does not. If your team has not yet reviewed these guidelines as part of your classification assessment, this is a priority action, they directly affect how you document your high-risk determination in your technical file.

2 August 2026 :Most high-risk AI obligations now apply, but with a critical exception for medical devices

As of 2 August 2026, the majority of high-risk AI obligations under the AI Act entered into application. However, there is an important split that is directly relevant to SaMD developers:

Article 6(1) the provision that covers AI systems embedded in products subject to third-party conformity assessment under EU harmonisation legislation, does not apply until 2 August 2027. This is the provision that governs CE-marked medical devices and IVDs regulated under MDR and IVDR, where Notified Body involvement is required.

In practical terms, this means that manufacturers of Class IIb/III medical devices (MDR) or Class C/D IVDs (IVDR) that incorporate AI have until August 2027, not August 2026, to comply with the Article 6(1) high-risk classification pathway. The 2026 deadline applies primarily to AI systems listed in Annex III of the AI Act that are not subject to Notified Body conformity assessment under other EU legislation.

There is also a transitional provision worth noting: AI systems already placed on the market before 2 August 2026 are only subject to the new obligations if they undergo significant design changes after that date.

The full official timeline is available at the EU AI Act implementation timeline.

Revised compliance milestones for SaMD developers

February 2025: AI literacy requirements and prohibitions on unacceptable-risk AI applied
August 2025: GPAI model obligations applied (relevant if your SaMD is built on a foundation model)
February 2026: Commission guidelines on Article 6 classification published
2 August 2026: Most high-risk AI obligations apply (Annex III systems without NB assessment)
2 August 2027: Article 6(1) applies: key deadline for CE-marked MDR/IVDR SaMD

We recommend beginning compliance preparation now regardless of which deadline applies to your device. Notified Bodies are already incorporating AI Act expectations into their MDR and IVDR assessments ahead of the legal deadline, and the documentation work involved, training data governance, bias assessment, human oversight design, takes considerable time to complete properly.

The rest of this article describes what the high-risk AI obligations require in practice. Read it with the above timeline in mind.

1. Does the AI Act Apply to Your Software?

The AI Act applies to AI systems placed on the market or put into service in the EU. An AI system is defined as a machine-based system that, given explicit or implicit objectives, infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that can influence real or virtual environments.

This definition is intentionally broad. It covers:

Machine learning models (supervised, unsupervised, reinforcement learning)
Deep learning systems including convolutional neural networks used in medical imaging
Natural language processing tools used in clinical documentation or decision support
Bayesian classifiers and other probabilistic inference systems

It does not cover:

Traditional rule-based software with no learning or inference component
Software that executes fixed logic without adaptive behaviour

If your SaMD uses any form of machine learning or statistical inference to generate clinical outputs, the AI Act almost certainly applies.

2. High-Risk AI Classification for Medical Devices

The AI Act categorises AI systems by risk level. For medical device manufacturers, the critical category is high-risk AI.

Under Annex III of the AI Act, AI systems intended to be used as safety components of medical devices, or which are themselves medical devices regulated under MDR or IVDR, are automatically classified as high-risk AI.

This means: if your SaMD is a CE-marked medical device or IVD, or is a software component that performs a safety function within one, it is high-risk AI under the AI Act. There is no further classification analysis required, the medical device status determines it.

High-risk AI systems are subject to the full obligations of the AI Act, including:

Risk management system: an AI-specific risk management process, documented and integrated with the ISO 14971 risk management already required under MDR
Data and data governance: training, validation, and testing datasets must be relevant, representative, free of errors, and sufficiently complete; demographic and geographic representativeness must be documented
Technical documentation: a detailed record of the AI system’s design, development process, training methodology, validation approach, and performance characteristics
Transparency and instructions for use: users must be provided with clear information about the AI system’s capabilities, limitations, accuracy metrics, and circumstances under which human oversight is required
Human oversight: the system must be designed to allow human oversight and intervention; it must not undermine the ability of the operator or user to override, disregard, or reverse outputs
Accuracy, robustness, and cybersecurity: performance must be declared and validated; the system must be resilient to errors, faults, and adversarial manipulation
Conformity assessment: high-risk AI systems must undergo a conformity assessment before being placed on the market

3. How the AI Act Interacts with MDR and IVDR

This is where the compliance picture becomes complex, and where early planning pays off.

The AI Act does not replace MDR or IVDR. Both regulatory frameworks apply simultaneously to AI-powered SaMD. However, the EU has designed a streamlined pathway for medical devices that are already subject to Notified Body review under MDR or IVDR.

Under Article 11 and Annex II of the AI Act, AI systems that are regulated as medical devices benefit from a single technical documentation approach meaning the AI Act technical documentation requirements can be integrated into the existing MDR/IVDR technical file rather than creating a separate document set.

Similarly, for Class IIb and III medical devices (MDR) and Class C and D IVDs (IVDR) which are the most likely to contain high-risk AI the Notified Body involvement already required under MDR/IVDR can cover the AI Act conformity assessment. The Notified Body acts as the relevant conformity assessment body for both frameworks.

In practice this means:

What changes for AI-powered SaMD under the AI Act:

Technical documentation must now explicitly address AI-specific elements: training data governance, model validation across subgroups, bias assessment, explainability approach, and human oversight mechanisms
Post-market monitoring must include AI performance monitoring tracking model drift, accuracy degradation over time, and distribution shift in real-world data
Transparency obligations require new IFU content describing AI limitations and human oversight requirements
A fundamental rights impact assessment may be required for certain high-risk AI applications in healthcare

What does not change:

The MDR/IVDR conformity assessment route remains the primary pathway
The Notified Body relationship established for MDR/IVDR CE marking remains the relevant body
ISO 14971 risk management, IEC 62304 lifecycle management, and clinical evaluation requirements are unchanged AI Act risk management is additive, not a replacement

4. General Purpose AI (GPAI) Models in Medical Devices

A separate and increasingly relevant category is General Purpose AI (GPAI) large foundation models or multimodal AI systems that can be adapted or fine-tuned for specific applications.

If a SaMD developer is building on top of a GPAI model: for example, fine-tuning a large language model for clinical documentation, or adapting a vision foundation model for medical image analysis both the GPAI model provider and the SaMD developer have obligations under the AI Act.

GPAI model providers must publish technical documentation and comply with copyright and transparency requirements. SaMD developers who deploy or fine-tune GPAI models are responsible for ensuring the resulting system meets all high-risk AI obligations, including data governance, validation, and clinical performance claims. The validation methodology for fine-tuned GPAI models in medical contexts is an area where regulatory guidance is still developing, early engagement with your Notified Body is strongly recommended.

5. Key Timelines

August 2024: AI Act enters into force.

February 2025: Prohibitions on unacceptable-risk AI systems apply. Not directly relevant for medical SaMD, but important for any AI used in patient-facing administrative processes.

August 2025: GPAI model obligations apply. SaMD developers building on foundation models must assess their exposure now.

August 2026: High-risk AI obligations fully apply. This is the key deadline for medical device AI. From this date, new AI-powered SaMD placed on the EU market must comply with all high-risk AI requirements.

Post-2026: Notified Bodies designated under the AI Act will begin conducting AI Act-specific conformity assessments. The intersection with MDR/IVDR NB assessments will become a standard part of the conformity process.

6. What to Do Now: A Practical Checklist

Classify your AI systems. Identify every AI component in your SaMD portfolio and confirm whether it meets the EU’s definition of an AI system. For each, document the risk classification and the rationale.

Assess your technical documentation gaps. Review your existing MDR/IVDR technical files against the AI Act Annex IV requirements. Identify where AI-specific content, training data documentation, bias assessment, explainability approach, is missing or insufficient.

Review your data governance. The AI Act’s requirements for training data representativeness and bias documentation are more explicit than anything in MDR. If your training data governance is not documented at the level the AI Act requires, this is a gap that needs addressing before your next Notified Body audit.

Update your IFU and labelling. Transparency obligations mean users must be explicitly informed about AI limitations, performance metrics across relevant subgroups, and circumstances requiring human override. Most current SaMD IFUs are not written to this standard.

Engage your Notified Body. Ask your NB directly how they are approaching AI Act integration into MDR/IVDR assessments. Different NBs are at different stages of readiness, and early clarity on what they will expect prevents last-minute documentation gaps.

Build AI performance monitoring into your PMS. Post-market surveillance for AI-powered SaMD must now track model performance over time. If your PMS plan does not include AI-specific monitoring metrics, update it before August 2026.

Frequently Asked Questions: EU AI Act and Medical Devices

What is the difference between the EU AI Act and the MDR for medical device AI?

The MDR (Medical Device Regulation) governs the safety, efficacy, and quality of medical devices, including those powered by AI. The EU AI Act is a separate regulatory framework that addresses the risks and accountability of AI systems themselves. The AI Act focuses on how the AI system was built, trained, validated, and deployed, while MDR focuses on the clinical performance of the device. Both apply simultaneously to AI-powered SaMD from August 2026 onwards.

Does the AI Act apply to all machine learning models in medical devices?

Yes, if you use any form of machine learning, deep learning, or statistical inference to generate clinical outputs, the AI Act applies. This includes supervised learning, convolutional neural networks for medical imaging, natural language processing for clinical documentation, and Bayesian classifiers. It does NOT apply to traditional rule-based software with fixed logic and no learning or inference capability

What does ‘high-risk AI’ mean under the EU AI Act?

High-risk AI includes AI systems that are themselves medical devices or safety components of medical devices regulated under MDR, or AI systems regulated under IVDR. If your SaMD is CE-marked or classified as a medical device, it is automatically classified as high-risk AI. High-risk AI must comply with all AI Act obligations: risk management, data governance, technical documentation, transparency, human oversight, and conformity assessment.

What are the data governance requirements under the AI Act?

The AI Act requires explicit documentation that training, validation, and testing datasets are relevant, representative, free of errors and bias, and sufficiently complete. Demographic and geographic representativeness must be documented, particularly important for medical AI to ensure performance across age, sex, ethnicity, and geography. This is more explicit than MDR alone.

What are the human oversight requirements under the AI Act?

High-risk AI systems must be designed to enable human oversight and intervention. Users must be able to override, disregard, or reverse the AI’s decision, and the system must not undermine this ability. For clinical SaMD, this typically means the AI operates in decision-support mode and clinicians retain authority to override recommendations.

When do I need to comply with the AI Act?

August 2026 is the key deadline for medical device AI. From this date, all new AI-powered SaMD placed on the EU market must comply with high-risk AI requirements, Notified Bodies will incorporate AI Act assessments into MDR/IVDR reviews, and technical documentation must include AI-specific content.

Master Artificial Intelligence (AI) in Medical Devices

Medical professionals at a webinar discussing AI in medical devices, focusing on clinical evaluation, evidence, and regulatory compliance for SaMD development.

Join regulatory experts Alberto Bardají (Quixano) and Diego Rodríguez Muñoz (MDx) for a practical live webinar on building evidence for AI-powered medical device compliance.

What you’ll learn:

Regulatory pathways: How to navigate both MDR and AI Act requirements simultaneously
Data generation strategies: Building pre-clinical and clinical evidence for AI/ML models
Bias assessment & documentation: Demographic and geographic representativeness requirements
Real-world case studies: Lessons from companies navigating the August 2026 deadline
Best practices: How to integrate AI Act requirements into your existing MDR technical file

Session format: Live interactive Q&A | Duration: 60 minutes | When: Upcoming date via LinkedIn

Diego Rodríguez Muñoz, PhD

RA Specialist

Regulatory affairs specialist & CRA with expertise in EU MDR/IVDR, CE marking, Biological Evaluations (dental), and clinical investigations & technical documentation for MDs & IVDs.

Industry Insights & Regulatory Updates

Researchers conducting advanced medical technology experiments in a laboratory setting, focusing on clinical research and innovative solutions for healthcare.

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

Automated manufacturing of medical vials in a cleanroom environment, highlighting MedTech advancements by MDX for medical device and pharmaceutical industries.

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Close-up of a scientist handling a test tube with DNA strands and digital medical data overlays, emphasizing advanced medical technology and research.

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

A tall stack of organized medical device documentation and regulatory papers against a blue background, emphasizing compliance and regulatory standards in MedTech.

IMDRF Draft N91 2026: New Clinical Evidence Requirements for IVDs Explained

EU MDR 2017/745 for Dental Devices: Complete Guide (2026)

SaMD Compliance Guide: Navigating Regulations for Software as a Medical Device

January 8, 2026

Software as a Medical Device (SaMD) occupies a unique position in the regulatory landscape. Unlike physical devices, software can be updated continuously, deployed across borders instantly, and embedded into clinical workflows in ways that are difficult to audit or reverse. These characteristics make it one of the most complex categories to bring to market under the EU Medical Device Regulation (MDR, Regulation (EU) 2017/745).

This guide covers what SaMD developers, digital health companies, and regulatory teams need to understand to achieve and maintain CE marking under EU MDR, from initial classification through to post-market surveillance.

For companies developing AI-powered SaMD, see our companion guide: EU AI Act and Medical Devices: What SaMD Developers Need to Know

1. Does Your Software Qualify as SaMD?

Not all medical software is a medical device. The first and most important step is determining whether your software falls within the MDR’s scope.

The International Medical Device Regulators Forum (IMDRF) defines SaMD as:
“Software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”

Under MDCG 2019-11 the EU guidance document on software qualification and classification, software qualifies as a medical device when the manufacturer’s intended purpose includes one or more of the following: diagnosis, prevention, monitoring, prediction, prognosis, treatment, or alleviation of disease or injury in individual patients.

The key word is intended. It is not the capability of the software that determines its regulatory status, it is how the manufacturer positions, labels, and markets it.

Software that qualifies as SaMD:

An AI-based image analysis tool that assists radiologists in detecting tumours
A mobile app that predicts hypoglycaemic events for diabetic patients
A cloud algorithm that classifies ECG signals to detect arrhythmias
A clinical decision support tool that recommends treatment options based on patient data

Software that does not qualify as SaMD:

Scheduling, billing, or administrative healthcare software
General wellness or fitness apps not marketed for disease diagnosis or monitoring
General-purpose image viewers used in clinical settings but not intended for diagnosis
Software that drives or controls a hardware medical device (classified as software in a device, not as a device)

If there is genuine uncertainty about whether your software qualifies, document the reasoning explicitly. This is one of the first things a Notified Body will look for.

2. Classification Under MDR Rule 11

Once software is confirmed to be a medical device, it must be classified according to Annex VIII, Rule 11 of the MDR. This is the rule specifically designed for software, and it determines whether you need a Notified Body and which conformity assessment route applies.

Rule 11 classification depends on the intended purpose and the consequences of error:

Class III — Software intended to provide information used to make decisions for diagnosis or therapy of life-threatening conditions, where an error could cause immediate deterioration or irreversible harm. Examples: software diagnosing acute MI from ECG, cancer detection algorithms used in surgical planning.

Class IIb — Software intended to provide information for diagnosis or therapy of serious conditions where an error could cause significant deterioration. Examples: software classifying radiology images for treatment planning, AI tools supporting oncology staging.

Class IIa — Software intended to provide information for diagnosis or monitoring, where errors are unlikely to cause serious harm. Examples: chronic disease monitoring apps, software flagging abnormal lab values for clinical review.

Class I — Software intended only for administrative purposes, or software that monitors physiological processes in non-critical contexts. Class I requires no Notified Body involvement (unless sterile, with a measurement function, or reusable surgical).

The critical implication: the majority of clinically meaningful SaMD — any tool that informs a clinical decision, will land in Class IIa or above, requiring Notified Body review. Plan for this from the start of development.

3. The MDR Compliance Roadmap for SaMD

Achieving CE marking for SaMD under MDR requires a structured process across multiple technical and quality domains. These are not sequential checkboxes — they must be built in parallel and integrated throughout the software development lifecycle.

Intended Purpose and Use Context

Define the intended medical purpose with precision: who the users are, in what environment the software will be used, what inputs it processes, and what outputs or decisions it supports. This definition drives classification, clinical evidence requirements, labelling, and risk management. Changes to intended purpose late in development are expensive and disruptive.

Risk Management (ISO 14971)

Software-specific hazards go beyond physical failure. For SaMD, risk management must address algorithm drift (model performance changing over time on real-world data), cybersecurity vulnerabilities, data input errors, interoperability failures, and the consequences of false positives and false negatives in different clinical scenarios. Risk management is a lifecycle activity — it does not end at submission.

Quality Management System (ISO 13485)

A QMS certified to ISO 13485 is mandatory. For software, the QMS must specifically address design control, configuration management, version control, change control, software validation, and CAPA processes for software defects. Many software organisations transitioning from commercial development processes (Agile, DevOps) find that adapting these to ISO 13485 requirements is one of the most significant operational challenges.

Software Lifecycle (IEC 62304 and IEC 82304-1)

IEC 62304 is the harmonised standard for medical device software lifecycle processes. It requires software safety classification (Class A, B, or C based on the severity of harm if the software fails), and mandates specific documentation, verification, and validation activities proportionate to that class. IEC 82304-1 extends this to standalone health software. Compliance with these standards, evidenced in the technical documentation, significantly streamlines Notified Body review.

Clinical Evaluation (MDCG 2020-1)

SaMD must demonstrate clinical benefit not just technical performance. Under MDCG 2020-1, clinical evaluation for software must include a systematic literature review, analysis of clinical data from studies or real-world evidence, and a clear demonstration that the software’s outputs lead to measurable benefit in the intended patient population. “The algorithm is accurate” is not sufficient. The evaluation must show that clinical accuracy translates to clinical benefit.

Cybersecurity

Cybersecurity is a GSPR requirement (Annex I, section 13.6) and is assessed as part of conformity. Requirements include: ensuring confidentiality, integrity, and availability of data throughout the lifecycle; defining minimum IT requirements and secure configurations; implementing and validating security controls; providing clear IFU guidance on data protection, updates, and decommissioning; and maintaining a post-market security plan that tracks vulnerabilities and manages patches. The MDCG 2019-16 guidance and the IMDRF cybersecurity framework are the primary references.

Technical Documentation (Annex II and III)

SaMD technical documentation must include software architecture documentation, the software development plan and lifecycle records, risk management file, usability engineering file (IEC 62366), verification and validation records, clinical evaluation report, and labelling. For AI-based SaMD, documentation of training data, model validation methodology, and performance across demographic subgroups is increasingly expected by Notified Bodies.

Conformity Assessment and CE Marking

For Class IIa and above, a Notified Body must review the QMS and technical documentation. Once conformity is demonstrated, the manufacturer issues a Declaration of Conformity and applies the CE mark. Post-CE marking, the technical documentation must be kept current and the Notified Body must conduct periodic surveillance audits.

Post-Market Surveillance and Software Updates

PMS for SaMD is not passive. Manufacturers must actively monitor real-world performance data, including clinical outcomes where available, algorithm performance metrics, user feedback, and incident reports. Critically, every software update must be assessed to determine whether it constitutes a significant change requiring re-assessment or Notified Body notification. Changes to the algorithm, training data, intended use, or clinical claims are most likely to trigger this requirement.

4. Common Pitfalls and How to Avoid Them

Underestimating classification. Many developers initially classify their software as Class I, expecting to self-certify, only to discover during technical documentation preparation that the intended purpose clearly falls under Rule 11 Class IIa or above. Classification should be confirmed with regulatory input before development begins, not after.

Clinical evidence left to the end. Clinical evidence for SaMD takes time prospective studies, real-world performance evaluations, and literature reviews cannot be conducted in parallel with Notified Body submission. Build the clinical evidence strategy into the development plan from the start.

Treating the QMS as a documentation exercise. Notified Bodies now conduct in-depth QMS audits that test whether processes are genuinely embedded in the organisation. A QMS that exists only in documentation will not survive an audit.

Ignoring post-market obligations. The MDR’s post-market surveillance requirements for software are active and ongoing. Failure to establish functioning PMS processes before launch is a common finding in post-certification audits.

5. SaMD Under IVDR

If the software is intended to process data from in vitro diagnostic tests for example, software that interprets NGS data for clinical decision-making, or a companion diagnostic algorithm — it may be regulated under IVDR (2017/746) rather than MDR. The classification rules differ (IVDR uses Annex VIII Rules 1–7), and the clinical evidence requirements under IVDR are in some ways more stringent, requiring performance evaluation under ISO 20916 and, for Class D IVD software, EMA consultation. Read more about NGS bioinformatics validation.

If your software sits at the boundary of MDR and IVDR, an early regulatory opinion is essential. Getting the regulatory framework wrong at the start can require complete rework of technical documentation.

Challenges, Risks & Strategic Recommendations for SaMD

Challenge	Mitigation / Best Practice
Unclear intended purpose or software classification	Define the medical purpose at project initiation. Align IFU, labeling, marketing, and technical files with intended use and Rule 11 logic.
Insufficient clinical/performance evidence	Use prospective studies or robust real-world performance evaluations aligned with MDR Annex XIV and, where applicable, AI Act testing provisions.
Data quality and representativeness	Implement data governance for acquisition, preprocessing, and validation. Ensure datasets represent the intended patient population and use context.
Transparency and user comprehension	Provide clinically interpretable outputs. Explain functionality, limitations, and user responsibilities in the IFU and training materials.
Traceability gaps between requirements, risks, and tests	Maintain a requirements-to-verification traceability matrix that links requirements, risk controls, verification results, and clinical claims.
Software updates and regulatory impact	Establish change management to evaluate whether updates are significant and require re-assessment. Integrate these controls into the QMS.
Regulatory and Notified Body capacity constraints	Engage early with a qualified Notified Body. Provide clear, harmonized documentation to streamline assessments.
Evolving standards and regulatory guidance	Monitor new EU and MDCG guidance and standards (ISO 14971, ISO 13485, IEC 62304, IEC 81001-5-1) and the EU AI Act. Review QMS procedures periodically to stay aligned.

Where to Start: step-by-step for SaMD Manufacturers

Delivering safe and compliant Software as a Medical Device (SaMD) requires a structured approach that integrates regulatory, technical, and quality considerations across the lifecycle. Compliance with the EU MDR ensures that safety, performance, and clinical benefit remain clear and consistently supported.

Advanced technologies, including AI, can enhance SaMD functionality; however, they should not overshadow the core principles of safety, effectiveness, and human oversight. The same regulatory rigor and lifecycle management practices apply to all SaMD, regardless of the underlying technology.

Manufacturers should:

Define a clear intended purpose aligned with clinical benefit
Maintain a QMS that addresses MDR and, where relevant, AI Act obligations
Engage early with Notified Bodies and keep documentation, risk, and cybersecurity controls consistent
Treat post-market surveillance and maintenance as continuous improvement

By embedding these principles, manufacturers can reach compliance efficiently and deliver trustworthy, clinically valuable SaMD solutions.

Plan your SaMD strategy with MDx

Diego Rodríguez Muñoz, PhD

RA Specialist

Regulatory affairs specialist with expertise in EU MDR/IVDR, CE marking, SaMD & AI for MDs & IVDs.

Industry Insights & Regulatory Updates

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

IMDRF Draft N91 2026: New Clinical Evidence Requirements for IVDs Explained

Advanced digital health technology showcasing human body and medical device integration for MedTech innovation.

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

Spanish IVD Regulation 2025 – New Royal Decree Updates for IVD Manufacturers, Sponsors, and Labs

October 21, 2025

On 21 October 2025, the Council of Ministers approved Spain’s new Royal Decree for in vitro diagnostic devices. AEMPS confirmed the approval and explained that the decree complements IVDR (EU) 2017/746, strengthens patient protection, and adds national rules on language, in-house manufacturing, performance studies, and vigilance. This development anchors the Spanish IVD Regulation 2025 and sets clear obligations for manufacturers, sponsors, and laboratories. (Official announcement: AEMPS)

Spanish IVD Regulation 2025: What Changed and Why It Matters

The Spanish IVD Regulation 2025 replaces Royal Decree 1662/2000. It clarifies how IVDR applies in Spain and fills Member-State choices, including competent authority, language regime, Article 5(5) in-house devices, genetic testing and counseling, a national marketing register, performance study authorization, and vigilance and market control.

The regulation aims to raise quality, ensure traceability, and speed up corrective actions. It also improves access to certain self-tests through pharmacy channels.

Quick Guide for Busy Teams (Manufacturers, Sponsors, Labs)

Confirm what the Spanish IVD Regulation 2025 changes for your role.
Map licensing, registration, language, Article 5(5), ISO 15189, performance studies, and vigilance to owners and deadlines.
Prepare Spanish-language materials and set up traceability and incident reporting workflows.
Labs should plan ISO 15189 and Article 5(5) notifications to AEMPS.

Competent Authority and Language Rules under the Spanish IVD Regulation 2025

AEMPS is the competent authority for IVDs in Spain. Under the Spanish IVD Regulation 2025, user-facing materials for devices marketed in Spain must appear in Spanish. That includes labels, IFU, and safety notices. Regulatory submissions to AEMPS should include Spanish content. Co-official languages may be added, but Spanish is mandatory.

Action: Audit labeling, IFU, FSNs, PMS templates, and performance study files. Plan translations and version control.

Facility Licensing: Manufacturers, Sterilizers, and Importers

The Spanish IVD Regulation 2025 requires operating licenses for manufacturers, sterilizers, and importers before they place devices on the market. AEMPS evaluates facilities, personnel, and quality systems.

Each site must appoint a Technical Responsible Person (national role) and meet IVDR oversight led by a PRRC. One qualified person can cover both if they meet the criteria.

Transitional rule: Existing third-party manufacturers get up to one year from entry into force to secure the new license. Existing licenses remain valid until renewal or change, which then follow the new procedure.

Action: Confirm license status, designate the responsible person, and prepare for renewal under the new framework.

Marketing Register and Traceability

The decree creates a Spanish marketing register for devices placed on the market. Manufacturers, authorized representatives, and importers must notify product information to support traceability and market surveillance. The register complements EUDAMED and UDI.

Transitional rule: Spain will activate notifications when the register is operational. Until then, use existing national channels.

Action: Build a clean data set for device identifiers, certificates, and supply chains. Prepare to submit once AEMPS opens the register.

In-House Devices (Article 5(5) IVDR): What Labs Must Do Now

Scope and intent

The Spanish IVD Regulation 2025 regulates in-house IVDs made and used within the same health institution. Labs must justify need: a commercial CE-marked device cannot meet the specific clinical need. No industrial-scale production. No commercial supply to third parties.

Quality and documentation

In-house devices must meet IVDR GSPRs. Labs should keep a technical file (intended purpose, risk management, analytical and clinical performance, V&V, SOPs, and labeling for internal use).

ISO 15189 accreditation

Labs that manufacture in-house devices must obtain ISO 15189 accreditation for the manufacturing scope. Spain ties this to the transitional schedule.

Notification to AEMPS

Before starting in-house manufacture, labs must notify AEMPS and submit the Article 5(5) declaration. They must designate a responsible person for the in-house manufacturing process.

Action for labs: Launch ISO 15189 projects, finalize Article 5(5) templates, and prepare the AEMPS notification package.

Genetic Testing: Information and Counseling

The Spanish IVD Regulation 2025 requires clear information and appropriate counseling for genetic testing. Health professionals must explain limits, implications, and result interpretation. This duty applies before and after testing.

Health professionals and centers must obtain explicit informed consent from individuals before performing a genetic test. The patient must be made aware of the nature and purpose of the test and consent in writing (except where law may exempt certain public health screening). This goes beyond standard consent, recognizing the personal and familial implications of genetic data.

Before the test, patients should be informed about what the test can and cannot tell them, and after the test, a qualified professional should explain the results and any recommended follow-up. This requirement ensures genetic tests (such as those for hereditary disease risk) are not delivered without context or support, helping patients make informed decisions.

These obligations apply to genetic IVDs regardless of whether they are done in-house or as commercial tests. For example, a direct-to-consumer genetic test kit (if allowed on the market) would need to be accompanied by processes that ensure the purchaser gets necessary information and counseling. However, most genetic tests are administered in clinical settings; the decree effectively standardizes the practice of genetic counseling as part of testing.

Action: Update consent forms, patient information sheets, and SOPs for genetic counseling, including training for staff.

Performance Studies in Spain

All performance studies in Spain must first obtain a favorable opinion from an accredited Research Ethics Committee (REC) and authorization from the health center’s management where the study will be conducted. This applies to any study using human specimens or data for evaluating an IVD’s performance, ensuring ethical considerations (informed consent, data protection, etc.) are addressed early.

When you need authorization

Interventional clinical performance studies and other studies involving risks require AEMPS authorization before first participant. Ethics approval remains mandatory.

What sponsors must prepare

Spanish protocol (CPSP), Investigator’s Brochure, and informed consent.
Insurance/indemnity for participants and a clear liability framework. The decree explicitly requires compensation for damages and defines the liability regime for sponsors. Sponsors should budget for a clinical trial insurance policy and follow the decree’s rules on coverage minimums and conditions (similar to drug trial insurance requirements in Spain).
Monitoring, data management, and safety reporting plans aligned with IVDR. Upon study completion, results (whether positive, negative, or inconclusive) should be documented and may need to be reported in the public database or to AEMPS.

Studies with CE-marked devices

If the study adds invasive or burdensome procedures or goes outside intended use, sponsors should request authorization and notify AEMPS.

Action for sponsors: Build a Spain-ready dossier, confirm insurance, and align timelines with AEMPS and ethics reviews.

Vigilance and Market Control

The Spanish IVD Regulation 2025 reinforces vigilance. Manufacturers must report serious incidents and FSCAs to AEMPS. Healthcare professionals and institutions should also report incidents. Authorities will coordinate inspections and market control actions.

For instance, if an IVD test yields false results that lead to patient harm, the manufacturer has to notify AEMPS and submit a Spanish-language safety notice so that users in Spain can be adequately informed. This ensures critical safety information is effectively communicated and mitigated in the local context.

The decree emphasizes that healthcare professionals, health institutions, and even patients/users have a responsibility to report any suspected serious incidents to AEMPS. Spain is thus bolstering a culture of vigilance: a lab that encounters a device malfunction or a clinician who notices a pattern of erroneous results should alert the authorities. The more comprehensive the reporting, the better AEMPS can intervene to prevent harm.

Action: Maintain robust PMS plans, trend analysis, Spanish FSNs, and clear internal reporting lines. Hospitals should assign a vigilance lead and train teams.

Self-Test Access and Pharmacy Channels

Notably, the new rules remove the prescription requirement for at-home self-testing kits (e.g. self-tests for glucose, pregnancy, COVID-19, etc.), making them more accessible. However, even without needing a prescription, these self-diagnostic products can only be sold through pharmacies (in-store or via an official pharmacy website) to ensure proper guidance on use. High-risk tests or those used for critical decisions may still require a prescription or professional administration.

Action: Manufacturers should confirm packaging, leaflets, and e-commerce pharmacy guidance in Spanish.

Transitional Timelines You Should Track

Entry into force: The decree takes effect after BOE publication.
Licensing: Existing third-party manufacturers have up to one year to obtain the new operating license.
Marketing register: Notification duties start when the register goes live.
In-house devices: Spain applies the IVDR timelines. Labs must meet Article 5(5) conditions and ISO 15189 by the dates set in the transitional provisions and related guidance.
Legacy devices: Spain honors the IVDR transition for legacy IVDs and preserves specific old-rule processes until systems fully switch over.

Action: Put a dated compliance tracker in place for licensing, Article 5(5), ISO 15189, registry readiness, and vigilance.

Implications by Stakeholder

IVD manufacturers

Secure or update operating licenses.
Localize labels/IFU into Spanish.
Prepare marketing register data.
Strengthen PMS and vigilance interfaces with AEMPS.

Hospital and private labs

Confirm Article 5(5) eligibility and prepare technical documentation for the in-house test.
Achieve ISO 15189 for manufacturing scope.
Notify AEMPS and assign the in-house responsible person.
Update genetic testing consent and counseling SOPs.

How MDx CRO Helps You Execute

Regulatory strategy and submissions

We align IVDR with the Spanish IVD Regulation 2025 and prepare AEMPS submissions (licenses, notifications, marketing register onboarding when live).

ISO 15189 and Article 5(5)

We run gap assessments, build SOPs, and guide labs to ISO 15189 accreditation for in-house manufacture. We prepare the Article 5(5) declaration and AEMPS notification package.

Performance studies

We plan and manage interventional and risk-involving performance studies in Spain. We handle AEMPS authorization, ethics submissions, monitoring, and safety reporting. MDx can also act your IVD performance study legal representative in the EU.

Vigilance and PMS

We design Spanish-compliant PMS frameworks, incident workflows, and FSNs. We help you interface with AEMPS and prepare for inspections.

Contact MDx CRO

Written by:

David Tomé

President

Clinical research leader and MedTech entrepreneur with deep expertise in medical devices, IVDs & precision medicine, with global study experience.

Industry Insights & Regulatory Updates

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

IMDRF Draft N91 2026: New Clinical Evidence Requirements for IVDs Explained

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

MDx to Present ESMO 2025 Poster on IVDR CE Marking for Large Germline NGS Panels

October 7, 2025

Announcement

MDx will present a peer-reviewed poster at the ESMO Congress 2025 in Berlin detailing how our team helped secure IVDR CE marking for a large, service-based germline NGS solution that integrates wet-lab workflows with a validated bioinformatics pipeline. The poster distills a practical, audit-proven pathway that labs and IVD developers can apply when scaling evidence, validating software, and navigating notified-body reviews for complex NGS offerings.

What the poster covers

Regulatory strategy and intended use: How to right-size scope for very large panels while planning for future expansion.
Technical documentation: Building Annex II/III files that stand up to Stage I/II audits, including labeling/IFU for service-based models.
Software validation: Applying IEC 62304/82304 rigor to a bioinformatics pipeline (architecture, V&V, cybersecurity, change control).
Evidence at scale: A tiered approach to scientific validity and clinical performance, plus a pragmatic PMPF plan to mature low-prevalence evidence.
Operationalization: Supplier controls, change management, and QMS integration to sustain post-market scalability.

Fulgent and MDx ESMO 2025 poster about Certifying Large-Scale NGS panels for hereditary cancer

Why this matters

Large NGS panels pose unique IVDR hurdles: non-uniform clinical evidence across thousands of genes, evolving variant knowledge, third-party components without CE marking, and the need to validate bioinformatics as SaMD. By sharing a repeatable pathway and the pitfalls we overcame, this poster offers concrete guidance to shorten timelines without compromising quality or compliance.

When and where to find us

ESMO Congress 2025 takes place 17–21 October in Berlin, Germany. We will publish our poster board number and presentation time here as soon as the session logistics are confirmed by the organizers. If you’re attending, we’d love to meet to discuss your IVDR roadmap.

Read the background

For context on the underlying program and its market impact, explore the public write-ups:

Fulgent press release on the CE mark for FulgentExome and Fulgent PLM (wet lab + software)
Citeline case study on pushing IVDR to its limits with next-generation sequencing
MDx case study with Fulgent on IVDR CE marking for NGS platforms

Ready to talk IVDR CE marking for your NGS product?

Use our contact form to request a 30-minute slot with our regulatory and bioinformatics leads during ESMO 2025, or schedule a virtual follow-up the week after the congress.

Industry Insights & Regulatory Updates

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

European Union flags waving in front of modern office buildings representing MedTech innovation and regulatory environment.

MDx CRO at MPP 2025: Aligning Companion Diagnostics and Drug Development under IVDR

MDx CRO at ESMO 2025 (Berlin): Advancing IVDR Transitions & Combined Clinical Trials

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

IVDR CE marking NGS: MDx Case Study with Fulgent

October 7, 2025

Case Study: How MDx Helped Fulgent Genetics Achieve CE Marking for One of the World’s Largest Germline NGS Panels under IVDR

IVDR CE marking NGS at a glance

Outcome: CE mark granted by TÜV SÜD for an end-to-end Class C germline NGS solution (wet lab + bioinformatics).
Scope: Furthermore, panel covering 4,600+ clinically relevant genes with a validated PLM (Pipeline Manager) software component; later expanded to >7,000 genes using a new probe set.
What we did: Specifically, we built an ISO 13485 QMS from the ground up, prepared full Annex II + III technical documentation, validated bioinformatics under IEC 62304/82304, split documentation into two Basic UDI-DIs (wet lab vs. software), and guided Stage I/II audits.
Why it matters: Ultimately, this demonstrates a repeatable pathway to IVDR certification for large NGS services and software, something that hadno clear precedent.

Read the announcements: For details, read the Fulgent press release and Citeline case study.

Genes Certified

Class C

IVDR Classification

0 mo

To CE Mark

Post-Cert Scale

The challenge: certifying a service-based, large-scale NGS system under IVDR

To begin with, FulgentExome is a service-based NGS solution that integrates wet-lab workflows with the Fulgent PLM bioinformatics pipeline. As a result, pursuing IVDR certification meant converting a mature CLIA/CAP testing service into a CE-marked IVD system with robust evidence across scientific validity, analytical performance, and clinical performance, for thousands of genes. In particular, key hurdles included: defining intended use at scale; validating third-party components; proving scientific validity across 4,600+ genes; above all fully validating the bioinformatics pipeline under medical device software standards.

MDx approach: a playbook for complex NGS + software

1) Build the right QMS, fast

First, we performed an IVDR GAP assessment. Next, we designed and implemented an ISO 13485-compliant QMS with risk management, supplier control, document control, internal audits, and management review—migrating from a CLIA/CAP model to IVDR-ready operations.

2) Engineer a defensible intended use

Meanwhile, the intended-use statement evolved iteratively, from an initial ~300-gene scope to whole-exome, finally landing on 4,600+ genes aligned to available clinical and analytical evidence. In the end, the final language was future-proofed to support rapid updates as evidence expands.

3) Split wet lab and software into two regulated products

Afterward, following round 1 review feedback, we separated the documentation into two Basic UDI-DIs, FulgentExome (wet lab) and Fulgent PLM (software) to align with IVDR expectations for traceability and lifecycle control. Consequently, this restructuring sharpened conformity assessment and accelerated subsequent approvals.

4) Validate the informatics stack like a medical device

In parallel, we validated PLM under IEC 62304/82304, including architecture, version control, cybersecurity, verification/validation, and integration with external databases. Therefore, the result was a fully evidence-backed bioinformatics pipeline capable of reproducible, high-confidence variant calling and reporting.

5) Make “evidence at scale” practical

First, Scientific validity: Three-tier strategy combining validation of exome sequencing as an approach, reliance on curated public databases, and deep exemplars for a large subset of genes.
Second, Clinical performance: Leveraged routine testing experience (thousands of positives) to focus clinical evidence on high-prevalence genes, and instituted a robust PMPF strategy to continuously strengthen low-prevalence areas.

6) Orchestrate TÜV SÜD audits to success

Initially, Stage I confirmed documentation readiness, scope, Basic UDI-DIs and integration of IVDR processes into daily practice.
Subsequently, Stage II verified on-the-floor implementation of SOPs, training, competence, CAPA and change control—closing findings on short cycles to hit NB timelines.

Results that move the market

CE mark granted for FulgentExome & Fulgent PLM, among the first end-to-end Class C germline NGS solutions under IVDR.
Certified scope covers 4,600+ genes, positioning Fulgent as a reference lab for comprehensive hereditary disease testing serving European patients.
Post-certification, the platform scaled to >7,000 genes using a new probe set, demonstrating the inherent scalability built into the certified system (process, documentation, and change control).
Strengthened competitive standing in the EU diagnostics market; public communications highlight the magnitude of this achievement for large NGS panels.

Read more in the Fulgent press release and Citeline’s in-depth article.

What this means for labs and IVD developers planning large NGS submissions

If you operate an LDT today: you’ll need to translate CLIA/15189 practices into an ISO 13485 framework, document design controls, and produce a full PER (PEP/PER), APR, SVR, PMS/PMPF, SSP, and labeling/IFU aligned to GSPR. Expect to validate any bioinformatics pipeline as SaMD with IEC 62304/82304 and cybersecurity controls.

If your panel is “large”: you likely won’t have uniform clinical data across every gene. A structured tiered evidence model + PMPF can satisfy Notified Bodies while keeping your roadmap scalable.

If you combine wet lab + software: plan for separate Basic UDI-DIs and documentation sets. Treat the pipeline as a product with its own requirements, verification, and risk controls.

Why MDx

End-to-end IVDR expertise: From regulatory strategy & classification to Annex II/III technical files, PER/SVR/APR, training, and mock NB reviews. Read more about our NGS regulatory services.
Clinical performance studies: We design, run, and report ISO 20916 studies (protocols, eTMF, monitoring, biostats, PER alignment), and we can act as delegated sponsor for multi-country submissions—100% submission success rate to date.
Operational scale: ISO 9001 clinical QMS, EU/US partner network, multilingual CRAs, and a repeatable process honed on 60+ performance study submissions for top IVD and pharma clients.

Project timeline

Our joint project with Fulgent spanned July 2023–July 2025, with overlapping tracks for QMS creation, technical documentation, NB review, and Stage I/II audits, a coordinated plan that allowed rapid closure of findings and post-certification scaling.

Client perspective

The program demanded evening/weekend execution across regulatory, documentation, and project management to meet Notified Body timelines, effort that, in the client’s words, “made all the difference” in achieving what initially “seemed almost impossible.”

Planning IVDR for your NGS panel? Here’s a quick readiness checklist

Intended use aligned to evidence (and future updates)
ISO 13485 QMS with software lifecycle integration
PER (PEP/PER), SVR, APR mapped to gene-level strategy
PLM/DR pipeline validated per IEC 62304/82304 (+cybersecurity)
Separate documentation/UDI for wet lab vs. software (if applicable)
PMS/PMPF plan to mature low-prevalence evidence post-market
Mock NB review + Stage I/II audit readiness

(Our team can lead or co-author each artifact above.)

Talk to us

Whether you’re certifying a focused oncology panel or pushing the limits with exome-scale content, MDx brings the cross-functional regulatory, clinical, quality, and software depth to make it possible—on a timeline that keeps your business competitive.

Let's discuss your IVDR roadmap

How long does IVDR CE marking take for an NGS panel?

For a large, complex NGS panel (thousands of genes, wet lab + bioinformatics software), expect 18 to 24 months from project kickoff to CE mark, assuming you need to build a QMS from scratch. If you already have an ISO 13485-certified QMS and partial technical documentation, the timeline can shorten to 12 to 16 months. The main variables are: the scope of the panel (more genes = more validation work), whether the bioinformatics pipeline needs IEC 62304 validation from zero, Notified Body capacity and review cycles, and the maturity of your clinical evidence. In the Fulgent case, the full project spanned 24 months (July 2023 to July 2025), including QMS creation, full Annex II/III technical documentation, and TÜV SÜD Stage I and Stage II audits.

What IVDR class are NGS diagnostic panels?

Most NGS-based IVDs classify as IVDR Class C under Annex VIII classification rules, because they typically provide information used to determine patient predisposition or individual risk for serious conditions (e.g., hereditary cancer panels, germline disease testing). NGS panels intended for infectious disease detection with high public health risk (e.g., HIV, hepatitis) may classify as Class D. Companion diagnostic NGS panels co-developed with a therapeutic product also typically fall under Class C. Classification depends on the specific intended use and clinical claims, not the technology itself. All Class C and D IVDs require Notified Body conformity assessment.

Do you need separate UDI identifiers for NGS software under IVDR?

Yes, when the bioinformatics pipeline qualifies as standalone software (SaMD) or is a distinct regulated component, IVDR requires a separate Basic UDI-DI. In the Fulgent case, MDx split the documentation into two Basic UDI-DIs: one for FulgentExome (the wet-lab component) and one for Fulgent PLM (the bioinformatics pipeline). This separation aligns with IVDR expectations for traceability, lifecycle control, and independent conformity assessment. Each Basic UDI-DI has its own technical documentation, risk management file, and performance evaluation. This approach also makes post-market updates easier, a software update does not trigger re-review of the entire wet-lab documentation.

Can a CLIA/CAP-accredited laboratory use its existing QMS for IVDR CE marking?

No, CLIA/CAP accreditation and ISO 15189 certification are not equivalent to ISO 13485, which is the QMS standard required for IVDR CE marking. While CLIA/CAP provides a strong operational foundation (proficiency testing, personnel qualifications, quality control), it does not cover medical device design controls, supplier management, CAPA, post-market surveillance, or the device lifecycle documentation that IVDR demands. Laboratories transitioning from CLIA/CAP to IVDR must implement an ISO 13485-compliant QMS and document design inputs, outputs, verification, validation, and change control for each IVD product.

What is the tiered evidence strategy for scientific validity of large NGS panels?

For panels targeting thousands of genes, it is typically not feasible to generate individual clinical evidence for every gene-disease association. A tiered approach addresses this: Tier 1 validates the underlying sequencing technology (e.g., exome sequencing as a methodology) with evidence from published literature and peer-reviewed validation studies. Tier 2 relies on curated public databases such as ClinVar, OMIM, and HGMD to establish gene-disease associations at scale. Tier 3 provides deep exemplar evidence (including analytical and clinical performance data) for a representative subset of high-prevalence genes. Genes with limited data are supported through a Post-Market Performance Follow-up (PMPF) plan that progressively strengthens evidence after CE marking. This strategy was accepted by TÜV SÜD in the Fulgent certification.

Written by:

Carlos Galamba

CEO

Senior regulatory leader and former BSI IVDR reviewer with deep experience in CE marking high-risk IVDs, companion diagnostics, and IVDR implementation.

Industry Insights & Regulatory Updates

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

IMDRF Draft N91 2026: New Clinical Evidence Requirements for IVDs Explained

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

MedTech Companies in Europe: Hubs, Opportunities, and What You Need to Know

October 2, 2025

Europe is one of the world’s most significant medical technology markets, and one of its most complex. With more than 38,000 MedTech companies operating across the continent, a rigorous regulatory framework under EU MDR and IVDR, and a network of world-class research and manufacturing clusters, it represents both a major opportunity and a substantial challenge for manufacturers, diagnostics companies, and pharma organisations looking to operate here.

This guide covers what the European MedTech landscape actually looks like: where the key hubs are, what kinds of companies operate here, and what any organisation, whether entering the EU market for the first time or scaling an existing presence, needs to understand about the environment they’re entering.

The Scale of Europe’s MedTech Industry

According to MedTech Europe, the sector directly employs over 930,000 people across the continent and generates annual revenues estimated at roughly €170 billion (2024). It is one of the largest life sciences industries in the world, second only to the United States in terms of market size.

A few figures that put the landscape in context:

38,000+ companies: operating in medical devices, IVDs, and digital health
Over 90% are SMEs: the sector is dominated by small and mid-sized innovators, not large multinationals
Europe accounts for roughly 27% of global MedTech revenue
The EU is the world’s second-largest medical device market after the US
More than 2,000,000 medical technology products and services currently available in the European market

For US manufacturers, Asian diagnostics companies, and global pharma organisations, Europe is not a single market — it is a collection of national healthcare systems, procurement processes, and regulatory pathways that sit under a shared EU framework. Understanding where the industry is concentrated, and how it operates, is the starting point for any effective market strategy.

Europe’s Major MedTech Hubs

Germany: The Largest Market in Europe

Germany is the single largest MedTech market in Europe, accounting for roughly €40 billion in annual revenue and home to major global players including Siemens Healthineers, B. Braun, Dräger, and Karl Storz, alongside thousands of specialist mid-sized manufacturers (the Mittelstand).

Key clusters include:

Tuttlingen (Baden-Württemberg): The surgical instruments capital of the world. Over 400 MedTech companies operate within a 20km radius, manufacturing more than half of the world’s surgical instruments.
Munich: A hub for medical imaging, digital health, and life sciences, anchored by Siemens Healthineers and a growing startup ecosystem.
Hamburg and the Rhine-Ruhr region: Strong in diagnostics, laboratory technology, and healthcare IT.

Germany also hosts two of Europe’s most important MedTech trade events: MEDICA in Düsseldorf (the world’s largest medical trade fair) and COMPAMED, its companion event for medical technology suppliers.

For IVD and diagnostics companies, Germany is particularly significant, it is one of the largest markets for in vitro diagnostics globally and home to companies such as Roche Diagnostics and Qiagen.

The Netherlands: Diagnostics and Digital Health Innovation

The Netherlands punches well above its weight in MedTech. Philips Healthcare is headquartered in Amsterdam and Eindhoven, and the country has developed a strong ecosystem around medical imaging, point-of-care diagnostics, and health technology.

The Brainport Eindhoven region is one of Europe’s most productive technology clusters, with Philips and ASML as anchors and a dense network of high-tech suppliers and spin-offs. Dutch MedTech companies benefit from strong R&D infrastructure, close ties between university medical centres and industry, and an internationally oriented business environment.

The Netherlands is also a significant European gateway market, its logistics infrastructure (Rotterdam port, Schiphol Airport) and the presence of major European headquarters make it a preferred entry point for non-EU manufacturers registering their first EU presence.

France: A Major Market with Growing Innovation

France is the third-largest MedTech market in Europe, with a sizeable domestic industry and a healthcare system that is one of the continent’s largest public purchasers of medical technology.

Key companies include Stryker’s European operations, Guerbet, Servier Medical, and a growing cluster of digital health and AI-powered diagnostics startups concentrated around Paris, Lyon, and Grenoble. Lyon in particular has emerged as a strong hub for minimally invasive surgery and interventional cardiology, building on the presence of bioMérieux (a global diagnostics leader headquartered nearby in Marcy-l’Étoile).

France’s national innovation agency Bpifrance and the health innovation programmes under France 2030 have significantly increased investment in digital health and MedTech startups, making it an increasingly dynamic market for early-stage companies and international partners alike.

Spain: A Fast-Growing Hub with Iberian Reach

Spain is one of Europe’s most dynamic and fast-growing MedTech markets, with a strong concentration of companies in Barcelona, Madrid, and the Basque Country. The Spanish sector has historically been strong in orthopaedics, dental technology, and hospital equipment, but it is increasingly significant in IVDs, molecular diagnostics, and digital health.

Barcelona is home to a thriving life sciences ecosystem anchored by the Barcelona Health Hub, the proximity of world-class research institutions (IRB, CRG, ISGlobal), and a growing cluster of diagnostics and genomics companies. Madrid is the commercial and regulatory centre, with strong connectivity to Latin American markets — a route often used by global manufacturers to establish a dual EU/LATAM presence.

For companies targeting the Spanish and Portuguese-speaking world, Spain also serves as a strategic gateway to Latin America, with regulatory knowledge and commercial networks that extend to Brazil, Mexico, Colombia, and beyond.

A landmark development for the Spanish regulatory environment is Royal Decree 192/2023, which introduced specific requirements for clinical investigations with medical devices and IVDs in Spain, bringing national legislation into closer alignment with EU MDR and IVDR.

United Kingdom: Post-Brexit Reconfiguration

The UK remains one of Europe’s most important MedTech markets, even outside the EU. With a market value exceeding £10 billion, the UK is home to major global players (Smith+Nephew, Oxford Instruments, Consort Medical), a world-leading academic research base, and a concentration of MedTech companies around London, Cambridge, Oxford, and the M4 corridor.

The critical development for any manufacturer is the post-Brexit regulatory divergence. The UKCA mark (UK Conformity Assessed) is now required for devices placed on the Great Britain market, separate from the EU CE mark. While the UK has extended the period during which CE-marked devices can be sold in Great Britain, the timelines for full UKCA compliance are firm and require planning.

The MHRA (Medicines and Healthcare products Regulatory Agency) has been active in shaping post-Brexit regulatory guidance, and the UK has also signalled ambitions to develop faster, innovation-friendly pathways — including the ILAP (Innovative Licensing and Access Pathway) for combination products.

For manufacturers already CE-marked, the UK requires a separate regulatory strategy. For those entering from outside Europe, the question of CE + UKCA sequencing is an important early strategic decision.

Switzerland: Precision and High-Value Manufacturing

Switzerland is not an EU member but operates under a mutual recognition agreement for medical devices and is deeply integrated into the European MedTech ecosystem. It is home to some of the world’s most significant MedTech and diagnostics companies: Roche (Basel), Novartis (Basel), Straumann (dental), Ypsomed (drug delivery), and a dense cluster of precision manufacturing suppliers in the watch-making tradition that has transferred into surgical robotics, implants, and microfluidics.

Switzerland’s combination of engineering excellence, multilingual workforce, and proximity to major EU markets makes it a significant hub for high-value device development and manufacturing, and a frequent base for global companies establishing their European regulatory presence.

The Regulatory Landscape: What It Means in Practice

Understanding the MedTech industry in Europe is inseparable from understanding its regulatory framework. The introduction of EU MDR (2017/745) and EU IVDR (2017/746) represents the most significant overhaul of European medical device regulation in 25 years, and it has reshaped how companies of all sizes operate.

For manufacturers entering the EU market for the first time, the key requirements include:

CE marking through a conformity assessment route appropriate to the device’s risk classification
Technical documentation demonstrating safety and performance, including clinical evidence
Quality Management System (QMS) certified to ISO 13485
EUDAMED registration, the EU’s centralised database for devices, manufacturers, and clinical investigations, which becomes mandatory from May 2026
Notified Body involvement for Class IIa, IIb, III (MD) and Class B, C, D (IVD) devices
EU Authorised Representative (EU AR) for manufacturers based outside the EU

For IVD and diagnostics companies specifically, IVDR introduced a significant reclassification of products — the vast majority of IVDs that were previously self-certified under the old IVDD now require Notified Body review under IVDR, including companion diagnostics, oncology markers, and infectious disease assays. The transition timelines vary by device class and certification status.

For pharma companies developing companion diagnostics, the EU framework requires co-development alignment between the drug and its accompanying IVD, with specific submission pathways for Class D companion diagnostics (EMA consultation required).

Opportunities in the European MedTech Market

Despite, and in some ways because of, its regulatory complexity, Europe offers compelling opportunities for manufacturers and diagnostics companies with the right preparation.

Market access across 27 EU member states through a single CE mark remains one of the most powerful aspects of the European regulatory system. A device approved in Germany can be sold in France, Spain, Italy, Poland, and beyond without separate national approvals in most cases.

The SME ecosystem creates partnership opportunities. With over 90% of European MedTech companies being SMEs, there is a substantial market for contract research, regulatory outsourcing, clinical study support, and quality management services — particularly as regulatory demands increase under MDR and IVDR.

Growing demand in IVDs and molecular diagnostics is accelerating across Europe, driven by population ageing, oncology precision medicine, and the lessons of COVID-19 for diagnostic infrastructure. Countries including Spain, Portugal, Germany, and the Netherlands are investing significantly in laboratory infrastructure and point-of-care testing capacity.

The Spanish and Portuguese-speaking corridor (Spain, Portugal, and by extension Latin America) represents a particularly underexploited route for companies seeking both EU certification and access to a combined market of over 600 million people. Regulatory expertise that spans the EU and LATAM is rare and commercially valuable.

What Companies Operating in Europe Need to Get Right

Three things consistently determine whether a MedTech company navigates the European environment successfully:

1. Regulatory strategy from day one. The classification of a device under MDR or IVDR determines the entire development and approval pathway. Getting this wrong early, misclassifying a device, choosing the wrong conformity assessment route, or underestimating the clinical evidence requirements, creates delays that are expensive and difficult to recover from.

2. Clinical evidence that meets the standard. Both MDR and IVDR have raised the bar for clinical evidence significantly. For medical devices, clinical evaluation is an ongoing process, not a one-time submission. For IVDs, performance evaluation under ISO 20916 must be designed to satisfy both EU and, where applicable, FDA requirements.

3. A Notified Body relationship that works. With only a limited number of IVDR-designated Notified Bodies currently active, access to conformity assessment is a genuine constraint. Early engagement, well-prepared technical documentation, and experience managing the review process are not optional, they are the difference between a smooth approval and a two-year delay.

About MDx CRO

MDx CRO is a full-service MedTech CRO specialising in clinical research, regulatory affairs, and technical documentation for medical devices and IVDs. With offices in Barcelona, Madrid, Lisbon, and London, and a team operating across Europe, MDx supports manufacturers, diagnostics companies, and pharma organisations at every stage, from early regulatory strategy to Notified Body submission and post-market compliance.

Explore our services or get in touch to discuss your European regulatory and clinical strategy.

IVD & Medical Device clinical trials
Regulatory affairs under MDR/IVDR
Risk management & documentation
Software as a Medical Device (SaMD) compliance
ISO-standard training & quality support

We partner with both large diagnostic leaders and agile SMEs to deliver compliant, high-quality, and market-ready solutions.

A Pan-European Presence

With offices in Barcelona, Madrid, Lisbon, and London, and a network of CRAs and regulatory experts across Europe, MDx provides localized insight with global reach—helping MedTech companies meet requirements faster and smarter.

The European MedTech sector is growing—but so are its regulatory challenges. Whether you’re launching a new diagnostic product or preparing for a Notified Body audit, MDx CRO is here to support your success every step of the way.

Let’s talk about your next clinical or regulatory challenge.

ISO 13485 Implementation Guide: How to Stand Up a World-Class QMS (and Win Faster Market Access)

September 28, 2025

For MedTech and diagnostics companies, ISO 13485:2016 is the operating system for quality. It’s the globally recognized standard that regulators and notified bodies expect you to use to design, manufacture, and maintain safe, effective devices across the full lifecycle. Implement it well and you accelerate technical documentation, reduce rework, and shorten time-to-market. Implement it poorly and every audit, change, and submission becomes harder than it should be.

There’s an additional strategic reason to act now: the U.S. FDA’s Quality Management System Regulation (QMSR) formally converges 21 CFR 820 with ISO 13485:2016. The QMSR’s effective date is February 2, 2026, with a two-year transition from the legacy QS Reg—so a robust ISO 13485 QMS positions you for both EU and U.S. expectations. (QMSR overview PDF).

What ISO 13485 actually requires (and how to build it right)

At its core, ISO 13485 demands a documented, controlled set of interrelated processes that meet regulatory requirements for medical devices—from design and production to post-market activities. Success is not about templates; it’s about process architecture, risk-based decision-making, and evidence you can defend. (ISO 13485 handbook preview).

1) Map your process architecture

Start with a top-level map that shows how design & development, purchasing/supplier control, production & service provision, software validation (for QMS and process software), vigilance, and post-market processes interact. Keep ownership clear; keep inputs/outputs traceable.

2) Make risk management the backbone

ISO 13485 expects risk-based controls throughout realization and post-market feedback. Operationalize ISO 14971:2019 (and ISO/TR 24971 guidance) so hazards, risk controls, and residual risk tie directly into design inputs, verification/validation, and change control.

3) Design controls that satisfy NB and FDA reviewers

Build a single D&D framework that covers planning, inputs/outputs, reviews, verification, validation (including clinical/performance where applicable), transfer, and DHF/Design History File traceability. Link your design plans to intended purpose/indications so your technical documentation aligns with MDR/IVDR and (when applicable) FDA submissions.

4) Supplier & software rigor

Qualify and monitor critical suppliers with risk-based controls; embed incoming inspection and performance metrics. Validate QMS/production software proportional to risk and document configuration management so you can pass objective evidence reviews.

5) Document control that scales

Use a lean document hierarchy (policy → process → work instruction → form) and number it so auditors can navigate quickly. Automate change control and training effectiveness checks; link each controlled record to the process requirement it satisfies.

6) Post-market surveillance that drives improvement

Your PMS loop should systematically capture complaints, feedback, vigilance, field actions, and real-world performance. Close the loop with CAPA and management review using trend analysis and risk re-evaluation.

7) Internal audits and management review that add value

Audit for process performance (not just procedural conformance). Track effectiveness KPIs and feed them into management review alongside regulatory metrics (e.g., NB queries, submission outcomes, vigilance timelines).

EU alignment matters: harmonized EN ISO 13485 and MDR/IVDR

In Europe, EN ISO 13485:2016 (including A11:2021 and AC:2018) is recognized as a harmonized standard supporting MDR/IVDR requirements—useful for presumption of conformity where applicable. Aligning your QMS to the harmonized edition reduces friction in notified body assessments and surveillance.

Implementation roadmap (what works in the real world)

Phase 1 — Gap Assessment & Plan: Benchmark current practices against ISO 13485 clauses, ISO 14971 integration points, and your market strategy (EU MDR/IVDR, FDA QMSR). Produce a prioritized remediation plan with owners and dates.
Phase 2 — Process Build & Evidence: Draft/revise procedures; pilot them with one product line to generate real records (design plan, risk files, supplier files, software validation, training, internal audit).
Phase 3 — System Activation: Roll out across programs; execute internal audit cycle and management review with measurable outcomes.
Phase 4 — NB/FDA Readiness: Run a mock audit; fix systemic findings; align technical documentation index to QMS records; confirm personnel qualification and training effectiveness.

Avoid the top 5 pitfalls we see

Building dozens of procedures without a process map (auditors get lost; so do teams).
Treating risk management as a document, not a process that drives design and post-market decisions.
Weak supplier controls for critical components and software.
Software validation that stops at IQ/OQ and misses real-world configurations.
“One-and-done” internal audits that don’t test effectiveness or feed CAPA.

How MDx CRO makes ISO 13485 implementation faster (and audit-proof)

MDx CRO designs right-sized 13485 systems for MedTech and diagnostics teams—from first-time implementations to remediation before NB or FDA inspections. We build the process architecture, author and train on lean SOPs, integrate ISO 14971 risk into day-to-day decision-making, and generate submission-ready evidence. Then we run mock audits that mirror NB/FDA styles so you walk into the real thing prepared.

Explore Regulatory & Quality Services and Clinical & Post-Market Support, or contact MDx CRO to scope your ISO 13485 program.

Industry Insights & Regulatory Updates

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

IMDRF Draft N91 2026: New Clinical Evidence Requirements for IVDs Explained

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

A Step-by-Step Guide to IEC 62366 and Usability Engineering

September 28, 2025

The usability of medical devices is not just a matter of convenience. It is a matter of safety, effectiveness, and regulatory compliance. Poor design that confuses or frustrates users can lead to use errors, adverse events, and even patient harm. To address this, the international standard IEC 62366-1:2015/Amd 1:2020 establishes a structured framework for usability engineering in medical device development.

For medical device manufacturers, understanding and applying IEC 62366 is essential. Compliance demonstrates that usability risks have been identified, reduced, and documented, which is essential for all medical devices including IVDs and Software as a Medical Device (SaMD).

What Is IEC 62366?

IEC 62366 is the internationally recognised standard that defines how to integrate usability into the design and development process.

It has two main parts:

IEC 62366-1:2015/Amd 1:2020 Medical devices – Application of usability engineering to medical devices: The core standard describing the usability engineering process.

IEC/TR 62366-2:2016 Medical devices – Guidance on the application of usability engineering to medical devices: A technical report providing guidance and examples to support implementation.

The goal is to ensure that usability engineering is applied consistently so that devices can be used safely and effectively by intended users, in intended use environments, while ensuring that use errors that could lead to harm are identified, reduced, and controlled through structured usability activities.

Why Usability Engineering Matters

Use-related errors are a leading cause of device-related adverse events. By embedding usability engineering into product development, manufacturers can:

Reduce use errors that could lead to harm
Improve patient safety and treatment outcomes
Satisfy regulatory requirements from the MDR, IVDR, and FDA
Increase user acceptance and market success
Lower long-term costs by avoiding redesigns or recalls

In short, usability is both a compliance requirement and a competitive advantage.

Step-by-Step Guide to Applying IEC 62366

The usability engineering process defined in IEC 62366 is systematic and iterative. It integrates into the overall product development lifecycle and risk management process in line with ISO 14971. Below is a step-by-step breakdown.

Step-by-step visual guide illustrating the IEC 62366 usability engineering process for medical devices, covering intended use definition, hazard identification, risk analysis, user interface requirements, formative evaluations, and summative usability validation, aligned with EU MDR and FDA human factors guidelines.

1. Establish the Usability Engineering File (UEF)

The UEF is the central documentation repository for all usability activities. It includes intended use, user profiles, use scenarios, hazard analysis, test results, and risk control measures. In practice, the records and other documents that form the UEF may also form part of the product design file (ISO 13485) or the risk management file (ISO 14971).

Think of the UEF as both a project management tool and evidence for regulators.

2. User Research

Prepare the Use Specification. This is where you define:

The intended medical purpose of the device
The user groups (e.g. clinicians, patients, laypersons, caregivers)
The use environments (hospitals, homes, ambulances, clinics)
Any training or expertise required

This forms the foundation of all subsequent usability activities.

3. Analysis

Once you know who will use your device and where, the next step is to analyse how things could go wrong.

Activities include:

Identifying safety-related user interface characteristics (e.g. readability of displays, button layout, alarm visibility).
Reviewing post-production data and public databases for known usability issues with similar devices.
Identifying hazards and hazardous situations.
Identifying and describing hazard-related use scenarios, which describe exactly how use errors might occur and what consequences they could have.
Selecting hazard-related use scenarios for Summative Evaluation.

These scenarios are then prioritised to decide which will be evaluated in summative testing.

4. Design and Formative Evaluation

This is where design and usability testing happen in iterative cycles.

Key steps:

Establish the User Interface Specification – the blueprint of all UI elements.
Develop the User Interface Evaluation Plan – define how formative and summative testing will be performed.
Iterative cycles of concept, prototype, and testing

The point of formative evaluation is to find usability issues early, before final validation, so changes are cheaper and less disruptive.

5. Summative Evaluation

The final stage is a summative usability validation. This is a formal test that demonstrates to regulators that the device can be used safely and effectively by the intended users.

Test the hazard-related use scenarios identified earlier.
Use representative users in realistic environments.
Collect both objective performance data (task completion, error rates) and subjective feedback (ease of use, confidence).
Confirm that residual risks are acceptable in line with ISO 14971.

This stage provides the objective evidence regulators require to ensure compliance.

6. Maintain Usability Post-Market

Usability engineering does not end at product launch. Post-market surveillance should collect feedback on usability issues, adverse events, and complaints. Updates or design changes may be required if new risks emerge.

Common Challenges in Applying IEC 62366

Many manufacturers encounter difficulties such as:

Underestimating resources needed for usability testing
Recruiting representative users for formative and validation studies
Defining realistic use scenarios that reflect actual clinical environments
Integrating usability with development timelines
Documenting evidence properly in the UEF

Failing to address these challenges can result in regulatory rejection, delays, or costly redesigns.

Best Practices for Success

Start usability engineering early in the design process
Involve multidisciplinary teams including engineers, clinicians, and usability experts
Use a mix of qualitative and quantitative methods in evaluations
Prioritise hazard-related use scenarios in validation testing
Document everything thoroughly in the Usability Engineering File
Where possible involve regulators early for alignment
Leverage specialist expertise such as a Medical Device and IVD Consultancy with usability engineering experience

FAQs

Does the FDA also recognise IEC 62366?

Yes. The latest versions of the IEC 62366 standards are recognised by the FDA as consensus standards. However, the FDA has also published specific human factors engineering guidances with minor differences to IEC 62366 so it is recommended that these are also considered for FDA submissions.

When should usability testing be performed?

Throughout development. Formative evaluations identify and correct issues early, while summative validation confirms safe and effective use before market approval.

Can simulated environments be accepted in usability validation?

Yes, provided they are representative of real-world conditions and cover all critical tasks and hazard-related use scenarios.

What is the difference between IEC 62366-1 and IEC 62366-2?

EC 62366-1 is the main normative standard that defines the usability engineering process manufacturers must follow. IEC 62366-2 is a companion informative document that provides guidance and rationale to help apply IEC 62366-1 in practice. For regulatory submissions, compliance with IEC 62366-1 is what notified bodies and regulators assess — IEC 62366-2 is a supporting resource, not a requirement.

What must be included in a Usability Engineering File?

The Usability Engineering File (UEF) is the core documentation output of the IEC 62366-1 process. It must document the intended use and user groups, use scenarios and user interface specification, formative evaluation records, summative evaluation plan and results, and risk-related findings and how they were addressed. It should be structured to allow a notified body or regulatory reviewer to trace the full usability engineering process from start to finish.

Does IEC 62366 apply to IVDs?

Yes. IEC 62366-1 applies to all medical devices, including in vitro diagnostic devices (IVDs). Under the EU IVDR and MDR, manufacturers are expected to demonstrate that human factors and usability have been considered as part of the design and development process. This is particularly relevant for IVDs used at the point of care or by lay users, where use errors can have direct patient safety implications.

How many participants are needed for a summative usability study?

There is no fixed number mandated by IEC 62366-1, but common practice — and FDA guidance — typically expects a minimum of 15 participants per user group for summative evaluations. The number should be justified based on the diversity of the user population, the complexity of the device, and the number of critical tasks being evaluated. For high-risk devices or large user populations, a larger sample may be required.

What is the difference between a formative and summative evaluation?

Formative evaluations are iterative assessments carried out during device development to identify and resolve usability problems early. They are exploratory in nature and do not need to meet a pre-defined pass/fail criterion. Summative evaluations, also called validation testing, are conducted on a near-final or final version of the device to confirm that users can operate it safely and effectively without being coached or corrected. Summative results are what get submitted to regulators.

How MDx CRO Can Help

Implementing IEC 62366 in-house can strain resources. At MDx CRO we can provide:

Protocol development and study design for usability testing
Recruitment of representative users across geographies
Moderation of formative and validation studies
Integration of usability engineering with regulatory strategy
Preparation of all usability documentation required for submissions including FDA submissions

As a trusted Medical Device and IVD consultancy, we support manufacturers in implementing IEC 62366, running usability studies, and preparing documentation that satisfies both EU and US regulators. Whether you are starting a new project or updating an existing device, our team helps you achieve compliance and deliver safer devices to market.

Request our Usability engineering services for medical devices and IVDs.

Need help with IEC 62366 compliance?

Talk to our usability engineering team.

Written by:

Floella Otudeko

Senior QARA Specialist

Senior QA/RA consultant with MDR, IVDR, Usability/Human Factors and MDSW expertise, supporting MedTech and IVD innovation globally.

Industry Insights & Regulatory Updates

Making IVDR Work in Combined Studies: Scientific & Operational Lessons from 40+ Programs

ISO 14155:2026 What’s Changed and What It Means for Your Clinical Investigation

Portugal’s New Clinical Trials Law No. 9/2026: What Sponsors Need to Know

IMDRF Draft N91 2026: New Clinical Evidence Requirements for IVDs Explained

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

Understanding the MDCG 2023-4 Guidance on Medical Device Software and Hardware Combinations

October 20, 2023

The world of medical device regulation is constantly evolving, with regulatory bodies introducing new guidances to keep up with the technological advances in the sector. One such pivotal guidance is the MDCG 2023-4, focusing on Medical Device Software (MDSW) intended to work in combination with hardware or hardware components.

What is MDCG 2023-4?

The Medical Device Coordination Group (MDCG) released the guidance MDCG 2023-4. This document provides detailed insights into the considerations and regulatory requirements for MDSW that is intended to be used in combination with hardware or its components.

Key Highlights of MDCG 2023-4

1. The Prominence of Hardware in MDSW

For many MDSW, hardware components directly link their effectiveness by feeding them with necessary data. Devices such as wearables, smartwatches, or augmented reality goggles utilize sensors and cameras to collect data. This data is then processed by MDSW applications for medical outcomes.

In some cases, these hardware components are crucial to general consumer electronics, emphasizing the importance of convergence between MDSW and hardware. Especially with integrated sensors, understanding their qualification and the suitable regulatory pathways becomes essential.

2. Regulatory Scope of MDCG 2023-4

Hardware components significantly contribute to the medical functionality of specific MDSW through data and signals. Understanding the regulatory implications when combining MDSW with associated hardware is essential. This guidance sheds light on the regulatory considerations for hardware components when they either function as medical devices or their accessories. However, it’s crucial to note that areas like clinical evaluation or cybersecurity are not covered by this guidance.

3. MDSW-Hardware Synergy

The medical intent of numerous MDSW apps is closely tied to the data from the associated hardware. This hardware serves as data input sources and occasionally even controls the MDSW. For optimal functionality, the hardware must guarantee precision, reliability, and performance. There are various scenarios, such as:

A single manufacturer producing both a dermal patch with sensors and a corresponding MDSW app.
A wearable device, like a watch with sensors, requiring a user to download a corresponding MDSW app from the same manufacturer.

However, situations where the hardware and MDSW app manufacturers differ introduce complex interoperability considerations.

4. Regulatory Considerations

As per MDR’s Article 2 and MDCG 2023-4, a medical device’s purpose can either be achieved independently or in conjunction with other devices or accessories. From the scenarios provided, it’s evident that the MDSW and hardware components are interdependent for medical functionality. If a manufacturer claims a medical purpose for the software, they need to provide evidence of compliance with the MDR, ensuring that the interaction between the MDSW and hardware produces safe and effective results.

5. Market Placement

For the initial scenarios, where both the MDSW and hardware are categorized as medical devices or their accessories, MDR compliance is crucial, focusing on safety, interoperability, and performance. This involves comprehensive clinical evaluations and post-market surveillance. However, if the hardware isn’t MDR compliant, the responsibility of ensuring safety and performance lies with the MDSW manufacturer.

Frequently Asked Questions (FAQ)

Is the MDCG 2023-4 guidance binding for manufacturers? The guidance offers insights and best practices. However, always consult with specific regulatory authorities for mandatory requirements.
Does this guidance apply to software-only medical devices? The primary focus is on software working with hardware. Some sections might still be relevant for software-only devices in terms of risk management.
What penalties are in place for non-compliance? Penalties vary based on regional regulations. It’s essential to stay updated with regional medical device regulatory guidelines.

Conclusion

The MDCG 2023-4 guidance is a significant step in clarifying the regulatory framework for medical device software and hardware combinations. Adhering to the guidance ensures innovations in the field are both groundbreaking and compliant, safeguarding patient welfare. Stakeholders and manufacturers are encouraged to familiarize themselves with the MDCG 2023-4 document to stay ahead in the ever-evolving medical device industry.

Written by:

Andre Moreira

Regulatory Director, Medtech

Senior quality & regulatory expert, ISO 13485/MDR/IVDR auditor with expertise in CE marking MDs/IVDs, incl. dental, implantables, drug delivery, genomic tests, & MDR/IVDR implementation.

Industry Insights & Regulatory Updates

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

FDA QMSR: How the 2026 Regulation Shift Transforms MDSAP Audits and FDA Compliance Inspections

High-tech European Parliament building with EU flag, modern glass architecture, representing advanced government infrastructure and innovation.

Navigating the IVDR CDx Certification Pathway

iso 20916 2024 ivdr harmonization ivd studies Detailed image of female researcher examining samples through a microscope in a modern laboratory, demonstrating advancements in MedTech innovation and research in healthcare technology.

ISO 20916:2024 What You Need to Know for Clinical Performance Studies in 2026

IVDR Lab Readiness: Step-by-Step Transition Checklist

EU AI Act and Medical Devices: What SaMD Developers Need to Know (2026)

Timeline Update: April 2026

February 2026: Commission published guidelines on Article 6

2 August 2026 :Most high-risk AI obligations now apply, but with a critical exception for medical devices

Revised compliance milestones for SaMD developers

1. Does the AI Act Apply to Your Software?

2. High-Risk AI Classification for Medical Devices

3. How the AI Act Interacts with MDR and IVDR

4. General Purpose AI (GPAI) Models in Medical Devices

5. Key Timelines

6. What to Do Now: A Practical Checklist

Frequently Asked Questions: EU AI Act and Medical Devices

Master Artificial Intelligence (AI) in Medical Devices

Further Reading

Diego Rodríguez Muñoz, PhD

SaMD Compliance Guide: Navigating Regulations for Software as a Medical Device

1. Does Your Software Qualify as SaMD?

2. Classification Under MDR Rule 11

3. The MDR Compliance Roadmap for SaMD

Intended Purpose and Use Context

Risk Management (ISO 14971)

Quality Management System (ISO 13485)

Software Lifecycle (IEC 62304 and IEC 82304-1)

Clinical Evaluation (MDCG 2020-1)

Cybersecurity

Technical Documentation (Annex II and III)

Conformity Assessment and CE Marking

Post-Market Surveillance and Software Updates

4. Common Pitfalls and How to Avoid Them

5. SaMD Under IVDR

Challenges, Risks & Strategic Recommendations for SaMD

Where to Start: step-by-step for SaMD Manufacturers

Further Reading

Diego Rodríguez Muñoz, PhD

Spanish IVD Regulation 2025 – New Royal Decree Updates for IVD Manufacturers, Sponsors, and Labs

Spanish IVD Regulation 2025: What Changed and Why It Matters

Quick Guide for Busy Teams (Manufacturers, Sponsors, Labs)

Competent Authority and Language Rules under the Spanish IVD Regulation 2025

Facility Licensing: Manufacturers, Sterilizers, and Importers

Marketing Register and Traceability

In-House Devices (Article 5(5) IVDR): What Labs Must Do Now

Genetic Testing: Information and Counseling

Performance Studies in Spain

Vigilance and Market Control

Self-Test Access and Pharmacy Channels

Transitional Timelines You Should Track

Implications by Stakeholder

IVD manufacturers

Sponsors

Hospital and private labs

How MDx CRO Helps You Execute

David Tomé

MDx to Present ESMO 2025 Poster on IVDR CE Marking for Large Germline NGS Panels

Announcement

What the poster covers

Why this matters

When and where to find us

Read the background

Ready to talk IVDR CE marking for your NGS product?

IVDR CE marking NGS: MDx Case Study with Fulgent

Case Study: How MDx Helped Fulgent Genetics Achieve CE Marking for One of the World’s Largest Germline NGS Panels under IVDR

IVDR CE marking NGS at a glance

The challenge: certifying a service-based, large-scale NGS system under IVDR

MDx approach: a playbook for complex NGS + software

1) Build the right QMS, fast

2) Engineer a defensible intended use

3) Split wet lab and software into two regulated products

4) Validate the informatics stack like a medical device

5) Make “evidence at scale” practical

6) Orchestrate TÜV SÜD audits to success

Results that move the market

What this means for labs and IVD developers planning large NGS submissions

Why MDx

Project timeline

Client perspective

Planning IVDR for your NGS panel? Here’s a quick readiness checklist

Talk to us

Carlos Galamba

MedTech Companies in Europe: Hubs, Opportunities, and What You Need to Know

The Scale of Europe’s MedTech Industry