Inovasense

MDR — Medical Device Regulation

MDR (EU 2017/745) governs medical devices: requires Notified Body certification for Class IIa+ and mandates strict post-market surveillance obligations.

The Medical Device Regulation (MDR, EU 2017/745) is the EU legislation governing medical devices and their accessories. It replaced the Medical Devices Directive (MDD, 93/42/EEC) and the Active Implantable Medical Devices Directive (AIMDD, 90/385/EEC), applying in full from May 2021 (with transitional extensions for legacy MDD devices until December 2027 for Class IIb/III and December 2028 for Class IIa). A companion regulation, the IVDR (EU 2017/746), governs in vitro diagnostic devices (blood tests, PCR, immunoassays).

Unlike most CE marking directives, the MDR is a Regulation (directly applicable law in all EU Member States without transposition) and imposes the most stringent conformity assessment requirements of any CE marking framework — including mandatory Notified Body involvement for all but the lowest-risk devices.

Device Classification

The MDR classifies devices into four classes based on risk:

| Class | Risk level | Examples | Conformity assessment |
| --- | --- | --- | --- |
| Class I | Lowest risk | Non-sterile, non-measuring devices (stethoscopes, examination gloves, glasses frames) | Self-declaration (Module A); NB required only if sterile, measuring function, or reusable surgical instrument |
| Class IIa | Low-medium risk | Hearing aids, surgical gloves, dental filling materials, blood pressure monitors | Module A + NB Conformity Check (structural assessment) |
| Class IIb | Medium-high risk | Ventilators, infusion pumps, diagnostic X-ray equipment, most active implants | Module B (Type Examination) + Module D or F |
| Class III | Highest risk | Heart valves, drug-eluting stents, hip implants, neural stimulators | Module B + Module D (with QMS) |

Classification follows the rules in Annex VIII of the MDR — 22 classification rules based on duration of contact, invasiveness, active vs passive, and whether the device administers substances or uses ionising radiation.

Qualified Persons for Regulatory Compliance (QPRC)

The MDR introduces the role of at least one natural person responsible for regulatory compliance (QPRC) within the manufacturer’s organisation. This person must have expertise in the relevant fields and is legally named on the manufacturer’s quality management system. This is a significant difference from other CE directives where no named individual is required.

Quality Management System Requirement

For Class IIa, IIb, and III devices, the manufacturer must implement a Quality Management System (QMS) certified to EN ISO 13485 — the medical device-specific QMS standard. The Notified Body audits this QMS as part of the conformity assessment process. An ISO 9001 QMS, while transferable in many elements, does not satisfy the MDR QMS requirement.

Software as a Medical Device (SaMD)

Software that is intended to be used as a medical device — including embedded firmware with diagnostic or therapeutic purpose — is classified as a medical device under the MDR. Software classification follows specific rules under Annex VIII Rule 11:

  • Software intended to provide therapeutic or diagnostic decisions of a serious nature: Class III
  • Software intended to monitor physiological processes, provide diagnosis (non-serious): Class IIa or IIb
  • Software with other intended purposes: Class I

Software lifecycle must comply with IEC 62304 (medical device software lifecycle processes), which defines software safety classes (A, B, C) and corresponding development, testing, and documentation requirements.

Cybersecurity Under MDR

The MDR explicitly requires that medical devices incorporating software (including firmware) be designed and manufactured so that the confidentiality, integrity, and availability of the information they handle is maintained across hardware, networks, and software:

  • MDR Annex I §17: devices must be designed to prevent unauthorised access
  • MDCG 2019-16: guidance document explicitly references IEC 62443 and EN 303 645 for network-connected medical devices
  • For Software as a Medical Device: IEC 62304 software safety class drives the extent of cybersecurity testing

As the CRA comes into force (December 2027), connected medical devices will need to satisfy both MDR cybersecurity requirements and the CRA for the digital elements aspect — the two frameworks must be addressed together.

Practical Timeline Considerations

MDR certification timelines for Class IIb/III devices are among the longest in CE marking:

  • Notified Body designation and selection: 3–6 months (limited NB capacity for MDR — there are fewer notified NBs than under MDD)
  • QMS audit and initial certification (ISO 13485): 6–12 months
  • Technical documentation and NB review: 12–24 months
  • Total time to first CE mark: typically 2–4 years for new Class IIb/III products

This means MDR compliance must be planned from the first concept gate of a medical device project — it cannot be addressed at the engineering validation stage.

Note: Inovasense assesses MDR projects individually. MDR engagement is subject to project scope review and applicable quality system requirements. We do not hold ISO 13485 certification as a manufacturer — we can support MDR-related hardware design, embedded security architecture (IEC 62304 cybersecurity), and technical documentation, in collaboration with the client’s MDR-certified QMS.

Official References