Medical Device Regulation Update

by K&L Gates LLP

K&L Gates LLP

On 5 May 2017, the Medical Device Regulation ("MDR") was published in the Official Journal of the European Union and comes into effect on 26 May 2017.[1] The Commission proposed back in 2012 to revise the existing regulatory regime for medical devices that has been in force since 1993. In particular, the MDR replaces the existing Directive 93/42/EEC on medical devices (“MDD”) and Directive 90/385/EEC on active implantable medical devices.

The MDR will impact businesses that are already placing medical devices on the EU market and those that intend to do so in the future. The MDR is designed to improve the quality, safety and reliability of medical devices, strengthen transparency of information for consumers and enhance vigilance and market surveillance. Some of the changes introduced by the MDR are further discussed below.

Obligations of Economic Operators Clarified
The MDR redefines a number of parties in the supply chain as well as placing additional regulatory duties on certain parties not previously subjected to strenuous regulatory obligations. In particular the MDR sets out requirements and obligations for manufacturers, importers and distributors.

In respect of manufacturers, the MDR makes clear that own brand labelers ("OBL") are also considered to be manufacturers, meaning that they will be subject to the same regulatory requirements as manufacturers. This could cause a significant shift in duties for some OBL's and they may wish to ensure that their commercial agreements with the original manufacturer of the medical device accounts for the increased regulatory burden.

One of the most important changes is that the MDR requires that the manufacturer (including OBLs) designates a person who is responsible for regulatory compliance (a similar requirement can be found in EU legislation on medicinal products). This person must have the requisite level of experience in the medical devices field, which can be shown through a combination of experience in medical device regulatory affairs and education. The person responsible for regulatory compliance should be employed with the manufacturer except where they are a micro or small enterprise who may employ a contractor. This contractor must be permanently and continuously at their disposal.

Further, the manufacturer that is not established in the EU must designate a sole authorised representative before its device can be placed on the EU market. While the manufacturer can mandate the tasks that the authorised representative can carry out, the MDR provides that certain tasks must be included in the mandate, including cooperation with the competent authorities. The authorised representative is legally liable for defective devices in the event that a manufacturer established outside the Union has not complied with its general obligations. This does not exclude legal liability being imposed on manufacturers and importers.

The manufacturer must also, in a manner that is proportionate to the risk class, type of medical device and the size of the company, put measures in place to provide that it has sufficient financial coverage in respect of their potential liability.

In respect of importers and distributors, they must ensure that they are only making available MDR compliant medical devices. The role of importers and distributors in recalls and product safety monitoring have also been clarified.

Stricter Quality and Risk Management System Requirements
While quality management systems were required under the MDD, the MDR specifies what the system must include and how the manufacturer must operate it. A quality management system should cover all elements of a manufacturer's organisation dealing with the quality of processes, procedures and devices. For example, robust methods should be set up and used by the manufacturer to address the strategy for regulatory compliance, identifying applicable general safety and performance, and the risk management system.

In respect of the risk management system, it should be carefully aligned with and reflected in the clinical evaluation for the medical device. In carrying out risk management manufacturers must:

  • establish and document a risk management plan for each medical device;
  • identify and analyse the known and foreseeable hazards associated with each medical device;
  • estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse, as well as eliminate or control such risks;
  • evaluate the impact of information from the production phase and from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and
  • based on the evaluation of the impact of the information, if necessary amend control measures.

As part of their quality management system, manufacturers must also establish a post-market surveillance system, which should be proportionate to the risk class and the type of medical device in question.

Small Changes to Medical Device Classification
Medical devices will still be classified based on four risk-based classes: Class I, Class IIa, Class IIb and Class III. The classification of medical devices remains largely unchanged from the MDD, with some exceptions:
  • some devices that come into contact with the spinal column are upgraded into Class III; and
  • devices that penetrate the body through mucus membranes are included in the definition of "surgically invasive devices".

Similar to the previous regime under the MDD, conformity assessment will depend on the classification of the device.

A comprehensive, publicly available EU database on medical devices and UDI
To improve the access to information on medical devices marketed in the EU, non-confidential information held in the European database on medical devices (“Eudamed”) will be made available to the public. For example, manufacturers, authorised representatives and importers must publish their details on Eudamed.

The database will also include, for example:

  • an electronic system for registration of devices;
  • an electronic system on notified bodies and on certificates;
  • Summaries of safety and clinical performance for implantable medical devices and for class III medical devices;
  • an electronic system on clinical investigations;
  • an electronic system on vigilance and post-market surveillance; and
  • an electronic system on market surveillance.

To achieve better traceability throughout the supply chain, the manufacturer is required to assign the EU unique device identifier ("UDI") to the medical device before it is placed on the market. UDIs are a series of numeric or alphanumeric characters that allow for identification of specific devices on the market. These numbers will include a device and a production identifier which are placed on the label of the device or its packaging for traceability purposes. The MDR establishes a UDI database in order to make this data available to the public. This database will also be part of Eudamed. The UDI database should allow prompt reaction and satisfactory solutions to safety issues.

Entry into Force and Transitional Periods
The MDR enters into force on 26 May 2017, however, the majority of the new rules will only apply after a transitional period, which will be three years after entry into force. Transitional periods will allow manufacturers to comply with the MDR. For example, manufacturers of Class I medical devices will not be required to place a UDI on a device label for eight years after the date of entry into force of the MDR. The transitional period for Class III medical devices will be four years and six years for Class IIa and Class IIb.

There will also be a transitional period during which certificates granted under the previous regime will remain valid. The period of validity for each certificate varies depending on when it was granted. This means that during this transition period, companies marketing a product that has changed class will continue to hold a valid certificate, but they will have to apply for certification under a different class during the transition period. If a certificate was issued prior to the MDR coming into force then it will become invalid two years from the date of application of the MDR. If a certificate was issued during the transition period then it will become invalid four years from the date of application. Manufacturers should take steps to examine their proposed and future devices in light of the new classification rules.

[1] Along with MDR, the Regulation on in vitro diagnostic medical devices has also been published in the Official Journal of European Union, which repeals Directive 98/79/EC on in vitro diagnostic medical devices.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by:

K&L Gates LLP

K&L Gates LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.