The New EU Regulation on Medical Devices Aims at Enhanced Product Safety and Further Harmonization

by McDermott Will & Emery

McDermott Will & Emery

In Depth

On May 5, 2017, the new Regulation on Medical Devices (MDR) and the new Regulation on In Vitro Diagnostics (IVDR) were published in the European Official Journal. The Regulations will become effective 20 days after publication (i.e., on May 26, 2017) and will be fully applicable after a transition period of three years for the MDR regulation and five years for the IVDR regulation, respectively. 
The European market for medical devices is large and diverse–including products as different as contact lenses, pacemakers, breast implants and ultrasound machines, plus in vitro diagnostics such as HIV tests, pregnancy tests and blood sugar monitoring systems. In total, there are over 500,000 different types of medical devices on the European Union (EU) market. Under the current framework, medical devices are classified into the following classifications based on risk: (1) class 1 (low risk); (2) class IIa and IIb (moderate risk); (3) class III (high risk). This regime is similar to the US Food and Drug Administration’s (FDA) device classification regulations, with some distinctions in the types and categories of device that belong to each class. 

The existing EU regulatory framework for medical devices consists of three directives that were issued in the 1990s: (1) the Directive on Medical Devices (Dir. 93/42/EC), (2) the Directive on Active Implantable Medical Devices (Dir. 90/385/EEC), and (3) the Directive on In Vitro Diagnostic Medical Devices (Dir. 98/79/EC). These three directives will now be replaced by only two regulations, as active implantable medical devices will be covered by the MDR. The primary objectives of the new law are to improve quality, safety and reliability of medical devices. Reform efforts were triggered by the Poly Implant Prothèse (PIP) breast implant scandal, where breast implants made of industrial silicone were marketed as medical devices and received a European Conformity (CE) certificate from a renowned notified body. The new Regulations impose additional requirements on notified bodies and set higher standards for clinical evaluation of medical devices. However, the general processes for obtaining market authorizations have remained largely unaffected. 

Significant Changes

Clinical Evaluation and Post-Marketing Surveillance: The new Regulations place greater emphasis on clinical data to support medical device registration and post-market safety. Under the MDR, manufacturers have to create a clinical development plan that includes a plan for post-marketing surveillance. As part of the technical documentation, manufacturers have to provide a report on the clinical evaluation. Once devices are available for use on the market, manufacturers will be required to collect data about their performance and EU countries will coordinate more closely in the field of market surveillance. Documentation will be required on a regular basis, i.e., under certain conditions, manufacturers will have to provide a Post Market Surveillance Plan/Report (PMS), a Post Market Clinical Follow-up Report (PMCF), Periodic Safety Update Report (PSUR) and/or a Summary of Safety and Clinical Performance (SSCP). Furthermore, for more medical devices and in vitro diagnostics, clinical trials will have to be performed–and regulatory requirements for such clinical trials will be stricter, including but not limited to the new obligation of the sponsor to provide damage compensation insurance for participants (Article 69 MDR / Article 65 IVDR).

Supervision and Advisory of Notified Bodies: The MDR rules will impose stricter controls on high-risk devices. Similar to the FDA Advisory Committees that provide recommendations to the FDA regarding the approval of certain devices for the US Market, the MDR provides that a pool of experts at the EU level will have to be consulted before placing certain devices on the market. This requirement applies to class III implants and class IIb products that deliver a medicinal product (e.g., certain drug delivery devices or combination products). Furthermore, according to Article 35 of the MDR / Article 31 IVDR, each Member State has to appoint an authority that will be responsible for the oversight and review of notified bodies. This authority is entitled to review whether notified bodies comply with the requirements for notified bodies listed in Annex VII MDR. Under the new Regulations, notified bodies can start to be re-certified six months after the date they become applicable–i.e., from end-November 2017. Three years after first notification, and again every four years thereafter, a re-assessment will take place. Furthermore, the competent authority is entitled to review an appropriate number of notified body assessments of manufacturers’ technical documentation.

The Unique Device Identifier (UDI): The UDI requirement introduces greater parity between the FDA and EU requirements. Like the recently implemented FDA requirements, the MDR and the IVDR require a unique product number to be assigned once for each medical device. The UDI consists of UDI device identifier (UDI-DI) specific to a manufacturer and a device, providing access to the information described in Part B of Annex VI and UDI production identifier (UDI-PI) that identifies the unit of device production and, if applicable, the packaged devices, as specified in Part C of Annex VI. This information must be stored in an electronic system for Unique Device Identification (UDI database) in accordance with Article 28 MDR / Article 25 IVDR. 

Furthermore, it is noteworthy that the MDR extends the applicability of the medical devices regime to certain products that do not have a medical purpose but are considered equivalent in terms of risk. These products are listed in Annex XVI of the MDR and include, among other things, cosmetic contact lenses and skin fillers. Some of the classification rules in Annex VIIIthe Annex providing the rules for risk classification—have changed. As a result, several medical devices have been reclassified into a higher risk class. One example of this reclassification is mobile medical apps for smartphones and other mobile devices. According to Rule 11 in Annex VIII MDR, software for diagnostic or therapeutic purposes is generally risk class IIa, but under certain conditions can be risk class IIb or III. While under the old regime, medical apps were mostly in class I, hence manufacturers could self-certify without the involvement of a notified body, keeping the procedure simple and costs low; it is likely that in the future, a notified body will often be required for registration of a medical app. 

Next Steps

Because the new legal framework was issued as regulations, the individual EU Member States are not required to issue their own implementing laws to codify the MDR and IVDR. Instead, both regulations will be directly applicable in the 28 Member States of the EU. Furthermore, the Member States will have less discretion to interpret their national laws to impose different or new requirements because these Regulations are more detailed and proscriptive than the current medical device regime based on the Directives. 

Upon expiry of the transition periods in 2020 (MDR) and 2022 (IVDR), the new Regulations will become fully applicable. During the transition periods, manufacturers may choose whether they want a medical device to be certified under the old or the new regime. However, four years after the effective date of the MDR, i.e., in 2024, all CE-certificates issued under the old rules of the MDR will expire. By then at the latest, all medical devices marketed in the EU will have to comply with the new regime. The transition periods are not as long as some would have hoped, given the significance of the changes. These changes will require medical device manufacturers to review and evaluate current operations and systems to ensure compliance with new and enhanced requirements. While the new Regulations reflect a trend toward greater harmonization of EU and US requirements, companies with global operations, distributions and products should take a holistic approach to compliance and implement regulatory and compliance processes that are appropriate, adaptable and scalable for a global marketplace.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McDermott Will & Emery | Attorney Advertising

Written by:

McDermott Will & Emery

McDermott Will & Emery on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.