Compliance Guide

What is the EU MDR (European Union Medical Device Regulation)?

The EU MDR is a set of regulations that governs the production and distribution of medical devices in the European Union. These regulations aim to ensure that medical devices have no negative impact on human health. The EU MDR is the successor to the previous Medical Device Directive (MDD).

The MDR has been in force since May 2021. By 2024, any existing medical device products certified under the MDD needed to be recertified under the MDR if they were to continue to be sold within the European Economic Area (EEA).

Under the MDR, a medical device must have a CE marking to be legally sold in the EU market. To receive a CE marking, the medical device is subjected to a conformity assessment, which determines whether the device complies with the necessary requirements under the MDR.

Why were the new Medical Device Regulations (MDR) needed?

The MDD is a much older regulation than the MDR. Back when the MDD was created in 1994, the concept of Software as a Medical Device (SaMD) did not exist. The medical monitoring apps that are so widely used today had yet to be invented, so the MDD was not created with these solutions in mind. Thus, the MDD is now largely considered to be outdated.

Advancements in medical devices and SaMD

Since 1994, there have been significant advancements in the use of medical devices and SaMD. Thus, there was a need for updated regulations that better meet the needs of this ever-evolving market.


How does the MDR differ from the MDD?

Both the MDR and the MDD establish a regulatory framework for medical devices, but the MDR builds on certain aspects of the MDD, and goes into much greater detail. In fact, the MDR is four times longer than the MDD!

It's important to note: nothing from the MDD has been removed from the MDR!

Notable updates included in the MDR include:

  • Greater post-market surveillance.
  • An expanded scope to include other devices that were not previously covered under the MDD. This includes devices that might not have a strictly medical function, such as materials used in cosmetic surgery (implants, fillers etc.), contact lenses, and body hair removal devices.
  • Clearer requirements for documentation and product labelling.
  • Implementation of Unique Device Identification (UDI), which helps to track devices in the supply chain. This will be required on all labels.
  • Stricter requirements for conformity assessments and registration.
  • All notified bodies that carry out conformity assessments must be accredited.
  • All devices must be registered in EUDAMED, the European Database on medical devices.

Risk classes and MDR software

The MDR also introduces changes to how medical software products are classified, including the introduction of a new high risk software class, which covers software that can cause death or irreversible damage to a patient.

The risk class of a medical device product is based on the perceived risk. The perceived risk refers to the potential impact the device can have on the human body. Here is a summary of the software safety classes under the MDR:

Class I: Lowest perceived risk

In a lot of cases, it is possible for manufacturers to self-certify as a Class I device without the involvement of a notified body. However, three Class I subcategories have a higher perceived risk and require notified body involvement:

  • Class Is: Products that must be presented as sterile. Examples include syringes, examination gloves, colostomy bags, and stethoscopes.
  • Class Im: Medical devices that have a measuring feature. Examples include thermometers, measuring syringes, and blood pressure measuring devices.
  • Class Ir: Devices that are reprocessed or reusable. This includes surgical instruments, which are cleaned and sterilised before being used again.

Class IIa: Medium perceived risk

For these devices, it is essential for manufacturers to receive a declaration of conformity from a notified body in order to receive a CE marking. Examples include hearing aids, catheters, dental crowns, and ultrasound equipment.

Class IIb: Medium to high perceived risk

For a Class IIb product to receive a CE marking, a notified body must be involved. Examples include ventilators, insulin pens, and intensive care monitoring equipment.

Class III: High perceived risk

Class III devices are subject to the most stringent requirements, including the clinical evaluation stage. They tend to require permanent monitoring throughout the lifetime of the patient. Examples include pacemakers, breast implants, and prosthetic heart valves.


How are risk classes determined under the MDR?

Under the EU MDR, a rules-based system is used to determine the risk class of a medical device. These rules can be found in Annex VIII of the MDR. There are 22 rules in total, divided into four sections:

Rules 1–4: non-invasive devices

These devices do not penetrate the body through any surface or orifice.

Rules 5–8: invasive devices

These devices penetrate the body completely or partially, through any surface or orifice.

Rules 9–13: active devices

These devices rely on a source of energy that cannot be generated by the human body in order to work.

Rules 14–22: special

These rules cover any devices that do not fit into the first three categories.

In each category, the duration of the device's intended use is also used to determine which rules apply. There are three duration types specified in the MDR:

  • Transient: Intended for continuous use for less than 60 minutes.
  • Short-term: Intended for continuous use for between 60 minutes and 30 days.
  • Long-term: Intended for continuous use for more than 30 days.

Who needs to comply with the MDR?

If you are:

  • A manufacturer, authorised representative, importer, or distributor of medical devices in the EU; or
  • A regulatory affairs or quality management professional involved with medical devices,

you need to know how to comply with the MDR.

When it comes to applications, it is important to remember that only medical apps fall under MDR legislation. Wellness or wellbeing apps are not covered by the MDR.


What does the MDR mean for your medical device solution?

If your product was certified under the MDD, and you still wish for your product to be sold within the European Economic Area (EEA), you will need to have your product recertified under the MDR.


How can you speed up your path to MDR compliance?

The process of making sure your product is compliant with the MDR can be long and tedious, and can significantly increase the time it takes to make your medical device market-ready.

Being compliant with the MDR places significant requirements on your cloud infrastructure. For instance, you need to ensure that you have a suitable quality management system (QMS) in place throughout the entire product lifecycle. This can be demonstrated by following the guidelines for ISO 13485:2016 and IEC 62304:2006.

It is also essential for your cloud infrastructure to be GDPR-compliant.


So why are we, a Medical Backend-as-a-Service provider, writing about the MDR?

We know that adhering to all of these different rules and regulations involves a lot of time and effort; effort that could be used in other important areas, such as defining your business logic. It is for this reason that regulatory compliance, particularly concerning the MDR, is one of the biggest hurdles to overcome before going to market. When developing Software as a Medical Device, MDR compliance is vital, and should never be overlooked.

We are well aware of the importance of regulatory compliance, which is why we undergo independent verification of security, privacy, and compliance controls. Our medical Backend-as-a-Service (mBaaS) is compliant and certified to a number of global standards, including the MDR and its related requirements. Using a certified medical BaaS does not mean your solution becomes automatically certified, but it does make the path to compliance a lot smoother.

Extra Horizon

Accelerate your MDR compliance journey

Extra Horizon is certified to ISO 13485:2016 and IEC 62304:2006 — the two standards most critical for MDR compliance. Our platform gives your digital health solution a regulatory-ready foundation from day one.
