• +49 (1575) 55 77 436

  • München/ Germany

  • Mo-Fr: 9am-6pm

FAQs

Frequently Asked Questions

  • ISO 13485 plays a central role in the EU MDR conformity assessment process for medical device manufacturers. While ISO 13485 certification itself does not automatically grant CE marking, it provides the structured Quality Management System required for EU MDR certification.

    Under Regulation EU 2017/745, manufacturers of Class IIa, IIb and III medical devices must undergo conformity assessment by a notified body. A compliant QMS is a mandatory component of this process. ISO 13485 is widely recognized as the harmonized international standard that fulfills the QMS expectations under EU MDR.

    During the conformity assessment, the notified body evaluates:

    • Implementation of the Quality Management System
    • Design and development controls
    • Risk management and clinical evaluation processes
    • Post market surveillance and vigilance systems
    • Technical documentation in line with MDR Annex II and III

    In practice, ISO 13485 certification significantly facilitates EU MDR certification and CE marking for medical devices, as it demonstrates systematic regulatory compliance and audit readiness.

  • For medical devices placed on the European market, the MDR text does not name ISO 13485 as a formal legal prerequisite. However, for manufacturers of Class IIa and higher devices, a compliant Quality Management System is mandatory as part of the CE marking process.

    In practical terms:

    • ISO 13485 is considered the recognized standard for demonstrating compliance with MDR QMS requirements.
    • Notified bodies expect manufacturers to operate a QMS aligned with ISO 13485.
    • ISO 9001 alone is generally not sufficient for CE marking of medical devices.

    ISO 9001 focuses on general quality management principles applicable across industries. It does not address specific regulatory requirements such as risk management for medical devices, clinical evaluation, post market surveillance or regulatory reporting obligations.

    For foreign manufacturers seeking EU market access, ISO 13485 certification is therefore the appropriate and internationally accepted pathway to support CE marking under the EU MDR.

  • ISO 9001 and ISO 13485 are both Quality Management System standards, but they serve different purposes and industries.

    ISO 9001 is a generic quality management standard applicable to all sectors. It focuses on customer satisfaction, process control and continuous improvement across any type of organization.

    ISO 13485 is specifically developed for medical device manufacturers and related organizations. It integrates regulatory requirements and risk based controls tailored to the medical device sector.

    Key differences include:

    • Regulatory focus: ISO 13485 aligns with medical device regulations such as EU MDR and other global frameworks.
    • Risk management: ISO 13485 requires integration of risk management throughout the product lifecycle.
    • Documentation and traceability: More stringent requirements for technical documentation and product traceability.
    • Post market obligations: Structured complaint handling, vigilance and post market surveillance processes are mandatory under ISO 13485.

    While ISO 9001 emphasizes continuous improvement and business efficiency, ISO 13485 prioritizes regulatory compliance, product safety and lifecycle control.

    For manufacturers outside the EU aiming at CE marking and EU MDR certification, ISO 13485 is the relevant and industry specific standard.

  • Yes. Foreign manufacturers can obtain ISO 9001 or ISO 13485 certification through structured remote audit procedures, provided accreditation rules and regulatory requirements allow remote techniques.

    Remote certification projects are particularly suitable when:

    • The Quality Management System is centrally documented and digitally accessible
    • Key personnel are available for structured online interviews
    • Production processes can be demonstrated via secure live video sessions
    • Documented evidence can be shared in real time

    For medical device manufacturers, remote audits are commonly used for Stage 1 audits and, depending on risk classification and regulatory pathway, may also be applied for Stage 2 audits in combination with on site verification where required.

    The certification scope, device class, product risk profile and applicable regulatory framework determine the extent to which remote auditing is permissible.

  • Remote audits are conducted in accordance with ISO/IEC 17021, which defines requirements for bodies providing audit and certification of management systems.

    ISO/IEC 17021 allows the use of information and communication technologies as long as the certification body ensures:

    • Audit integrity and impartiality
    • Reliable identification of audit evidence
    • Traceability of findings
    • Secure data handling
    • Equivalent audit depth compared to on site assessments

    Remote audits must follow a documented audit plan, risk assessment and structured evidence collection process. Live interviews, system demonstrations, process walkthroughs and controlled document access ensure that the auditor obtains objective evidence.

    Accredited certification bodies apply formal procedures for remote auditing to maintain compliance with accreditation rules and to ensure that certification decisions remain valid and internationally recognized.

  • Yes. Chinese and other Asian manufacturers can obtain ISO 13485 certification without establishing a European subsidiary.

    ISO 13485 certification is issued to the legal manufacturer responsible for the Quality Management System, regardless of geographic location. The certification body audits the manufacturing site and associated processes, not the presence of a legal entity within the European Union.

    However, if the manufacturer intends to place medical devices on the EU market, additional regulatory requirements under the EU MDR must be fulfilled. These may include appointment of an EU Authorized Representative and engagement with a notified body, depending on device classification.

    ISO 13485 certification can therefore be obtained independently of EU company formation, but EU market access requires further regulatory steps.

  • No. An EU Authorized Representative is not required for obtaining ISO 13485 certification.

    ISO certification is a management system assessment and does not depend on the existence of an EU Authorized Representative.

    An EU Authorized Representative becomes mandatory only when a non EU manufacturer intends to place medical devices on the European market under the EU MDR. The Authorized Representative acts as the regulatory liaison within the EU and assumes defined legal responsibilities.

    In practice, many manufacturers initiate ISO 13485 certification first to establish a compliant Quality Management System and then appoint an EU Authorized Representative as part of their CE marking strategy.

  • Yes. ISO 13485 certification can and should be strategically aligned with EU MDR technical documentation preparation.

    While ISO 13485 focuses on the Quality Management System, the EU MDR requires comprehensive technical documentation as defined in Annex II and Annex III. These two elements are closely interconnected.

    An aligned approach ensures that:

    • Risk management processes support both ISO 13485 and MDR requirements
    • Design and development controls generate audit ready technical documentation
    • Clinical evaluation and post market surveillance processes are properly structured
    • Supplier controls and traceability meet notified body expectations

    Coordinating ISO certification and MDR preparation within a single regulatory roadmap reduces duplication, shortens timelines and improves conformity assessment readiness for CE marking.

    For export oriented Chinese and Asian manufacturers, an integrated strategy is typically the most efficient pathway to EU market access.

  • In many cases, yes. Remote ISO 13485 certification can be more cost efficient than traditional on site audits because travel expenses, accommodation costs and extended auditor presence at the manufacturing site are avoided.

    Remote audits reduce logistical complexity and minimize production disruption. This is particularly relevant for manufacturers in China and other Asian countries where international travel significantly increases audit costs.

    However, remote certification is not automatically applicable in every case. The feasibility depends on:

    • Device classification and risk profile
    • Regulatory pathway and involvement of a notified body
    • Maturity of the Quality Management System
    • Availability of secure digital documentation and live process demonstration

    A case by case evaluation and a clear regulatory strategy are essential to determine whether a fully remote or hybrid audit model is appropriate.

  • For manufacturers with an established and documented Quality Management System, ISO 13485 certification can typically be completed within four to six weeks.

    The timeline depends on:

    • QMS maturity and level of documentation
    • Number of products and processes
    • Complexity of design and manufacturing activities
    • Responsiveness in addressing potential nonconformities

    A structured project plan with predefined milestones allows efficient audit preparation and a timely certification decision.

  • Yes. ISO 13485 certification can be accelerated when aligned with a clear EU market entry strategy.

    Fast track certification is possible when:

    • Core QMS documentation is already implemented
    • Risk management and design controls are properly structured
    • Technical documentation is being prepared in parallel
    • Audit readiness is professionally coordinated

    By combining ISO 13485 certification with EU MDR preparation in a single regulatory roadmap, manufacturers can significantly reduce overall time to CE marking and EU market access.

    An integrated approach ensures efficiency without compromising regulatory compliance.

  • Yes. Internal operational procedures may remain in Chinese, Ukrainian or the local working language of the organization.

    ISO 13485 does not prescribe a specific documentation language. What is required is that processes are clearly documented, effectively implemented and understandable during the audit.

    During a remote or on site audit, responsible personnel must be able to explain procedures and demonstrate conformity. If documentation is maintained in the local language, structured explanations and selected translated summaries may be required to allow proper audit verification.

    For EU market access projects, certain regulatory documents may require English versions, especially when interacting with European notified bodies.

  • No. A full translation of all internal documentation is generally not required.

    However, the following documents should typically be available in English for international certification and EU regulatory interaction:

    • Quality Manual or QMS overview
    • Scope statement
    • Key procedures such as design control, risk management and complaint handling
    • Management review summaries
    • Certification application documents

    For EU MDR projects, technical documentation and regulatory correspondence are usually expected in English.

    Operational work instructions, production records and internal forms may remain in the local language, provided audit transparency is ensured.

  • Yes. We support international manufacturers with multilingual regulatory coordination.

    For projects involving manufacturers from China or Ukraine, we provide access to Chinese, Ukrainian and Russian speaking consultants who understand both local manufacturing environments and European regulatory expectations.

    This ensures:

    • Clear communication during audit preparation
    • Accurate interpretation of regulatory requirements
    • Efficient resolution of nonconformities
    • Reduced misunderstandings in cross border certification projects

    Multilingual support significantly improves audit efficiency and shortens overall certification timelines for export oriented manufacturers.

  • For international certification projects, documentation language requirements depend on the certification body and target market.

    In most cases:
    • The Quality Manual or QMS overview must be available in English.
    • Key procedures such as design control, risk management, supplier control and complaint handling should be accessible in English.
    • The scope statement and certification application documents must be in English.
    • Management review records and internal audit summaries should be understandable to the auditor.

    For ISO 13485 and medical device manufacturers seeking EU MDR alignment, technical documentation, risk management files and regulatory procedures often need to be available in English, especially when interacting with notified bodies.

    Operational records such as work instructions may remain in the local language, provided responsible personnel can explain processes during the audit and the auditor can verify conformity through translated summaries where necessary.

    Clear and structured English documentation significantly reduces audit time and accelerates certification decisions for foreign manufacturers.

  • Yes. We actively support medical device manufacturers from China and other Asian countries in obtaining ISO 13485 certification and preparing for EU MDR conformity assessment and CE marking.

    For manufacturers targeting the European market, the main challenges typically include:

    • Alignment of the Quality Management System with EU regulatory expectations
    • Integration of ISO 14971 risk management into product lifecycle processes
    • Preparation of technical documentation according to MDR Annex II and III
    • Communication with European notified bodies
    • Establishment of post market surveillance and vigilance procedures

    We provide structured regulatory coordination and certification support tailored to export oriented manufacturers. Our approach ensures that documentation, processes and audit preparation are aligned with European regulatory standards while remaining practical and scalable.

    To facilitate communication and efficient project execution, we work with experienced Chinese speaking consultants who understand both local manufacturing practices and European regulatory requirements. This significantly reduces misunderstandings, shortens project timelines and improves audit readiness.

    Through our established network of notified bodies and accredited laboratories, we are able to coordinate certification pathways efficiently and provide commercially competitive solutions for manufacturers from China and across Asia seeking EU market access.

  • ISO/IEC 27001 certification demonstrates that your organization has established, implemented, maintains and continually improves an Information Security Management System (ISMS) in accordance with the international standard.

    1. Scope Definition and Project Initiation
    At the outset, we jointly define the ISMS scope, including organizational units, locations, processes, information assets and interfaces. Clear scoping ensures that certification boundaries are risk-based, appropriate and aligned with your business objectives.

    2. ISMS Design and Implementation
    We support the structured development of your ISMS in line with ISO/IEC 27001 requirements. This includes:
    • Context of the organization and stakeholder analysis
    • Risk assessment and risk treatment methodology
    • Statement of Applicability
    • Definition and implementation of Annex A controls
    • Policies, procedures and operational documentation
    • Establishment of measurable information security objectives

    The focus is on practical, audit-ready implementation integrated into existing business processes.

    3. Internal Audit and Management Review
    Prior to certification, internal audits are conducted to verify conformity and effectiveness of the ISMS. Top management performs a formal management review to confirm strategic alignment, resource allocation and continuous improvement measures.

    4. Certification Audit by an Accredited Body
    The certification process consists of two stages:

    Stage 1 Audit
    Review of documented information, ISMS design and readiness assessment.

    Stage 2 Audit
    On-site or remote audit assessing operational effectiveness, control implementation and compliance with ISO/IEC 27001 requirements.

    Nonconformities, if identified, must be addressed before certification is granted.

    5. Certification and Surveillance
    Upon successful completion, the ISO/IEC 27001 certificate is issued with a three-year validity. Annual surveillance audits verify ongoing compliance and continual improvement. A recertification audit is required after three years.

    GSI-CERT provides structured project management, regulatory expertise and audit-focused implementation support to ensure an efficient, risk-based and certification-ready ISMS.

  • For international manufacturers, including medical device companies from China or Asia, ISO 9001 and ISO 13485 certification projects can be conducted efficiently through a structured remote audit approach, provided regulatory and accreditation requirements are met.

    Scope of Certification

    The certification scope typically covers the full Quality Management System, including:

    • Design and development
    • Supplier qualification and control
    • Production and process validation
    • Quality control and release
    • Post market surveillance and complaint handling
    • Regulatory compliance relevant to the intended markets and device classification

    The exact audit scope depends on product type, device class and applicable regulatory frameworks.

    Process and Estimated Timeline

    A typical project is structured as follows:

    Gap Analysis and Document Review
    Initial assessment of the existing QMS documentation against ISO 9001 or ISO 13485 requirements. Duration: approximately one week.

    Stage 1 Audit Preparation
    Readiness review focusing on documented procedures, regulatory framework, risk management and QMS maturity. Typically one to two weeks depending on the number of products, processes and sites.

    Stage 2 Remote Audit
    Comprehensive process verification conducted via structured video sessions, live system demonstrations, document sharing and interviews with responsible personnel. The audit evaluates effective implementation and operational compliance.

    Certification Decision
    Following closure of any nonconformities, the certification decision is usually issued within four to six weeks in total, depending on QMS maturity and response time.

    Remote Audit Setup

    Remote audits are conducted via secure online platforms with structured evidence sharing and real time access to documented information. The audit methodology follows ISO/IEC 17021 principles, ensuring independence, impartiality, traceability and full documentation of audit evidence.

    This approach enables foreign manufacturers of Class I medical devices to obtain internationally recognized ISO certification while maintaining operational continuity and minimizing travel-related delays.

  • Our certification solutions are designed to combine regulatory robustness with economic efficiency.

    We operate as an independent coordination and certification partner and do not maintain our own testing laboratories or heavy infrastructure. This structural approach allows us to avoid fixed laboratory overhead, facility costs and administrative burden typically embedded in traditional certification models. The resulting cost efficiency is directly reflected in our client pricing.

    Instead of maintaining in-house testing capacities, we leverage a qualified international network of accredited laboratories and recognized partners. This enables us to select technically appropriate and cost-effective testing resources on a project specific basis, ensuring both compliance and financial efficiency.

    In accredited and regulated areas, we cooperate with established notified bodies and recognized conformity assessment organizations. Through these formal partnerships and professional recognition, we are able to coordinate certification pathways in full alignment with applicable regulatory frameworks while maintaining independence and audit integrity.

    Our model offers several advantages:

    • Reduced structural overhead and competitive pricing
    • Flexible selection of accredited testing capacities
    • Efficient coordination between QMS certification and product conformity assessment
    • Clear regulatory alignment through recognized notified body partnerships

    This network based structure allows us to provide compliant, internationally accepted certification services while maintaining commercially attractive and scalable solutions for manufacturers.

  • The integration of Machine Learning into medical devices introduces specific regulatory and compliance challenges under the European regulatory framework. In the EU, medical devices incorporating Machine Learning are primarily regulated under Regulation EU 2017/745 on medical devices, known as the EU MDR.

    1. Qualification as a Medical Device

    Software incorporating Machine Learning qualifies as a medical device if it fulfills a medical purpose as defined in Article 2 of the EU MDR. This includes diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease.

    Many Machine Learning applications in healthcare fall under the category of Software as a Medical Device. The intended purpose defined by the manufacturer determines regulatory classification and obligations.

    2. Risk Classification

    Under Annex VIII of the EU MDR, software is classified according to Rule 11. Machine Learning based diagnostic or therapeutic decision support systems often fall into Class IIa, IIb or even Class III, depending on the potential impact on patient health.

    Higher classification results in mandatory involvement of a notified body for conformity assessment.

    3. Quality Management System Requirements

    Manufacturers of Class IIa and higher devices must implement a Quality Management System compliant with EU MDR Article 10 and typically aligned with ISO 13485.

    For Machine Learning systems, the QMS must address:

    • Software lifecycle processes
    • Version control and configuration management
    • Validation and verification procedures
    • Change management processes
    • Post market monitoring of algorithm performance

    Continuous learning or adaptive systems require clearly defined update procedures to ensure regulatory compliance after deployment.

    4. Software Lifecycle and Standards

    Although the EU MDR does not mandate specific harmonized standards, manufacturers commonly apply:

    • IEC 62304 for medical device software lifecycle processes
    • ISO 14971 for risk management
    • IEC 62366 for usability engineering
    • ISO 13485 for quality management

    For Machine Learning systems, risk management must specifically consider training data quality, bias, model validation, cybersecurity risks and potential performance degradation.

    5. Clinical Evaluation

    Under EU MDR Annex XIV, manufacturers must conduct a clinical evaluation demonstrating safety and performance. For Machine Learning based devices, this includes evidence that:

    • The algorithm performs as intended in the target population
    • Clinical benefit outweighs risks
    • Performance metrics are clinically relevant

    Clinical data may derive from clinical investigations, literature or performance studies depending on classification and novelty.

    6. Transparency and Explainability

    Regulators increasingly expect transparency regarding algorithm logic, input parameters and limitations. While full algorithm disclosure may not be required, manufacturers must document:

    • Training and validation methodology
    • Dataset representativeness
    • Performance limitations
    • Intended user interaction

    Lack of transparency can impact both risk management and clinical evaluation.

    7. Post Market Surveillance and Continuous Monitoring

    Machine Learning based medical devices require robust post market surveillance under Articles 83 to 86 of the EU MDR. Manufacturers must monitor:

    • Real world performance
    • Adverse events and incidents
    • Algorithm drift
    • Changes in data distribution

    Significant modifications to the algorithm may trigger a new conformity assessment.

    8. Cybersecurity and Data Protection

    Cybersecurity requirements are addressed under Annex I of the EU MDR. Machine Learning systems must ensure:

    • Protection against unauthorized access
    • Data integrity
    • Secure update mechanisms

    Additionally, compliance with GDPR is required where personal data is processed.

    9. Interaction with the EU AI Act

    In addition to the EU MDR, Machine Learning medical devices will be subject to the EU AI Act once fully applicable. Medical devices classified under MDR are generally considered high risk AI systems, which introduces additional obligations related to risk management, data governance, transparency and post market monitoring.

    Conclusion

    Machine Learning in medical devices is fully permissible within the EU regulatory framework, but it requires rigorous quality management, risk control, clinical validation and lifecycle governance.

    Manufacturers must treat Machine Learning not merely as software functionality, but as a regulated medical technology requiring structured conformity assessment, notified body involvement where applicable, and continuous regulatory oversight throughout the product lifecycle.

  • The Medical Device Regulation EU 2017/745, commonly referred to as the MDR, is the legal framework governing medical devices placed on the European market. It replaced the former Medical Device Directive 93/42/EEC and became fully applicable in May 2021, with transitional provisions for certain legacy devices.

    The MDR significantly strengthens regulatory requirements to enhance patient safety, product traceability and clinical evidence standards.

    Scope of the MDR

    The MDR applies to medical devices intended for human use, including:

    • Diagnostic and therapeutic devices
    • Active medical devices
    • Software with a medical purpose
    • Certain aesthetic or non medical products listed in Annex XVI

    A product qualifies as a medical device if it is intended by the manufacturer for medical purposes such as diagnosis, prevention, monitoring, prediction, treatment or alleviation of disease.

    Key Objectives of the MDR

    The regulation was introduced to:

    • Improve patient safety and transparency
    • Strengthen clinical evaluation requirements
    • Increase traceability through Unique Device Identification
    • Enhance oversight of notified bodies
    • Ensure stronger post market surveillance

    The MDR establishes a more rigorous and uniform regulatory system across all EU Member States.

    Risk Classification

    Medical devices are classified into four risk classes:

    • Class I
    • Class IIa
    • Class IIb
    • Class III

    Classification is based on intended purpose and inherent risk, according to Annex VIII of the MDR. Higher risk classes require involvement of a notified body for conformity assessment.

    Quality Management System Requirements

    Manufacturers of Class IIa and higher devices must implement a compliant Quality Management System. The MDR requires a structured system covering:

    • Design and development
    • Risk management
    • Supplier control
    • Production and process validation
    • Post market surveillance
    • Vigilance and incident reporting

    In practice, ISO 13485 is widely used to demonstrate compliance with these QMS obligations.

    Clinical Evaluation and Evidence

    One of the most significant changes introduced by the MDR is the strengthening of clinical evaluation requirements. Manufacturers must demonstrate clinical safety and performance through:

    • Clinical data
    • Clinical investigations where necessary
    • Systematic evaluation of available evidence

    The concept of equivalence has been tightened, making it more difficult to rely solely on competitor data.

    Technical Documentation

    The MDR requires comprehensive technical documentation as specified in Annex II and Annex III. This includes:

    • Device description and specifications
    • Risk management documentation
    • Verification and validation data
    • Clinical evaluation report
    • Post market surveillance plan

    Technical documentation must be maintained and made available to competent authorities and notified bodies.

    Role of Notified Bodies

    Notified bodies are independent organizations designated by EU Member States to conduct conformity assessments for higher risk devices. Under the MDR, notified bodies are subject to stricter designation and monitoring requirements.

    Manufacturers of Class IIa, IIb and III devices must undergo a conformity assessment procedure involving a notified body before CE marking can be affixed. Class I devices placed on the market in sterile condition, with a measuring function or as reusable surgical instruments also require notified body involvement, limited to those aspects (Article 52(7)).

    Post Market Surveillance and Vigilance

    The MDR introduces strengthened post market obligations. Manufacturers must:

    • Establish a post market surveillance system
    • Actively collect and analyze performance data
    • Report serious incidents and field safety corrective actions
    • Prepare periodic safety update reports (PSUR) for Class IIa, IIb and III devices (Article 86); Class I manufacturers prepare a post market surveillance report instead (Article 85)

    This lifecycle approach ensures continuous oversight after market placement.

    Unique Device Identification and EUDAMED

    The MDR introduces a Unique Device Identification system to improve traceability across the supply chain. In addition, device and manufacturer data are to be registered in the European database EUDAMED.

    Conclusion

    The EU Medical Device Regulation represents a comprehensive and significantly more demanding regulatory framework compared to the former directives. It emphasizes clinical evidence, lifecycle oversight, transparency and strengthened regulatory control.

    For manufacturers seeking EU market access, early regulatory planning, a compliant Quality Management System and structured conformity assessment coordination are essential to achieve and maintain CE marking under the MDR.

  • The EU Artificial Intelligence Act introduces a horizontal regulatory framework for artificial intelligence systems across all sectors. For medical device and in vitro diagnostic manufacturers, the AI Act does not replace existing sectoral legislation such as the EU MDR or IVDR. Instead, it adds an additional regulatory layer that must be considered in parallel.

    Manufacturers using AI or Machine Learning technologies in medical devices or IVDs must therefore comply with both the product specific regulatory framework and the AI specific obligations.

    1. AI Systems in Medical Devices Are Considered High Risk

    Under Article 6(1) of the AI Act, an AI system is high risk if it is a product, or a safety component of a product, covered by the EU harmonisation legislation listed in Annex I, and that product must undergo third party conformity assessment. The MDR and IVDR are both listed in Annex I.

    This means that AI enabled medical devices and IVDs whose conformity assessment involves a notified body (MDR Class IIa and above, IVDR Class B and above) are automatically considered high risk under the AI Act; the AI Act does not introduce a separate classification step for them.

    High risk classification triggers strict requirements related to risk management, data governance, documentation and oversight.

    2. Interaction Between MDR, IVDR and the AI Act

    The AI Act follows the principle of regulatory consistency with existing product legislation. For medical devices and IVDs:

    • Conformity assessment procedures should be aligned where possible
    • Notified bodies designated under MDR or IVDR may also assess AI Act requirements, subject to designation
    • Technical documentation must incorporate AI specific evidence

    Manufacturers must ensure that AI Act requirements are integrated into the existing Quality Management System and regulatory strategy.

    3. Risk Management Requirements

    The AI Act requires a risk management system for high risk AI systems (Article 9). Where a product is already subject to risk management obligations under other Union law, the AI specific aspects may be combined with that existing process (Article 9(10)). For medical device manufacturers already operating under ISO 14971, this means extending the existing risk management process to include:

    • Algorithmic bias and discrimination risks
    • Data representativeness and quality
    • Model robustness and reliability
    • Cybersecurity vulnerabilities
    • Human oversight mechanisms

    AI specific risks must be systematically identified, mitigated and documented.

    4. Data Governance and Training Data

    High risk AI systems must be developed using high quality datasets that are:

    • Relevant and representative
    • Examined for possible biases that could affect health, safety or fundamental rights, with detected biases mitigated and the mitigation documented
    • Appropriately documented
    • Traceable in terms of origin and preprocessing

    For medical device and IVD manufacturers, this has direct implications for clinical datasets, real world data and training validation protocols.

    Documentation of dataset governance becomes a regulatory expectation.
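    The traceability expectation above (origin and preprocessing of the training data) can be made checkable rather than only described. The following Python script is an added illustration, not code from this page or from any regulator or standard: it hashes each source file, records every preprocessing step as a hash-chained entry, and later verifies that neither the source files nor the recorded steps were altered after the fact. The file name, step names and parameters are constructed sample values.

```python
"""Dataset provenance manifest (added illustration, hypothetical data).

Origin  : SHA-256 of every source file.
Process : every preprocessing step is an entry that commits to the previous
          entry's hash, so reordering, dropping or editing a step is detectable.
"""
from __future__ import annotations

import hashlib
import json
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(obj: dict) -> bytes:
    # Stable serialisation so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True).encode()


def build_manifest(sources: list[Path], steps: list[dict]) -> dict:
    """Record origin (file hashes) and preprocessing (ordered, chained steps)."""
    origin = {p.name: file_hash(p) for p in sources}
    chain = []
    prev = sha256_bytes(canonical(origin))  # chain is anchored to the sources
    for step in steps:
        entry = {"prev": prev, "step": step["name"], "params": step["params"],
                 "output_sha256": step["output_sha256"]}
        entry_hash = sha256_bytes(canonical(entry))
        chain.append({**entry, "entry_sha256": entry_hash})
        prev = entry_hash
    return {"origin": origin, "preprocessing": chain, "head": prev}


def verify_manifest(manifest: dict, sources: list[Path]) -> list[str]:
    """Return findings; an empty list means origin and chain are intact."""
    findings = []
    current = {p.name: file_hash(p) for p in sources}
    for name, digest in manifest["origin"].items():
        if current.get(name) != digest:
            findings.append(f"source changed or missing: {name}")
    prev = sha256_bytes(canonical(manifest["origin"]))
    for i, entry in enumerate(manifest["preprocessing"]):
        if entry["prev"] != prev:
            findings.append(f"step {i} ({entry['step']}): broken link to previous step")
        body = {k: entry[k] for k in ("prev", "step", "params", "output_sha256")}
        if sha256_bytes(canonical(body)) != entry["entry_sha256"]:
            findings.append(f"step {i} ({entry['step']}): entry tampered")
        prev = entry["entry_sha256"]
    if manifest["head"] != prev:
        findings.append("manifest head does not match chain")
    return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: clean manifest, then a changed source, then an edited step."""
    with TemporaryDirectory() as d:
        src = Path(d) / "site_a_export.csv"  # hypothetical source file
        src.write_bytes(b"patient_id,age,label\n1,63,1\n2,47,0\n")
        steps = [  # hypothetical preprocessing record; output hashes are of constructed outputs
            {"name": "deidentify", "params": {"drop": ["patient_id"]},
             "output_sha256": sha256_bytes(b"age,label\n63,1\n47,0\n")},
            {"name": "normalize_age", "params": {"min": 0, "max": 100},
             "output_sha256": sha256_bytes(b"age,label\n0.63,1\n0.47,0\n")},
        ]
        manifest = build_manifest([src], steps)
        clean = verify_manifest(manifest, [src])
        src.write_bytes(b"patient_id,age,label\n1,63,1\n2,47,0\n3,80,1\n")  # row added later
        source_changed = verify_manifest(manifest, [src])
        manifest["preprocessing"][0]["params"]["drop"] = []  # de-identification silently undone
        step_changed = verify_manifest(manifest, [src])
    return clean, source_changed, step_changed


if __name__ == "__main__":
    for label, result in zip(("clean", "source changed", "step edited"), demo()):
        print(f"{label}: {result or 'OK'}")
```

    The manifest is a record the manufacturer keeps with the technical documentation; the verification step is what an auditor, or a release pipeline, can run to show that the dataset used for validation is the one described.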

    5. Transparency and Human Oversight

    The AI Act requires that high risk AI systems are designed to enable effective human oversight. For medical devices, this typically means:

    • Clear definition of user roles
    • Transparent description of system limitations
    • Adequate instructions for use
    • Ability for healthcare professionals to interpret outputs

    Black box behavior without documented performance boundaries is unlikely to be acceptable.

    6. Technical Documentation and Record Keeping

    Manufacturers must maintain detailed technical documentation demonstrating compliance with the AI Act. This documentation must include:

    • System description and intended purpose
    • Algorithm architecture and functionality
    • Risk management documentation
    • Validation and testing evidence
    • Post market monitoring procedures

    For medical devices and IVDs, this documentation must be integrated into the existing technical file under MDR or IVDR.

    7. Post Market Monitoring and Continuous Learning

    The AI Act requires ongoing post market monitoring of high risk AI systems. This includes:

    • Monitoring performance drift
    • Incident analysis
    • Corrective and preventive actions
    • Update control and change management

    For adaptive or continuously learning systems, manufacturers must define in advance how updates are controlled. Changes that were pre-determined at the initial conformity assessment and described in the technical documentation are not treated as substantial modifications under the AI Act (Article 43(4)); any change outside that declared envelope must be assessed for whether it triggers a new conformity assessment under MDR or IVDR.
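    As an added illustration of what "monitoring performance drift" against a pre-declared envelope can look like in practice (this is not code from the page or from any regulator), the Python script below compares one window of field data with the validated baseline: it computes a population stability index (PSI) for an input feature and sensitivity and specificity on labelled cases, and returns a decision record for change control. The thresholds (PSI 0.2, sensitivity 0.90, specificity 0.85) and all sample data are hypothetical.

```python
"""Post-market drift monitor for a deployed classifier (added illustration)."""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass
class DriftReport:
    """Decision record written to the post-market monitoring file."""
    psi: float
    sensitivity: float
    specificity: float
    findings: list[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # within_plan: stays inside the pre-declared performance envelope
        # investigate: open a CAPA; any model update goes through change control
        return "within_plan" if not self.findings else "investigate"


def psi(reference: list[float], current: list[float], bins: int = 10) -> float:
    """Population stability index of one input feature, baseline vs. field window."""
    lo, hi = min(reference), max(reference)
    width = (hi - lo) / bins or 1.0
    eps = 1e-6  # avoids log(0) when a bin is empty in one window

    def share(xs: list[float]) -> list[float]:
        counts = [0] * bins
        for x in xs:
            idx = min(max(int((x - lo) / width), 0), bins - 1)
            counts[idx] += 1
        return [max(c / len(xs), eps) for c in counts]

    return sum((c - r) * math.log(c / r) for r, c in zip(share(reference), share(current)))


def sens_spec(y_true: list[int], y_pred: list[int]) -> tuple[float, float]:
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    return (tp / (tp + fn) if tp + fn else 0.0, tn / (tn + fp) if tn + fp else 0.0)


def assess(reference_feature: list[float], current_feature: list[float],
           y_true: list[int], y_pred: list[int], *,
           psi_limit: float = 0.2, min_sensitivity: float = 0.90,
           min_specificity: float = 0.85) -> DriftReport:
    """Compare one field window against the validated baseline and its declared limits."""
    sens, spec = sens_spec(y_true, y_pred)
    report = DriftReport(psi=psi(reference_feature, current_feature),
                         sensitivity=sens, specificity=spec)
    if report.psi > psi_limit:
        report.findings.append(f"input distribution shifted: PSI {report.psi:.3f} > {psi_limit}")
    if sens < min_sensitivity:
        report.findings.append(f"sensitivity {sens:.2f} below declared minimum {min_sensitivity}")
    if spec < min_specificity:
        report.findings.append(f"specificity {spec:.2f} below declared minimum {min_specificity}")
    return report


def demo() -> dict[str, DriftReport]:
    """Three constructed field windows against one constructed validation baseline."""
    reference = [i / 100 for i in range(100)]        # validated input range, uniform
    stable = [(i + 0.5) / 100 for i in range(100)]   # same population as validation
    shifted = [0.5 + i / 200 for i in range(100)]    # e.g. a new scanner: upper half only
    y_true = [1] * 20 + [0] * 20
    pred_ok = [1] * 19 + [0] + [0] * 18 + [1, 1]      # 95 % sensitivity, 90 % specificity
    pred_bad = [1] * 16 + [0] * 4 + [0] * 18 + [1, 1]  # sensitivity drops to 80 %
    return {
        "stable": assess(reference, stable, y_true, pred_ok),
        "input_shift": assess(reference, shifted, y_true, pred_ok),
        "performance_drop": assess(reference, stable, y_true, pred_bad),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r.action, r.findings)
```

    A finding does not itself decide whether a modification is substantial; it opens the investigation, and that decision is taken against the change plan declared in the technical documentation.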

    8. Quality Management System Implications

    Manufacturers of AI based medical devices and IVDs must ensure that their Quality Management System incorporates AI governance processes, including:

    • Data management procedures
    • Algorithm validation frameworks
    • Change control mechanisms
    • Documentation controls

    ISO 13485 based systems will need to be expanded to formally integrate AI Act requirements.

    9. Strategic Impact for Manufacturers

    The AI Act increases regulatory complexity but also provides regulatory clarity. Manufacturers that proactively integrate AI governance into their development and quality processes can:

    • Reduce approval delays
    • Improve audit readiness
    • Strengthen trust with notified bodies and authorities
    • Demonstrate responsible AI deployment

    Early alignment of MDR or IVDR strategy with AI Act compliance will be essential for long term market access.

    Conclusion

    For medical device and IVD manufacturers, the AI Act introduces mandatory governance obligations for AI enabled products classified as high risk. Compliance requires structured integration of AI specific risk management, data governance, transparency and lifecycle monitoring into existing regulatory frameworks.

    AI technologies in healthcare remain fully permissible within the EU regulatory environment. However, they must be developed, validated and monitored under a dual compliance model combining MDR or IVDR requirements with the horizontal obligations of the AI Act.

    The NIS2 Directive EU 2022/2555 significantly strengthens cybersecurity requirements for essential and important entities across the European Union. For the healthcare sector and medical device ecosystem, NIS2 introduces binding organizational and technical security obligations that complement existing product specific frameworks such as the EU MDR and IVDR.

    Medical device manufacturers, healthcare providers and certain service providers must therefore assess whether they fall within the scope of NIS2 and how cybersecurity governance must be adapted.

    1. Scope of NIS2 in the Healthcare Sector

    NIS2 applies to entities classified as essential or important based on sector and size criteria. Within healthcare, this may include:

    • Hospitals and healthcare providers
    • Manufacturers of medical devices and IVDs (listed under manufacturing in Annex II), and manufacturers of medical devices considered critical during a public health emergency (listed under health in Annex I)
    • Critical supply chain operators
    • Managed service providers supporting healthcare infrastructure

    Applicability follows the size cap rule of Article 2: entities in a listed sector that are medium sized or larger (at least 50 employees, or annual turnover and balance sheet total above EUR 10 million) are in scope, and Member States may designate smaller entities whose disruption would have a significant impact on public health or critical infrastructure.

    Manufacturers supplying critical medical technologies into EU healthcare systems may therefore fall under NIS2 either because they meet the size thresholds or because they are designated by national authorities.

    2. Relationship Between NIS2 and the EU MDR

    The EU MDR already requires cybersecurity measures under Annex I (General Safety and Performance Requirements 17.2 and 17.4), including state of the art software development, protection against unauthorized access and minimum requirements for the IT environment in which the device operates; MDCG 2019-16 provides guidance on how to meet them.

    However, MDR cybersecurity requirements are product focused, addressing safety and performance of the device.

    NIS2 is organizationally focused. It requires companies to implement enterprise level cybersecurity governance, risk management and incident reporting structures.

    In practice:

    • MDR addresses secure device design and lifecycle safety.
    • NIS2 addresses corporate cybersecurity governance and operational resilience.

    Manufacturers potentially subject to both frameworks must integrate product level and organizational cybersecurity controls.

    3. Cybersecurity Risk Management Requirements

    Article 21 of NIS2 requires appropriate and proportionate technical, operational and organizational measures based on an all hazards approach. The minimum measures listed in Article 21(2) include:

    • Risk analysis and information system security policies
    • Incident handling procedures
    • Business continuity (backup, disaster recovery) and crisis management
    • Supply chain security controls
    • Security in system acquisition, development and maintenance, including vulnerability handling and disclosure
    • Policies and procedures to assess the effectiveness of the measures
    • Cyber hygiene practices and security training
    • Policies on the use of cryptography and, where appropriate, encryption
    • Human resources security, access control and asset management
    • Multi factor or continuous authentication and secured communications where appropriate

    For medical device manufacturers, this means extending cybersecurity governance beyond product development into enterprise IT systems, cloud infrastructure and supplier networks.

    4. Incident Reporting Obligations

    NIS2 introduces strict incident reporting timelines (Article 23). Entities must:

    • Submit an early warning within 24 hours of becoming aware of a significant incident
    • Provide an incident notification within 72 hours, including an initial assessment of severity and impact
    • Deliver a final report no later than one month after the incident notification, or a progress report if the incident is still ongoing at that point, followed by the final report within one month of handling it

    For medical device manufacturers, cyber incidents affecting production systems, connected devices or cloud platforms may trigger reporting obligations.

    Coordination between regulatory vigilance reporting under MDR and cybersecurity incident reporting under NIS2 becomes essential.

    5. Supply Chain and Third Party Risk

    NIS2 places strong emphasis on supply chain security. Manufacturers must assess risks stemming from:

    • Software suppliers
    • Cloud providers
    • Contract manufacturers
    • IT service providers

    Given the increasing connectivity of medical devices, vulnerabilities in third party components can directly affect compliance under both MDR and NIS2.

    6. Governance and Management Accountability

    Under NIS2, management bodies are explicitly responsible for approving cybersecurity risk management measures and overseeing their implementation, must follow cybersecurity training and can be held personally liable for infringements (Article 20).

    Failure to comply may lead to supervisory measures and administrative fines of up to EUR 10 million or 2 percent of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4 percent for important entities, whichever is higher (Article 34).

    For medical device companies, cybersecurity governance must be elevated to executive level, integrated into corporate risk management and supported by documented policies.

    7. Alignment with ISO 27001 and Security Standards

    Implementation of an Information Security Management System aligned with ISO 27001 is widely recognized as an effective method to structure NIS2 compliance.

    For medical device manufacturers, integration between:

    • ISO 13485 Quality Management Systems
    • ISO 14971 Risk Management
    • ISO 27001 Information Security Management

    creates a coherent framework covering product safety, cybersecurity resilience and regulatory governance.

    8. Strategic Implications for Medical Device Manufacturers

    NIS2 significantly increases regulatory expectations regarding cybersecurity maturity. Even manufacturers not directly falling under NIS2 may face indirect pressure through:

    • Customer security requirements
    • Procurement conditions of hospitals
    • Supply chain audits
    • Insurance and liability exposure

    Proactive cybersecurity governance therefore becomes a competitive factor.

    Conclusion

    NIS2 establishes mandatory enterprise level cybersecurity obligations that directly affect the medical device ecosystem. While MDR focuses on product safety and cybersecurity by design, NIS2 addresses organizational resilience, incident reporting and supply chain security.

    Medical device manufacturers operating in the EU must assess applicability, integrate cybersecurity governance into executive management structures and align product security with enterprise wide information security frameworks.

    A structured combination of MDR compliance, ISO 13485 quality management and ISO 27001 based cybersecurity governance provides a robust foundation for meeting the combined regulatory expectations under NIS2 and European medical device law.