MDR Compliance Checklist
Manufacturer perspective including software as a medical device (MDSW). Covers qualification, classification, QMS, technical documentation, clinical evaluation, pre-market administrative, and post-market vigilance.
Counsel-grade external checklist for Regulation (EU) 2017/745 (MDR). Manufacturer perspective — including software as a medical device (MDSW). Importer, distributor and Authorised Representative obligations are flagged separately where relevant. EUDAMED module timelines and transitional provisions move — verify current status before relying on any specific date. This checklist is a working reference, not legal advice.
A. Qualification and classification gate — the make-or-break step
- Qualification: does the product meet the Art. 2(1) 'medical device' definition (intended medical purpose)? For software, apply MDCG 2019-11 decision steps — software driving or influencing a device, or with its own medical purpose (diagnosis, prevention, monitoring, prediction, prognosis, treatment).
- Intended-purpose statement drafted precisely — it determines qualification, classification, clinical-evidence burden, and the boundaries of permissible marketing claims.
- Classification per Annex VIII: for MDSW apply Rule 11 (software providing information for diagnostic or therapeutic decisions is at minimum Class IIa; higher where decisions may cause serious deterioration or death) with MDCG 2021-24.
- Borderline position documented if claiming non-device status (wellness, administrative) — regulator-facing rationale on file.
- Conformity-assessment route selected: Class I self-declaration versus notified-body involvement (Im / Is / Ir, IIa, IIb, III); NB capacity and lead-times factored into the launch plan.
B. Quality management system (Art. 10(9))
- QMS established covering all Art. 10(9) elements — in practice ISO 13485-aligned: regulatory strategy, risk management, clinical evaluation, PMS, vigilance, CAPA, design controls.
- Risk-management system per ISO 14971 — risk-management file per device.
- For MDSW: software lifecycle per IEC 62304, usability per IEC 62366, and (post-2024 expectations) cybersecurity per MDCG 2019-16.
- PRRC appointed (Art. 15) — person responsible for regulatory compliance with documented qualifications; micro and small enterprises may use a permanently-available external PRRC.
C. Technical documentation (Annexes II and III)
- Device description, variants, accessories, intended purpose, novel features.
- Design and manufacturing information, including software architecture and verification / validation for MDSW.
- GSPR checklist (Annex I) — every general safety and performance requirement addressed: applicable or not with justification, solution, standard applied, evidence reference.
- Benefit-risk analysis and risk-management outputs.
- Verification and validation data, including clinical evaluation.
- Labelling and instructions for use (Annex I Ch. III), language requirements per target Member States.
D. Clinical evaluation (Art. 61, Annex XIV)
- Clinical evaluation plan and report (CEP / CER) per MEDDEV 2.7/1 rev. 4 methodology.
- For MDSW: clinical evidence framed per MDCG 2020-1 (valid clinical association, technical performance, clinical performance).
- Equivalence route (if used) strictly justified — technical, biological, and clinical equivalence with data access.
- Clinical-investigation need assessed (Art. 62) — performance testing of prototypes outside clinical decision-making ("shadow mode" R&D) versus the investigation boundary documented.
- PMCF plan (post-market clinical follow-up) or a documented justification for exemption.
E. Pre-market administrative
- EU Declaration of Conformity drafted (Annex IV); CE marking affixed correctly.
- Basic UDI-DI and UDI-DI assigned; UDI carrier on label; EUDAMED actor and device registration per current module availability.
- SRN (single registration number) obtained.
- Non-EU manufacturer: Authorised Representative mandated (Art. 11) with a written mandate covering the minimum tasks; importer and distributor obligations (Arts. 13–14) allocated in the supply chain.
- Notified-body certificate scope matches device and claims (where applicable).
F. Post-market obligations — where enforcement actually happens
- PMS system and PMS plan per device (Arts. 83–84); PMS report (Class I) or PSUR (IIa: at least every two years; IIb / III: annually) maintained.
- Vigilance: serious-incident reporting timelines — 2 days for a serious public-health threat, 10 days for death or serious deterioration in health, 15 days for other serious incidents — via national portal / EUDAMED; trend reporting under Art. 88.
- Field safety corrective action (FSCA) and field safety notice process rehearsed.
- Complaint handling wired into CAPA and PMS inputs.
- Significant-change assessment procedure — software updates can trigger re-certification (MDCG 2020-3 logic).
- Technical documentation and DoC retention: 10 years after the last device is placed on the market (15 years for implantables).
Related
- Cybersecurity for medical devices under NIS2 and cross-regime breach clocks: see the NIS2 checklist and, for personal data, the GDPR checklist. One incident can trigger MDR vigilance, GDPR (72h) and NIS2 (24h/72h) on parallel clocks.
Last reviewed: July 2026. MDCG guidance, EUDAMED module status, and transitional deadlines (Regulation (EU) 2023/607) evolve — verify against current Commission and MDCG texts before relying on specific values.