QNET | EU, UK & CH Representative & Regulatory Partner

New EU MIR Form 7.3.1 Released – Overview of the impact for EU, UK, and Swiss Market Vigilance

News-Insights

On May 5th, 2025, the European Commission (EC) released the Manufacturer Incident Report (MIR) version 7.3.1. This updated form is a cornerstone in the EU’s post-market surveillance (PMS) system for reporting serious incidents and field safety actions related to medical devices and in vitro diagnostic (IVD) devices. The aims are to harmonize vigilance reporting, enhance global surveillance compatibility, and improve data quality and transparency.

The update is mandatory for all manufacturers of medical devices operating in the EU, and it has implications for related vigilance processes in the UK and Switzerland. The MHRA has not yet announced changes to its reporting form, but alignment is expected in the future.

Transition period: The use of MIR version 7.3.1 is optional until November 2025[1]; after this date, it will become mandatory in both the EU and Switzerland.


Key Changes in EU MIR 7.3.1

The new MIR version 7.3.1, published in July 2025, includes several significant changes compared to version 7.2.1:

Main Updates (change, affected MIR 7.3.1 section, and description/verification point):

- Separate Dates: Incident Awareness vs. Reportability Awareness
  Section: 1.2.e – Type of Report; 1.2.c – Manufacturer awareness date of the incident; new field – Manufacturer awareness date of reportability
  Verification point: This distinction implements MDCG 2023-3 guidance (Q15). It was not present in MIR 7.2.1.

- Mandatory Use of IMDRF Codes (Annex E, F, G)
  Section: 3.3 – Clinical Information; 3.2 – Medical Device Problem Information; 4.2.e – Cause Investigation
  Verification point: IMDRF codes are now compulsory for clinical effects (E), health impact (F), and components (G). Unused component fields are to be marked “Not applicable”.

- UDI Issuing Entity Identification
  Section: 2.1 – Unique Device Identification (UDI)
  Verification point: A dropdown menu for UDI-issuing entities has been introduced. This was not required in 7.2.1.

- Separate Device Description and Nomenclature Fields
  Section: 2.3.a – Device Name; 2.3.b – Nomenclature Text / Intended Purpose
  Verification point: MIR 7.3.1 separates product name and intended use/nomenclature, whereas 7.2.1 combined these.

- Legacy Device Reporting & Applicable Legislation
  Section: 2.4 – Risk Class and Regulatory Status
  Verification point: Allows marking the device as legacy, plus an option to select “Unknown” for applicable legislation if needed.

- Combination Products / EMA Consultation Fields
  Section: 2.4.e/f – Medicinal Substance or Tissue Association
  Verification point: Added to reflect situations where EMA consultation or expert panel review is involved for drug-device or tissue-device combinations.

- Market Distribution Update
  Section: 2.5 – Market Distribution of Device
  Verification point: Great Britain and Switzerland removed; Northern Ireland (XI) added. This change aligns with Brexit and Swiss regulatory independence.

- Similar Serious Incidents – EEA + Turkey + XI
  Section: 4.3.3 – Similar Incidents
  Verification point: Statistical calculations now exclude Switzerland but include the EEA, Turkey, and Northern Ireland (XI).

- XML File Handling Enhanced
  Section: Form Metadata / Submission Options
  Verification point: XML can now be saved directly from the form, not just sent by email. This supports better integration with internal systems.

- New Help Text with Supplementary Resources
  Section: Separate Help Document (available from the EC site)
  Verification point: The new help text includes links to the IMDRF AE and EMDN databases, expanding guidance compared to previous versions.


UK, NI, and Switzerland

Although MIR 7.3.1 is an EU-specific form, the UK and Swiss markets have their own vigilance requirements. However, the underlying expectations are closely aligned.

United Kingdom (UK):

- The MHRA (Medicines and Healthcare products Regulatory Agency) requires incident reporting for devices placed on the market in Great Britain.
- The UK uses a separate Manufacturer Incident Report form, but the content and structure are largely based on the MIR 7.2.1 format.
- The MHRA is currently updating its reporting systems. Manufacturers should anticipate alignment with new EU fields, especially for combination products and trend reporting.
- Online reporting via the MHRA More portal remains mandatory for UKCA-marked devices.
- Deadlines differ from the EU:
    • Death or unanticipated serious deterioration: 10 days
    • Other serious incidents: 15 days

Northern Ireland:

- Devices placed on the Northern Ireland market (XI) must comply with EU MDR/IVDR vigilance rules, including the use of MIR 7.3.1.
- Reports must be submitted to both the MHRA and the relevant EU Competent Authority.

Switzerland:

- The Swissmedic vigilance system requires incident reporting under the MedDO (Medical Devices Ordinance) and IvDO (IVD Ordinance).
- Swissmedic accepts reports in the MIR format and currently still allows the use of MIR 7.2.1. However, MIR 7.3.1 is recommended for forward compatibility.
- Reports must be submitted directly to Swissmedic, not via EUDAMED.
- Deadlines are aligned with the EU MDR/IVDR:
    • 2 days for serious public health threats
    • 10 days for death or unanticipated serious deterioration
    • 15 days for other serious incidents
- Swiss CH-REPs (Swiss Authorized Representatives) play a mandatory role in the reporting chain for non-Swiss manufacturers.


Why Is This Important?

Whether you are marketing devices in the EU, UK, or Switzerland, vigilance compliance is not optional. Regulatory authorities expect:

- Immediate awareness of incidents
- Structured reporting using the correct forms
- Digital submissions compatible with evolving systems (EUDAMED, MHRA portals, Swissmedic)
- Timely root cause analysis and corrective actions


Transition Period and Next Steps

Current status and next steps:

- Current status: MIR 7.2.1 and 7.3.1 accepted until November 2025. Next step: all manufacturers must fully transition to MIR 7.3.1 by November 2025.
- Current status: Swissmedic and EU acceptance confirmed. Next step: CH guide compliance is required for Swiss reporting.
- Current status: EUDAMED compatibility pending. Next step: a new version of MIR is likely to be issued for mandatory use in EUDAMED in the future.


How QNET Can Help

We provide:

- MIR 7.3.1 reporting support for the EU market
- UK vigilance reporting via the MHRA More portal
- Swissmedic vigilance submission guidance
- Authorized Representative (EAR, UKRP, CH-REP) services
- Post-market surveillance and vigilance process management




[1] https://health.ec.europa.eu/document/download/e8ce9f53-82cb-44c8-a06e-91ad71c16b01_en?filename=md_new-reg_mir-form-v7.3.1_en.pdf

Integrating Sustainability into EU, UK, and Swiss Representation Services


Why Sustainability Matters in Medtech Today

The medical technology (Medtech) industry is undergoing a paradigm shift where sustainability has become an essential business priority. No longer just a "nice-to-have," sustainable practices are now seen as key factors for market access, investment, and long-term competitiveness[1]. In Switzerland, for example, new climate legislation requires companies to reach net-zero emissions by 2050[2]. Industry bodies are responding with clear roadmaps – Swiss Medtech's Industry Roadmap for Decarbonisation guides medtech SMEs to systematically cut carbon emissions and achieve net-zero across their supply chains[3]. The message is clear: the time for voluntary measures is over – sustainability is now an economic imperative for the entire medtech value chain[4].

This push for greener healthcare is not isolated to Switzerland. Across Europe, medtech regulators and associations are aligning with the EU Green Deal's sustainability goals. MedTech Europe (the EU medtech industry association) recently issued recommendations to make medical devices and diagnostics more environmentally friendly[5]. They call for integrating sustainability into all aspects of device design, production, and post-market processes – from transitioning to safer, sustainable materials to promoting circular economy practices such as reuse and recycling. Crucially, these initiatives emphasize that environmental progress must be aligned with regulatory compliance under frameworks such as the EU Medical Devices Regulation (MDR) and the In Vitro Diagnostics Regulation (IVDR). In other words, medtech companies are expected to innovate sustainably without compromising patient safety or product efficacy[6].

What does this mean for medtech manufacturers? In practical terms, regulatory requirements are expanding to include sustainability metrics. New laws stemming from the EU Green Deal are introducing obligations that directly impact medical device companies. For instance:

- The EU Chemicals Strategy for Sustainability is accelerating restrictions on hazardous substances (like phthalates and endocrine disruptors) in medical devices[7]. Under EU MDR, certain harmful plasticizers are already limited to 0.1% unless a rigorous justification is provided, and more substance bans are expected as "safe and sustainable by design" materials become the norm[8].


- The EU's Circular Economy Action Plan is driving regulations on the product lifecycle. A new Ecodesign for Sustainable Products Regulation (ESPR) was adopted in 2024 to improve product durability, reparability, and recyclability across industries. Medtech products are likely to see eco-design requirements by 2027, aiming for longer lifespans and increased recycled content. Likewise, the upcoming Packaging and Packaging Waste Regulation will require that all packaging be either reusable or recyclable, affecting how medical devices are packaged and labeled for the EU market.


- The EU Battery Regulation and WEEE Directive impose strict obligations on electronic medical devices. Manufacturers of devices with batteries or electronic components must ensure proper recycling schemes, provide take-back programs, and often appoint local representatives in each country to manage these environmental compliance duties[9].


- In the UK, parallel pressures are mounting. The NHS – one of the world's largest healthcare providers – has committed to a net-zero supply chain by 2045. This means medtech suppliers will only qualify for NHS contracts if they can demonstrate progress toward net-zero emissions[10]. Sustainability criteria are already built into UK procurement: as of 2024, all NHS tenders require a carbon-reduction plan, with progressively tighter reporting requirements each year[11]. To remain competitive in the UK market, medical device companies must adopt sustainable practices or risk losing business.

In summary, sustainability is now intertwined with regulatory compliance and market access in the medical device sector. Manufacturers of Medical Devices (MD) and in vitro diagnostics (IVD) must navigate not only safety and performance regulations but also emerging environmental standards. In response to this evolving landscape, our organization, as an EU Authorized Representative (EAR), UK Responsible Person (UKRP), and Swiss Authorized Representative (CH-REP), is strengthening its sustainability position and rolling out new services to support our clients.


Sustainability Services as Your Authorized Representative (EU, UK, CH)

As an appointed regulatory representative for manufacturers in the EU, UK, and Switzerland, we are your on-the-ground partner ensuring compliance in each region. We are now expanding our Authorized Representative services with a strong focus on sustainability, so that environmental compliance becomes a seamless part of your market access strategy. Our sustainability-related representative services include:

- Environmental Compliance Monitoring:

We track and interpret new environmental regulations that impact medical devices across Europe. This includes upcoming EU Green Deal legislation (such as new battery, packaging, and chemicals rules) and national requirements. We will proactively alert you to relevant changes and guide you in meeting them – for example, advising on the new EU eco-design standards, battery take-back rules, or substance restrictions that need to be reflected in your Technical Documentation[12]. By staying ahead of these changes, you can adapt your products and documentation in a timely, compliant manner.


- Regulatory Liaison for Sustainability Requirements:

As your EAR/UKRP/CH-REP, we already serve as the official point of contact with regulators. We also extend this role to environmental compliance matters. We will communicate with authorities on your behalf regarding sustainability-related obligations, such as registering your products in a national electronic waste database, filing packaging recycling reports, or responding to inquiries about the materials used in your device. Our team verifies that your Declarations of Conformity and product labels include all required environmental information (e.g., proper disposal symbols, such as the crossed-out wheelie bin for electronics, or chemical substance disclosures mandated by the MDR).


- Extended Producer Responsibility (EPR) Representation:

Many environmental laws require foreign manufacturers to have a local representative to fulfill obligations. We can act as your authorized representative for EPR schemes, such as the Waste Electrical and Electronic Equipment (WEEE) Directive, battery recycling programs, and packaging waste compliance in EU member states. In practice, this means we handle country-specific tasks, such as product registration with recycling schemes, submission of recycling reports, and arranging take-back logistics through trusted partners. By entrusting us with these duties, you remain compliant with minimal administrative burden, even in countries where you have no physical presence.


- Integration of Sustainability in Post-Market Surveillance:

Our role as a rep includes supporting your Post-Market Surveillance (PMS) and vigilance obligations. We now incorporate sustainability considerations into that support. For example, when reviewing your PMS plans and Periodic Safety Update Reports (PSURs), we'll check if any environmental risks or user feedback (e.g., on device reusability or disposal) should be documented and addressed. If regulators or customers raise environmental safety concerns (such as the leaching of substances or improper disposal incidents), we assist in vigilance reporting and corrective actions. This holistic approach ensures that device safety and environmental safety are both monitored throughout the product's lifecycle.


- Professional Guidance on EU and National Green Markings:

We ensure that your products meet all sustainability-related marking and labeling requirements. For instance, if you sell electronics in Europe, we confirm that the WEEE symbol (indicating that the product should not be disposed of in household trash) is properly affixed. In Switzerland, we verify compliance with any specific environmental notices required by Swiss ordinance. Our familiarity with EU, UK, and Swiss labeling standards ensures that your device's packaging and Instructions for Use (IFU) convey all necessary sustainability information to end-users and distributors.


Through these enhanced representative services, we act not just as a compliance gatekeeper but as a partner in your sustainability journey. We help ensure that when you place devices on the EU, UK, or Swiss markets, you meet all regulatory requirements, including the growing sustainability expectations, in a professional, responsible manner.


Sustainability Consulting Services for Medtech Manufacturers

In addition to our duties as an authorized representative, we offer consultancy services to medtech companies seeking to improve their sustainability profile and comply with evolving environmental standards. These services are designed to provide deeper, strategic support that goes beyond day-to-day compliance. Our sustainability-focused consulting services include:

- Sustainability Strategy & Roadmap Development:

We help you craft a tailored sustainability strategy that aligns with your business goals and regulatory obligations. This can involve conducting a carbon footprint assessment of your operations and products (in line with industry roadmaps, such as Swiss Medtech's net-zero pathway) and then setting achievable emission reduction targets. We'll develop a step-by-step roadmap for you to reach those targets, including improvements in energy efficiency, greener manufacturing processes, and supplier engagement. By formulating a clear plan, even small and medium-sized device manufacturers can systematically progress toward net-zero[13].


- Regulatory Compliance Audit (Green Focus):

Our experts conduct comprehensive audits of your product portfolio and supply chain to ensure compliance with environmental regulations. We identify any gaps – for example, restricted substances in your device components, or lack of required recycling arrangements – and provide recommendations to close those gaps. If your devices contain materials like DEHP or BPA, we advise on alternatives or the documentation needed to justify their use under MDR's safety requirements[14]. We also review your supplier agreements and procurement policies to ensure they incorporate sustainability criteria (such as RoHS compliance, use of recycled materials, or ISO 14001 certification). Think of this as a "sustainability health check" that prepares you for regulatory scrutiny and customer expectations.


- Eco-Design and Green Product Development:

For companies developing next-generation devices, we offer consultancy on sustainable product design. Our team can guide your R&D and quality teams on designing medical devices that use more sustainable materials, are energy-efficient, and generate less waste – all while complying with MDR/IVDR standards. We incorporate principles from the new EU Ecodesign regulation, aiming to improve product durability, repairability, and end-of-life recyclability[15]. For example, we might help redesign a device's packaging to be lighter and fully recyclable, or suggest modular design changes that allow easier part replacement instead of full device disposal. By embracing eco-design early, you not only reduce environmental impact but also mitigate future compliance risks and potentially lower costs (through material savings or avoidance of future substance bans).


- Circular Economy & End-of-Life Solutions:

Transitioning to a circular model can be challenging in healthcare, but we help identify feasible opportunities. Our consultants advise on programs like device reprocessing, refurbishment, and take-back schemes. We can connect you with certified re-manufacturers for single-use devices (for instance, reprocessing catheters or surgical instruments to give them a second life) – a practice already yielding cost and waste reduction in hospitals[16]. We also design take-back and recycling programs for your products, ensuring compliance with WEEE and similar laws. For instance, if you produce an electronic diagnostic machine, we can set up a system to collect and recycle units at end-of-life, recovering valuable materials. These circular initiatives not only help the planet but can differentiate your brand in a market that increasingly values sustainability.


- Sustainability Reporting & Communication:

Reporting your progress is often as important as making it. We help prepare professional sustainability reports and disclosures tailored for medical technology companies. Whether you aim to use Swiss Medtech's standardized reporting tool for SMEs[17] or need to comply with broader frameworks (like the EU Corporate Sustainability Reporting Directive for larger firms), our team can gather and organize the necessary data. We focus on metrics relevant to medtech, including carbon emissions, energy usage, waste generated (especially clinical and electronic waste), and product-specific measures such as device recycling rates. By presenting clear, credible data, you can meet the expectations of regulators, hospital customers, and investors for transparency[18]. Additionally, we guide you in communicating sustainability achievements – for example, showcasing compliance with the Swiss Medtech Sustainability Code of Conduct as a commitment to ethical, social, and environmental standards[19]. Effective communication ensures that your sustainability efforts translate into enhanced reputation and trust in the market.


- Training and Workshops:

Sustainable compliance is a team effort. We offer training sessions and workshops for your staff on topics like "Medtech and the Green Deal", "Implementing Eco-Design in Device Development", and "Navigating Environmental Regulations in EU, UK, and CH." These practical trainings empower your regulatory affairs, R&D, and quality assurance teams to incorporate sustainability into their daily work. For example, we can train your design engineers on new regulatory expectations for material choices, or educate your regulatory staff on how to monitor and report environmental performance indicators. By building in-house expertise, your company can more proactively manage sustainability challenges rather than reacting at the last minute to new rules.


Our consultancy approach is highly customized for medtech (MD and IVD) manufacturers, recognizing the unique challenges of this sector, including strict hygiene requirements, stringent product safety standards, and lengthy product development cycles. We blend deep knowledge of regulatory frameworks with practical sustainability solutions, ensuring that any green initiative we recommend is compatible with medical compliance and quality requirements.


Aligning with Industry Roadmaps and Standards

Our new services are deliberately designed as a response to the industry's sustainability roadmap – we aim to help clients meet the goals set by organizations such as Swiss Medtech and MedTech Europe. When Swiss Medtech introduced its Sustainability Roadmap and Code of Conduct, it signaled that even smaller medtech companies must step up their sustainability efforts despite limited resources. By integrating that roadmap's steps into our services (assessment, target-setting, action plans), we make it easier for you to follow through on those recommendations. We can, for instance, assist you in performing the initial climate impact assessment that the roadmap requires, and then in formulating credible reduction targets. We also embrace Swiss Medtech's concept of an industry-wide standard: by helping multiple clients implement the Sustainability Code of Conduct[20], we contribute to establishing a common baseline of ethical, social, and environmental performance in the medtech supply chain.

Similarly, our services align with MedTech Europe's sustainability guidelines. MedTech Europe advocates for the coherent implementation of the EU Green Deal within the healthcare sector, emphasizing alignment between device regulations and environmental laws. In practice, this means that manufacturers should prepare for new requirements related to batteries, electronics, and hazardous substances without disrupting patient care. Our regulatory monitoring and compliance services address exactly that need – ensuring you have "no surprises" when a new battery recycling rule or chemical restriction comes into force. We translate broad policies (such as the Circular Economy Action Plan) into tangible compliance actions (like designing for recyclability and documenting material choices), so that your company can fulfill both sets of expectations.

It's also worth noting that sustainability is increasingly a requirement from customers and investors, not just regulators[21]. Hospitals and clinics want to buy from suppliers who share their green commitments; large medtech corporations expect their smaller component suppliers to track and report emissions. By using our services, you can confidently inform your clients and stakeholders that you are adhering to the latest industry best practices in sustainability. We'll help you gather success stories – for example, if you've eliminated a toxic material or significantly cut waste in packaging, we'll ensure you publicize that in line with the industry's sustainability code. This professional presentation of your sustainability efforts can be a powerful differentiator in the marketplace.

In summary, we have embedded the ethos of industry roadmaps into our service offerings. Our goal is to empower you not only to comply with regulations, but to excel in sustainability relative to your peers. This alignment with industry direction ensures that our support is relevant, forward-looking, and valuable for achieving your business objectives.


Regional Focus: Europe (EU), United Kingdom, and Switzerland

Our core market as a firm spans the EU, UK, and Swiss medical device regulatory environments, and we tailor our sustainability services to each region's specific framework:

- European Union (EU):

We help manufacturers comply with the EU MDR/IVDR regulations and all related sustainability directives. The EU is at the forefront of green regulations, so our EU Authorized Representative services place a strong emphasis on EU environmental laws. We guide you through compliance with EU-wide regulations, including REACH (chemical registration), RoHS (restrictions on hazardous substances in electronics), the new Batteries Regulation, and forthcoming Packaging Waste rules. For instance, if you sell a portable medical device in Europe, we ensure it meets the latest EU Battery Regulation's requirements for labeling, capacity information, and recycling – thereby preventing any risk of non-compliance when that law fully comes into effect. We stay connected with the European Commission's updates and MedTech Europe's guidance, so you receive the most current advice. By partnering with us, you gain a knowledgeable ally to navigate the EU's dynamic sustainability landscape, from Green Deal initiatives to each Member State's local implementations[22].


- United Kingdom (UK):

In the post-Brexit UK market, we serve as your UK Responsible Person and sustainability advisor. The UK is developing its medical device regulations (expected to update by 2025), and it upholds strong climate commitments (net-zero by 2050 nationally, and NHS net-zero by 2045 for healthcare supply chains[23]). Our services in the UK context include ensuring your compliance with current UK MDR requirements as well as helping you meet NHS sustainability criteria that are increasingly important for winning contracts. We can help you align with the NHS Supplier Roadmap – for example, by assisting in the creation of your Carbon Reduction Plan, which is required for NHS tenders from 2024 onwards. We also monitor UK-specific environmental laws (such as UK packaging waste regulations or electronic waste rules) and integrate those into your compliance strategy. With our support, manufacturers targeting the UK market can confidently demonstrate both regulatory compliance and a commitment to the UK's healthcare sustainability goals, strengthening their appeal to hospitals and buyers.


- Switzerland (CH):

Switzerland maintains its own regulatory system for medical devices (closely mirroring the EU MDR), and since mid-2021, it requires non-Swiss manufacturers to appoint a Swiss Authorized Rep (CH-REP) for market access[24]. In our role as CH-REP, we not only ensure you meet Swissmedic's requirements for device registration and vigilance, but also keep you aligned with Swiss sustainability expectations. Switzerland has adopted ambitious environmental policies, notably the Climate and Innovation Act, which mandates net-zero emissions by 2050. The Swiss medtech industry, led by Swiss Medtech, is proactively encouraging companies to cut emissions and uphold responsible practices via its code of conduct[25]. We help you respond to these local drivers: for instance, we can assist in implementing measures from the Swiss Medtech Sustainability Code so that you adhere to the ethical, social, and environmental norms that Swiss customers and partners look for[26]. Additionally, if your devices have an environmental impact in Switzerland (e.g., electronic waste), we coordinate with Swiss recycling programs or authorities to ensure compliance. Our deep understanding of both Swiss regulations and culture ensures you operate with the high level of responsibility expected in Switzerland's marketplace.

By emphasizing these regions – the EU, the UK, and Switzerland – we cover the regulatory jurisdictions most critical to international medtech manufacturers. We recognize that each region has its nuances: the EU's integrated but complex sustainability legislation, the UK's growing climate-driven procurement standards, and Switzerland's blend of EU-harmonized rules with its own sustainability agenda. Our team is organized to provide you with region-specific expertise under one roof. No matter where you are placing your medical device or IVD, our integrated approach ensures that safety, performance, and sustainability compliance are addressed in tandem. This comprehensive geographic focus is particularly beneficial for clients in the medical technology sector, since it's common to seek access to all three markets. We streamline your efforts by providing a one-stop solution for EAR, UKRP, and CH-REP services – all delivered with a consistent sustainability ethos.


Conclusion: Benefits of Our Integrated Approach

In a rapidly evolving regulatory landscape, medtech companies need partners who can anticipate change and provide end-to-end support. By integrating sustainability into our EAR, UKRP, and CH-REP services, we offer a forward-thinking partnership that safeguards your legal standing and enhances your brand reputation. The upcoming services we've outlined are designed to deliver value for both new and existing clients:

- For potential new clients:

Our robust sustainability position demonstrates that we go beyond basic compliance. We present ourselves as a professional, cutting-edge representative that can help you navigate not only the MDR or UKCA marking, but also the challenges of decarbonization, green supply chain requirements, and ESG reporting. Engaging us can save your company time and resources – instead of juggling multiple consultants for regulatory compliance and sustainability, you gain a single trusted advisor who can do both. This holistic support can be a game-changer if you're entering the EU/UK/Swiss markets for the first time and want to do it "right" from the start, or if you're an established manufacturer looking to upgrade your compliance strategy to include sustainability benchmarks.


- For existing clients:

If you're already relying on us as your authorized representative, you can seamlessly extend that relationship into the realm of sustainability. There's no need to start from scratch explaining your products or supply chain to a new consultant – we already know your business and can quickly identify how sustainability fits into your compliance program. We will keep you informed of emerging requirements (so you're never caught off guard by a new eco-regulation) and help you continually improve your sustainability performance year over year. Ultimately, this means a lower risk of non-compliance penalties, better preparedness for audits (whether by regulators or customers assessing suppliers), and a stronger competitive position when selling to eco-conscious buyers.

 

By focusing our article – and our services – as a direct response to initiatives like Swiss Medtech's sustainability roadmap, we underline that our priorities are aligned with those of the medtech community. We are here to ensure that when the industry says "let's move towards net-zero and circular healthcare," our clients have the practical means to do so. Our services are presented professionally, grounded in the latest regulatory knowledge and best practices, so you can trust that the guidance we provide is not only aspirational but also actionable and compliant.

In conclusion, sustainability in medtech is here to stay, and it will only become more integral to how regulators evaluate products and how customers choose suppliers. With our integrated EAR, UKRP, and CH-REP sustainability services, you gain a partner committed to your success in this new era. Together, we can ensure that your medical devices are not only safe and effective but also sustainable and future-proof, delivering better outcomes for patients, businesses, and the planet.



 

FDA Final Rule: ISO 13485 Now Central to U.S. Medical Device QMS – Are You Fully Aligned?

News-Insights

 

What SME Manufacturers Need to Know—and How QNET Can Support You

The U.S. Food and Drug Administration (FDA) has finalized its Quality Management System Regulation (QMSR), marking the most significant overhaul of U.S. medical device quality system requirements in more than two decades. The new regulation formally integrates ISO 13485:2016 into 21 CFR Part 820, aligning U.S. expectations with the internationally recognized standard already used in the EU, UK, Canada, and many other jurisdictions.

While this alignment has been widely anticipated, its practical implications for SME manufacturers are substantial.

From Awareness to Execution

Most SME medtech companies are already working with ISO 13485:2016 in some form. However, “ISO-certified” is no longer enough. The QMSR includes FDA-specific expectations that go beyond ISO 13485, such as:

  • Documentation and control of complaint handling, corrections, and removals
  • Enhanced requirements for software validation used in the QMS and production
  • Clear expectations for labeling, packaging controls, and traceability
  • Ongoing oversight and documentation for outsourced processes (aligned with 4.1.5 and 7.4)

For many organizations, QMS documents must be revised, roles clarified, and evidence of effective implementation created and maintained, without fragmenting your QMS across regions.

This is not just a regulatory exercise. The QMSR transition presents a strategic opportunity for SMEs to enhance their quality operations, improve internal coherence, and ensure regulatory agility across various markets.

 

Why Partner with QNET?

At QNET, we understand the challenges SMEs face when navigating complex, multi-jurisdictional compliance environments with limited internal resources. We are not a generalist consultancy—we are a specialized regulatory partner offering high-level support that is practical, proportionate, and audit-ready.

Our team brings deep expertise in:

  • ISO 13485:2016 implementation and remediation
  • FDA QMSR interpretation and integration with MDR/IVDR, UK MDR, and Swissmedic requirements
  • Supplier qualification, internal audits, PRRC responsibilities, and post-market surveillance

Whether you manufacture Class I-IIa, IIb, III, IVD (A, B, C, D) products, operate as a virtual manufacturer, or rely on contract partners for key processes, we help you:

  • Conduct a gap analysis between your current QMS and the full scope of QMSR + ISO 13485 requirements
  • Develop or update compliant procedures (CAPA, complaint handling, document control, software validation, etc.)
  • Prepare for FDA inspections or MDSAP audits
  • Optimize your QMS for global market efficiency

 

Your Next Step: Clarity, Compliance, and Confidence

The transition timeline has begun, and your QMS will come under scrutiny sooner than you think. Don't wait until a Notified Body audit or an FDA inspection reveals gaps that could delay market access or put your company at risk.

Now is the time to:

  • Validate whether your QMS fully meets QMSR expectations
  • Identify necessary updates
  • Ensure your documentation, processes, and records are robust, aligned, and inspection-ready

 

Schedule a free orientation call with one of our senior consultants
Or contact us by email.

We’ll help you take action with confidence.

Ensuring Regulatory Compliance: Navigating EU MDR and ISO 13485 for Manufacturers

News-Insights

Ensuring Regulatory Compliance with Regulation (EU) 2017/745: Navigating EU MDR and ISO 13485 for Manufacturers

In today's highly regulated market, manufacturers face stringent requirements to ensure their products are safe, effective, and compliant across different regions. The European Union's Medical Devices Regulation (EU MDR) exemplifies these challenges – it fully replaced the previous directives in May 2021[1], raising the bar for quality and safety. Similar regulatory expectations are emerging globally, from the UK to the US. Complying with such regulations isn't just a legal checkbox; it's a strategic imperative to maintain market access and customer trust. This guide provides a comprehensive overview of what manufacturers need to know about MDR, ISO 13485 quality management, and how leveraging expert support can turn compliance into a competitive advantage.

 

The Evolving Regulatory Landscape

The EU MDR 2017/745 introduced sweeping changes to the regulation of medical devices in Europe (and, via Annex XVI, of certain products without an intended medical purpose). Effective 26 May 2021, the MDR replaced the older EU directives, introducing stricter requirements on clinical evidence, risk management, and post-market surveillance to enhance patient safety[2]. Manufacturers must now demonstrate higher standards of quality and oversight throughout a device's lifecycle. The regulation's intent is not only to improve safety, but also to "strengthen the image and value of CE-marked devices" for compliant manufacturers[3], meaning those who meet the new standards can benefit from greater credibility in the market.

Importantly, non-compliance is not an option. Failing to meet MDR obligations can lead to severe consequences such as product certificate withdrawal, market recalls, import bans, or hefty fines[4]. Regulators are empowered to act swiftly against non-compliant products, and publicized enforcement can damage a company's reputation. In short, understanding and adhering to MDR is critical for any manufacturer selling in Europe.

Global context: Even outside the EU, the trend is toward stricter and more harmonized regulations. Other regions are bolstering their requirements or aligning with international standards. For example, the United States FDA has updated its Quality System Regulation to closely harmonize with ISO 13485:2016 (the global standard for medical device quality systems)[5]. This alignment by the FDA underscores that a robust quality management approach is now a worldwide expectation for manufacturers. Whether your company operates in Europe, the UK, the US, or beyond, a proactive compliance strategy will ensure you meet the evolving rules in each market and avoid costly disruptions.

 

Quality Management Systems and ISO 13485

One cornerstone of MDR – and modern regulatory frameworks in general – is the implementation of an effective Quality Management System (QMS). Under Article 10(9) of the MDR, all manufacturers are required to establish and maintain a QMS that covers all aspects of product realization and lifecycle management[6]. Even small manufacturers with Class I products must demonstrate adequate control over design, production, and post-market processes. In practice, this means documenting your procedures, managing risks, controlling suppliers, handling customer feedback, and continually improving your processes to ensure product quality and safety.

The internationally recognized blueprint for such a system is ISO 13485:2016. ISO 13485 is the global standard for quality management in the design and manufacture of medical devices[7]. It outlines specific requirements to help manufacturers consistently produce safe, effective devices that meet both customer and regulatory demands. Adopting ISO 13485 provides a structured framework to comply with rigorous regulations and is often considered "state of the art" for medical device QMS. Aligning your quality system with ISO 13485 greatly facilitates meeting MDR's QMS expectations, since the standard covers key elements such as design controls, risk management, supplier management, and traceability. (Do note that MDR adds some prescriptive requirements on top of ISO 13485[8], so manufacturers should address those gaps – for example, MDR's emphasis on post-market surveillance or the role of a PRRC).

Globally, the importance of ISO 13485 is growing. As mentioned, regulators are converging on this approach: the US FDA's new Quality Management System Regulation (QMSR) explicitly incorporates ISO 13485:2016 requirements, recognizing that an ISO 13485-based system provides a high level of assurance that devices will be consistently safe and effective. Many other jurisdictions – Canada, Australia, Japan, and others – either require ISO 13485 certification or accept it as evidence of a sound QMS. For manufacturers, this means investing in an ISO 13485-compliant QMS is not only vital for EU MDR, but also a smart move for global market acceptance.

 

Key MDR Compliance Requirements

The MDR is comprehensive, detailing many obligations for manufacturers. Here we highlight some of the key requirements and responsibilities you must fulfill under MDR (and similarly stringent regulations). Ensuring you cover these areas will position your company for successful compliance:

-        Organizational Requirements:

Establish and maintain an effective Quality Management System encompassing all processes from design through post-market activities (MDR Article 10(9))[9]. This system should be proportional to the device's risk class and must be kept up to date.

In addition, appoint a Person Responsible for Regulatory Compliance (PRRC) (MDR Article 15) – an in-house or contracted expert with the qualifications set out in Article 15(1) – who oversees regulatory compliance. Under Article 15(3) the PRRC is responsible for ensuring that the conformity of devices is checked in line with the QMS before release, that the technical documentation and EU declaration of conformity are drawn up and kept up to date, that post-market surveillance obligations are fulfilled, and that vigilance reporting obligations (Articles 87 to 91) are met. Having a designated regulatory point-person is mandatory for manufacturers; micro and small enterprises are not required to employ the PRRC in-house, but must have such a person permanently and continuously at their disposal (Article 15(2)).

 

-        Technical Documentation:

Prepare and maintain detailed technical documentation for each device (as specified in MDR Annex II and III). This documentation is essentially your proof of compliance and must include everything from the device description and intended use to design and manufacturing information, labeling/Instructions for Use (IFU), and evidence of conformity[11].

Key elements include a thorough risk management file, verification and validation data demonstrating that the device meets the General Safety and Performance Requirements, a clinical evaluation report, and the plans and reports for post-market surveillance and vigilance (Annex III). Under the old directives this material was organised as a Technical File or, for higher classes, a Design Dossier; the MDR replaces both with a single technical documentation structure (Annex II and III) that applies to every risk class, with the depth of Notified Body review scaling with class. Notified Bodies and authorities can request your files at any time[12], so they must be current and complete. In short, documentation is a continuous task, not a one-time effort – as you update your device or gain post-market data, the files should be updated accordingly.

 

-        Risk Management and Post-Market Surveillance:

Implement a proactive Risk Management process throughout the product's entire lifecycle, following EN ISO 14971 (the harmonised risk management standard that supports conformity with the MDR)[13].

From the initial hazard identification and risk analysis in design through risk control implementation and residual risk evaluation, and extending into post-market use, risk management must be an ongoing process. MDR requires that post-market surveillance (PMS) be an integral part of your QMS (Article 83). You need a PMS plan for each device, outlining how you will collect and analyse real-world performance data[14]. This could include customer feedback, complaint reports, failure rates, clinical follow-up studies, and other relevant data. The goal is to identify any emerging risks or trends quickly and take action (such as field safety corrective actions) if needed[15]. For Class I devices the output is a PMS report (Article 85); for Class IIa, IIb and III devices, MDR requires a Periodic Safety Update Report (PSUR, Article 86) summarising safety and performance, updated at least every two years for Class IIa and at least annually for Class IIb and III. For Class III and implantable devices the PSUR is submitted to the Notified Body (via EUDAMED once that module is mandatory); for other devices it is kept available for the Notified Body and competent authorities on request. Serious incidents and field safety corrective actions must be reported to the competent authority within the timelines of Article 87, currently using the Manufacturer Incident Report (MIR) form, with EUDAMED taking over once its vigilance module becomes mandatory. In essence, MDR encourages manufacturers to actively monitor their devices after launch and continuously incorporate lessons learned into risk management and product improvement.

 

-        Unique Device Identification (UDI) and Traceability:

The MDR introduced a UDI system to enhance the traceability of devices throughout the supply chain. Manufacturers must assign a unique identifier to each device (comprising a device identifier and production identifier), physically label products and packaging with these UDI codes, and upload related information to the EUDAMED database[16]. This system significantly enhances transparency, allowing for easier tracking of devices in the event of recalls or safety alerts. Compliance with UDI requirements is phased by device class; however, most devices now require UDIs. Proper UDI implementation enhances recall efficiency and helps detect counterfeit or illicit devices on the market – a clear benefit to public health and responsible manufacturers.

 

-        Supplier and Economic Operator Controls:

MDR not only focuses on the manufacturer, but also on other economic operators in the device's supply chain – including authorized representatives, importers, distributors, and critical suppliers.

As the manufacturer, you are ultimately responsible for ensuring the compliance of your product, even when others perform parts of the work. You must verify that your suppliers and partners (e.g., contract manufacturers, component suppliers) adhere to applicable requirements, and you need formal agreements in place that define each party's responsibilities. Likewise, if you're outside the EU, your EU Authorized Representative has specific obligations, and you should closely oversee importers and distributors to ensure they handle the product correctly (e.g., they must keep proper records and not supply non-compliant devices). MDR has clarified and reinforced these roles[17], making supply chain management a critical component of compliance. Regular audits, quality agreements, and oversight procedures are expected to keep all players aligned with regulatory obligations[18].

 

-        Clinical Evidence and Evaluation:

A significant emphasis of the MDR is on clinical evaluation and evidence. Manufacturers must demonstrate through clinical data that their devices are safe and perform as intended, both for initial CE marking and on an ongoing basis. MDR raised the requirements for clinical investigations, especially for higher-risk and novel devices, to ensure robust evidence supports every device on the market[19]. This means you may need to conduct new clinical studies or post-market clinical follow-up (PMCF) to gather sufficient data. Every device, regardless of class, requires a clinical evaluation under Article 61, documented in a Clinical Evaluation Report (CER) that is updated throughout the device's life; where the manufacturer considers demonstration of conformity based on clinical data inappropriate, Article 61(10) requires a documented justification relying on non-clinical evidence instead. Monitoring published literature, adverse event databases, and new research is an integral part of this continuous evaluation. In short, strong scientific evidence is now a prerequisite for regulatory approval and continued sale of devices.

 

These are just some of the core areas; MDR also includes requirements on aspects such as labeling (e.g., the need for an implant card for certain implantable devices), stricter oversight of Notified Bodies, transparency through a public database (EUDAMED), and the necessity for ongoing regulatory vigilance within your organization. The key takeaway is that MDR expects manufacturers to build quality and compliance into their entire operations, from product design to production to post-market monitoring. It can be a complex undertaking, but with the right systems and expertise in place, it is achievable and will ultimately raise the standard of your products.

 

Benefits of Proactive Compliance

While meeting all these requirements may seem daunting, it's important to recognize that investing in compliance brings significant benefits to your business. Beyond avoiding penalties, a strong compliance posture can improve your efficiency, reputation, and market opportunities. Here are a few key benefits of being proactive about MDR and quality system compliance:

-        Reduced Risk of Recalls and Penalties:

A robust compliance strategy (for example, implementing ISO 13485 across your operations) dramatically lowers the likelihood of costly product recalls or regulatory enforcement actions. Strong quality processes catch issues early and ensure safety, protecting you from defects that could harm patients. This not only safeguards the public but also shields your company from expensive legal consequences. A lower incidence of recalls and field safety notices means a lower risk of liability and far fewer reputational nightmares for your brand. In short, compliance is a key component of effective risk management.

 

-        Global Market Access and Growth:

Compliance opens doors. Achieving and maintaining CE marking under the MDR is essential for the EU market (worth over $60 billion by 2025), but it also signals to other markets that your product meets high standards.

Many countries align with or accept ISO 13485 and CE-marking principles[20], meaning if you can succeed under MDR, you'll find it easier to obtain approvals elsewhere. Being able to show an ISO 13485 certification and an MDR Declaration of Conformity gives your device instant credibility with regulators worldwide. In practical terms, companies with internationally compliant QMS and documentation face fewer barriers entering new markets, accelerating their global growth[21]. Compliance can thus be a competitive advantage – a selling point that you have the necessary clearances and robust processes that others might lack.

 

-        Improved Operational Efficiency and Quality:

Implementing the processes required by standards and regulations often has the side effect of streamlining your operations. For example, ISO 13485 demands defined procedures, training, and document control, which can eliminate inefficiencies and reduce errors in production.

Companies that embrace quality management typically see reduced waste, better use of resources, and improved product consistency[22]. Over time, a culture of continuous improvement takes hold, leading to innovation in the design and manufacture of products. In essence, quality becomes part of your company's DNA. This not only helps with compliance audits but also tends to correlate with higher customer satisfaction and lower costs associated with poor quality.

 

-        Enhanced Reputation and Customer Trust:

In the eyes of clients, healthcare providers, and end-users, having the proper certifications and regulatory compliance status is a strong trust signal. It shows that an independent authority (a Notified Body, in the EU context) has audited your product and systems. Manufacturers who align with MDR and obtain ISO 13485 certification are perceived as industry leaders committed to safety and excellence. The European Commission has noted that the stricter regulations will ultimately reward compliant companies by "strengthening the image and value" of their CE-marked devices[23]. Likewise, industry analyses report that demonstrating compliance builds credibility with stakeholders and can lead to expanded business opportunities[24]. Hospitals and procurement groups often favor suppliers with proven regulatory track records, knowing those products are less likely to fail or cause issues. In sum, being proactive about compliance enhances your brand's reputation and fosters trust, which is invaluable for long-term success.

By viewing regulatory compliance not as a burden but as a catalyst for better performance, companies can turn these obligations into business strengths. You not only avoid the downsides of non-compliance, but also gain a stronger company – one that is efficient, reputable, and ready to compete globally.

 

Our Services: Guiding You to Compliance Success

Navigating the MDR, ISO 13485 implementation, and other regulatory hurdles can be complex. This is where our expert services come in. We offer a combination of deep regulatory expertise and practical industry experience to help manufacturers like yours meet these requirements in a smooth and structured manner. Our approach is professional and tailored, yet with a personal touch – we aim not just to check off regulatory boxes, but to add value to your operations and give you confidence in your compliance. Here's how we can support your journey:

-        Regulatory Strategy & Gap Analysis:

Unsure where to start or where your current process stands? We begin by conducting a thorough gap analysis of your existing quality system and documentation against MDR and applicable standards. This review identifies any shortcomings or risks upfront. Then, we develop a clear, step-by-step roadmap to achieve compliance, prioritizing critical issues first. You'll know exactly what needs to be done – no guesswork, no wasted effort.

 

-        QMS Implementation & ISO 13485 Certification:

Building a compliant Quality Management System is much easier with seasoned guidance. Our team will help you implement or upgrade your QMS in line with ISO 13485 and MDR's specific requirements. This includes establishing required procedures (for design control, risk management, supplier management, etc.), creating quality manuals and records, and training your staff on the QMS processes. We can assist in integrating new requirements, such as post-market surveillance plans, into your system. If you are seeking ISO 13485 certification, we support you throughout the certification audit process. The result is a robust QMS that not only meets regulatory expectations[25] but also works for your business, laying the groundwork for consistent quality and continuous improvement.

 

-        Technical Documentation & CE Marking Support:

Preparing the MDR technical documentation can be one of the most labor-intensive tasks for manufacturers.

We bring expertise in compiling complete and audit-ready Technical Files. Our specialists will work with your team to gather all required documents – from device descriptions and engineering drawings to risk management files, clinical evaluation reports, labeling, and beyond – ensuring they meet the format and depth that regulators expect. We provide templates and guidance for MDR-specific elements (such as the General Safety and Performance Requirements checklist or PMS plan documentation) to ensure nothing is overlooked. If you're seeking CE marking for a new device, we can manage the process, liaise with Notified Bodies on your behalf, and assist in addressing any questions or deficiencies they may raise. Our goal is to streamline the path to CE approval by ensuring the documentation is accurate the first time.

 

-        Training & PRRC Support:

Compliance is most sustainable when your own people understand what's required. We offer training sessions and workshops to educate your staff on MDR and quality system requirements – from basic awareness for all employees to detailed regulatory training for your quality and regulatory affairs team. Key topics include MDR's general obligations, risk management practices, handling of non-conformities, and the role of the Person Responsible for Regulatory Compliance. Speaking of the PRRC, we know that appointing a qualified person can be challenging for smaller companies. Our experts can act as an external PRRC advisor or even fulfill the PRRC function for your company if appropriate (in line with MDR allowances for SMEs). This ensures you have the necessary regulatory oversight without having to hire full-time staff before you're ready. We also provide ongoing mentoring to any PRRC or quality manager you appoint, to help them stay on top of new developments.

 

-        Audit Preparation & Ongoing Compliance:

Whether it's an internal audit, a Notified Body conformity assessment, or even an FDA inspection, we help you get audit-ready with confidence. Our consultants conduct mock audits and document reviews, identifying compliance weaknesses before the actual auditors do. We guide you in closing those gaps, be it updating a procedure or collecting additional test data. Having successfully guided multiple firms through MDR audits, we understand what auditors focus on and can ensure you're well-prepared. Furthermore, regulatory compliance isn't a one-time project – rules and standards evolve. We offer ongoing support to keep you compliant, monitoring changes in regulations (e.g., MDR extensions, UKCA requirements post-Brexit, or FDA QMSR updates) and advising on how to adapt. When MDR guidance documents or ISO standards are updated, we'll alert you and assist you in updating your processes accordingly. In short, we stay by your side to maintain your compliance as your business grows and regulations change.

 

From initial gap analysis to long-term compliance maintenance, our services are designed to make regulatory compliance manageable and even beneficial for your company. We pride ourselves on being a partner to our clients – we take your compliance personally, and we work diligently until you reach the finish line (and beyond).

Ultimately, our mission is to let you focus on what you do best – innovating and manufacturing great products – while we handle the regulatory complexities. We understand the challenges manufacturers face under frameworks like MDR, and we have a proven track record of guiding firms to successful outcomes. We aim not only to be consultants but also trusted allies in your regulatory journey.

If you want to ensure your products meet all applicable regulations (EU MDR, ISO 13485, and more) and leverage compliance as a competitive advantage, we are here to help. By partnering with us, you can navigate the maze of requirements with confidence and speed, avoiding pitfalls and unlocking new market opportunities.

Feel free to contact our team to discuss your specific needs or learn more about how our services can support your business. Compliance can indeed be complex – but with the right support, you will not only meet the standards, you can excel beyond them, strengthening your company's quality, reputation, and success in the global marketplace.

 

 

Cybersecurity in Medical Devices: Insights, Near Misses, and Lessons Learned

News-Insights 01 September 2025

Introduction

In an era of connected healthcare, medical devices are no longer isolated appliances — they form integral parts of hospital networks, software ecosystems, and patient data flows. While connectivity enables advanced functionalities, it also introduces cyber risk. A cyberattack or vulnerability exploit in a medical device can, in the worst case, affect patient safety, data integrity, service continuity, or confidentiality.

This insight article provides (1) a panorama of the regulatory & technical landscape, (2) examples of near-misses and incidents, and (3) lessons learned and guidance for manufacturers, healthcare providers, and stakeholders.

 

The Regulatory & Technical Landscape

Regulatory Guidance & Expectations

  • In the U.S., the FDA's "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" is the foundational guidance, most recently updated in June 2025. It expects manufacturers to manage cybersecurity risk across the total product life cycle and to integrate security into design controls and postmarket surveillance. For "cyber devices" as defined in section 524B of the FD&C Act, the statute itself (not just the guidance) requires a plan to monitor, identify and address postmarket vulnerabilities, including coordinated vulnerability disclosure; processes that provide reasonable assurance of cybersecurity; the availability of postmarket updates and patches; and a software bill of materials (SBOM) covering commercial, open-source and off-the-shelf components.¹,²
  • The FDA also emphasizes the need for Secure Product Development Frameworks (SPDFs), which embed security activities (threat modeling, vulnerability assessments, patching) into the development lifecycle.³
  • In Europe, the MDCG 2019-16 Rev.1 guidance remains the key reference under the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) for lifecycle cybersecurity, including risk assessment, software updates, and vulnerability handling.
  • Regulatory bodies now expect near-misses or "non-harmful cybersecurity events" to feed into postmarket surveillance (PMS) and risk management processes.

 

The Threat Landscape & Trends

  • A report from Runsafe Security found that 22% of healthcare organizations experienced cyberattacks targeting medical devices, and among those, 75% of incidents disrupted patient care.⁴
  • Over 1.2 million medical devices have been found openly exposed to the internet, allowing attackers to access sensitive data in some cases.⁵
  • Legacy or unsupported systems continue to be a major risk vector. For example, GE HealthCare issued a recall of older models of its "Muse 5" cardiology system due to critical security risks.⁶
  • Recently, Masimo (a medical device manufacturer) disclosed a cyberattack that impaired order processing and shipping capabilities, affecting business continuity.⁷
  • In early 2025, the FDA flagged cybersecurity risks in Contec and Epsimed patient monitors — vulnerabilities that could allow unauthorized remote access or manipulation. Although no incidents or injuries have yet been reported, these are considered near-miss signals.⁸

 

Selected Incidents & Near Misses

  • 2025 – Contec / Epsimed monitors
    Description: FDA identified vulnerabilities that could allow remote control or data exfiltration.
    Impact / Outcome: No known harm yet; mitigation urged.
    Insights: Example of a near miss leading to proactive mitigation.⁸
  • 2025 – Masimo cyberattack
    Description: Attack impacted the manufacturing network, reducing throughput and order fulfillment.
    Impact / Outcome: Operational disruption, possibly delayed deliveries.
    Insights: Demonstrates that cyber threats affect not just patient-facing software but supply chain and operations.⁷
  • 2025 – GE Muse 5 recall
    Description: Older cardiology information systems recalled due to security risk.
    Impact / Outcome: Decommissioning or upgrade required.
    Insights: Legacy systems pose hidden liabilities.⁶
  • 2025 – SimonMed Imaging data breach
    Description: Vendor-linked attack exfiltrated data of 1.2 million patients.
    Impact / Outcome: Data breach, reputation damage, regulatory exposure.
    Insights: Illustrates how device/partner linkage can propagate risk.⁹

 

Lessons Learned & Best Practices

  1. Embed cybersecurity from day one.
    Adopt a Secure Product Development Framework (SPDF) so that threat modeling, secure coding, fuzzing, and security validation occur alongside functional development.
  2. Manage vulnerabilities proactively.
    Maintain a Vulnerability Handling Process (e.g., coordinated vulnerability disclosure), track a Software Bill of Materials (SBOM), and define patching/update pathways.
  3. Treat near-misses as first-class signals.
    Even if no harm occurs, anomalies, attempted intrusions, or discovered vulnerabilities should feed into the risk management and PMS system.
  4. Address legacy system risks.
    Deploy compensating controls (network segmentation, monitoring, intrusion detection) or plan for decommissioning/upgrades when security patching is impossible.
  5. Manage supply chain and vendor risk.
    Ensure that third-party components, connectivity modules, or service vendors adhere to cybersecurity requirements. Control remote access surfaces.
  6. Continuous monitoring & threat intelligence.
    Monitor CISA advisories (including its ICS medical advisories), FDA safety communications, known CVEs, and sector-specific alerts.¹⁰
  7. Transparency & stakeholder communication.
    Maintain clarity in labeling, user guidance (e.g., "security update required"), end-of-life policies, and incident response procedures.
  8. Align with risk frameworks & standards.
    Integrate ISO 14971 (risk management) with cybersecurity risk practices. Use NIST, IEC 62304, and standards like AAMI TIR-57 for guidance.
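Items 2, 3 and 6 above describe one concrete loop: keep an SBOM for each device, compare it continuously against published advisories, and route every match into risk management and the PMS system even when no harm has occurred. The following is an added illustration of that loop, written for this page and not code from QNET or from any regulator or standard it cites. The SBOM (a minimal CycloneDX-style document for a hypothetical firmware), the component names, the version ranges and the advisory identifiers (written as `CVE-0000-000x (placeholder)`) are all constructed for the example; the severity thresholds and the three dispositions are assumptions chosen to show how a triage rule can feed a PMS record.

```python
"""SBOM-to-advisory triage for post-market vigilance (added example).

All inputs below are constructed: the SBOM describes a hypothetical device
firmware and the advisory feed uses placeholder identifiers, not real CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOM (names/versions are illustrative).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-monitor-firmware", "version": "3.1.0"}},
    "components": [
        {"type": "library", "name": "tls-lib", "version": "1.2.3"},
        {"type": "library", "name": "ble-stack", "version": "4.0.1"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "10.5"},
        {"type": "library", "name": "json-parser", "version": "2.0.0"},
    ],
})

# Constructed advisory feed. Identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-0000-0001 (placeholder)", "component": "tls-lib", "affected": ">=1.2.0,<1.2.5", "cvss": 9.1},
    {"id": "CVE-0000-0002 (placeholder)", "component": "ble-stack", "affected": "<4.0.0", "cvss": 7.5},
    {"id": "CVE-0000-0003 (placeholder)", "component": "json-parser", "affected": "=2.0.0", "cvss": 5.3},
    {"id": "CVE-0000-0004 (placeholder)", "component": "rtos-kernel", "affected": ">=11.0", "cvss": 8.0},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.2.3' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def version_matches(version: str, spec: str) -> bool:
    """Evaluate a comma-separated range spec such as '>=1.2.0,<1.2.5' or '=2.0.0'.

    Every clause must hold for the version to be considered affected.
    """
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "<", ">", "="):  # two-character operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported range clause: {clause!r}")
        holds = {"<=": v <= bound, ">=": v >= bound, "<": v < bound,
                 ">": v > bound, "=": v == bound}[op]
        if not holds:
            return False
    return True


def disposition(cvss: float) -> str:
    """Map severity to the follow-up the PMS process should trigger (assumed thresholds)."""
    if cvss >= 9.0:
        return "escalate: risk-management review and reportability assessment"
    if cvss >= 7.0:
        return "prioritize: schedule patch, update PMS record"
    return "monitor: record as near-miss signal in PMS"


def triage(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Match the SBOM's components against the advisory feed, highest severity first."""
    sbom = json.loads(sbom_json)
    installed = {c["name"]: c["version"] for c in sbom.get("components", [])}
    findings = []
    for adv in advisories:
        version = installed.get(adv["component"])
        if version is None or not version_matches(version, adv["affected"]):
            continue  # component absent, or installed version outside the affected range
        findings.append({
            "component": adv["component"],
            "version": version,
            "advisory": adv["id"],
            "cvss": adv["cvss"],
            "disposition": disposition(adv["cvss"]),
        })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per disposition, e.g. for a periodic PMS report."""
    counts = {"escalate": 0, "prioritize": 0, "monitor": 0}
    for f in findings:
        counts[f["disposition"].split(":")[0]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['component']} {f['version']}  {f['advisory']}  CVSS {f['cvss']}  -> {f['disposition']}")
    print(summarize(results))
```

Run as-is, the script reports two matches: the TLS library falls inside the constructed affected range and is escalated, while the JSON parser matches a lower-severity advisory and is logged as a near-miss signal; the two non-matching advisories produce no finding. In practice the SBOM would come from the build pipeline and the advisory feed from the sources named in item 6, and every finding, not only the escalated ones, would be written into the risk management file and the PMS record.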

 

Secure Product Development Framework (SPDF)

A Secure Product Development Framework (SPDF) is a set of processes designed to embed security into every stage of a product's lifecycle, from design to decommissioning. This proactive approach aims to reduce and mitigate product vulnerabilities and is particularly emphasized by the FDA for medical devices, requiring manufacturers to integrate cybersecurity measures throughout development and maintenance. Key components include risk management, secure design, testing, secure communications, and postmarket surveillance.

 

Key components of an SPDF

  • Risk Management: Involves proactively identifying, evaluating, and mitigating cybersecurity risks throughout the product's life.
  • Design and Development Controls: Ensures security is integrated into the design phase, not added as an afterthought. This includes "security by design" principles.
  • Information Security Management: Establishes policies and controls to safeguard data and protect against breaches.
  • Secure Communications: Protects data both when it is stored and when it is in transit.
  • Postmarket Surveillance and Response: Includes continuous monitoring of devices in the field to identify and address vulnerabilities, often through patching and updates.
  • Threat Modeling: Analyzing potential vulnerabilities early in the process to proactively address them.
  • Regulatory Compliance: Adhering to relevant regulations, such as FDA guidelines, HIPAA, and other cybersecurity standards like IEC 81001-5-1.

 

Why SPDF is important

  • Reduces vulnerabilities: By building security in from the start, it helps prevent and reduce the number and severity of security gaps.
  • Ensures safety and trust: For connected devices, especially medical ones, security is critical for user safety, data privacy, and maintaining public confidence.
  • Meets regulatory requirements: Frameworks like the FDA's SPDF are essential for medical device manufacturers to meet regulatory obligations and for premarket submissions.
  • Simplifies the development process: Integrating security early can streamline development and avoid costly and time-consuming security-related delays later on.

 

 

Footnotes (sources):

  1. FDA: "Cybersecurity in Medical Devices" guidance, June 2025, U.S. Food and Drug Administration
  2. FDA: Quality system & premarket submission guidance, U.S. Food and Drug Administration
  3. Summary / SPDF approach in commentary on FDA guidance, Cobalt; Regulatory knowledge for medical devices
  4. Runsafe report: 22 % of organizations, 75 % impacted patient care, Industrial Cyber
  5. Over 1.2M devices exposed on the Internet, Cybernews
  6. GE recalls Muse 5 cardiology systems, Cardiovascular Business
  7. Masimo's cyberattack affects order fulfillment, The Record from Recorded Future
  8. FDA identifies risks in Contec / Epsimed patient monitors (no harm reported yet), U.S. Food and Drug Administration; Reuters
  9. SimonMed Imaging data breach (1.2 million patients), TechRadar
  10. CISA / ICS medical cybersecurity advisories, CISA

 
