The Digitalist Team
March 21, 2022

MDR compliance 101: The MDR compliance procedure and its complexities Part 4.


In the previous articles about MDR (Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices) compliance, we’ve explored MDR from a cybersecurity point of view, the most common causes of vulnerabilities and their prevention, and the medical device testing process. Today, in the last segment of the MDR series, we will explain the MDR compliance procedure and its possible complexities, which everyone who has to conform with these regulations and obtain CE certification needs to know. It is important to state that the cybersecurity requirements set by MDR and IVDR are identical, so whenever we write about MDR compliance, it also applies to IVDR in terms of cybersecurity obligations.

In this article we will answer the following questions:

  • Why is MDR compliance necessary?
  • Who are the parties involved in the compliance procedure and what are the steps of it?
  • What are the complexities of the MDR/IVDR preparation?
  • How can you make your job easier to comply with the actual regulation?


Let’s dive right in!

Why is MDR compliance necessary?


Even though we’ve elaborated on this topic before in one of the previous articles of the series, let’s recap why affected manufacturers can’t ignore the requirements of the regulation.

Those manufacturers and service providers who don’t comply with the requirements of the MDR (and also IVDR) will not be able to receive CE certification. However, CE certification is obligatory for all companies who aim to market their products and services within the European Union. As a result, the question of compliance needs to be among the top items on their priority list if they don’t want to lose the right to offer their medical devices to European consumers.

Who are the parties involved in and steps of the compliance procedure?

The process rests on the responsibilities of two main parties. These are:

  • the vendor itself, who wants to receive the certification,
  • the notified body, which issues the MDR/IVDR certificate for CE marking based on MDR/IVDR compliance.

If you are looking for the complete list of the notified bodies and their technical competence under Directive 93/42/EEC for medical devices, check out this official list.


Compliance procedure steps: 

  1. The Manufacturer/Developer applies for compliance certification.
  2. The Notified Body evaluates the attached evidence and performs further assessments if needed (e.g. an audit).
  3. If the attached evidence satisfies the regulatory requirements, the Notified Body certifies the product as MDR/IVDR compliant.
  4. If the attached evidence does not satisfy the regulatory requirements, the Notified Body might give the manufacturer/developer a chance to supply additional evidence of compliance, but if the regulatory requirements are still not satisfied, the certification process has to be started again from the beginning.

The key to a successful, fast, and cost-efficient certification process is deliberate preparation.

What are the complexities of the MDR/IVDR preparation?


Although the goal of the certification preparation is to create processes and documentation that will be accepted by accredited notified bodies and result in successful certification, there are still some complicating factors in the process:

The regulation sets out expectations for Manufacturers towards Developers, but does not provide guidance on how to meet them. For example, according to best development practices, software can be developed in many ways, but the result may not be secure enough for Notified Bodies. This can lead to delays or failure of certification, as the Manufacturer/Developer has carried out the implementation and documentation with a different mindset than the Notified Body.

Experience shows that although many medical device and/or software Manufacturers or Developers are excellent at making medical devices, many of them lack cybersecurity expertise, leading to misunderstandings and to being unable to provide evidence of compliance.

How can you make your job easier to comply with the actual regulation?


A deliberate preparation methodology based on internationally recognised industry standards can provide a strong foundation and confidence that the certification process will go smoothly.

A cost-efficient way to plan and execute preparation for certification is to hire cybersecurity analysts who have years of experience working with internationally recognised cybersecurity standards and certification frameworks. Cybersecurity analysts at CCLab are certified evaluators for Common Criteria, one of the most rigorous assessment frameworks. They know how notified bodies think, what they are expecting, and how to present information for a compliance assessment.

Medical device Manufacturers and Developers are committed to creating products and services that help solve people’s health problems and give them a higher quality of life. It is not their job to become cybersecurity experts, but it is also in their interest to keep their devices and services secure for both parties.

Let our cybersecurity analysts help you with the cybersecurity perspective in your processes so you can focus on what you do best.

If you are looking for the easiest way out from the fairly complicated jungle of MDR compliance, get in touch with CCLab evaluation laboratory, an official partner of the QTICS medical group, to enjoy the advantages of professional guidance, consulting, education, and assessment.

Get in touch with us now!