10 Insider Tips from a Notified Body on MDR, AI Act, Audits & Software Tool Validation

May 27, 2025

If you’re a medical device manufacturer, you already know that compliance isn’t a walk in the park. It’s more like a hike through regulatory terrain with the occasional mountain lion (metaphorically speaking). But don’t panic. We’ve distilled insights from a recent expert-packed webinar to help you navigate the wild world of EU regulations – with a sense of humour intact.

Tip 1. First Things First: Do You Have Enough Money and Patience to Go into the Medical Device Industry?

Before you write a single line of code, you’ll need three things: money for certification, patience, and a strategy. Yes, strategy – because you have to decide whether you’re developing “just” a medical device or aiming for reimbursement pathways (DiGA, DiPA, etc.). That decision affects everything from software design to documentation.

Tip 2. The Backbone: EU MDR Compliance Essentials

Start with the basics: technical documentation and a Quality Management System (QMS). As Oliver Hilgers from Regenold put it, if you’re a startup, don’t try to do it all at once. Focus on:

  • Establishing a documentation framework early on, preferably having an eQMS that is able to communicate with your software development environment (no silos).

  • Implementing core processes: software lifecycle, cybersecurity, risk management, usability.

And remember, EU MDR compliance isn’t just paperwork. It’s your product’s passport to the European market.

Check out BSI’s booklet on MDR conformity assessment routes here: https://www.bsigroup.com/globalassets/meddev/localfiles/en-gb/documents/bsi-md-mdr-conformity-assessment-routes-booklet-uk-en.pdf

Tip 3. Auditors and Notified Bodies are not your enemy

Thomas Doerge from BSI reminded us that auditors aren’t there to ruin your life. They want to make sure your device is safe and effective, because the Notified Body takes on part of the responsibility for its release onto the market.

When it comes to presenting your technical documentation to Notified Bodies: they need the documentation as physical evidence that remains in their systems and stays accessible at any point in time. (Hint: a static version of your documentation, such as a PDF export, beats giving them Confluence access.)

Tip: don’t treat the QMS and technical documentation as completely separate entities. They should speak to each other.

Tip 4. Tool Validation: The Necessary Evil (we assure you it’s manageable)

Yes, Confluence, Jira, vulnerability scanners, debuggers: they all need validation if they impact your product or your quality system.

Here’s what matters:

  • Apply a risk-based approach to validation: don’t try to validate everything all the time, and don’t validate tools that do not need to be validated.

  • Use validation guidance documents from the FDA, from pharma (e.g. GAMP 5), and EN IEC 80002-2.

  • Create your own SOPs based on your tools’ criticality.

Validation doesn’t mean testing every button every day. It means proving your tools consistently do what you need them to do.

Check out the FDA Guidance on Software Validation here.

Tip 5. Preparing for Audits: A Game of Strategy

Don’t wait until the last minute. Matteo Gubellini from SoftComply sees this all the time: companies scramble late and suffer.

Tips:

  • Start with the intended use and build everything from there: user needs, requirements, risks;

  • Use the MDCG guidance documents and the Team-NB questionnaire for AI in medical devices here;

  • Structure your documentation according to your Notified Body’s preferences (BSI has a recommended structure, follow it → here).

And no, you can’t get certified and have your product CE marked in three months unless you own a time machine. Realistically, plan for at least 9 months.

Check out the BSI informative guidance on AI in medical devices here, Team-NB guidance documents here and MDCG guidance documents here.

Tip 6. Talk to Your Notified Body Early (Yes, Really!)

Engaging with a Notified Body early in your journey is a smart move, especially if you want to avoid surprises (and stress hives). BSI, for example, offers a structured dialogue process that allows general questions about the conformity assessment before you sign a contract. Once you do sign, you get access to their Dedicated Interactive Review Pathway, which includes:

  • A full review schedule upfront

  • A kick-off meeting with your assigned reviewers

  • A Teams channel for real-time Q&A (because email chains are so 2008)

This also helps prevent “Notified Body shopping”, aka hopping between Notified Bodies hoping for an easier and more affordable approval. Spoiler alert: they talk to each other. You’re not fooling anyone.

Tip 7. EU AI Act: More Than a Buzzword

Here’s the good news: there will only be one CE mark, even with the AI Act. The AI Act piggybacks on the MDR, so you won’t need a separate certificate.

But you do need to:

  • Manage training data like it’s radioactive: label it, version it, trace it (including development data, according to the latest FDA guidance!).

  • Enable human oversight and transparency (e.g. explain how the AI reaches decisions, add human intervention where reasonable).

  • Start with the Team-NB AI questionnaire; you will need it for MDR anyway.

The AI Act doesn’t reinvent the wheel; it adds spokes. So start spinning it early.

Tip 8. Cybersecurity: The Invisible Giant

Whether it’s NIS2, ISO/IEC 81001-5-1, or penetration tests, cybersecurity is no longer optional.

Key takeaways:

  • Penetration testing is not always mandatory, but it is highly encouraged, including (and in particular!) during development.

  • Internal testing can work if it’s independent and well documented.

  • Consider cybersecurity from the start of your design process.

One developer actually tried to validate a tool only after it got hacked. Let’s avoid that, shall we?

Tip 9. Funniest Audit Moment?

Let’s just say one manufacturer proudly claimed pest control wasn’t needed because a marten (yes, the animal) lived upstairs and scared off the mice. Auditors love originality, but let’s not go feral with our mitigations.

Tip 10. Final Words from the Experts

Matteo: Don’t underestimate regulatory burden. Investors have become regulation-savvy. They will ask about intended use, regulatory strategy, need for clinical trials and more.

Thomas: Read the MDR. Then read the guidance. Then re-read your documentation. And get in touch with your Notified Body early on!

Oliver: Ask yourself if you really need AI in your device. If you can do the same job with logic rules, do it.


In Summary

Start early. Define your intended use. Validate smartly. Prepare like it matters (because it does). And when in doubt, don’t rely on martens for risk mitigation.

Your journey to market is tough, but you’re not alone. The guidance is there. The support exists. And hey, at least you can laugh a little along the way.

For more details, check out the full webinar recording on our YouTube channel.
