We're on Medica 2023, come say "hi" and connect in Hall 12, Booth E53-03!

Back to blog

A Beginner’s Guide to EU Medical Device Regulation


The European Union (EU) Medical Device Regulation (MDR) is a comprehensive regulatory framework that governs the development, manufacturing, and distribution of medical devices within the EU market.

For developers and manufacturers of medical devices, compliance with the MDR is crucial to ensure safety, efficacy, and market access. This guide aims to provide developers with a clear understanding of the EU MDR and practical steps to navigate its complexities.

post illustration

Understanding the EU MDR


When exploring the EU MDR, it’s imperative to trace its origins and the compelling motivations that led to its implementation.

The transition from the long-standing Medical Device Directive (MDD) to the MDR represents a significant paradigm shift in European medical device regulation. The MDD, which was first introduced in the 1990s, governed the medical device industry for several decades.

However, as technology advanced and new challenges emerged in the healthcare sector, it became apparent that an updated and more rigorous regulatory framework was necessary to ensure patient safety, enhance product transparency, and adapt to the evolving landscape of medical technology.

The EU MDR, born out of these imperatives, serves as a crucial milestone in harmonizing and strengthening medical device regulations across the European Union.


The scope of the EU MDR is broad and encompasses a wide range of medical devices and in vitro diagnostic devices (IVDs). Understanding this scope is essential to determine whether a specific product falls under its jurisdiction.

Medical devices regulated by the MDR encompass instruments, apparatus, appliances, software, materials, or other articles intended to be used for medical purposes. These can range from simple devices like thermometers to complex equipment like MRI machines.

On the other hand, in vitro diagnostic devices (IVDs) are products used to examine specimens derived from the human body, such as blood or tissue, for diagnostic or monitoring purposes. This distinction is vital because IVDs have their own set of specific regulations under the MDR.

Key Definitions

In order to navigate the intricate landscape of the EU MDR effectively, it’s crucial to acquaint oneself with a set of pivotal definitions integral to the regulation’s framework:

  • Manufacturer: The entity responsible for designing, producing, and placing a medical device or IVD on the market. This can be a company or an individual.
  • Authorized Representative: An entity appointed by a manufacturer who takes on certain responsibilities on their behalf, especially for manufacturers located outside the EU.
  • Notified Body: An independent organization designated by EU member states to assess the conformity of medical devices with the MDR. They play a crucial role in the certification process.
  • Unique Device Identifier (UDI): A unique alphanumeric code assigned to each medical device to ensure traceability and facilitate the monitoring of devices throughout their lifecycle. This system enhances post-market surveillance and recalls, contributing to greater patient safety.

In summary, a thorough grasp of the EU MDR necessitates not only an understanding of its historical context but also a keen awareness of its scope and key definitions.

This knowledge equips stakeholders, including manufacturers, regulatory authorities, and healthcare professionals, to navigate the regulatory landscape effectively, ensuring the safe and effective use of medical devices within the European Union.

Classification and Conformity Assessment

Classify Your Device

One of the initial and pivotal steps in the regulatory journey of medical devices within the European Union under the Medical Device Regulation (MDR) involves classifying your device accurately.

This classification process, defined in Annex VIII of the MDR, is integral to ensuring that each device is subject to the appropriate level of scrutiny and conformity assessment. The classification hinges on the potential risks associated with the device and its intended use.

Essentially, the MDR classifies medical devices into four main classes: Class I, Class IIa, Class IIb, and Class III, with Class III devices representing the highest level of risk.

Classifying your device correctly is a task that requires a deep understanding of its intended purpose, characteristics, and potential impacts on patients and users. It entails considering factors such as invasiveness, duration of contact with the human body, and the nature of the device’s technology.

Once you’ve successfully determined the appropriate class for your device, you’ll be able to proceed with the subsequent steps in the regulatory process.

Conformity Assessment Route

Following the device classification, the next critical milestone is identifying the appropriate conformity assessment route outlined in the MDR. The conformity assessment process serves as a means to evaluate the device’s compliance with the regulatory requirements, ensuring its safety and efficacy.

The EU MDR offers different conformity assessment routes, primarily detailed in Annexes II, III, and IV, which vary in terms of rigor and complexity. The choice of route is directly linked to the device’s classification and the level of risk it poses to patients and users.

Here’s a simplified breakdown:

  • Annex II (Full Quality Assurance): Devices in higher-risk classes, such as Class III or certain Class IIb devices, typically follow this route. It involves a comprehensive assessment of the manufacturer’s quality management system and may require the involvement of a Notified Body.
  • Annex III (Production Quality Assurance): Devices of lower risk classes, like Class IIa, may undergo this route. Manufacturers need to maintain a quality management system and ensure compliance with essential requirements, often with the involvement of a Notified Body.
  • Annex IV (Product Quality Assurance): Devices in the lowest risk class, Class I, or those with a sufficiently low level of risk, can typically opt for this route. Manufacturers self-certify their compliance with essential requirements and do not usually require Notified Body involvement.

Selecting the correct conformity assessment route is crucial as it influences the depth of scrutiny and the resources needed to attain regulatory compliance. Navigating these complexities demands a comprehensive understanding of your device’s classification and the regulatory landscape, ensuring that you follow the most appropriate path toward bringing your medical device to market in the European Union.

Ultimately, proper classification and conformity assessment are vital steps to ensure patient safety and the successful entry of your device into this important market.

Quality Management Systems

Implement ISO 13485

With medical device regulation and manufacturing, adherence to high-quality standards is paramount to safeguarding both the patient and the reputation of the manufacturer. ISO 13485, an internationally recognized standard for quality management systems specifically tailored for the medical device industry, is the main framework that helps achieve this objective.

Compliance with ISO 13485 signifies a commitment to a comprehensive set of quality management principles encompassing every aspect of medical device development, production, and distribution.

This standard emphasizes a meticulous focus on risk management, traceability, documentation, and process control. Implementing ISO 13485 requirements involves establishing and maintaining a quality management system that not only meets regulatory expectations but also fosters a culture of continuous improvement.

Under ISO 13485, manufacturers are guided through the creation of a quality management system that covers design and development, production, installation, and servicing. This holistic approach ensures that quality is not just an end goal but a foundational element woven into every stage of the product lifecycle.

Adhering to ISO 13485 facilitates compliance with European regulations and serves as a global passport, opening doors to international markets by demonstrating a commitment to the highest quality and safety standards.

Post-Market Surveillance

Beyond the initial stages of device development and regulatory clearance, the responsibility for ensuring a device’s safety and efficacy extends into its entire lifecycle. Post-market surveillance (PMS) is the cornerstone of this ongoing commitment to monitoring and improving device performance in real-world settings.

A robust PMS system involves collecting, analyzing, and evaluating data on how the device performs once it’s in the hands of healthcare professionals and patients. This process serves several critical purposes:

  • Identifying Safety Concerns: PMS helps in the early detection of potential safety issues or adverse events associated with the device, allowing manufacturers to take prompt corrective actions.
  • Evaluating Device Effectiveness: By gathering data on the device’s clinical performance, manufacturers can assess whether it meets its intended purpose and if any improvements are needed.
  • Continuous Improvement: The insights gained from PMS data can inform product enhancements, updates, and innovations, contributing to the evolution of safer and more effective devices.
  • Regulatory Compliance: A robust PMS system is a regulatory requirement under the EU MDR and is crucial for demonstrating ongoing compliance with safety and performance standards.

To establish an effective PMS system, manufacturers should define clear processes for data collection, reporting, and analysis.

Additionally, they should maintain open lines of communication with healthcare providers and end-users to gather valuable feedback. By integrating PMS into their quality management systems, manufacturers can ensure that their devices not only meet initial regulatory requirements but continue to meet safety and performance expectations throughout their lifecycle, ultimately enhancing patient safety and trust in their products.

Clinical Evaluation and Evidence

Clinical Evaluation

Clinical evaluation of a medical device is a process that forms the backbone of demonstrating its safety and performance. This process involves systematically assessing clinical data derived from various sources, like clinical trials, post-market surveillance, and scientific literature. It is needed to establish the device’s conformity with regulatory requirements and its ability to deliver the intended clinical benefits.

A thorough clinical evaluation serves several key purposes:

  • Risk Assessment: It helps identify and evaluate potential risks associated with the device and assess whether the benefits outweigh these risks, a fundamental consideration for regulatory compliance.
  • Performance Assessment: Clinical data is used to evaluate the device’s performance, including its clinical efficacy, accuracy, and reliability in diagnosing, treating, or monitoring medical conditions.
  • Documentation of Clinical Evidence: The findings from the clinical evaluation must be documented and made available for regulatory scrutiny. This documentation forms a crucial part of the Technical Documentation required under the EU MDR.
  • Continuous Monitoring: Clinical evaluation is not a one-time process. It should be ongoing, with periodic updates to reflect new data, emerging safety concerns, and evolving clinical practices.

Ensuring the success of a clinical evaluation requires a well-defined and scientifically sound methodology, rigorous data analysis, and expert input. To execute this process effectively, it’s important to assemble a multidisciplinary team, including clinicians, statisticians, regulatory affairs professionals, and medical writers.

Clinical Investigations

Clinical investigations, often referred to as clinical trials, are an integral component of the clinical evaluation process and are typically required for certain medical devices. These investigations involve the deliberate and systematic study of a device’s safety and performance in human subjects under controlled conditions.

Clinical investigations are typically mandated for higher-risk medical devices or those with novel technologies, where clinical data from similar devices is insufficient to establish safety and performance. The decision to conduct clinical investigations depends on various factors, such as the device classification, intended use, and potential risks.

Planning and conducting clinical investigations requires adherence to rigorous scientific and ethical principles:

  • Protocol Development: A well-defined study protocol outlining the objectives, methods, patient population, endpoints, and statistical analyses is crucial. This protocol should align with regulatory requirements and ethical standards.
  • Ethical Considerations: It is crucial to obtain informed consent from study participants and ensure their rights and safety are protected. Ethical review boards play a vital role in this process.
  • Data Collection and Analysis: Rigorous data collection, monitoring, and statistical analysis are essential to generate robust clinical evidence.
  • Regulatory Reporting: Regulatory authorities must be informed of the progress and outcomes of clinical investigations in accordance with their requirements.
  • Post-Investigation Analysis: The results of clinical investigations inform the clinical evaluation and should be integrated into the overall evidence package.

This way, clinical evaluation and evidence generation are integral components of ensuring the safety and efficacy of medical devices. A well-executed clinical evaluation, supported by clinical investigations when necessary, not only demonstrates compliance with regulatory requirements but also fosters confidence among healthcare professionals, regulatory authorities, and patients in the device’s performance and safety.

Technical Documentation

Technical Documentation Preparation

Technical documentation is the cornerstone of medical device regulatory compliance. It provides a comprehensive record of your device’s design, development, performance, and safety. Preparing this documentation requires attention to detail and adherence to regulatory standards.

The technical file or design dossier serves as a repository of information that demonstrates the conformity of your device with the requirements of the European Medical Device Regulation (MDR). It should encompass a wide array of data and documents, including:

  • Device Description
  • Risk Assessment
  • Design and Manufacturing Information
  • Clinical Data
  • Labeling and Instructions for Use
  • Quality Management System
  • Notified Body Certificates (if applicable)

The process of preparing technical documentation requires interdisciplinary collaboration between engineers, regulatory experts, quality assurance professionals, and clinical specialists. It should be approached as a dynamic and living document that evolves as the device matures, incorporating updated information and addressing any changes or improvements made over time.

Essential Requirements

Meeting the essential requirements outlined in Annex I of the MDR is a must for medical device manufacturers. These requirements set the fundamental safety and performance criteria the devices must meet to be placed on the European market.

Annex I covers a wide range of aspects, including but not limited to:

  • Biological Safety: Ensuring the device is biocompatible and will not cause harm when in contact with the human body.
  • Clinical Performance: Demonstrating that the device performs its intended purpose effectively and accurately.
  • Electromagnetic Compatibility: Ensuring that the device does not interfere with other devices or systems and is not susceptible to interference.
  • Software Validation: Validating the software used in the device to ensure it operates correctly and safely.
  • Sterilization and Microbial Control: If applicable, it can demonstrate the device is appropriately sterilized and maintained free from harmful microorganisms.
  • Materials and Chemical Composition: Detailing the materials used in the device and ensuring they are safe for their intended use.

Adhering to these essential requirements requires testing, risk assessment, and documentation. Manufacturers should also be prepared for ongoing assessment and verification of their devices’ compliance throughout their lifecycle.

This way, technical documentation and adherence to essential requirements are crucial in the regulatory journey of medical devices in the EU. The documentation not only helps manufacturers achieve regulatory compliance but also instills confidence in the safety and performance of their devices among healthcare professionals, regulatory authorities, and patients.

Notified Bodies

Select a Notified Body

One of the pivotal steps in navigating the regulatory landscape for medical devices in the European Union is the selection of a Notified Body. Notified Bodies are independent organizations designated and authorized by EU member states to assess the conformity of medical devices with the European Medical Device Regulation (MDR). Their role is to ensure that devices meet the safety and performance standards required for market entry within the EU.

The choice of a Notified Body should be considered, as it significantly impacts the regulatory journey and the success of your device in the European market.

Key factors to consider when selecting a Notified Body include:

  • Expertise and Experience: Ensure the Notified Body has experience in assessing devices similar to yours in terms of classification and technology. Their expertise in your device’s specific domain is crucial.
  • Accreditation and Designation: Verify that the Notified Body is accredited and designated by the relevant national authority. This ensures their competence and authority to perform conformity assessments.
  • Capacity and Resources: Consider the Notified Body’s capacity to handle your assessment within the required timeframes. Overburdened Notified Bodies may cause delays in the regulatory process.
  • Communication and Collaboration: Assess their communication practices and willingness to collaborate with your team. Clear communication is essential for a smooth conformity assessment process.

Interaction with Notified Bodies

Notified Bodies are critical in assessing your device’s compliance with the MDR and ensuring its safety and performance. Their responsibilities include:

  • Conformity Assessment: Notified Bodies conduct the required conformity assessments based on the risk classification of your device. This may involve reviewing technical documentation, conducting on-site audits, and assessing the quality management system.
  • Certification: If your device meets the MDR’s requirements, the Notified Body issues a certificate attesting to its conformity. This certificate, often referred to as a CE certificate, is a key milestone in the regulatory process.
  • Ongoing Surveillance: Notified Bodies maintain surveillance over certified devices, ensuring they continue to meet regulatory requirements throughout their lifecycle.
  • Post-Market Surveillance: They monitor the performance of devices on the market, including investigating adverse events and ensuring timely corrective actions if issues arise.

Manufacturers should be prepared to provide comprehensive technical documentation, respond to inquiries, and facilitate any necessary assessments or audits. Collaborating closely with the Notified Body can streamline the regulatory process and help ensure a successful path to market entry in the European Union.

Unique Device Identification (UDI)

UDI Requirements

The Unique Device Identification (UDI) system is a critical component of modern medical device regulation aimed at improving device traceability, post-market surveillance, and overall patient safety. Complying with UDI requirements is not only a regulatory necessity but also a means to bolster transparency and accountability within the medical device industry.

UDI Requirements encompass several key components:

  • UDI Issuing Agency: Manufacturers must obtain a UDI from an authorized UDI Issuing Agency responsible for issuing and managing UDI codes. These agencies are often designated by regulatory authorities.
  • Device Identifier (DI): The DI is a unique code specific to each version or model of a device. It distinguishes one device from another and allows for precise identification.
  • Production Identifier (PI): The PI provides information about the device’s manufacturing lot, serial number, and expiration date, if applicable. It aids in tracking the device’s production history and traceability.
  • UDI Database Submission: Manufacturers are typically required to submit UDI information to a central database, which is accessible to regulatory authorities, healthcare providers, and other stakeholders. This database plays a pivotal role in post-market surveillance, recalls, and monitoring device performance.

Compliance with UDI requirements ensures that devices can be traced back to their source, making it easier to identify and address safety concerns or quality issues promptly. It also facilitates more efficient recalls, reducing the potential impact on patients and healthcare providers.

Labeling and Packaging

Correctly displaying UDI information on your device’s labeling and packaging is critical to compliance with UDI requirements. The labeling and packaging of medical devices serve as the primary means for communicating essential information to healthcare professionals and end-users.

Ensuring compliance includes:

  • Label Design: Design labels that prominently display the UDI, including the DI and PI, in a clear, legible, and standardized format. This information should be easily accessible and understandable to users.
  • Label Placement: Ensure the UDI is placed on the device in a location that is easily visible and won’t degrade or become unreadable during use or storage.
  • Packaging Integration: Integrate UDI information on the device’s packaging, if applicable, to enhance traceability even before the package is opened.
  • Barcoding: Many UDIs are represented as barcodes for quick and accurate scanning. Ensure that barcodes conform to recognized standards to facilitate data capture.
  • Language and Symbols: Consider international language and symbol standards to accommodate a global audience.

Proper UDI labeling and packaging not only contribute to regulatory compliance but also support safe and effective device use. It enables healthcare professionals to quickly identify and access critical device information, reducing the risk of errors and ensuring the device is used as intended.

Post-Market Obligations

Vigilance and Reporting

Post-market obligations are designed to detect and address any issues or adverse events that may arise during real-world use. Comprehending your responsibilities in this regard is crucial for regulatory compliance and patient safety.

Adverse Event Reporting: Manufacturers are typically required to establish a robust system for collecting, documenting, and analyzing adverse events associated with their devices. This includes any unexpected or undesirable events or incidents that occur during device use and may harm patients or users. Timely and accurate reporting of adverse events is essential and often mandated by regulatory authorities.

Incident Reporting: In addition to adverse events, incidents related to device malfunction, labeling errors, or other issues must be documented and reported. Incidents may not always result in patient harm but still warrant investigation and corrective actions to prevent recurrence.

Understanding the specific reporting requirements and timelines in your region and adhering to them diligently is crucial. Failure to report adverse events or incidents can have serious consequences, including regulatory penalties and damage to your device’s reputation.

Market Surveillance

Market surveillance is an ongoing process of monitoring a device’s performance once it’s in the hands of healthcare professionals and patients. It involves gathering and analyzing data on how the device is being used, its clinical outcomes, and any trends or patterns related to its safety and effectiveness.

It includes:

  • Data Collection and Analysis: Establish mechanisms for collecting and analyzing data from various sources, including post-market clinical studies, user feedback, complaint databases, and adverse event reports.
  • Trend Analysis: Conduct trend analysis to detect patterns or anomalies in device performance or safety. Monitoring trends can provide early warning signs of issues that require further investigation.
  • Corrective and Preventive Actions: If market surveillance identifies safety or performance issues, take swift corrective actions. This may involve issuing recalls, updating labeling or instructions, and implementing design changes.
  • Communication: Maintain open and transparent communication with regulatory authorities, healthcare professionals, and end users. Timely reporting and information sharing foster trust and demonstrate a commitment to patient safety.

Post-market obligations are essential for safeguarding patients and users of medical devices. It allows manufacturers to adapt and improve devices based on real-world data, ultimately enhancing their safety and performance and fostering trust among stakeholders.

Transition from MDD to MDR

Timelines and Deadlines

The transition from the Medical Device Directive (MDD) to the Medical Device Regulation (MDR) represents a significant shift in the regulatory landscape for medical devices in the European Union. Manufacturers, regulatory affairs professionals, and stakeholders must be well-versed in the transition timelines and adhere to critical deadlines to ensure regulatory compliance and market access.

Transition Timelines: The MDR officially came into force on May 26, 2021, replacing the MDD. However, the transition period allowed for a gradual shift, during which devices could still be placed on the market under MDD provisions. Recently, the EU extended the EU MDR transition periods for devices transitioning to the EU MDR from 26 May 2024 to:

  • 26 May 2026 for class III implantable custom-made devices
  • 31 December 2027 for class III and implantable class IIb devices
  • 31 December 2028 for non-implantable class IIb and lower-risk devices
  • 31 December 2028 for class I devices that are a higher class under the MDR.

Planning: Manufacturers must establish clear timelines for updating technical documentation, conducting necessary assessments, and engaging with Notified Bodies or competent authorities as required.

Impact Assessment: A thorough impact assessment is necessary to identify how the MDR’s requirements differ from the MDD and how these changes will affect your devices. This assessment should encompass aspects such as clinical data requirements, labeling and UDI, risk classification, and conformity assessment routes. It may reveal the need for additional clinical studies, updated quality management systems, or changes in labeling and packaging.

Legacy Devices

Legacy devices, those that were placed on the market under the MDD prior to the MDR’s full application, pose a unique set of challenges during the transition.

Documentation Update: Manufacturers of legacy devices must review and update their technical documentation to align with MDR requirements. This includes addressing changes in risk classification, conformity assessment routes, and clinical data expectations.

Considerations for Legacy Devices: Manufacturers should carefully consider the classification of their legacy devices under the MDR, as this may impact the level of scrutiny and the conformity assessment route required. Some legacy devices may need to undergo additional assessments, while others may benefit from transitional provisions.

Post-Market Surveillance: Manufacturers should also establish robust post-market surveillance systems for legacy devices to monitor their performance and safety in accordance with MDR requirements.

All in all, the transition from MDD to MDR demands meticulous planning, compliance with timelines, and a thorough understanding of the regulatory changes. Manufacturers must be proactive in updating technical documentation and ensuring the ongoing regulatory compliance of both new and legacy devices. A smooth transition ensures continued access to the European market and maintains patient safety and trust in medical devices.

Involvement of Authorized Representatives and Importers

Roles and Responsibilities

Authorized Representatives (ARs): Authorized Representatives play a crucial role in the regulatory landscape of medical devices in the European Union, particularly for manufacturers based outside the EU. Understanding their roles and responsibilities is vital for a seamless and compliant market entry.

Key Responsibilities of ARs are:

  • Legal Presence: ARs serve as the legal presence of non-EU manufacturers within the EU. They are responsible for ensuring that the manufacturer’s devices meet EU regulatory requirements
  • Communication: ARs facilitate communication between the manufacturer and regulatory authorities, including reporting adverse events and providing information upon request.
  • Technical Documentation: They must have access to the technical documentation of the devices they represent and be prepared to provide it to authorities if required.
  • Registration: ARs are often responsible for registering devices with relevant authorities, which is a prerequisite for market access.
  • Post-Market Surveillance: ARs may be involved in post-market surveillance activities, including reporting and addressing safety concerns.


Importers also play a critical role in ensuring the safety and compliance of medical devices entering the EU market. Their responsibilities extend beyond merely bringing products into the EU.

Key Responsibilities of Importers:

  • Verification of Compliance: Importers must ensure that the devices they import conform to EU regulations, including labeling, documentation, and conformity assessment.
  • Record Keeping: They are required to maintain records of devices they import and the associated documentation. These records should be accessible to authorities upon request.
  • Notifying Incidents: Importers are obligated to notify authorities and the manufacturer if they believe a device they’ve imported poses a risk to patients or users. This is a crucial aspect of post-market surveillance.
  • Cooperation with Authorities: Importers must cooperate with competent authorities during market surveillance activities and investigations.
  • Labeling and UDI: Ensuring that devices bear the correct labeling, including the Unique Device Identifier (UDI), and that this information is accurately transferred to the EU label and packaging.

The involvement of Authorized Representatives and Importers is instrumental in navigating the complex regulatory landscape of the EU for medical devices. It’s important to note that the roles and responsibilities of Authorized Representatives and Importers can vary depending on the specific device, its classification, and the regulatory framework of the EU member state in which they operate. Manufacturers, ARs, and Importers should establish clear agreements and communication channels to ensure a harmonized approach to regulatory compliance.

Digital Health and Software as Medical Devices

The advent of digital health technologies and the recognition of software as medical devices are revolutionizing the healthcare landscape. Understanding and adapting to these trends is essential for both manufacturers and regulators.

Digital Health Ecosystem: Digital health encompasses a broad spectrum of technologies, including mobile health apps, wearable devices, telemedicine platforms, and remote monitoring systems. Manufacturers are increasingly developing and integrating these technologies into medical devices to enhance patient care and monitoring.

Regulatory Framework: Regulatory agencies, such as the European Medicines Agency (EMA) in the EU and the FDA in the United States, have been actively evolving to accommodate the unique challenges posed by digital health and software as medical devices.

Data Privacy and Security: As digital health devices collect and transmit sensitive patient data, stringent data protection and cybersecurity measures are paramount. Ensuring the confidentiality, integrity, and availability of patient information is an ongoing challenge that manufacturers and regulators must address.

Artificial Intelligence and Machine Learning

Artificial intelligence (AI) and machine learning (ML) are poised to transform healthcare by enhancing diagnostics, treatment planning, and predictive analytics. However, they introduce novel regulatory complexities.

Complex Algorithms: AI and ML algorithms can be highly complex and may “learn” and adapt over time. This dynamic nature poses challenges in terms of pre-market assessment and ongoing monitoring.

Data Integrity: The quality and diversity of training data are critical for AI and ML model performance. Ensuring data integrity and representativeness is challenging, especially in healthcare, where data privacy is paramount.

Regulatory Adaptation: Regulatory authorities are actively working on adapting guidelines and frameworks to accommodate AI and ML technologies. Manufacturers need to stay informed about evolving regulatory requirements.

Ethical Considerations: AI in healthcare also brings ethical questions, including issues related to bias in algorithms, transparency, and accountability.

Cybersecurity and Data Protection

With the increasing connectivity of medical devices, cybersecurity and data protection have emerged as major concerns. Ensuring the security of patient data and device functionality is a top priority.

Vulnerabilities: Medical devices are susceptible to cyberattacks that can compromise patient safety and privacy. Manufacturers must implement robust cybersecurity measures to protect against such threats.

Regulatory Expectations: Regulatory agencies are increasingly focusing on cybersecurity requirements for medical devices. Manufacturers must incorporate cybersecurity into their design and development processes to meet these expectations.

Interoperability: As healthcare systems become more interconnected, ensuring the interoperability of devices while maintaining security is a challenge. Standardization efforts are underway to address this issue.

Patient Trust: Maintaining patient trust is essential. Data breaches or device vulnerabilities can erode confidence in medical devices and digital health technologies. Manufacturers must be proactive in addressing cybersecurity concerns.

Of course, these trends bring new challenges regarding regulation, data security, and ethical considerations. Manufacturers, regulators, and healthcare stakeholders must work collaboratively to harness the potential of these technologies while safeguarding patient safety and privacy.


This Beginner’s Guide to EU Medical Device Regulation is a vital and all-encompassing resource crafted with the specific purpose of empowering developers, manufacturers, and all stakeholders operating within the dynamic realm of the medical device industry. It equips its readers with the knowledge and tools they require to not only meet but also master the intricacies of EU Medical Device Regulation.

At its core, this guide is a compass, helping you navigate the maze of regulatory landscape of the European Union. With this guide in hand, you are poised not only to meet the challenges of the EU MDR but to thrive in an environment where safety, efficacy, and innovation converge if you’re dedicated to contributing to the continuous improvement of healthcare and making a lasting impact on the lives of patients across Europe.

Looking to launch your medical device prototype? Try iCure for free.


Ready for more?

or stop by our instagram icon or linkedin icon to say hello =)

Terms of use



ICure SA is incorporated in Geneva, Switzerland, with a registered office at Rue de la Fontaine 7, 1211 Geneva, Switzerland registered in the commercial registry under CHE-270.492.477 (“iCure”).

These Terms of Use constitute a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and iCure SA (“we,” “us” or “our”), concerning your access to and use of the https://www.icure.com website as well as any other media form, media channel, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the “Website”).

When you accept, these Terms form a legally binding agreement between you and iCure. If you are entering into these Terms on behalf of an entity, such as your employer or the company you work for, you represent that you have the legal authority to bind that entity.


iCure may, in its sole discretion, elect to suspend or terminate access to, or use of the iCure to anyone who violates these Terms.

All users who are minors in the jurisdiction in which they reside (generally under the age of 18) must have the permission of, and be directly supervised by, their parent or guardian to use the Website. If you are a minor, you must have your parent or guardian read and agree to these Terms of Use prior to you using the Website.

The original language of these Terms and Use is English. In case of other translations provided by iCure, the English version shall prevail.


The Content of the documentation stated on this Website is ours. All Marks, Content that concern iCure cannot be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

Provided that you are eligible to use the Website, you are granted a limited license to access and use the Website and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Website, the Content, and the Marks.


By using the Website, you represent and warrant that:

  1. All registration information you submit will be true, accurate, current, and complete; you will maintain the accuracy of such information and promptly update such registration information as necessary.
  2. You have the legal capacity, and you agree to comply with these Terms of Use.
  3. You are not under the age of 13.
  4. Not a minor in the jurisdiction in which you reside, or if a minor, you have received parental permission to use the Website.
  5. You will not access the Website through automated or non-human means, whether through a bot, script, or otherwise.
  6. You will not use the Website for any illegal or unauthorized purpose.
  7. Your use of the Website will not violate any applicable law or regulation.


You may not access or use the Website for any purpose other than that for which we make the Website available. The Website may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved between you and iCure.

As a user of the Website, you agree not to:

  1. Publishing any Website material in any other media.
  2. Selling, sublicensing, and or otherwise commercializing any Website material.
  3. Publicly performing and or showing any Website material.
  4. Using this Website in any way that is or may be damaging to this Website.
  5. Using this Website in any way that impacts user access to this Website.
  6. Using this Website contrary to applicable laws and regulations, or in any way may cause harm to the Website, or to any person or business entity.
  7. Engaging in any data mining, data harvesting, data extracting, or any other similar activity in relation to this Website.
  8. Using this Website to engage in any advertising or marketing.


This Website is provided “as is,” with all faults, and iCure expresses no representations or warranties, of any kind related to this Website or the materials contained on this Website. Also, nothing contained on this Website shall be interpreted as advising you.


In no event shall iCure, nor any of its officers, directors, and employees shall be held liable for anything arising out of or in any way connected with your use of this Website whether such liability is under this agreement. iCure, including its officers, directors, and employees shall not be held liable for any indirect, consequential, or special liability arising out of or in any way related to your use of this Website.


You hereby fully indemnify iCure from and against any and/or all liabilities, costs, demands, causes of action, damages, and expenses arising in any way related to your breach of any of the provisions of these Terms.


If any provision of these Terms is found to be invalid under any applicable law, such provisions shall be deleted without affecting the remaining provisions herein.


iCure is permitted to revise these Terms at any time as it sees fit, and by using this Website you are expected to review these Terms on a regular basis.


iCure is allowed to assign, transfer, and subcontract its rights and/or obligations under these Terms without any notification. However, you are not allowed to assign, transfer, or subcontract any of your rights and/or obligations under these Terms.


These Terms constitute the entire agreement between iCure and you in relation to your use of this Website and supersede all prior agreements and understandings.


These Terms shall be governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of law provisions.

The parties shall attempt to solve the matter amicably in mutual negotiations. In case of a non-amicable settlement that has been found between the parties, the Court of Geneva will be competent.


Please refer to our Privacy Policy and Cookie Notice for the Data that we collected from the contact form and the Matomo cookie.

iCure SA

Contact: contact@icure.com

Last update: November 2nd, 2022.

Privacy Policy


iCure SA (iCure) is incorporated in Geneva, Switzerland, with a registered office at Rue de la Fontaine 7, 1204 Geneva, Switzerland registered in the commercial registry under CHE-270.492.477.

This Privacy Policy describes the information that we collect through our Website (https://www.icure.com), how we use such information, and the steps we take to protect such information. We strongly recommend that you read the Privacy Policy carefully.


The original language of this Privacy Policy is English. In the case of other translations provided by iCure, the English version shall prevail.

This Privacy Policy is incorporated into and is subject to, the iCure Terms of Use.

1. Definitions

Administrative Data: means Personal Data such as the Name, Email, and Phone in order to perform administrative tasks like Invoicing or contacting the Client (if support is needed).

Cookies: means text files placed on a computer to collect standard internet log information and visitor behavior information. When you visit a website, they may collect information from a computer automatically through cookies or similar technology (for further information please refer to our Cookies Notice, visit allaboutcookies.org.).

Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Visitor: means the natural person that submits their Personal Data through our contact form; and/or sends us an email; and/or cookies have been implemented.

All other undefined terms used in this Agreement have the meaning from our Terms and Conditions and the General Data Protection Regulation of the Regulation (EU) 2016/679 of 27 April 2016 (GDPR).

2. Concerning your Personal Data

For this website, iCure collects and determines the use and the purpose of any Personal Data uploaded by the visitor, therefore iCure is defined as the Data Controller according to the GDPR.

2.1 Contact Form

iCure collects Administrative Data that the Visitor completed in our contact form available through our Website.

The Administrative Data that Visitor provides to iCure on this contact form are the First name, the last name, the working e-mail address, the name of your organization, and other Personal Data that the Visitor included in the description of its work.

iCure processes these Administrative Data on the lawful basis of the Visitor’s consent (Article 6, 1. a) of the GDPR).

iCure uses these Administrative Data to perform administrative tasks like contacting the Visitor who completed the contact form, to better understand your needs and interests, and to provide you with better service.

2.2 Email

The Visitor can contact iCure through contact@icure.com to get any information about the Company or new job positions. In this email, the Visitor includes his Name, mail address, and any other Personal Data.

iCure processes these Personal Data on the lawful basis of the Visitor’s consent (Article 6, 1. a) of the GDPR).

iCure uses these Personal Data to answer any request from the Visitor and to consider the Visitor’s job application that they sent us by email.

2.3 Newsletters

iCure offers newsletters to provide you with updates, promotional communications, and offers related to our products and services. If you wish to receive our newsletters, we will collect and process your Personal Data for this specific purpose.

iCure processes these Personal Data on the lawful basis of the Visitor’s consent (Article 6, 1. a) of the GDPR). By subscribing to our Newsletters, you explicitly consent to the use of your Personal Data for direct marketing purposes, including the sending of promotional communications and offers by email.

If you do not want your Personal Data to be further processed for direct marketing purposes, you have the right to withdraw your consent at any time, free of charge and without having to provide any justification, by contacting iCure.

3. Security

iCure has implemented appropriate technical and organizational measures to safeguard your Personal Data against any accidental or illicit destruction, loss, modification, deterioration, usage, access, divulgation, and any other unauthorized processing of your Personal Data. We make every effort to protect personal information. However, you should always be careful when you submit personal or confidential information about yourself on any website, including our website.

4. The data retention period and the conditions for deletion

iCure will not retain your Personal Data, as collected, and processed in accordance with this Privacy Policy, for a period longer than necessary to fulfill the purposes described above.

For the Administrative Data from the contact form completed by the Visitor (as described in section 2.1 of this Privacy Policy), these Data shall be stored for a maximum period of 1 month from the completion of the form.

For the Personal Data from the Email completed by the Visitor (as described in section 2.2 of this Privacy Policy), these Data shall be stored for a maximum period of 2 months from the completion of the form.

For the Personal Data from the Newsletters completed by the Visitor (as described in section 2.3 of this Privacy Policy), these Data shall be stored for a maximum period of 11 months from the date of your consent or until you withdraw it.

5. Your rights

You are entitled to access your Personal Data processed by iCure and request their modification or erasure if it is incorrect or unnecessary. To exercise your rights, you may get in touch with iCure by using the electronic contact form available on our website or send a written and signed request to iCure at the email address privacy@icure.com with a copy of your ID or other identification documents, and any document proving that you are the data subject.

In general, where applicable, you also have the right to withdraw consent to the processing at any time. This withdrawal does not affect the lawfulness of processing based on consent made prior to such withdrawal. In certain cases, you also have the right to data portability. Those rights can be exercised by following the abovementioned procedure.

You have the right to lodge a complaint with a supervisory authority, in the Member State of the European Union of your usual place of residence, your place of work, or the place where the violation occurred, if you consider that the processing of personal data relating to you infringes Data Protection Law.

Please, note that the term of processing of such request can take up to one month. Contact: privacy@icure.com

6. Modification

iCure expressly reserves the right to modify this Privacy Policy and you undertake to regularly review the Privacy Policy. By amending the Privacy Policy, iCure will consider your legitimate interests. You will receive a notification if the Privacy Policy is modified. By continuing to actively use the iCure Services after such notification, you acknowledge that you have read the modifications to the Privacy Policy.

7. Information Sharing

Our employees and/or authorized contractors are the people in charge of the Data Processing.

iCure does not sell, rent, or lease any individual’s personal information or lists of email addresses to anyone for marketing purposes, and we take commercially reasonable steps to maintain the security of this information.

However, iCure reserves the right to supply any such information to any organization into which iCure may merge in the future or to which it may make any transfer in order to enable a third party to continue part or all of its mission.

We also reserve the right to release personal information to protect our systems or business when we reasonably believe you to be in violation of our Terms of Use and Privacy Policy or if we reasonably believe you to have initiated or participated in any illegal activity.

In addition, please be aware that in certain circumstances, iCure may be obligated to release your personal information pursuant to judicial or other government subpoenas, warrants, or other orders.

8. Links to other Websites

This Website may provide links to third-party websites (Instagram and Linkedin) for the convenience of our users. If you access those links, you will leave this website. iCure does not control these third-party websites and cannot represent that their policies and practices will be consistent with this Privacy Policy. For example, other websites may collect or use personal information about you in a manner different from that described in this document. Therefore, you should use other websites with caution and do so at your own risk. We encourage you to review the privacy policy of any website before submitting personal information.

9. Cookies

To get more information on how iCure uses Matomo’s cookies, please check our Cookie Notice.

10. Contact

Please contact us with any questions or comments about this Policy, your Personal Data, and our use and disclosure practices by email at privacy@icure.com If you have any concerns or complaints about this Policy or your Personal Data, you may contact our DPO at privacy@icure.com.

Please, note that the term of processing of such request can take up to one month.

iCure SA

Contact : privacy@icure.com

Last update: July the 26th, 2023.

Information Security Policy


1. Introduction

The iCure universe is built on trust. Guaranteeing the confidentiality of the data that are entrusted to us is our highest priority.

The Information Security Policy of iCure abstracts the security concept that permeates every activity and abides by the ISO 27001:2013 requirements for Information Security, so that we ensure the security of the data that iCure and its clients manage.

Every employee, contractor, consultant, supplier and client of iCure is bound by our Information Security Policy.

2. Our Policy

iCure is committed to protecting the confidentiality, integrity and availability of the service it provides and the data it manages. iCure also considers protecting the privacy of its employees, partners, suppliers, clients and their customers as a fundamental security aspect.

iCure complies with all applicable laws and regulations regarding the protection of information assets and voluntarily commits itself to the provisions of the ISO 27001:2013.

3. Information Security Definitions

Confidentiality refers to iCure’s ability to protect information against disclosure. Attacks, such as network reconnaissance, database breaches or electronic eavesdropping or inadvertent information revealing through poor practices.

Integrity is about ensuring that information is not tampered with during or after submission. Data integrity can be compromised by accident or on purpose, by evading intrusion detection or changing file configurations to allow unwanted access.

Availability requires organizations to have up-and-running systems, networks, and applications to guarantee authorized users’ access to information without any interruption or waiting. The nature of data entrusted to us requires a higher-than-average availability.

Privacy is the right of individuals to control the collection, use, and disclosure of their personal information. Our privacy policies are based on the GDPR(https://gdpr-info.eu/) and can be augmented by added requirements of specific clients or law areas.

4. Risk Assessment

The main threats iCure is facing as a company are:

  1. Data Theft;
  2. Data Deletion;
  3. Denial of Service attacks;
  4. Malware;
  5. Blackmail and Extortion.

As providers of a solution used by developers active in Healthcare, we also have to anticipate the risks of:

  1. Attacks on our clients’ data, which could lead to major social damages and a loss of trust in our solution;
  2. Abuse of our solution by ill-intentioned clients, that could impact the quality of the service provided to the rest of our clients.

The motivation of the attackers in the latter cases can range from financial gain to political or ideological motivations.

A last risk is linked to the nature of the healthcare data we handle. We must ensure, that the data we handle are not used for purposes other than those for which they were collected:

A piece of data collected from a patient for the purpose of a medical consultation should not be available to third parties, not even a government agency.

5. Risk Management

The main principles we apply to manage the risks we face are:

  1. Confidentiality by design: All sensitive data is encrypted end-to-end before being stored in our databases. We do not have any access to the data we store. Our client’s customers are the only ones who can decrypt the data we store.
  2. Anonymization by design: Healthcare information that has to be stored unencrypted is always anonymized using end-to-end encryption scheme. This means that the link between the healthcare and administrative information must be encrypted.

Those two principles allow us to minimize the risks of data theft, blackmail, extortion, and coercion by government agency.

  1. Multiple real-time replicas, with automatic failover: We use a distributed database architecture to ensure that our data is available at all times. We use a master-master architecture, each data is replicated at least 3 times. Snapshots are taken every day to ensure that we can restore the data in case of a malevolent deletion event.
  2. Automatic password rotations: no single password can be used for more than 48 hours. Passwords are automatically rotated every 24 hours. In case of a password leak, we can limit the window of opportunity for an attack.

Those two principles allow us to minimise the risks of data deletion, denial of service attacks, and malware.

  1. Minimization of the attack surface: we deploy our systems in the most minimal way. We only expose the network services that are strictly necessary.
  2. Strict dependency management: we only use open-source software that is regularly updated and audited by the community. We favor dependency management software and providers that minimize the risk of supply chain poisoning.

Those two principles allow iCure to minimise the risks of intrusion by vulnerability exploit or supply chain attacks, two risks that could lead to data theft or data deletion.

6. Further Information

This policy is valid as of November 10th, 2022. For futher information please connect with us at privacy@icure.com


iCure SA

Rue de la Fontaine 7, 1204 Geneva, Switzerland


This website uses cookies

We use only one cookie application for internal research on how to improve our service for all users. It is called Matomo, and it stores the information in Europe, anonymized and for limited time. For more details, please refer to our and .