The EU Medical Device Regulation (MDR) 2017/745 has been fully applicable since May 2021, with staggered transition deadlines running through 2028 for legacy devices. Yet many small medical device importers, distributors, and manufacturers are still unclear on exactly what is required of them — and whether the compliance burden is even proportionate to their size.

It is. And the consequences of non-compliance are serious: loss of CE mark, inability to place devices on the EU market, and in some cases personal liability for the Person Responsible for Regulatory Compliance (PRRC).

This article breaks down what EU MDR compliance actually requires for small companies, where most organisations fall short, and what a practical path to compliance looks like.

What changed under EU MDR — and why it matters

The EU MDR replaced the Medical Devices Directive (MDD) 93/42/EEC and the Active Implantable Medical Devices Directive (AIMDD) 90/385/EEC. The shift was not cosmetic. The regulation substantially increased requirements across clinical evidence, post-market surveillance, traceability, and quality management.

The changes most relevant to small companies include:

Stricter clinical evidence requirements. Under MDD, many Class I and low-risk Class IIa devices relied on equivalence data from literature. Under MDR, clinical evaluation requirements are more rigorous, and demonstrating equivalence is harder. Notified bodies are scrutinising clinical evaluation reports far more closely.

Expanded post-market surveillance obligations. All manufacturers must maintain a post-market surveillance system proportionate to the risk class of the device. For Class IIa and above, this includes a Periodic Safety Update Report (PSUR). For Class I, a Post-Market Surveillance Report (PMSR) is required.

Unique Device Identification (UDI).UDI requirements under EU MDR are phased by device class and are now fully in force across all device classes. Class III and implantable devices have been required to carry UDI on labels and packaging since 26 May 2021; Class IIa and IIb since 26 May 2023; and Class I devices since 26 May 2025. As of today, there are no remaining phase-in windows — every medical device placed on the EU market must carry a compliant UDI carrier on its label and all higher levels of packaging. Critically, as of 28 May 2026, registration in EUDAMED’s UDI/Device module is mandatory for all new devices before first placement on the EU market. Legacy devices already on the market before 28 May 2026 must be registered in EUDAMED by 27 November 2026. Companies that have not yet assigned a UDI or completed EUDAMED registration are in active non-compliance, regardless of the validity of their CE mark.

Person Responsible for Regulatory Compliance (PRRC). Every manufacturer and authorised representative must designate at least one PRRC. This person must hold specific qualifications and bears regulatory responsibility. For small companies, the PRRC is often also the quality manager or regulatory affairs lead — which is fine, but the role cannot be vacant.

Quality Management System requirements. ISO 13485:2016 is the recognised standard for EU MDR QMS compliance. Certification is not explicitly mandatory under MDR, but Notified Bodies conducting conformity assessments expect to see a QMS that meets ISO 13485 requirements in substance. For most small companies, the practical outcome is the same: you need an ISO 13485-compliant QMS.

What applies to importers and distributors specifically

A common misconception is that EU MDR compliance is the manufacturer’s problem. It is not — not entirely. Importers and distributors have specific obligations under Articles 13 and 14 of EU MDR.

Importers (companies that place a device on the EU market from a non-EU manufacturer) must:

  • Verify that the manufacturer has a Declaration of Conformity and that the device bears a CE mark
  • Verify the device is registered in EUDAMED (once applicable)
  • Ensure the manufacturer has appointed an authorised representative in the EU
  • Check that the device is correctly labelled and that the label includes the importer’s name and address
  • Maintain records of complaints and non-conforming devices
  • Cooperate with market surveillance authorities

Distributors must verify CE marking and labelling, handle storage and transport appropriately, and maintain traceability records sufficient to support a recall.

Neither role requires a full QMS under ISO 13485, but if you are also involved in repackaging, re-labelling, or any modification of the device or its packaging, you are treated as a manufacturer under MDR and full manufacturer obligations apply.

Where small companies most commonly fall short

Based on gap analyses conducted across small medical device companies, the most common compliance failures are:

No documented QMS or a QMS that exists on paper but is not followed. A Quality Manual and a folder of SOPs is not a QMS. The system must be implemented, audited, and actively maintained.

Missing or inadequate technical documentation. Technical files must be structured per Annex II and III of MDR. Many legacy technical files were built for MDD and have not been updated. Commonly missing elements include updated clinical evaluation reports, risk management files compliant with ISO 14971:2019, and post-market surveillance data.

PRRC role not formally designated. Many small companies have someone doing the work without the role being documented, their qualifications verified against the MDR criteria, and their responsibilities formally assigned.

No post-market surveillance system. PMS is not a form you fill in once. It requires defined processes for complaint handling, incident reporting to EUDAMED, trend analysis, and feed-back into design and risk management.

UDI non-compliance. Companies that have not yet applied for a UDI or registered in EUDAMED are in technical non-compliance regardless of their CE mark status for that device class.

A practical compliance roadmap for small companies

Regulatory compliance is most efficiently approached as a structured programme rather than a piecemeal checklist. For a small company with a defined product portfolio, a realistic roadmap looks as follows:

Phase 1 — Gap analysis. Assess current state against EU MDR requirements and ISO 13485:2016. The output is a prioritised gap list with risk ratings. This is the baseline from which all subsequent work is planned.

Phase 2 — QMS establishment or remediation. Build or update the QMS to ISO 13485 standard: Quality Manual, Quality Policy, core SOPs, document control, record control, internal audit programme, CAPA system, management review process.

Phase 3 — Technical documentation remediation. Update technical files to MDR Annex II/III structure. Update or commission a current clinical evaluation report. Update the risk management file to ISO 14971:2019.

Phase 4 — PRRC designation. Formally appoint the PRRC, document their qualifications, and define their responsibilities in the QMS.

Phase 5 — PMS system activation. Implement post-market surveillance processes: complaint handling SOP, serious incident reporting procedure, PSUR or PMSR template and schedule, EUDAMED registration.

Phase 6 — Internal audit and CAPA closure. Conduct a full internal audit against ISO 13485 and MDR requirements. Raise and close CAPAs. This step confirms that the QMS is not only documented but implemented.

Phase 7 — Notified Body engagement (if required). For Class IIa and above, conformity assessment by a Notified Body is required. Being well-prepared before the Stage 1 audit avoids costly re-assessments and delays.

How long does this take?

For a small company with a straightforward product portfolio (Class I or Class IIa, single site, fewer than 20 staff), a focused sprint covering QMS establishment and core technical documentation can be completed in two to four weeks with the right external support. The limiting factor is usually internal resource — specifically, staff time for training, document review, and process implementation — rather than the complexity of the regulatory requirements themselves.

Working with a regulatory consultant

EU MDR compliance is a specialised area. For most small companies, the cost of building internal regulatory expertise from scratch outweighs the cost of engaging an experienced consultant, particularly for the initial certification sprint.

When selecting a consultant, look for: demonstrated knowledge of EU MDR 2017/745 (not just legacy MDD experience), ISO 13485 lead auditor credentials, and practical experience with Notified Body submissions. A consultant who has worked on both the regulatory authority side and the industry side brings a perspective that is difficult to replicate.

Vesta Consulting provides ISO 13485 certification-readiness programmes and EU MDR compliance support for small medical device companies across South Africa, the UK, and the EU. If your company is approaching a Notified Body assessment or is working through MDR transition, get in touch to discuss your requirements.

Key references

– Regulation (EU) 2017/745 of the European Parliament and of the Council on medical devices

– ISO 13485:2016 — Medical devices — Quality management systems

– ISO 14971:2019 — Medical devices — Application of risk management

– MDCG 2020-1: Guidance on clinical evaluation under EU MDR

– EUDAMED: ec.europa.eu/tools/eudamed

 

Tesha Hiralal is the founder of Vesta Consulting and a BSI-certified ISO 13485 Lead Auditor (CQI/IRCA). She holds an MSc in Regulatory Affairs and a B.Pharm (Hons), and is a former SAHPRA Medicines Control Officer and Inspector.