EU MDR Implementation: What Manufacturers Need to Know in 2026

The EU Medical Device Regulation (MDR 2017/745) has fundamentally transformed the regulatory landscape for medical devices in Europe. Since its full application date of 26 May 2021, the industry has navigated a complex transition period marked by extended deadlines, resource constraints at Notified Bodies, and evolving guidance from the Medical Device Coordination Group (MDCG). As we move through 2026, manufacturers must take stock of where they stand and what remains to be done.

The most significant recent development is the extended transition timeline established by Regulation (EU) 2023/607. Under this amendment, certain legacy devices with valid MDD/AIMDD certificates may remain on the EU market until 31 December 2027 for higher-risk devices (Class III and Class IIb implantables) and until 31 December 2028 for other device classes. However, these extensions are not automatic. Manufacturers must demonstrate that they have submitted an MDR application to a Notified Body, that a written agreement with the Notified Body is in place, and that their quality management system and post-market surveillance remain compliant.

Notified Body capacity remains a bottleneck. Although the number of designated MDR Notified Bodies has grown to over 40, many manufacturers report wait times of 12 to 18 months before their conformity assessment can begin in earnest. This backlog underscores the importance of early engagement with your chosen Notified Body and of submitting documentation that is complete and audit-ready from the outset. Incomplete or poorly structured technical documentation is the single most common cause of delays in the certification process.

EUDAMED, the European Database on Medical Devices, continues its phased rollout. The Actor Registration and UDI/Device Registration modules are operational, and manufacturers should already be registered and submitting UDI data. The remaining modules for certificates, notified body data, clinical investigations, vigilance, and market surveillance are expected to become mandatory in a staggered approach through 2027. Manufacturers should proactively begin entering data into available modules rather than waiting for the mandatory date, as this accelerates internal process maturity and signals readiness to regulators.

From a documentation perspective, the requirements under MDR Annex II and Annex III remain demanding. Technical documentation must comprehensively address the General Safety and Performance Requirements (GSPR) set out in Annex I, with clear traceability between identified hazards, risk controls, and the evidence demonstrating that each requirement is met. Common areas where manufacturers face challenges include sufficient clinical evidence per Article 61, post-market clinical follow-up (PMCF) plans that go beyond the minimum, and benefit-risk determinations that reflect the current state of the art.

Post-market surveillance (PMS) obligations under the MDR are substantially more rigorous than under the legacy directives. Manufacturers must maintain a PMS plan and produce periodic safety update reports (PSUR) for Class IIa, IIb, and III devices, or a PMS report for Class I devices. The emphasis is on proactive and systematic data collection. Regulators expect manufacturers to actively monitor field performance, complaints, incident trends, and published literature. Manufacturers who treat PMS as a passive, reactive exercise will find their documentation scrutinized more heavily.

For manufacturers of software as a medical device (SaMD), the MDR in conjunction with MDCG guidance documents 2019-11 and 2020-1 has clarified classification rules. Many software products that were previously unregulated or classified as Class I under the MDD now fall under Class IIa or higher. This reclassification has significant implications for the required conformity assessment procedure and the involvement of a Notified Body. Software manufacturers should ensure their classification rationale is robust and well-documented.

Cybersecurity has emerged as a critical focus area for both regulators and Notified Bodies. While not a new MDR requirement per se, the MDCG 2019-16 guidance on cybersecurity and the upcoming harmonisation of IEC 81001-5-1 have raised expectations. Manufacturers must demonstrate that cybersecurity risks have been systematically identified, that the device incorporates appropriate security controls, and that a plan exists for managing vulnerabilities throughout the device lifecycle. This is particularly relevant for connected devices and SaMD.

Practical advice for manufacturers navigating this landscape: First, conduct a comprehensive gap analysis of your technical documentation against MDR Annex II requirements. Second, ensure your quality management system is aligned with EN ISO 13485:2016 and that internal audits specifically address MDR compliance gaps. Third, engage your Notified Body early and maintain open communication channels. Fourth, invest in robust post-market surveillance processes and clinical evidence generation. Fifth, do not underestimate the effort required for UDI implementation and EUDAMED data entry.

The path to full MDR compliance is demanding, but it is also an opportunity to strengthen your regulatory foundation and competitive position in the European market. Manufacturers who invest in building comprehensive, well-structured documentation and mature quality processes will not only achieve compliance more efficiently but will also be better positioned for global market access, as regulatory convergence trends mean that robust EU documentation increasingly supports submissions in other jurisdictions.