Medical Device Compliance Standards: What Manufacturers Need to Know in 2026

Medical device manufacturers face a layered compliance framework — ISO 13485, ISO 14971, FDA QMSR, and EU MDR each impose specific requirements that must work together as an integrated system. This guide explains the core standards, how they interact, and what manufacturers need to prioritize at each stage of the compliance process.

The regulatory framework every medical device manufacturer must understand before the first audit

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.


The Compliance Gap That Gets Medical Device Manufacturers in Trouble

Most medical device manufacturers don’t fail audits because they ignored the requirements. They fail because they didn’t understand how the requirements connect — and which standards they were actually obligated to meet.

The medical device compliance standards landscape is layered. ISO 13485 sets the QMS framework. ISO 14971 governs risk management. FDA regulations run parallel to international standards and don’t always align. Supplier controls, sterilization validation, design controls, and labeling each carry their own standard reference. A manufacturer who treats these as independent checkboxes instead of an integrated system is building toward an audit finding — or worse, a product recall.

The stakes are not abstract. The FDA issued Form 483 observations totaling thousands of findings in the medical device sector last year. Most cited documentation gaps, inadequate CAPA processes, or failure to meet design control requirements — all areas governed by the standards covered in this guide.

I’ve worked in quality systems that span heavy industrial, energy, and manufacturing environments — and the pattern I’ve seen across every sector is the same: organizations that struggle with audits are usually managing compliance requirements in silos. In the medical device world, that problem is amplified because the regulatory framework is both more complex and less forgiving than most industrial standards. Getting the structure right before your first audit is not optional — it’s the difference between certification and a warning letter.

Before you map your compliance requirements, download the ISO 13485 Gap Assessment Checklist — it walks you through every clause so you can identify exactly where your QMS falls short before an auditor does → ISO 13485 Gap Assessment Checklist

In This Guide:

  • The core standards every medical device manufacturer must know
  • How ISO 13485, ISO 14971, and FDA regulations interact
  • US vs. EU regulatory requirements compared
  • Supplier control and special process standards
  • Decision-stage guidance: what to prioritize based on where you are in the compliance process


The Core Standard: ISO 13485:2016

A visual breakdown of ISO 13485:2016 requirements and how they differ from ISO 9001 for medical device manufacturers.

ISO 13485:2016 is the international standard for quality management systems specific to medical device manufacturers and their supply chains. It is the foundation of medical device compliance worldwide.

ISO 13485 is not simply ISO 9001 with medical device language added. The two standards share structural similarities through the harmonized high-level clause structure, but ISO 13485 imposes stricter requirements in several critical areas ISO 9001 leaves to organizational discretion:

Requirement Area | ISO 9001:2015 | ISO 13485:2016
Risk management | Risk-based thinking (general) | Formal risk management required (links to ISO 14971)
Design controls | Required | More prescriptive — validation, verification, design transfer
CAPA | Required | More detailed — specific investigation and effectiveness checks
Regulatory requirements | Not addressed | Explicitly required — must identify and meet applicable regs
Sterile product controls | Not addressed | Specific controls for sterile devices
Supplier controls | Required | More stringent — supplier qualification and monitoring
Document and record retention | Not specified | Specific retention periods tied to device lifetime

If you are ISO 9001 certified and entering the medical device market, you are not starting from scratch — but you are adding significant requirements. The gap is larger than most manufacturers expect.

If you need the standard itself, ISO 13485:2016 is available through the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026.

Most common finding: Inadequate document control — specifically, failure to control the review and approval of documents and maintain records of changes. ISO 13485 Clause 4.2 is one of the most frequently cited areas in FDA 483 observations.


Risk Management: ISO 14971:2019

ISO 14971 is the international standard for risk management applied to medical devices. It is not optional if you are manufacturing medical devices — ISO 13485 explicitly requires you to apply risk management throughout the product lifecycle, and ISO 14971 is the recognized method for doing it.

ISO 14971:2019 defines the process for:

  • Identifying hazards associated with a medical device
  • Estimating and evaluating associated risks
  • Controlling those risks
  • Monitoring the effectiveness of controls

The relationship between ISO 13485 and ISO 14971 is not optional. ISO 13485 Clause 7.1 requires organizations to establish risk management requirements for product realization. ISO 14971 is the standard that defines what “proper” risk management looks like. Auditors will look for evidence that your risk management file connects directly to your design controls, production processes, and post-market surveillance activities.

ISO 14971 vs. ISO 13485 — understanding how they interact is one of the most common questions from manufacturers building a QMS for the first time.

If your risk management files exist independently of your design control documentation — that is an audit finding waiting to happen. Most teams miss the linkage between hazard identification in the risk management file and the verification/validation activities in the design history file.

Run your gap assessment before you go further — most QMS gaps in medical device companies trace back to missing connections between ISO 14971 risk files and ISO 13485 design controls: ISO 13485 Gap Assessment Checklist


US Regulatory Requirements: FDA QMSR and 21 CFR Part 820

US medical device manufacturers operate under FDA jurisdiction. The Quality Management System Regulation (QMSR), which took effect February 2, 2026, replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820.

The QMSR represents a significant shift: it incorporates ISO 13485:2016 by reference as the baseline for device QMS requirements. This means FDA-regulated manufacturers who are ISO 13485 certified are closer to QMSR compliance than they were under the old QSR — but important differences remain.

Area | ISO 13485:2016 | FDA QMSR (2026)
Scope | International | US market devices only
Complaints | Required | Required + specific MDR reporting timelines
Corrections and removals | Addressed in CAPA | Specific FDA reporting requirements (21 CFR Part 806)
UDI | Not addressed | Required for most device classes
Electronic records | Not specified | 21 CFR Part 11 compliance required
Third-party audits | Required for ISO 13485 certification | FDA inspections — not third-party certification

Understanding the relationship between FDA QSR and ISO 13485 is essential for US manufacturers — the two frameworks are now more aligned than before, but they are not identical.

If you are selling devices in the US market, FDA QMSR compliance is a legal requirement, not a voluntary certification. ISO 13485 certification does not satisfy FDA obligations — it demonstrates QMS capability but does not substitute for an FDA inspection.

A side-by-side comparison of US FDA QMSR and EU MDR pathways showing how medical device compliance differs across global markets.

EU Requirements: MDR and CE Marking

Selling medical devices in the European Union requires CE marking under the EU Medical Device Regulation (MDR 2017/745), which replaced the Medical Device Directive (MDD) and came into full effect in 2021. The transition deadline for legacy MDD-certified devices has been extended but enforcement has tightened significantly.

Key MDR requirements relevant to QMS:

MDR Requirement | Connection to ISO 13485
Technical documentation | Design history file / DHF requirements
Clinical evaluation | Post-market clinical follow-up (PMCF)
Unique Device Identification (UDI) | Traceability requirements
Post-market surveillance (PMS) | Customer feedback and complaint monitoring
Notified Body audit | ISO 13485 certification is typically required
Person Responsible for Regulatory Compliance (PRRC) | Management responsibility — ISO 13485 Clause 5

The MDR is more prescriptive than ISO 13485 in clinical evidence requirements. If you are exporting to the EU, your clinical evaluation report and post-market surveillance plan must meet MDR requirements that go beyond what ISO 13485 explicitly requires.

If you are selling in both the US and EU markets, you are managing two regulatory frameworks simultaneously. This is where a well-structured ISO 13485 QMS becomes particularly valuable — it provides the common foundation that both frameworks build on.


Supplier Controls and Special Process Standards

ISO 13485 Clause 7.4 imposes stricter supplier control requirements than most manufacturers new to the medical device space expect. You are not simply verifying that a supplier has a quality system — you are responsible for ensuring that purchased products and services meet specified requirements and that critical suppliers are evaluated, approved, and monitored.

For medical device manufacturers, supplier controls must address:

  • Supplier qualification — documented criteria for evaluation and approval
  • Incoming inspection — defined acceptance criteria for purchased product
  • Critical supplier monitoring — ongoing performance data, not just initial qualification
  • Supplier audits — for high-risk or critical component suppliers
  • Flow-down requirements — pushing your quality requirements into the supply chain

Special processes — sterilization, biocompatibility testing, coating, welding on implantable components — require additional validation documentation. The relevant standards include:

Process | Standard Reference
Sterilization (EO, radiation, steam) | ISO 11135, ISO 11137, ISO 17665
Biocompatibility | ISO 10993 series
Packaging validation | ASTM F2132, ISO 11607
Software validation | IEC 62304
Electrical safety | IEC 60601 series

These are not optional for manufacturers of the relevant device types. If your device is sterilized, you need sterilization validation documentation. If it contacts patient tissue, you need biocompatibility data. Gaps in special process validation are among the most serious findings an FDA inspector or Notified Body auditor can cite.


Design Controls and Validation Standards

A visual guide to the ISO 13485 design controls process and how design inputs become validated, production-ready medical devices.

Design controls are where ISO 13485 certification and FDA compliance intersect most directly. ISO 13485 Clause 7.3 requires a structured design and development process covering:

  • Design and development planning
  • Design inputs (requirements)
  • Design outputs (specifications)
  • Design review at defined stages
  • Design verification (does it meet inputs?)
  • Design validation (does it meet user needs?)
  • Design transfer (can it be manufactured consistently?)
  • Design changes (controlled and documented)

The design history file (DHF) is the physical record of this entire process. It is the first thing an FDA inspector or Notified Body auditor will request. Manufacturers who build their DHF as a collection of unconnected documents — rather than as a traceable record linking inputs to outputs to verification to validation — create significant risk for themselves.

If you are new to building a medical device QMS and need a structured path through these requirements, the ISO 13485 Implementation Roadmap on The Standards Navigator covers the full sequence from gap assessment through certification.

BSI Group offers ISO 13485 training covering both requirements understanding and implementation — useful for teams building their first medical device QMS or transitioning from a general ISO 9001 system.


Labeling and Traceability Standards

Labeling compliance is a specific, frequently cited area in FDA 483 observations. Under both FDA QMSR and MDR requirements, device labeling must meet defined content and format requirements — and the label must be controlled as a quality record.

Key labeling standards and requirements:

  • ISO 15223-1 — symbols used in medical device labeling (required for EU MDR compliance)
  • 21 CFR Part 801 — FDA labeling requirements for US devices
  • UDI requirements — FDA requires Unique Device Identification on most device labels, with submission to the GUDID database

Traceability connects directly to your CAPA and complaint handling processes. If a complaint involves a specific lot or device unit, your traceability records must be sufficient to identify affected products, investigate the root cause, and determine corrective action scope. ISO 13485 Clause 7.5.9 addresses traceability explicitly — and auditors will test it.


How the Standards Work Together

A visual framework showing how ISO 13485, FDA QMSR, EU MDR, and supporting standards connect into an integrated medical device compliance system.

The most important thing to understand about medical device compliance is that these standards are not independent — they form an integrated system. Here is how they connect:

Standard | Role in the System
ISO 13485:2016 | QMS framework — the backbone that everything else connects to
ISO 14971:2019 | Risk management process — required by ISO 13485, referenced throughout
FDA QMSR | US regulatory layer — builds on ISO 13485, adds FDA-specific requirements
EU MDR | EU regulatory layer — requires ISO 13485 certification via Notified Body
IEC 62304 | Software lifecycle — required if your device includes software
ISO 10993 | Biocompatibility — required for patient-contacting devices
ISO 15223 | Labeling symbols — required for EU MDR labeling compliance

A manufacturer who has ISO 13485 certification, a complete ISO 14971 risk management file, and solid FDA QMSR documentation has built the framework that all additional standards layer onto. The common mistake is treating each standard as a separate compliance project rather than building the integrated system first.

If you are deciding between prioritizing FDA QMSR or ISO 13485 certification first: in most cases, building to ISO 13485 gives you the QMS foundation that both US and EU regulatory compliance require. The ISO 13485 Documentation Requirements article covers what your QMS documentation set must include.


Quick Compliance Checklist

Use this as a starting reference — not a substitute for a clause-by-clause gap assessment.

✅ ISO 13485:2016 obtained and QMS scope defined
✅ Risk management procedure in place referencing ISO 14971
✅ Design controls documented — inputs, outputs, verification, validation, transfer
✅ CAPA process established with effectiveness verification
✅ Supplier qualification and monitoring program documented
✅ Document and record control procedures in place with defined retention periods
✅ Internal audit program scheduled and resourced
✅ Management review process defined and conducted
✅ Complaint handling and MDR/vigilance reporting process established
✅ UDI requirements evaluated and implemented where applicable
✅ Applicable special process validations identified and documented
✅ Labeling reviewed against ISO 15223 (EU) and 21 CFR Part 801 (US)

⚠️ If you cannot check most of these — complete a formal gap assessment before committing to a certification timeline.


FAQ

Is ISO 13485 certification required to sell medical devices?

ISO 13485 certification is not legally required by US law — the FDA requires QMSR compliance, not ISO 13485 certification specifically. However, ISO 13485 certification is required to sell devices in the EU under MDR, and it is increasingly required by OEM customers and contract manufacturers as a condition of doing business. Most manufacturers targeting both markets pursue certification.

How is ISO 13485 different from ISO 9001?

ISO 13485 is a sector-specific standard derived from ISO 9001 but with significantly stricter requirements in risk management, design controls, CAPA, supplier controls, and regulatory compliance. It does not include the continual improvement emphasis that ISO 9001 requires — instead it focuses on consistent compliance with regulatory requirements. A detailed comparison is covered here.

Do I need ISO 14971 if I am ISO 13485 certified?

Yes. ISO 13485 explicitly requires risk management throughout the product lifecycle and references ISO 14971 as the applicable method. You are not ISO 13485 compliant if your risk management process does not meet ISO 14971 requirements. The two standards work together — you cannot separate them.

What is the FDA QMSR and how is it different from the old QSR?

The Quality Management System Regulation (QMSR) took effect February 2, 2026 and replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference, making it more aligned with the international standard. Key differences remain around FDA-specific reporting requirements, UDI obligations, and 21 CFR Part 11 electronic records requirements. A full breakdown of FDA QSR vs ISO 13485 is here.

How long does it take to get ISO 13485 certified?

For a manufacturer building a QMS from scratch, 12–18 months is a realistic timeline. Organizations with an existing ISO 9001 QMS can often close the gap in 6–12 months, depending on how many medical device-specific requirements need to be added. The ISO 13485 Implementation Roadmap covers the full timeline in detail.

What is a Notified Body and do I need one?

A Notified Body is an organization designated by EU member states to assess conformity of medical devices under the MDR. If you are seeking CE marking for Class IIa, IIb, or Class III devices, you must engage a Notified Body — they conduct the audits that verify ISO 13485 compliance and technical documentation. BSI Group is one of the major Notified Bodies offering both training and certification services.

What are the most common ISO 13485 audit findings?

The most frequently cited areas include: inadequate document and record control (Clause 4.2), incomplete CAPA processes with missing effectiveness verification (Clause 8.5.2), insufficient supplier qualification documentation (Clause 7.4), and gaps in design control records — particularly missing design verification and validation evidence (Clause 7.3). Common mistakes in ISO 13485 QMS implementation covers these in detail.

Do my suppliers need to be ISO 13485 certified?

Not necessarily — but you are responsible for ensuring purchased product meets specifications regardless. Whether a supplier needs ISO 13485 certification depends on their criticality and what they supply. Critical component suppliers and contract manufacturers of finished devices are typically expected to be certified. Commodity suppliers may only require documented incoming inspection.


📥 Free Resources

ISO 13485 Gap Assessment Checklist — free checklist for medical device manufacturers assessing their QMS against ISO 13485 requirements

ISO 9001 Roadmap — step-by-step implementation guide for manufacturers building or improving a quality management system

Manufacturing Compliance Checklist — practical compliance reference covering key ISO, OSHA, and quality requirements for production environments

Supplier Quality Checklist — evaluation tool for assessing supplier quality controls and flow-down compliance before audits or new contracts

AS9100 Rev D Gap Assessment Checklist — 74-item clause-by-clause checklist for aerospace suppliers assessing their QMS before certification


Not Sure What to Do Next?

🔹 Still researching your compliance requirements? Start with a gap assessment against ISO 13485 before you invest in implementation. Download the free ISO 13485 Gap Assessment Checklist — it maps every clause so you know exactly where you stand.

🔹 Ready to build your QMS? ISO 13485 training through BSI Group covers requirements, implementation, and internal auditor training — the right sequence for a team building their first medical device QMS.

🔹 Need the standard itself? Buy ISO 13485:2016 through the ANSI Webstore — use code CC2026 for 5% off through December 31, 2026. International buyers can purchase in multiple languages.


Medical device compliance is not a single standard — it is a framework of interconnected requirements that must be built and maintained as a system. Understanding how ISO 13485, ISO 14971, FDA QMSR, and EU MDR relate to each other is the first step toward building a QMS that holds up under audit. The Standards Navigator covers each of these standards in depth — start with the resources above and build from there.


Stay Current on Medical Device Compliance

Regulatory changes in the medical device space don’t slow down. FDA QMSR took effect in 2026. EU MDR enforcement is intensifying. ISO 14971 continues to be misapplied by manufacturers who treat risk management as a documentation exercise rather than an integrated process.

Organizations that keep pace with these changes have one thing in common — they’re not waiting for an audit finding to tell them something changed. The ones that struggle are managing compliance reactively, updating their QMS only when a customer or inspector forces the issue.

The Standards Navigator covers ISO 13485, ISO 14971, FDA regulatory requirements, and the full medical device compliance framework — from standard purchase through certification and ongoing surveillance.


The Standards Navigator — Industrial Compliance. Clearly Explained.