The field of medical devices has developed rapidly in recent years. The Medical Device Regulation (2017/745), which replaced the Medical Device Directive (93/42), represents an important step towards a stricter and more uniform system, with a stronger focus on patient safety. There is now greater emphasis on continuous monitoring, traceability and compliance with post market obligations once a medical device has been put into use.
This tightening of the rules is not without reason. A well known example is the so called PIP case. In that case, breast implants were manufactured for years using non approved industrial silicone, despite having obtained a CE marking. At the same time, patients were left with little recourse after the manufacturer went bankrupt.
Incidents of this kind underline the need for stricter requirements on control, traceability and supervision, as now reflected in the MDR.[1]
On 16 December 2025, the European Commission presented a legislative proposal to further improve the MDR system. In this blog, we discuss the proposal insofar as it is relevant to the ICTRecht practice.
Purpose of the Medical Device Regulation
To make medical devices safer and more traceable, certification procedures have been introduced through national supervisory authorities. The emphasis is on a risk based approach to medical devices. The higher the potential risk to the patient, the stricter the conditions for placing the device on the market and putting it into use.
In addition to safety requirements, information systems have been developed to inform stakeholders about medical devices. The so called UDI system ensures that every economic operator, such as manufacturers and distributors, as well as each medical device or component, can be identified by anyone seeking that information. It is therefore quickly clear which party is responsible for which part of a medical device.
From 28 May 2026, all this information will be publicly accessible through the registration obligation in the European Database on Medical Devices (EUDAMED). This marks a major step towards greater transparency and traceability of medical devices.[2]
Criticism of the MDR
Despite these ambitions, the market and academic literature have criticised the MDR system.[3] It has been described as overly complex, with high administrative burdens and rules that are sometimes unclear or ambiguous. The Medical Device Coordination Group (MDCG) has sought to provide guidance on how to interpret certain rules, but this has not always met the needs of specific situations in practice.[4]
European Commission proposal
The criticism has not fallen on deaf ears. The European Commission acknowledges that the MDR system needs improvement and has therefore presented a legislative proposal. The proposal aims to remove unnecessary barriers and stimulate innovation. It marks a first step towards amending the MDR. Various institutions within the European legislative process still need to assess the proposal. A final decision is not expected before 2028.[5] Nevertheless, it is useful to understand the direction in which the European Commission intends to take the MDR.
In this blog, we briefly discuss a number of key proposals insofar as they are relevant to the ICTRecht legal practice. We address risk classification, in house development of medical devices, the position of smaller manufacturers, certification, clinical evidence and post market obligations.
The increasing use of artificial intelligence in medical software is an important topic but falls outside the scope of this blog. We will address this in more detail in a future contribution.
1. Risk classification
Medical devices are classified according to a risk based system. The risk categories increase progressively: class I, IIa, IIb and III. Class I represents low risk, while class III represents high risk to the patient. In general terms, the lower the classification, the lighter the procedure and external supervision. For example, class I medical devices do not require a procedure with a notified body, and the developer may perform a self assessment before placing the device on the market.[6]
The risk classification of software is assessed on the basis of rule 11, as set out in MDCG guidance.[7] This rule places the majority of medical software in class IIa, with class I designated as a residual category. Market participants face uncertainty about which category applies, because class I is currently not further defined.
If a medical device is classified as class IIa, software manufacturers almost always need to undergo an external certification process via a notified body. Notified bodies are independent organisations that assess whether a device meets legal requirements before it can be placed on the market. If a medical device falls within class I, a self assessment by the software manufacturer is sufficient.[8]
The proposed revised wording of rule 11 reads as follows:
‘Software which is intended to generate an output that confers a clinical benefit and is used for diagnosis, treatment, prevention, monitoring, prediction, prognosis, compensation or alleviation of a disease or condition is classified as class I, unless the output is intended for a disease or condition: in a critical situation with a risk of causing death or an irreversible deterioration of a person's state of health, in which case it is classified as class III; in a serious situation with a risk of causing a serious deterioration’.
Risk classification requires an in depth analysis of the medical software. We will not go through the full analysis here, but by way of illustration we highlight the distinction between class I and class IIa medical devices.
Under the proposal, medical software that displays blood pressure trends without medical interpretation is generally a class I medical device. By contrast, monitoring software for a life threatening condition without treatment advice would, in our view, fall within class IIa. This is because the risk associated with errors in the context of a life threatening condition is generally higher than that of a blood pressure monitor.
Greater clarity on class I medical devices shortens procedures and improves predictability, while maintaining stricter supervision for higher risk software.
2. In house development
The MDR allows healthcare providers to develop and use medical devices in house within their own organisation. This applies to devices that are not used commercially, are deployed on a limited scale, and for which no comparable CE marked device is available on the market. This enables healthcare providers to develop bespoke software tailored to their organisation. Many of the healthcare providers we work with make use of this option.
With the proposed amendment, the European Commission seeks to actively support in house development, provided it does not displace existing devices already available on the market. The proposal includes a relaxation of the restriction on transferring developed devices. This would allow in house developed devices to be used more frequently by other legal entities.[9] Other organisations could then benefit from smart software developments without having to reinvent the wheel.
3. Small and medium sized enterprises
Approximately 90 percent of medical devices are developed by small and medium sized enterprises (SMEs).[10] SMEs do not always have sufficient capital or in house expertise to navigate MDR procedures.
The European Commission proposes that notified body fees should be transparent in advance, allowing SMEs to better estimate the costs of an MDR trajectory. To reduce costs further, the Commission also proposes that notified bodies offer their services in standardised cost packages.
4. Validity of certification
Certificates are currently valid for a maximum of five years, which can lead to unnecessary recertification procedures. The proposal removes the five year limitation and introduces the principle that certificates are valid indefinitely, unless special circumstances apply and the competent authorities objectively deem intervention necessary. While it is not yet fully clear when this will be the case, organisations would no longer need to undergo the standard five yearly cycle as a matter of course.
5. Clinical evidence
To place a medical device on the market, a software manufacturer must demonstrate that the device performs its intended function and can be used safely. This evidence must be collected, substantiated and archived by the manufacturer. Where clinical evidence cannot be provided, other robust, documented evidence may be used instead, so called non clinical data. Non clinical evidence means that the device has not been tested directly on humans, but is based on literature, calculations and models.
The legislative proposal emphasises the scope for software manufacturers to base safe usability on non clinical evidence.[11] This broader approach requires care from the market and notified bodies, and clear guidance from the MDCG. Patient safety remains the core objective of the MDR.
The European Commission also seeks to accommodate innovation and established technologies, referred to as well established technologies (WETs). These are products with a longer market history and known risk profiles. As their safety and performance have already been demonstrated, WETs are partially exempt from the obligation to conduct clinical investigations. In our view, this is a sensible development. Barriers should not be raised where they serve no purpose.
6. Post market obligations
Once a medical device has been placed on the market, parties are required to continuously collect and analyse data throughout its lifecycle to ensure safety, performance and conformity. This is known as post market surveillance. The European Commission does not undermine this phase. Competent authorities are, however, granted some discretion to impose notification obligations.
Not every post market observation needs to be reported by market participants. The focus is on ensuring that the software manufacturer gathers evidence that the device remains state of the art. Serious incidents must still be reported to the competent authorities. The proposal clarifies that non serious incidents only need to be reported where a trend becomes apparent.[12]
Conclusion
The safety, transparency and traceability of medical devices rightly rank high on the European agenda. The strict design of the MDR is understandable given the risks medical devices may pose to patients. At the same time, practice has shown that the system can also lead to market stagnation, driven by high costs, complex procedures and unnecessary delays.
With the proposed amendments, the European Commission is seeking a better balance between strict supervision and workable rules.
We are happy to support manufacturers and in house developers of medical software and devices in this process. We can help provide clarity in this complex area, guide implementation trajectories and assist your organisation in placing MDR compliant medical devices on the market.
