Last week we saw publication of the new MDCG guidance on the authorised representative under the MDR and the IVDR, MDCG 2022-16. My first impression: much about the ‘what’ and not so much about the ‘how’, resulting in a guidance that, in typical MDCG fashion, repeats a lot of the law back at you without providing a lot of additional actual guidance that fills in the blanks. Nevertheless, there is certainly some interesting content in the document.

More in general my impression is that the document is intended to reinforce the function that the competent authorities see for the AR in market surveillance, and it is intended to hammer home the message to the ARs in the field that they have to up their game because being an AR really means something in the overal scheme of device compliance.

The focus of policy still seems to be very much on the external, independent ARs because there is almost no mentioning at all of internal ARs in the guidance document.

Three months Dutch competent authority AR inspection programme

The publication concurs with the kick-off of competent authority market surveillance activities directed to the AR starting immediately: the Netherlands’ Healthcare Inspectorate has used the occasion to kick off a three-month review program under which they will inspect as many ARs as they can in the Netherlands according to a published set of inspection criteria. The Dutch Healthcare Inspectorate does exhibit awareness of the differences between external and internal ARs in the explanatory text of the inspection criteria, although there is no differentiation between them in the inspection criteria.

So if you are an internal or external AR in the Netherlands, better get organised on the triple double and make sure that the coffee is hot and fresh when the Healthcare Inspectorate shows up to inspect your records. Best to prepare by making your own internal assessment of whether you consistently meet the criteria that they have announced to use as a basis for the inspection.

Mandate of the AR

There is only one statement on the internal AR in the guidance document and that is in relation to the internal AR, to the effect that

“A mandate should be drawn up irrespective of whether the authorised representative is independent/outside of, or is part of the same larger organization as the manufacturer.”

MDCG 2022-16, p. 3

Since the written mandate must agreed between parties according to the guidance, this solves the question whether a mandate can be given by means of a procedure in the QMS: no. If you want to stay as close as possible, implement it by means of a quality agreement. In any event the agreement, be it an intra-group (adherence) agreement or a quality agreement or something else, it should meet the minimum requirements in article 11 (3) MDR/IVDR.

There are some words on how the importer should verify that an AR has been designated. The MDCG offers some possiblities there, none of which are remotely practical or cost-efficient at any scale, such as contact the manufacturer or AR to confirm that a designation has taken place. The guidance is not clear on the extent of the check, because it mentions as alternative options a check on the label as verification or a check in Eudamed. Neither of these may be sufficient to establish compliance at face value, because the label may not reflect the actual situation anymore (mandate may have been terminated in the mean time and unfortunately Eudamed is already often not updated (timely) for roles and responsibilities).

Obligations of the AR

The guidance document includes some useful language on some obligations of the AR.

For example, it is expected that the AR actively checks that the conformity assessment procedure for devices in scope of the mandate is appropriate for the devices in question. From this the MDCG infers that

“If the authorised representative considers or has reason to believe that the conformity assessment procedure is not appropriate for the device in question, they may inform the manufacturer.”

MDCG 2022-16, p. 5

Since this ties directly into compliance under article 10 MDR/IVDR, this is an important part of AR due diligence. Manufacturers can expect ARs to become a lot more critical on items that they were previously not concerned with, such as classification (since this drives the available conformity assessment procedure).

The guidance further specifies in a small list what documentation the AR must be able to produce in order to meet the requirement in article 11 (3) (d) MDR/IVDR to

“provide that competent authority with all the information and
documentation necessary to demonstrate the conformity of a device”

MDCG 2022-16, p. 6

Unfortunately and unhelpfully the list provided in the guidance is not an exhaustive list, which does not help a lot for legal certainty on this point.

There is also some guidance on what ‘permanently available’ (article 10 (8) last para MDR and IVDR) means in terms of manufacturer documentation to be available to the AR so he can make it available to the competent authority if needed. It is important to keep in mind that the legal obligation of having the documentation available is on the manufacturer. The guidance clarifies this as that

“‘Permanently available’ in this context means it will be mandatory for the manufacturer to provide the authorised representatives with the requisite documentation, in their most recent versions and for certificates this includes amendments or supplements, either in hard or electronic copy. In practical terms having ‘permanent access’ to such documents, should imply constant availability via electronic or physical storage, either shared or otherwise.”

MDCG 2022-16, p. 5

ARs should be wary to still have the option to copy a final version of (elements of) the documentation in case the mandate ends or the device is removed from the market because they themselves have to have the documentation available for much longer still (see Annex IX, sections 7 and 8 MDR/IVDR).

The MDCG guidance does not clarify the obligations of the AR PRRC (“responsible for regulatory compliance”, see article 15 (6) MDR/IVDR), although this would have been much welcomed. We will have to wait for the revision of the MDCG guidance on PRRCs for this.

Liability of the AR

The joint and several product liaiblity of the AR introduced under article 11 (5) the MDR and IVDR remains problematic and this new guidance does nothing to help this, although it does try to shed some light on what the MDCG thinks that the EU legislator intended with this clause.

The element ‘on the same basis as’ the manufacturer (“the authorised representative shall be legally liable for defective devices on the same basis as”) remains unclear. The MDCG explains it as that this

“means that when the liability of the authorised representative is alleged within the framework of a specific legal regime on liability for defective products, the authorised representative is afforded the same rights to
defend itself as the manufacturer under that regime.”

MDCG 2022-16, p. 8

However, in my view that MDCG mixes up basis for liability and rights of defence against that liability, which proves problematic when the basis is the ‘same’ between the manufacturer and the AR. I will illustrate with an example: under the Product Liability Directive (PLD) the producer, when he held laible for damage caused by a defective product, has the defense that he did not put the product in circulation. If the AR is afforded ‘the same rights to defend himself as the manufacturer under that regime’ (as the MDCG puts it), the AR would always be able to defend himself by arguing that he did not put the product in circulation (except maybe if he doubles as importer, which is a good reason not to do this as AR). It would be more logical that the AR is not liable if the producer is not liable (for example because he successfully relies on a defense available under the PLD), but that is not how the MDCG chooses to clarify the provision in the MDR and IVDR.

However, this discussion and the MDCG guidance on this point will be largely superseded by the new PLD, which provides for a direct no fault liability for the AR, affording the AR his own direct defenses under the PLD.

Market surveillance

The market surveillance role of the AR becomes quite apparent where the MDCG document suggests that

“In the event of a problematic termination (e.g. where the manufacturer fails or refuses to address a non-compliance identified, or is either not responsive to or traceable by the authorised representative), the out-going authorised representative is also advised to inform the competent authorities and where applicable, the notified body, of the extent of the manufacturer’s non-compliance.” (Emphasis added)

MDCG 2022-16, p. 8

This is a step further than the legal requirement in my view, because that stops at ‘reasons’ for termination, which does not necessarily equal ‘extent of non-compliance of the manufacturer’. I think the MDCG may not (or may, who knows) have realised that this volunteering of detailed smoking guns beyond their strict legal duty would probably put ARs in a difficult position under the contract with the manufacturer. As an AR is would make more sense in these circumstances to stick to ‘reasons’ and have the competent authority take the decision whether they see a need to order production of more information. In that case the additional would normally fall outside the scope of any duty of confidentiality because there is a formal investigation request for the information.

More details in the book

Much more details on the authorised representative are available in my book The Enriched MDR and IVDR, of which the second edition was recently published. While MDCG 2022-16 unfortunately came out after the text was closed, you will still find a lot of useful additional detail on the AR in it that is additional to MDCG 2022-16. The book also discusses AR obligations in context in detail.

Outlook for the AR mandate

Is MDCG 2022-16 the guidance to end all guidance on the AR mandate and obligations? By no means. It is quite clear that the compentent authorities are still finetuning their policies on what role they see exactly for the AR in market surveillance, a process that started with the list of expectations in MEDDEV 2.5/10. Also, authorities will learn from what they will come across in their market surveillance activities and calibrate policies further. So were are definitely not there yet. In the mean time companies and ARs can use this guidance to be as rational as they can be in implementation of requirements and see this as a step in a developing story.