Supply chain and economic operator regulation under the MDR and IVDR

CE Call Erik

Credits: Bassil Akra of TÜV SÜD

One of the interesting features of the new MDR and IVDR is the new chapter on economic operators (chapter II), which implements a completely new (to the medical devices industry at least) regime of supply chain regulation and related aspects.

The new supply chain regime was on the horizon for a long time because it was conceived in 2008 and has in the mean time been implemented for a number of product groups covered by EU legislation. It has now, totally expectedly, found its way to the devices sector via de MDR and IVDR.

A presentation about supply chain under MDR/IVDR

I presented about this at the RAPS Regulatory Convergence:

I find that many companies have difficulties in understanding this framework and do not realize that becoming compliant under the MDR and IVDR requires a close look at the supply chain leading into the EU, and identification of each entity up to the end user as one of the economic operators regulated under the regulations: the MAID (Manufacturer, Authorised Representative, Importer and Distributor).

We are used to the manufacturer having regulatory responsibility under the directives, but it’s new that the importer and distributor suddenly have important obligations in the supply chain and that the role of the authorised representative has changed a lot.

Economic operators 2017 RAPS Convergence


As you can see in the embedded presentation above and the slide below at the RAPS Convergence above importers and distributors now have their own responsibilities with respect to PMS and vigilance and in verification of compliance of the devices that they import/distribute.

Economic operators 2017 RAPS Convergence

Given these overlapping responsibilities it becomes more important than ever to organise your supply chain contractually in a way as to avoid surprises, e.g. because a distributor decides to issue a local recall for a not so profitable product that will be visible for every authority in the EU via Eudamed and may spin off into something of epic proportions.

Information sharing with(in) your supply chain becomes key, as well as division of responsibilities. I am pretty sure that your contracts can be improved because so far I have not seen any that are up to standards.

Regulatory is from Venus, tax is from Alpha Centauri and third party importer anyone?

These responsibilities and who has them should be part of your gap assessment for the MDR and IVDR. Companies organise their supply chain currently mainly based on tax considerations, but now they will need to add MDR/IVDR supply chain regulation considerations. It means making your regulatory department talk to your tax lawyers/accountants.

From my own experience these groups often find the other group’s work a form of esoteric voodoo because they use completely different definitions of the respective economic actors. The MDR/IVDR contain definitions for the MAID (which are described in a lot of detail in the bible of CE marking the Blue Guide) so it may take some time before your regulatory department has your MDR/IVDR supply chain regulatory ideas aligned with your tax planning, and you find out in the process that an importer for tax law purposes is not necessarily the same entity as the importer for MDR/IVDR purposes.

For example, many companies outsource warehousing in the EU to external parties, which often provide additional services like final labeling. That may make that external party an importer in the meaning of the MDR/IVDR, with all the regulatory obligations. That will likely lead to the third party asking you for more money for what they do, and you suddenly have a regulated external party in your supply chain that must refuse to import your devices if it comes to the conclusion that they may not be compliant.

Subsidiaries that must rat you out and run away

There are major problems with authorised representatives because the MDR/IVDR messes with corporate governance if you have your own AR in the EU, most often a company subsidiary. The MDR/IVDR make the AR into a sort of competent authority mole in your organization. It must monitor the manufacturer, admonish in case of non-compliance, report the manufacturer to the authorities in case of persistent non-compliance and then run away after terminating the AR agreement. That must be problematic for a subsidiary. Yet, the wise people that wrote the MDR and IVDR did not give this much thought.

Also the MDR and IVDR prescribe a mandatory format for the AR agreement and for a contractual handover regime in case of switch in AR.

Oh, and did you know the AR is product liable now for all of your devices in the EU jointly and severally with the manufacturer? Better not nominate a subsidiary with a lot of assets.


Because of the new distributor obligations you will want to revisit distribution agreements. And if you don’t your distributors will want to because they need to do a lot more to be able to distribute your products, like check compliance etc.

And there is more

With the new economic operator regime come a lot of other additional things that I presented about recently too at the MedTech Summit in Amsterdam, such as new advertising and marketing claims regulation and a new weird Frankenstein product liability regime:


“Immediately is already rather late”

As I sit here at the RAPS Convergence I see the companies that are trying to get their arms around this but most of them are already quite late in starting their work on transition. One of the lines that all the many notified bodies and competent authorities present are repeating over and over is: start now if you haven’t already. The gap is large. The impact enormous. Your EU market is at risk, as I have been saying myself too. One of the best statements I heard from the authorities and notified bodies was: “if you start immediately you are already rather late”.



San Jose CA workshop: Everything You Always Wanted to Know about the EU Medical Devices Regulation, but Were Afraid to Ask

agent-smith-matrix-hear-that-that-is-the-sound-of-inevitabilityIf you have questions about what the MDR will mean for your company and happen to be in San Jose in California on 25 September, consider attending the evening workshop that Factory (the Dutch devices CRO) and I are organizing on Monday, 25 September 2017 from 19:30 to 21:30 (PDT). You may be in San Jose anyway for the Advamed MedTech conference so this is a nice opportunity to get a more detailed perspective on the MDR and IVDR.

As I am writing this I’m at the RAPS Regulatory Convergence conference in Washington DC (another nice opportunity to educate yourself on the EU MDR and IVDR by the way), finding that way too many US companies have no idea what the new EU regulations will mean for their company and how to implement them. And implement them you must because the regulations will not provide for grandfathering. Just not – so not being compliant by 25 May 2020 means (subject to some very limited and inconvenient exceptions) no more placing additional products on the EU market, even if you have been selling into the EU for decades without any incident ever. Timely compliance is a must and while already 1/9 of the transitional period has expired by now, so if you haven’t started by now you are not in a good place. Read up on how to and timelines here.

The workshop will specifically focus on the new clinical evidence requirements but it will give you a great opportunity to ask any other questions that you may have about the new MDR (or IVDR) requirements and how to transition to compliance. It’s exciting for me too  because it’s the first ever US event I’m organising.

Because we need to rent a location we are asking a small nominal contribution to pay for location and snacks/drinks. Space is limited unfortunately and so are the tickets (we have a 100 available so be quick) – purchase yours here.


  • 19:30        Major changes in Clinical Evidence for CE marking: MDR/MEDDEV Rev 4.
  • 20:00        Clinical Evaluation Reports under the new regulations
  • 20:30        Clinical Investigations and Post Market Clinical Follow-up
  • 21:00        How to close the gap towards the MDR: legal and practical perspectives

Hope to see you then and there!

MDR and IVDR transitioning – where are you in your process?

agent-smith-matrix-hear-that-that-is-the-sound-of-inevitabilityI see in practice that some companies are well on their way with implementing the new MDR and IVDR regulations, while a lot of others are not. It will be interesting where everyone will be by the time the transitional period of the MDR ends and then when the IVDR transitional period ends.

This post is intended to address some seemingly quite ingrained misunderstandings about the MDR and IVDR. If you don’t believe me, that’s fine. Double check with your international branch associations, MedTech Europe, COCIR, Advamed – they will tell you the same.

No grandfathering, no extensions

Many companies misunderstand the transitional regime and think that medical devices and IVDs currently on the EU market with a valid CE mark will automatically slide into the new system. This is not the case.

Other companies that understand the transitional system somewhat better and realise that there will be a bottleneck in notified body capacity towards the end of the MDR and IVDR transitional periods. I have heard management of those companies say: ‘the EU cannot afford chaos in the market, they will have to give companies more time’. There is nothing to indicate that the EU is planning that and there is no precedent of the EU doing this.

As I have repeated like a broken record: there will be no grandfathering and you should not count on the EU relaxing the deadlines. I mean, you could but it would be a kind of ‘kamikaze-with-option-of-survival’ business strategy that is difficult to explain to shareholders:

-“What’s your plan again?”

-“Our plan is to – rather than put in the work now that is required for being compliant in time – bet on the EU legislator changing the law against all odds and expectations, and in a way they haven’t done before in the EU. Oh yeah, and we also bet on them changing the law in a way that will actually work for us.”

Sounds very much like a nomination for a corporate Darwin award to me, pardon the cynicism. It’s like juggling burning running chainsaws as a business model.

If your management does not understand this, tell them in these words: the company will not be able to sell products in the EU anymore if you do not get this right in time. Cash flow will collapse, the business will tank, competitors will take your market share, your company may go bankrupt or be acquired by another as the sitting duck that it has become. It will be ugly, it will be costly and the business may not recover. And they could have seen it coming from light years away and you have been told about too. But hey, why worry about this – it’s only the company core business, right?

Start tackling this thing

Deadlines in the mirror of denial are closer than they appear – just remember that I told you to start sooner rather than later. Make a plan and follow through – see here for the presentations at my firm’s seminar on this by the Dutch competent authority IGZ, Qserve and myself.

I will be speaking about this at the RAPS and Advamed conferences in Washington DC and San Jose in September and you can ask me anything you want there, or just contact me before. These are good conferences to go to to get the full picture. But please do not do nothing.

An unsurprising case of software qualification

logo-curiaFirst: my apologies for the collapsed frequency of articles on this blog – I’m very very busy, literally day and night, with questions about any and all aspects of the MDR and the IVDR. The summer is a bit more quiet so you can expect more content again.

Intermezzo on software under MDR and GDPR

While everybody should be beavering away on the implementation of the MDR and IVDR or overcoming their inertia do so ASAP, still some interesting things happen in the mean time. If your company is in software as medical device, there is even more reason to do so because of the MDR changes the classification rules for software as medical device dramatically, expands the scope of the concept of accessory (which enlarges the scope of software regulation) and includes a whole chapter on software design requirements.

And then there is the new General Data Protection Regulation that your software needs to be compliant with by 25 May 2018 – less than a year, that’s right. How long is your company’s software development cycle? See my presentation at the Personal Connected Health Alliance in May this year below for a very brief overview of MDR and GDPR compliance requirements coming your way very fast:

If you have class I software on the market now, and it is up-classified under the new classification rules, you need an MDR certificate from a notified body by 25 May 2020.

New EU court case law on software qualification as a medical device

Back to the topic at hand: this opinion of the AG at the European Court of 28 June may have gone somewhat unnoticed because it’s not available in English yet (and not in German, Swedish and Gaelic either). I linked to the Spanish version because it’s the language in which it was written, but you can toggle the language of the document as preferred on the EU Court’s site.

Decision support software

The Advocate General at the EU Court issued the opinion in the SNITEM case on 28 June, a preliminary reference from the French Conseil d’ Etat (Administrative High Court) about the question whether software that supports physicians with information regarding contra indications, dosis and interactions between medicinal products when prescribing medicinal products for reanimation and anaesthesia.

French additional software certification requirement for prescription support software

France has a rule that requires a national certification of software that is used for support in prescription of medicinal products. SNITEM, the French medical devices branch association, and one of its members, started proceedings against the French state based on the argument that CE marking as a medical device precludes additional national certifications for the same software. The French Administrative High Court decided to check in a preliminary reference if the software concerned really was a medical device, because this was crucial for resolving the dispute. The French government argued that the software was not a medical device because support of prescription of medicines did not constitute support of an intended purpose within the definition of medical device, while SNITEM and the manufacturer of the software (that had CE marked the software as medical device already) argued that it was a medical devices.

As per normal procedure the Advocate General at the EU Courtopines on the matter, after which the Court renders judgment, usually in line with the AG’s opinion. While the AG’s opinion is not the Court’s judgment, it’s a good indication of where that will go. It would be news if the Court would diverge significantly. So let’s see what the AG has to say.

Clearly a medical device

The AG’s reasoning is very straightforward: both for anaesthesia as for intensive care purposes the software has functionality with which prescribers can determine what medicines to prescribe, map possible allergies and calculate the duration of treatment. Given that finding, the AG says it can hardly be denied that the software is specifically intended for diagnostic or therapeutic purposes, as required under the definition of medical device after the change in 2007 by means of Directive 2007/47 (see paras 48 and 49 of the opinion). The AG remarks that it is important in this regard that the software is not used after the physician has already determined the right treatment, but rather is used by the physician to do exactly that (para 52). I would argue that even in the first case the software would still be a medical device if it was intended to provide a double check  on the physician’s decision.

Some discussion of the software MEDDEV

There is a discussion of the modules section of the software MEDDEV, which is less interesting because the discussion is mainly about whether the preliminary request for interpretation to the EU Court concerned all modules of the software or just one. It is however interesting that the AG also refers to the national guidances on qualification of software ‘that all lead to the same conclusion’. That’s a hopeful statement that I do not necessarily share, as I have demonstrated in the past how different these national guidances are. I personally like the MHRA interactive pdf document the best – practical and comprehensive. If the Brexit goes south I’ll miss the MHRA and it’s contributions to guidance and implementation. Oddly the AG does not refer to any of the qualification statements in the Borderline and Classification Manual, which has a software qualification section (chapter 9) in it for some time now.

Not surprising

I would be surprised if the EU Court rules differently from the AG in its judgment – it’s obvious that the software is a medical device. The only reason why the EU court had to be involved in the first place is because of the French government pigheadedly holding on to the position that it was not as best argument for defending a national rule that in my view is clearly pre-empted by the Medical Devices Directive. It’s a demonstration of why we now have a regulation for medical devices: to give member states less room for this kind of stuff. In sum: this case adds but does not add anything surprising to the acquis on qualification of software as a medical device in the EU.

Netherlands to adopt medical devices anti-corruption legislation

il_570xn-1096935598_e8z4As we say in Dutch: the day that you knew that would come is finally here. The legislative proposal to grant the Healthcare Inspectorate (IGZ) IGZ enforcement powers in the field of industry/HCP interactions (the “Wet van 17 mei 2017 tot wijziging van wetgeving op het terrein van de zorg in verband met het invoeren van een wettelijke regeling voor gunstbetoon bij medische hulpmiddelen en enkele bepalingen over transparantie tussen beroepsbeoefenaren en bedrijven op het terrein van geneesmiddelen en medische hulpmiddelen” – yes, we like very long descriptive titles for laws in the Netherlands) that was a long time in the making has finally been finally published. It amends the Act on Medical Devices and the Act on Healthcare Professions.


The aim of the law is twofold:

  • enable similar controls for the IGZ in the field of medical devices as it has regarding  industry/HCP interactions in the field of medicinal products and allow the IGZ to use these controls only in excessive cases where the current self-regulation under the GMH Code does not provide for sufficient control.
  • implement a legal basis for mandatory Sunshine type transparency reporting (which currently happens on a self-regulatory basis under the GMH Code).

A novelty is that contravention of the industry/HCP interactions rules is now subject to criminal enforcement in the Netherlands, and not only for industry but also for the persons accepting unlawful hospitality, i.e. HCPs but also healthcare insurance fund staff and employees of the purchasing department of healthcare institutions.


The scope of the law is not identical to that of the GMH Code. An important difference is that the law defines ‘hospitality’ (gunstbetoon), which the GMH Code deliberately does not do because of its special connotation as relevant to the medicinal products field. This is obviously not ideal, because it provides for a bad interface between the GMH Code and the law. Yet, the explanatory memorandum to the act says that the intention is that the act intends to follow the substantive provisions of the GMH Code. The act seeks to capture that entire scope regarding hospitality in one single short and rather generally worded article addressing:

  • meeting attendance (necessary costs)
  • consultancy (reasonable in relation to the work)
  • gifts (minor value and relevant to the practice)
  • purchase related bonuses / rebates

While the article is very general, there is of course a limitation in its generality and that is none of the preciseness of the GMH Code reflected in the amounts and hourly rates that industry can pay has found its way to the law. That means that the IGZ could theoretically have a completely different idea of what is necessary, reasonable or minor and relevant. It is expected however that the government will publish further policy regarding interpretation by the IGZ, so we will need to see how this will land in the end.


The act will enter into force at a date to be determined by implementing act, which no doubt will take place soon.

Companies already diligently implementing the GMH Code for the Netherlands (likely) will not see any substantive changes (we hope) as a result of this law and companies that do not have some additional compliance implementation work to look forward to.

Final MDR and IVDR texts published

agent-smith-matrix-hear-that-that-is-the-sound-of-inevitabilityAs Agent Smith said: “You hear that Mr. Anderson?… That is the sound of inevitability…”.

Today’s EU Official Journal contains the final final final texts of the MDR (finally numbered as Regulation (EU) 2017/745) and the IVDR (finally numbered as Regulation (EU) 2017/746), downloadable in any language that you could possibly like.

I wish you a pleasant weekend reading them in front of the fireplace with a good glass of wine. I for myself am glad I started with that more than four years ago.

Now is the time, and this is not an exaggeration. If you have not started getting to grips with these new rules, start immediately. You will find it’s  lot of work, especially if you are a small or medium sized company. You will literally need to redo all your technical files, redo all declarations of conformity, redo all clinical evaluations to a higher standard, implement all new definitions in the MDR and IVDR, deal with changes in classification and their consequences for renewed CE marking under the MDR and IVDR (especially in IVDs, software, substance based devices and nanomaterial containing devices!), implement UDI, amend your quality system, amend your vigilance and PMS procedures, implement PMCF where you not doing that already, implement new software design requirements, etc., etc., etc.

Schermafdruk 2017-05-05 13.00.06

And then there is of course the Brexit impact of which nobody even knows yet what it will entail.

Impact in costs/FTEs

This will all come at a cost. Basil Akra from notified body TÜV SÜD posted this simple rough calculation on his LinkedIn profile today:

Costs MDR

If you are not an SME then – well duh – the implementation costs will be a lot higher because more devices, so more FTEs and more costs. Where will we find all these people that we never needed before?

Gap and impact assessment

In order to know what to do specifically for implementation of the new rules you have to find the gaps and assess them for impact. If you are not already doing this, start now. Otherwise you’ll be too late to for example complete any additional clinical studies you might need to do to meet the new burden of clinical data under the MDR and obtain a new CE mark under the new regulations. Especially for IVDs the new IVDR is an enormous step up in requirements for clinical data, clinical performance evaluation and dossier / procedural requirements. And for IVDs there are even less experts available in the market or at your competitors, so catch them while you can.

If you you have no idea where to start, or have an idea but would like to be inspired, I recommend you visit our seminar in Amsterdam this Wednesday (10 May) afternoon, which is only and specifically about transition and implementation.


MDR and IVDR to be published this Friday

agent-smith-matrix-hear-that-that-is-the-sound-of-inevitabilityMark 5 May 2017 in your calendar – this date will be a landmark for EU medical devices law because the MDR and IVDR will be published in the EU Official Journal.

This means that the MDR and IVDR will enter into force on the twentieth day following that of their publication and from that date the transitional periods under the regulations will start.

E-mailAnd the clock will then start ticking officially – if you still are not feeling a sense of urgency about getting ready for their implementation now is a good time to start feeling that urgency.

As I have been repeating like a broken record: not being compliant under the regulations in time equals to no more placing products on the EU market. There-is-no-grandfathering. Every device must be phased into the new system and meet all new requirements that apply to it.

You will be able to download the final texts from the Official Journal website yourself in any of the 24 official EU languages that you like, but I will of course also post them on this blog as well.

You are still welcome to join our timely 10 May seminar in Amsterdam to hear more about the MDR – we expanded capacity and can host a lot more people now. We will follow up with an IVDR specific seminar soon.

%d bloggers like this: