Ensuring Regulatory Compliance: Navigating EU MDR and ISO 13485 for Manufacturers

Ensuring Regulatory Compliance with Regulation 2023/1115: Navigating EU MDR and ISO 13485 for Manufacturers

In today's highly regulated market, manufacturers face stringent requirements to ensure their products are safe, effective, and compliant across different regions. The European Union's Medical Devices Regulation (EU MDR) exemplifies these challenges – it fully replaced the previous directives in May 2021[1], raising the bar for quality and safety. Similar regulatory expectations are emerging globally, from the UK to the US. Complying with such regulations isn't just a legal checkbox; it's a strategic imperative to maintain market access and customer trust. This guide provides a comprehensive overview of what manufacturers need to know about MDR, ISO 13485 quality management, and how leveraging expert support can turn compliance into a competitive advantage.

 

The Evolving Regulatory Landscape

The EU MDR 2017/745 introduced sweeping changes to the regulation of medical and other health-related devices in Europe. Effective 26 May 2021, the MDR replaced the older EU directives, introducing stricter requirements on clinical evidence, risk management, and post-market surveillance to enhance patient safety[2]. Manufacturers must now demonstrate higher standards of quality and oversight throughout a device's lifecycle. The regulation's intent is not only to improve safety, but also to "strengthen the image and value of CE-marked devices" for compliant manufacturers[3], meaning those who meet the new standards can benefit from greater credibility in the market.

Importantly, non-compliance is not an option. Failing to meet MDR obligations can lead to severe consequences such as product certificate withdrawal, market recalls, import bans, or hefty fines[4]. Regulators are empowered to act swiftly against non-compliant products, and publicized enforcement can damage a company's reputation. In short, understanding and adhering to MDR is critical for any manufacturer selling in Europe.

Global context: Even outside the EU, the trend is toward stricter and more harmonized regulations. Other regions are bolstering their requirements or aligning with international standards. For example, the United States FDA has updated its Quality System Regulation to closely harmonize with ISO 13485:2016 (the global standard for medical device quality systems)[5]. This alignment by the FDA underscores that a robust quality management approach is now a worldwide expectation for manufacturers. Whether your company operates in Europe, the UK, the US, or beyond, a proactive compliance strategy will ensure you meet the evolving rules in each market and avoid costly disruptions.

 

Quality Management Systems and ISO 13485

One cornerstone of MDR – and modern regulatory frameworks in general – is the implementation of an effective Quality Management System (QMS). Under Article 10(9) of the MDR, all manufacturers are required to establish and maintain a QMS that covers all aspects of product realization and lifecycle management[6]. Even small manufacturers with Class I products must demonstrate adequate control over design, production, and post-market processes. In practice, this means documenting your procedures, managing risks, controlling suppliers, handling customer feedback, and continually improving your processes to ensure product quality and safety.

The internationally recognized blueprint for such a system is ISO 13485:2016. ISO 13485 is the global standard for quality management in the design and manufacture of medical devices[7]. It outlines specific requirements to help manufacturers consistently produce safe, effective devices that meet both customer and regulatory demands. Adopting ISO 13485 provides a structured framework to comply with rigorous regulations and is often considered "state of the art" for medical device QMS. Aligning your quality system with ISO 13485 greatly facilitates meeting MDR's QMS expectations, since the standard covers key elements such as design controls, risk management, supplier management, and traceability. (Do note that MDR adds some prescriptive requirements on top of ISO 13485[8], so manufacturers should address those gaps – for example, MDR's emphasis on post-market surveillance or the role of a PRRC).

Globally, the importance of ISO 13485 is growing. As mentioned, regulators are converging on this approach: the US FDA's new Quality Management System Regulation (QMSR) explicitly incorporates ISO 13485:2016 requirements, recognizing that an ISO 13485-based system provides a high level of assurance that devices will be consistently safe and effective. Many other jurisdictions – Canada, Australia, Japan, and others – either require ISO 13485 certification or accept it as evidence of a sound QMS. For manufacturers, this means investing in an ISO 13485-compliant QMS is not only vital for EU MDR, but also a smart move for global market acceptance.

 

Key MDR Compliance Requirements

The MDR is comprehensive, detailing many obligations for manufacturers. Here we highlight some of the key requirements and responsibilities you must fulfill under MDR (and similarly stringent regulations). Ensuring you cover these areas will position your company for successful compliance:

- Organizational Requirements:

Establish and maintain an effective Quality Management System encompassing all processes from design through post-market activities (MDR Article 10(9))[9]. This system should be proportional to the device's risk class and must be kept up to date.

In addition, appoint a Person Responsible for Regulatory Compliance (PRRC) (MDR Article 15) – an in-house or outsourced expert with the requisite qualifications – who will oversee and sign off on regulatory compliance tasks[10]. The PRRC is responsible for ensuring that technical documentation and conformity procedures are in order, that post-market surveillance obligations are fulfilled, and that the company generally complies with the MDR. Having a designated regulatory point-person is now mandatory for manufacturers (with slight leeway for micro companies to contract this role externally).

 

- Technical Documentation:

Prepare and maintain detailed technical documentation for each device (as specified in MDR Annex II and III). This documentation is essentially your proof of compliance and must include everything from the device description and intended use to design and manufacturing information, labeling/Instructions for Use (IFU), and evidence of conformity[11].

Key elements include a thorough risk management file, verification and validation data demonstrating that the device meets requirements, a clinical evaluation report, and plans for post-market surveillance and vigilance. All this information needs to be organized in a Technical File (for Class I devices) or Design Dossier (for Class III implants, etc.) and kept readily available for review. Notified Bodies and authorities can request your files at any time[12], so they must be current and complete. In short, documentation is a continuous task, not a one-time effort – as you update your device or gain post-market data, the files should be updated accordingly.

 

- Risk Management and Post-Market Surveillance:

Implement a proactive Risk Management process throughout the product's entire lifecycle, following ISO 14971 (the risk management standard referenced by MDR)[13]. From the initial hazard identification and risk analysis in design through risk control implementation and residual risk evaluation, and extending into post-market use, risk management must be an ongoing process. MDR requires that post-market surveillance (PMS) be an integral part of your QMS. You need a PMS plan for each device, outlining how you will collect and analyze real-world performance data[14]. This could include customer feedback, complaint reports, failure rates, clinical follow-up studies, and other relevant data. The goal is to identify any emerging risks or trends quickly and take action (such as field safety corrective actions) if needed[15]. For higher-risk devices (Class IIa, IIb, and III), MDR further requires Periodic Safety Update Reports (PSURs) — regular summaries of safety and performance, submitted to the authorities. Serious incidents and any field corrective actions must be reported within strict timelines via EUDAMED, the EU's device database. In essence, MDR encourages manufacturers to actively monitor their devices after launch and continuously incorporate lessons learned into risk management and product improvement.

 

- Unique Device Identification (UDI) and Traceability:

The MDR introduced a UDI system to enhance the traceability of devices throughout the supply chain. Manufacturers must assign a unique identifier to each device (comprising a device identifier and production identifier), physically label products and packaging with these UDI codes, and upload related information to the EUDAMED database[16]. This system significantly enhances transparency, allowing for easier tracking of devices in the event of recalls or safety alerts. Compliance with UDI requirements is phased by device class; however, most devices now require UDIs. Proper UDI implementation enhances recall efficiency and helps detect counterfeit or illicit devices on the market – a clear benefit to public health and responsible manufacturers.

 

- Supplier and Economic Operator Controls:

MDR not only focuses on the manufacturer, but also on other economic operators in the device's supply chain – including authorized representatives, importers, distributors, and critical suppliers. As the manufacturer, you are ultimately responsible for ensuring the compliance of your product, even when others perform parts of the work. You must verify that your suppliers and partners (e.g., contract manufacturers, component suppliers) adhere to applicable requirements, and you need formal agreements in place that define each party's responsibilities. Likewise, if you're outside the EU, your EU Authorized Representative has specific obligations, and you should closely oversee importers and distributors to ensure they handle the product correctly (e.g., they must keep proper records and not supply non-compliant devices). MDR has clarified and reinforced these roles[17], making supply chain management a critical component of compliance. Regular audits, quality agreements, and oversight procedures are expected to keep all players aligned with regulatory obligations[18].

 

- Clinical Evidence and Evaluation:

A significant emphasis of the MDR is on clinical evaluation and evidence. Manufacturers must demonstrate through clinical data that their devices are safe and perform as intended, both for initial CE marking and on an ongoing basis. MDR raised the requirements for clinical investigations, especially for higher-risk and novel devices, to ensure robust evidence supports every device on the market[19]. This means you may need to conduct new clinical studies or post-market clinical follow-up (PMCF) to gather sufficient data. Every device (except perhaps the lowest-risk Class I) requires a Clinical Evaluation Report (CER) compiling the clinical evidence, and this must be updated periodically. Monitoring published literature, adverse event databases, and new research is an integral part of this continuous evaluation. In short, strong scientific evidence is now a prerequisite for regulatory approval and continued sale of devices.

 

These are just some of the core areas; MDR also includes requirements on aspects such as labeling (e.g., the need for an implant card for certain implantable devices), stricter oversight of Notified Bodies, transparency through a public database (EUDAMED), and the necessity for ongoing regulatory vigilance within your organization. The key takeaway is that MDR expects manufacturers to build quality and compliance into their entire operations, from product design to production to post-market monitoring. It can be a complex undertaking, but with the right systems and expertise in place, it is achievable and will ultimately raise the standard of your products.

 

Benefits of Proactive Compliance

While meeting all these requirements may seem daunting, it's important to recognize that investing in compliance brings significant benefits to your business. Beyond avoiding penalties, a strong compliance posture can improve your efficiency, reputation, and market opportunities. Here are a few key benefits of being proactive about MDR and quality system compliance:

- Reduced Risk of Recalls and Penalties:

A robust compliance strategy (for example, implementing ISO 13485 across your operations) dramatically lowers the likelihood of costly product recalls or regulatory enforcement actions. Strong quality processes catch issues early and ensure safety, protecting you from defects that could harm patients. This not only safeguards the public but also shields your company from expensive legal consequences. A lower incidence of recalls and field safety notices means a lower risk of liability and far fewer reputational nightmares for your brand. In short, compliance is a key component of effective risk management.

 

- Global Market Access and Growth:

Compliance opens doors. Achieving and maintaining CE marking under the MDR is essential for the EU market (worth over $60 billion by 2025), but it also signals to other markets that your product meets high standards. Many countries align with or accept ISO 13485 and CE-marking principles[20], meaning if you can succeed under MDR, you'll find it easier to obtain approvals elsewhere. Being able to show an ISO 13485 certification and an MDR Declaration of Conformity gives your device instant credibility with regulators worldwide. In practical terms, companies with internationally compliant QMS and documentation face fewer barriers entering new markets, accelerating their global growth[21]. Compliance can thus be a competitive advantage – a selling point that you have the necessary clearances and robust processes that others might lack.

 

- Improved Operational Efficiency and Quality:

Implementing the processes required by standards and regulations often has the side effect of streamlining your operations. For example, ISO 13485 demands defined procedures, training, and document control, which can eliminate inefficiencies and reduce errors in production. Companies that embrace quality management typically see reduced waste, better use of resources, and improved product consistency[22]. Over time, a culture of continuous improvement takes hold, leading to innovation in the design and manufacture of products. In essence, quality becomes part of your company's DNA. This not only helps with compliance audits but also tends to correlate with higher customer satisfaction and lower costs associated with poor quality.

 

- Enhanced Reputation and Customer Trust:

In the eyes of clients, healthcare providers, and end-users, having the proper certifications and regulatory compliance status is a strong trust signal. It shows that an independent authority (a Notified Body, in the EU context) has audited your product and systems. Manufacturers who align with MDR and obtain ISO 13485 certification are perceived as industry leaders committed to safety and excellence. The European Commission has noted that the stricter regulations will ultimately reward compliant companies by "strengthening the image and value" of their CE-marked devices[23]. Likewise, industry analyses report that demonstrating compliance builds credibility with stakeholders and can lead to expanded business opportunities[24]. Hospitals and procurement groups often favor suppliers with proven regulatory track records, knowing those products are less likely to fail or cause issues. In sum, being proactive about compliance enhances your brand's reputation and fosters trust, which is invaluable for long-term success.

By viewing regulatory compliance not as a burden but as a catalyst for better performance, companies can turn these obligations into business strengths. You not only avoid the downsides of non-compliance, but also gain a stronger company – one that is efficient, reputable, and ready to compete globally.

 

Our Services: Guiding You to Compliance Success

Navigating the MDR, ISO 13485 implementation, and other regulatory hurdles can be complex. This is where our expert services come in. We offer a combination of deep regulatory expertise and practical industry experience to help manufacturers like yours meet these requirements in a smooth and structured manner. Our approach is professional and tailored, yet with a personal touch – we aim not just to check off regulatory boxes, but to add value to your operations and give you confidence in your compliance. Here's how we can support your journey:

- Regulatory Strategy & Gap Analysis:

Unsure where to start or where your current process stands? We begin by conducting a thorough gap analysis of your existing quality system and documentation against MDR and applicable standards. This review identifies any shortcomings or risks upfront. Then, we develop a clear, step-by-step roadmap to achieve compliance, prioritizing critical issues first. You'll know exactly what needs to be done – no guesswork, no wasted effort.

 

- QMS Implementation & ISO 13485 Certification:

Building a compliant Quality Management System is much easier with seasoned guidance. Our team will help you implement or upgrade your QMS in line with ISO 13485 and MDR's specific requirements. This includes establishing required procedures (for design control, risk management, supplier management, etc.), creating quality manuals and records, and training your staff on the QMS processes. We can assist in integrating new requirements, such as post-market surveillance plans, into your system. If you are seeking ISO 13485 certification, we support you throughout the certification audit process. The result is a robust QMS that not only meets regulatory expectations[25] but also works for your business, laying the groundwork for consistent quality and continuous improvement.

 

- Technical Documentation & CE Marking Support:

Preparing the MDR technical documentation can be one of the most labor-intensive tasks for manufacturers. We bring expertise in compiling complete and audit-ready Technical Files. Our specialists will work with your team to gather all required documents – from device descriptions and engineering drawings to risk management files, clinical evaluation reports, labeling, and beyond – ensuring they meet the format and depth that regulators expect. We provide templates and guidance for MDR-specific elements (such as the General Safety and Performance Requirements checklist or PMS plan documentation) to ensure nothing is overlooked. If you're seeking CE marking for a new device, we can manage the process, liaise with Notified Bodies on your behalf, and assist in addressing any questions or deficiencies they may raise. Our goal is to streamline the path to CE approval by ensuring the documentation is accurate the first time.

 

- Training & PRRC Support:

Compliance is most sustainable when your own people understand what's required. We offer training sessions and workshops to educate your staff on MDR and quality system requirements – from basic awareness for all employees to detailed regulatory training for your quality and regulatory affairs team. Key topics include MDR's general obligations, risk management practices, handling of non-conformities, and the role of the Person Responsible for Regulatory Compliance. Speaking of the PRRC, we know that appointing a qualified person can be challenging for smaller companies. Our experts can act as an external PRRC advisor or even fulfill the PRRC function for your company if appropriate (in line with MDR allowances for SMEs). This ensures you have the necessary regulatory oversight without having to hire full-time staff before you're ready. We also provide ongoing mentoring to any PRRC or quality manager you appoint, to help them stay on top of new developments.

 

- Audit Preparation & Ongoing Compliance:

Whether it's an internal audit, a Notified Body conformity assessment, or even an FDA inspection, we help you get audit-ready with confidence. Our consultants conduct mock audits and document reviews, identifying compliance weaknesses before the actual auditors do. We guide you in closing those gaps, be it updating a procedure or collecting additional test data. Having successfully guided multiple firms through MDR audits, we understand what auditors focus on and can ensure you're well-prepared. Furthermore, regulatory compliance isn't a one-time project – rules and standards evolve. We offer ongoing support to keep you compliant, monitoring changes in regulations (e.g., MDR extensions, UKCA requirements post-Brexit, or FDA QMSR updates) and advising on how to adapt. When MDR guidance documents or ISO standards are updated, we'll alert you and assist you in updating your processes accordingly. In short, we stay by your side to maintain your compliance as your business grows and regulations change.

 

From initial gap analysis to long-term compliance maintenance, our services are designed to make regulatory compliance manageable and even beneficial for your company. We pride ourselves on being a partner to our clients – we take your compliance personally, and we work diligently until you reach the finish line (and beyond).

Ultimately, our mission is to let you focus on what you do best – innovating and manufacturing great products – while we handle the regulatory complexities. We understand the challenges manufacturers face under frameworks like MDR, and we have a proven track record of guiding firms to successful outcomes. With our professional yet slightly promotional approach, we aim not only to be consultants but also trusted allies in your regulatory journey.

If you want to ensure your products meet all applicable regulations (EU MDR, ISO 13485, and more) and leverage compliance as a competitive advantage, we are here to help. By partnering with us, you can navigate the maze of requirements with confidence and speed, avoiding pitfalls and unlocking new market opportunities.

Feel free to contact our team to discuss your specific needs or learn more about how our services can support your business. Compliance can indeed be complex – but with the right support, you will not only meet the standards, you can excel beyond them, strengthening your company's quality, reputation, and success in the global marketplace.

 

 

Cybersecurity in Medical Devices: Insights, Near Misses, and Lessons Learned

Introduction

In an era of connected healthcare, medical devices are no longer isolated appliances — they form integral parts of hospital networks, software ecosystems, and patient data flows. While connectivity enables advanced functionalities, it also introduces cyber risk. A cyberattack or vulnerability exploit in a medical device can, in the worst case, affect patient safety, data integrity, service continuity, or confidentiality.

This insight article provides (1) a panorama of the regulatory & technical landscape, (2) examples of near-misses and incidents, and (3) lessons learned and guidance for manufacturers, healthcare providers, and stakeholders.

 

The Regulatory & Technical Landscape

Regulatory Guidance & Expectations

  • In the U.S., the FDA's "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" is a foundational guidance, updated in June 2025. It requires manufacturers to incorporate cybersecurity risk management across the product life cycle, provide vulnerability-handling plans (e.g., for Section 524B devices), and integrate cybersecurity into design controls and postmarket surveillance.¹,²
  • The FDA also emphasizes the need for Secure Product Development Frameworks (SPDFs), which embed security activities (threat modeling, vulnerability assessments, patching) into the development lifecycle.³
  • In Europe, the MDCG 2019-16 Rev.1 guidance remains the key reference under the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) for lifecycle cybersecurity, including risk assessment, software updates, and vulnerability handling.
  • Regulatory bodies now expect near-misses or "non-harmful cybersecurity events" to feed into postmarket surveillance (PMS) and risk management processes.

 

The Threat Landscape & Trends

  • A report from Runsafe Security found that 22% of healthcare organizations experienced cyberattacks targeting medical devices, and among those, 75% of incidents disrupted patient care.⁴
  • Over 1.2 million medical devices have been found openly exposed to the internet, allowing attackers to access sensitive data in some cases.⁵
  • Legacy or unsupported systems continue to be a major risk vector. For example, GE HealthCare issued a recall of older models of its "Muse 5" cardiology system due to critical security risks.⁶
  • Recently, Masimo (a medical device manufacturer) disclosed a cyberattack that impaired order processing and shipping capabilities, affecting business continuity.⁷
  • In early 2025, the FDA flagged cybersecurity risks in Contec and Epsimed patient monitors — vulnerabilities that could allow unauthorized remote access or manipulation. Although no incidents or injuries have yet been reported, these are considered near-miss signals.⁸

 

Selected Incidents & Near Misses

| Year / Case | Description | Impact / Outcome | Insights |
|---|---|---|---|
| 2025 – Contec / Epsimed monitors | FDA identified vulnerabilities that could allow remote control or data exfiltration. | No known harm yet; mitigation urged. | Example of a near miss leading to proactive mitigation.⁸ |
| 2025 – Masimo cyberattack | Attack impacted the manufacturing network, reducing throughput and order fulfillment. | Operational disruption, possibly delayed deliveries. | Demonstrates that cyber threats affect not just patient-facing software but supply chain and operations.⁷ |
| 2025 – GE Muse 5 recall | Older cardiology info systems recalled due to security risk. | Decommissioning or upgrade required. | Legacy systems pose hidden liabilities.⁶ |
| 2025 – SimonMed Imaging data breach | Vendor-linked attack exfiltrated data of 1.2 million patients. | Data breach, reputation damage, regulatory exposure. | Illustrates how device/partner linkage can propagate risk.⁹ |

 

Lessons Learned & Best Practices

  1. Embed cybersecurity from day one.
    Adopt a Secure Product Development Framework (SPDF) so that threat modeling, secure coding, fuzzing, and security validation occur alongside functional development.
  2. Manage vulnerabilities proactively.
    Maintain a Vulnerability Handling Process (e.g., coordinated vulnerability disclosure), track a Software Bill of Materials (SBOM), and define patching/update pathways.
  3. Treat near-misses as first-class signals.
    Even if no harm occurs, anomalies, attempted intrusions, or discovered vulnerabilities should feed into the risk management and PMS system.
  4. Address legacy system risks.
    Deploy compensating controls (network segmentation, monitoring, intrusion detection) or plan for decommissioning/upgrades when security patching is impossible.
  5. Manage supply chain and vendor risk.
    Ensure that third-party components, connectivity modules, or service vendors adhere to cybersecurity requirements. Control remote access surfaces.
  6. Continuous monitoring & threat intelligence.
    Monitor CISA advisories (including the CISA ICS medical advisories), FDA safety communications, known CVEs, and sector-specific alerts.¹⁰
  7. Transparency & stakeholder communication.
    Maintain clarity in labeling, user guidance (e.g., "security update required"), end-of-life policies, and incident response procedures.
  8. Align with risk frameworks & standards.
    Integrate ISO 14971 (risk management) with cybersecurity risk practices. Use NIST guidance, IEC 62304, and standards like AAMI TIR57 for direction.
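Items 2, 4 and 6 above (track an SBOM, handle components that can no longer be patched, and watch advisories) can be turned into a repeatable triage step. The script below is an added example written for this article, not code from the original page, from the FDA, or from any manufacturer. Everything in it is constructed for illustration: the CycloneDX-style SBOM for a hypothetical patient monitor, the advisory feed, the `example:endOfSupport` property used to mark an end-of-support component, and the advisory identifiers, which are placeholders rather than real CVE numbers.

```python
"""SBOM-driven vulnerability triage for a connected medical device.

Added example, not from the original article. Inputs are constructed:
a CycloneDX-style SBOM, a small advisory feed, and placeholder advisory
IDs (not real CVE numbers). The 'example:endOfSupport' property is an
assumed convention for marking components the vendor no longer patches.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM for a hypothetical patient monitor.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "tls-lib", "version": "1.1.1k",
     "properties": [{"name": "example:endOfSupport", "value": "2024-01-31"}]},
    {"name": "netstack-lib", "version": "2.1.2"},
    {"name": "compress-lib", "version": "1.2.13"},
    {"name": "ui-framework", "version": "4.2.0"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "tls-lib",
     "affected_below": "3.0.12", "fixed_in": "3.0.12", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-002", "component": "netstack-lib",
     "affected_below": "2.2.0", "fixed_in": "2.2.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-003", "component": "compress-lib",
     "affected_below": "1.3.0", "fixed_in": None, "severity": "medium"},
]


@dataclass
class Component:
    name: str
    version: str
    end_of_support: Optional[str]  # ISO date, or None while still supported


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    severity: str
    action: str  # "patch" or "compensating-control"
    detail: str


def parse_version(v: str) -> tuple:
    """Turn '2.1.2' or '1.1.1k' into a tuple of ints for ordering."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def load_components(sbom_json: str) -> list[Component]:
    """Read components and the assumed end-of-support property from the SBOM."""
    out = []
    for c in json.loads(sbom_json).get("components", []):
        eos = None
        for prop in c.get("properties", []):
            if prop.get("name") == "example:endOfSupport":
                eos = prop.get("value")
        out.append(Component(c["name"], c["version"], eos))
    return out


def triage(components: list[Component], advisories: list[dict]) -> list[Finding]:
    """Match SBOM entries against advisories and decide patch vs. compensating control."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] != comp.name:
                continue
            if parse_version(comp.version) >= parse_version(adv["affected_below"]):
                continue  # already at or beyond the fixed version
            if comp.end_of_support is None and adv["fixed_in"]:
                action = "patch"
                detail = f"update to {adv['fixed_in']} through the device's controlled update pathway"
            else:
                # No usable fix: either the component is past end of support or no fix exists yet.
                action = "compensating-control"
                reason = (f"component past end of support {comp.end_of_support}"
                          if comp.end_of_support else "no vendor fix available yet")
                detail = (f"{reason}; segment the device network, monitor for exploitation, "
                          "and schedule an upgrade or decommissioning")
            findings.append(Finding(comp.name, comp.version, adv["id"], adv["severity"], action, detail))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts by action, suitable for a PMS / risk-management review record."""
    summary = {"patch": 0, "compensating-control": 0}
    for f in findings:
        summary[f.action] += 1
    return summary


if __name__ == "__main__":
    results = triage(load_components(SBOM_JSON), ADVISORIES)
    for f in results:
        print(f"{f.severity.upper():8} {f.component} {f.version} {f.advisory_id}: {f.action} -> {f.detail}")
    print(summarize(results))
```

Run on the constructed inputs, the script flags three of the four components: the end-of-support TLS library and the library with no fix yet are routed to compensating controls, while the network stack gets a patch action; the summary counts are what a PMS review would record even when no field incident has occurred. Replacing the inline strings with a real SBOM export and an advisory feed is the only change needed to use the same logic in practice.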

 

Secure Product Development Framework (SPDF)

A Secure Product Development Framework (SPDF) is a set of processes designed to embed security into every stage of a product's lifecycle, from design to decommissioning. This proactive approach aims to reduce and mitigate product vulnerabilities and is particularly emphasized by the FDA for medical devices, requiring manufacturers to integrate cybersecurity measures throughout development and maintenance. Key components include risk management, secure design, testing, secure communications, and postmarket surveillance.

 

Key components of an SPDF

  • Risk Management: Involves proactively identifying, evaluating, and mitigating cybersecurity risks throughout the product's life.
  • Design and Development Controls: Ensures security is integrated into the design phase, not added as an afterthought. This includes "security by design" principles.
  • Information Security Management: Establishes policies and controls to safeguard data and protect against breaches.
  • Secure Communications: Protects data both when it is stored and when it is in transit.
  • Postmarket Surveillance and Response: Includes continuous monitoring of devices in the field to identify and address vulnerabilities, often through patching and updates.
  • Threat Modeling: Analyzing potential vulnerabilities early in the process to proactively address them.
  • Regulatory Compliance: Adhering to relevant regulations, such as FDA guidelines, HIPAA, and other cybersecurity standards like IEC 81001-5-1.

 

Why SPDF is important

  • Reduces vulnerabilities: By building security in from the start, it helps prevent and reduce the number and severity of security gaps.
  • Ensures safety and trust: For connected devices, especially medical ones, security is critical for user safety, data privacy, and maintaining public confidence.
  • Meets regulatory requirements: Frameworks like the FDA's SPDF are essential for medical device manufacturers to meet regulatory obligations and for premarket submissions.
  • Simplifies the development process: Integrating security early can streamline development and avoid costly and time-consuming security-related delays later on.

 

 

Footnotes (sources):

  1. FDA: "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" guidance, June 2025, U.S. Food and Drug Administration
  2. FDA: Quality system & premarket submission guidance, U.S. Food and Drug Administration
  3. Summary of the SPDF approach in commentary on the FDA guidance, Cobalt; Regulatory knowledge for medical devices
  4. Runsafe Security report: 22% of organizations attacked, 75% of incidents impacted patient care, Industrial Cyber
  5. Over 1.2M medical devices exposed on the Internet, Cybernews
  6. GE HealthCare recalls Muse 5 cardiology systems, Cardiovascular Business
  7. Masimo cyberattack affects order fulfillment, The Record from Recorded Future
  8. FDA identifies risks in Contec / Epsimed patient monitors (no harm reported yet), U.S. Food and Drug Administration; Reuters
  9. SimonMed Imaging data breach (1.2 million patients), TechRadar
  10. CISA / ICS medical cybersecurity advisories, CISA

 

A New Chapter for Quality Management: ISO 9001 and ISO 13485 on the Horizon

Quality management standards are never static. They evolve, just as industries evolve. For more than a decade, ISO 9001:2015 has set the benchmark for organizations worldwide seeking to demonstrate efficiency, consistency, and customer trust. In February 2024, a modest amendment added a focus on climate-related issues — a clear signal that broader societal challenges are finding their way into quality standards. But this was only the beginning.

A significant revision of ISO 9001 is now in motion. In August 2025, the Draft International Standard (DIS) was released to ISO member states for review. If the timeline holds, a completely new edition — ISO 9001:2026 — will be published in September 2026. Organizations will then be granted a transition period of a maximum of three (3) years, meaning the revised standard will become mandatory for certification around late 2029. While the final details are still under discussion, it is already evident that (i) sustainability, (ii) digital transformation, and (iii) the ability to anticipate stakeholder expectations will become core themes. For medical technology companies, this is not simply a matter of updating a certificate. It is about redefining how quality systems can both ensure compliance and create strategic value in a rapidly changing healthcare environment.

Running in parallel is ISO 13485, the quality standard tailored for medical devices and in vitro diagnostics. This standard has been the cornerstone for demonstrating compliance with regulatory frameworks such as the EU MDR/IVDR, UK MDR, Swiss regulations, and the US FDA’s QSR. The current edition dates back to 2016, and although it remains valid, the standard is under active review. While no firm timeline has yet been announced, industry committees are exploring revisions in the coming years to align ISO 13485 more closely with ISO 9001:2026 while preserving its essential regulatory rigor.

For medtech manufacturers, the implications are significant. Two standards, each vital in its own right, are moving towards an updated vision of quality management. The likely outcome will be more emphasis on sustainability, risk-based thinking, and digital integration. Companies will be challenged to adapt — but those who do so proactively will not only secure compliance; they will strengthen their resilience and credibility in a competitive market.

At QNET, we see these revisions as opportunities. They offer medical technology companies a chance to step beyond a compliance-driven mindset and embed quality as a genuine driver of trust, safety, and innovation. The countdown to 2026 has already begun, and the organizations that prepare today will be the ones that lead tomorrow.

Want to know how the upcoming revisions to ISO 9001 and ISO 13485 will affect your medical technology business? Contact us — we help manufacturers worldwide align their quality systems with evolving standards and regulatory requirements.

ISO 9001:2026 Transition Timeline

  • February 2024: Amendment published (climate aspects)
  • August 2025: Draft International Standard (DIS) released
  • September 2026: Final ISO 9001:2026 publication expected
  • 2026 – 2029: Transition period (max. 3 years)
  • Late 2029: ISO 9001:2015 certificates expire