“If CE certificates no longer have a five-year validity period, is EU medical-device regulation actually being relaxed—or just getting harsher in a different way?”
This is a recentdraft amendment to the EU MDR (Regulation (EU) 2017/745),published on December 16,and one of the biggest points of contention in the industry.
Seen from the draft's overall structure, this is not a “local patch,” but rather asystemic reordering of the regulatory logic:
👉 shifting from “fixed-cycle + centralized re-certification” to “continuous lifecycle oversight + phased requirements.”
Next, we will examineat the regulatory text level, item by item, this update draftwhat actually changed, andwhat companies must do now。
I. Why is the EU revising the MDR? The draft preamble already lays it out
In the amendment draft’s **preamble (Recitals)**, the European Commission directly acknowledges, in rare candid fashion:
The current MDR has, in implementation,driven compliance costs too high, processes too lengthy, and predictability too weak, and has already had a negative impact onmedical-device accessibility, supply continuity, and innovation capability.
This judgment runs through the amendment direction of several core provisions in the draft.
There are only three keywords:
reducing duplicate oversight
strengthening continuous oversight
introducing the principle of proportionality
II. Core changes
Change 1: CE certificates will no longer have an explicitly defined “maximum five-year” validity period
Original requirement in the 2017 MDR
InArticle 56(2) of the MDR, it clearly states:
Certificates issued by Notified Bodiesmust not exceed five years in validity, and renewals are also limited to five years.
This has been one of the main sources of repeated pressure on companies over the past few years.
Key changes in the amendment draft
In the latest amendment draft,the relevant provisions of Article 56 have been reworded:
the hard cap of “no more than five years of validity” has been removed
and instead the draft emphasizes that certificates remain valid whilethe regulatory requirements continue to be met
In other words:
👉 certificate validity will no longer lapse automatically with time, but will instead depend on compliance status,This means the costs companies pay for conformity assessment may be somewhat lower..
⚠️ Important note:
This is not a “permanent certificate”, but rathera shift from an “expiry-based” model to a “status-based” model。
Change 2: the Notified Body’s “recertification role” has been redefined
Legal basis
Article 44 (ongoing surveillance activities of the Notified Body)
Article 56 (certificate management)
Through linked amendments across multiple articles, the draft revision de-emphasizes the concept of “fixed-cycle recertification” and reinforces the Notified Body’sdynamic intervention based on the following factors:
PMS results
PMCF data
safety signals and trend reports
What this really means
The Notified Body is no longer something you “see once every 5 years,” but rathera regulatory participant that may intervene at any time。
Change 3: the “source requirements” for clinical evidence have been materially relaxed
Legal basis
Article 2 (definition of clinical data)
Article 61 (clinical evaluation)
Annex XIV (clinical evaluation and PMCF)
In the draft revision, the wording on sources of clinical data is no longer explicitly limited topeer-reviewed scientific literature。
What this really means
literature sources are more flexible
there is more room for real-world data, observational studies, and post-market data
but at the same time, the implicit expectations formethodology, evidence consistency, and bias controlare higher。
Change 4: PMS and PMCF have become the core evidence for a certificate’s continued validity
Legal basis
Articles 83–86 (PMS)
Annex XIV (PMCF)
What has changed?
The draft revision repeatedly emphasizes:
post-market surveillance and PMCF results may be used directly toreassess certificate validity。
What this really means
Whether a certificate “remains valid” no longer depends primarily on:
the initial regulatory submission dossier
Instead, it depends on:
whether post-market real-world use data continue to support safety and performance
What does this mean for companies?
PMCF has been elevated from a “compliance task” to a “certificate lifeline”
Data continuity, trend analysis, and closed-loop management will directly affect certificate stability
Change 5: “Well-established technology” is formally incorporated into the regulation
Source provision
The draft revision adds new definitional provisions (relevant new definitions in Article 2)
and uses them in multiple provisions as a basis for proportionate regulation
Substance of the change
The EU is attempting to use the concept of “well-established technology” devices,to replace the previous simple list-based product management approach。
There is only one prerequisite:
👉 companies mustdemonstrate that it is “well established”, rather than merely claiming it is。
Change 6: supply interruption and shortages are brought into core compliance obligations
Provision anchor
New/strengthened Article 10a (supply interruption and shortages)
What has changed?
Manufacturers are required toat least 6 months in advance, notify the competent authorities of any anticipated interruption or cessation of device supply and explain the reasons.
Substance of the change
Supply chain issues are elevated from a “business issue” to a:
public health and regulatory issue
What does this mean for companies?
Production discontinuation, market withdrawal, and capacity adjustments are no longer merely “internal decisions””
They require compliance assessment, external communication, and regulatory notification mechanisms
Change 7: priority review and rolling review are introduced for breakthrough devices and orphan devices
Provision anchor
The draft revision adds new content onbreakthrough devices and orphan devicesthrough dedicated provisions
and clarifies expert panel involvement and rolling review
What has changed?
For the first time, the EU systematically introduces into the MDR:
priority review
phased submission
early expert panel involvement
Substance of the change
This is the early institutional form of an EU-style “accelerated pathway.”
What does this mean for companies?
Truly innovative products or products for rare diseases
may have the opportunity to significantly shorten the regulatory approval pathway
but place higher demands on upfront strategic planning
Change 8: Regulatory Sandbox is introduced into the MDR text
Relevant provisions
The draft revision adds new definitions and enabling provisions
What changed?
The draft allows Member States and the EU level to establishregulatory sandbox mechanisms。
Nature of the change
Regulation shifts from “post hoc correction” to:
“early validation in a controlled environment”
What does this mean for companies?
AI medical devices, digital therapeutics, brain-computer interfaces, etc.
may gain a more predictable regulatory testing environment
Change 9: Compliance requirements for online (internet) sales are explicitly strengthened
Relevant provisions
Article 6 (Distance sales)
Article 10 (Manufacturer obligations)
What changed?
The draft revision clarifies:
Devices sold online must provide users withsufficient information to identify the device and its compliance status。
Nature of the change
Online sales are no longer a regulatory gray area.
What does this mean for companies?
Content on official websites, e-commerce platforms, and third-party platforms
may all become subject to compliance review
Change 10: Systematic alignment between the MDR, the AI Act, and cybersecurity legislation is strengthened
Relevant provisions
Multiple cross-references and enabling provisions
involvingAI Actthe Cyber Resilience Act (CRA), etc.
What changed?
The draft revision explicitly states:
it is necessary to avoid different EU regulations overlapping and causinginnovation to be unreasonably constrained。
Nature of the change
Medical device compliance is moving from “single-regulation response” into:
a phase of coordinated multi-regulation management
What does this mean for companies?
AI devices and SaMD will face “combined compliance”
Registration strategies require cross-regulatory coordination rather than siloed approaches
III. This is not deregulation, but an upgrade in the regulatory approach
Many companies’ first reaction is: “Great, one less recertification.”
But if that is all you see, you are mistaken.
The supporting provisions strengthened in parallel in the draft include:
Ongoing compliance obligations have been systematically strengthened
MDR Article 10 (General obligations of manufacturers)is further emphasized in the revised draft:
Manufacturers must, throughout the entire lifecycle,continuously demonstrateconformity, rather than only at certificate checkpoints.
The role of Post-market Surveillance (PMS) and PMCF has been further elevated
Articles 83–86 (PMS)
Annex XIV (PMCF)
The draft emphasizes in multiple places:
Notified Bodies may, based on PMS/PMCF results,trigger certificate assessment, restriction, or withdrawal at any time
In one sentence:
👉 the once-every-five-years major exam has becomecontinuous daily scrutiny。
IV. Five things companies must do now (not wait for the regulation to take effect)
1. Immediately restructure your “certificate maintenance strategy”
No longer use “expiry” as the timeline, but instead:
PMS
PMCF
adverse event trends
as the main axis, and build acertificate risk radar。
The practical weight of Annex XIV is increasing, not decreasing.
For non-peer-reviewed literature:
study design
risk of bias
generalizability
must be formalized intoauditable methodological documentation。
Especially when there are:
rising complaints
abnormal post-market trends
supply changes
any of these may trigger certificate reassessment.
The draft is still in the legislative process, but the direction is already very clear:
Those who adapt first to continuous oversight will have the lowest future costs.
V. Clinsota's CRO Perspective
This is not a “deregulatory reform,” but rather asmarter, more refined regulatory restructuring。
Clinsota believes companies must act on these 8 priorities now, rather than waiting for the regulation to take effect
1. Rebuild the logic for certificate maintenance
No longer centered on the “expiry date,” but on:
PMS
PMCF
safety signals
buildinga certificate risk monitoring system。
2. Transform PMCF from a “compliance task” into “certificate insurance”
Under the logic of certificates without a fixed validity period,PMCF quality = certificate stability。
3. Upgrade your clinical evidence strategy, rather than simply “doing fewer studies”
Broader use of literature ≠ using literature casually
This must be supported by:
systematic literature review methodology
evidence quality grading
a closed loop with post-market data
4. Determine whether your product can be classified as a “mature technology device”
and prepare in advance:
evidence of design stability
a long-term safety record
trend analysis of complaints and adverse events
5. Be prepared for “inquiries from the Notified Body at any time”
Key scenarios include:
an increase in complaints
trend reporting triggers
abnormal PMCF data
6. Treat supply interruption as a compliance event, not a commercial decision
Establish:
trigger thresholds
internal escalation pathways
consistent regulatory messaging
7. Support “continuous compliance” with digital tools
This is not about storing documents, but abouttraceability, auditability, and reviewability。
8. Treat this draft as a “window for reordering your regulatory submission strategy”
The companies that will truly benefit are not those who “wait and see,” but those whoadjust early。
For companies,
low-quality complianceIt becomes riskier
High-quality, systematic complianceis, instead, more cost-effective
Closing note: If the certificate is not set to 5 years, it is not to let you rest for 5 years,
instead, it requires you—to stand firm every day.
