6 Key EU MDR Requirements for SaMD & How to Comply with Them

Written by Pharmadocx Consultants

30 April 2026

The EU Medical Device Regulation (EU MDR) places Software as a Medical Device (SaMD) under a strict risk-based framework (EU MDR Rule 11). EU MDR broadened the scope for SaMD compared to the old Medical Device Directive (MDD). Many software products previously considered low risk under MDD are now moderate or high risk under MDR. Under EU MDR, SaMD is treated as a medical device in its own right, so it requires CE marking, compliance with General Safety and Performance Requirements, notified body involvement, and conformity assessment. EU MDR thus demands that SaMD be treated with the same rigor as traditional medical devices, and its requirements for SaMD have been formulated to ensure safety, effectiveness, and continuous monitoring throughout the software's lifecycle.

Currently, EU MDR Rule 11, a risk-based classification framework, has been applied to SaMD. Hence, most SaMDs now fall into Class IIa, IIb, or III depending on the potential impact of incorrect decisions on patient health. Moreover, manufacturers must implement a Quality Management System, follow risk management, and adhere to software lifecycle standards (IEC 62304). Post-market surveillance, vigilance reporting, and cybersecurity controls are mandatory, thereby reflecting the evolving nature of software. In this blog, we will detail the key EU MDR requirements for SaMD.

EU MDR regulations for SaMD

  • Definition: SaMD is standalone software with a medical purpose (diagnosis, prevention, monitoring, treatment) that is independent of hardware. SaMD is referred to as Medical Device Software (MDSW) under EU MDR. Administrative, scheduling, billing, or general wellness apps are not included in SaMD. Examples: AI diagnostic tools, chronic disease monitoring apps, therapeutic apps delivering cognitive behavioral therapy.
  • General Safety & Performance Requirements (Annex I) for SaMD: SaMD must demonstrate accuracy, precision, and stability of algorithms. It requires verification, validation, and performance testing (e.g., SpO₂ accuracy ±2%). Cybersecurity and data protection are integral to compliance with EU MDR requirements for SaMD.
  • Applicable industry and regulatory standards: ISO 13485 for the Quality Management System, ISO 14971 for risk management, IEC 62304 for software lifecycle processes, and MDCG 2019-11 for guidance on software qualification and classification.

EU MDR requirements for SaMD: EU MDR Rule 11 classification

The EU MDR Rule 11 classification is the cornerstone regulation for classifying Software as a Medical Device (SaMD). It applies a risk-based framework to determine whether software belongs to Class I, IIa, IIb, or III, depending on its intended purpose and the potential impact on patient safety. EU MDR Rule 11 classification ensures that software with medical purposes is classified consistently as per its risk profile.

The EU MDR SaMD classification depends on the intended use and the severity of harm that could result from incorrect functioning of, or reliance on, the software. Many software developers underestimate the classification level. However, notified bodies scrutinize Rule 11 classifications closely, so manufacturers must justify risk assessments with traceability and clinical evidence. Higher classes require extensive technical files, risk management, and clinical evaluation. Manufacturers must therefore carefully document intended use, risk analysis, and justification for classification to satisfy regulators. Compliance with EU MDR Rule 11 classification is important for meeting EU MDR requirements for SaMD. The four EU MDR SaMD classes are:

  • Class III: Software that provides information used to make decisions with potential to cause death or irreversible deterioration of health. Example: Sepsis detection app triggering urgent interventions; software controlling pacemakers.
  • Class IIb: Software that provides information used to make decisions with potential to cause serious deterioration of health or need for surgical intervention. Example: Oncology decision-support tools; advanced diagnostic imaging analysis.
  • Class IIa: Software that provides information used to make decisions with potential to cause moderate harm. Example: Chest X-ray interpretation software; chronic disease management apps.
  • Class I: Software not intended to provide diagnostic/therapeutic information, or where risks are minimal. Example: Fitness trackers without medical claims.

6 Key EU MDR requirements for SaMD

1. EU MDR Rule 11 classification

EU MDR Annex VIII, Rule 11 specifically governs the classification of SaMD. It applies a risk-based approach. The EU MDR SaMD classification depends on the potential harm incorrect software output could cause to patients. Most SaMD now falls into Class IIa, IIb, or III, with Class I reserved only for minimal-risk software. Misclassification can lead to regulatory rejection, delays, or even product withdrawal from the EU market. Therefore, manufacturers must carefully justify their classification in the technical documentation.

2. Quality Management System (QMS)

For SaMD classified as Class IIa and above, compliance with ISO 13485 is mandatory. This ensures that the organization has a robust quality management system covering design, development, testing, and maintenance. The QMS must integrate risk management, traceability, and controlled processes for software updates. Audits by notified bodies will assess QMS effectiveness before granting CE marking. Without ISO 13485 compliance, SaMD manufacturers cannot legally market their products in the EU.

3. Technical documentation

Annex II and III of EU MDR outline the requirements for technical documentation. This includes detailed files on risk management, software validation, usability engineering, cybersecurity measures, and clinical evaluation. Documentation must demonstrate that the software is safe, effective, and performs as intended under all foreseeable conditions. Regulators expect traceability between requirements, design, verification, and validation activities. Incomplete or poorly structured documentation is a common reason for regulatory delays or rejection. Hence, technical documentation is one of the critical EU MDR requirements for SaMD.

4. Notified body involvement

For Class IIa, IIb, and III SaMD, a notified body must review and approve the conformity assessment. The notified body evaluates technical documentation, QMS compliance, and risk management processes. Their involvement ensures independent oversight and validation of the manufacturer’s claims. The depth of review increases with higher risk classifications, with Class III requiring the most scrutiny. Manufacturers must maintain ongoing communication with notified bodies for audits and post-market obligations.

5. CE marking

CE marking is the legal authorization to market SaMD in the European Union. It signifies conformity with EU MDR requirements and is only granted after successful notified body assessment for Class IIa and above medical devices. The CE mark must be affixed to the product and included in labeling and promotional materials. Each SaMD requires its own CE mark, independent of any associated hardware. Failure to obtain CE marking prohibits distribution and use within the EU market. CE marking is one of the major EU MDR requirements for SaMD.

6. Post-market surveillance

EU MDR mandates continuous monitoring of SaMD performance and safety after market entry. Manufacturers must establish systems to collect, analyze, and act on real-world data, including adverse event reports. Vigilance reporting to regulators is required for serious incidents or risks. Updates, patches, and modifications must follow controlled change management processes under the QMS. This ensures that evolving software remains compliant, safe, and effective throughout its lifecycle.

How to comply with EU MDR requirements for SaMD?

  1. Determine intended medical purpose: Check whether software will be considered a SaMD. Define whether the software is for diagnosis, prevention, monitoring, or treatment.
  2. Classify under Rule 11: Apply Annex VIII, Rule 11 to determine the SaMD class (Class I, IIa, IIb, or III) based on risk.
  3. Implement QMS and standards: Adopt ISO 13485, ISO 14971, and IEC 62304 for quality, risk, and lifecycle management. Comply with General Safety and Performance Requirements (GSPR).
  4. Prepare technical documentation: Compile the technical documentation dossier covering clinical evaluation, risk analysis, validation, and performance evidence.
  5. Undergo conformity assessment: Engage a Notified Body for Class IIa and above to review compliance.
  6. Obtain CE marking for SaMD: Secure CE mark approval for market entry in the EU.
  7. Maintain post-market surveillance: Monitor performance, report incidents, and manage updates under MDR requirements.

Need help complying with EU MDR requirements for SaMD? Email at [email protected] or call/Whatsapp on 9996859227 and we will be more than happy to help.
