Your Medical Device Got CE Marked – Now What?

Published On: February 28th, 2023
Categories: CE Marking, EU MDR, PMS PMCF, Post Market Surveillance

Obtaining the CE mark is one of the most significant milestones in the life of most medical devices. Unfortunately, it typically takes years and can exhaust even the most determined regulatory personnel. Nevertheless, getting the good news of an approved application is an occasion worth celebrating!

However, once the CE mark has been granted, the work to maintain compliance with the European Medical Device Regulation (EU MDR; 2017/745) and the In Vitro Diagnostics Regulation (IVDR; 2017/746) has just begun.

Many medical device manufacturers might need to realize the amount of work required to ensure compliance with European regulations, especially if they are new to the requirements of the MDR. The scope of the MDR is much broader than the pre-existing MDD (Medical Device Directives; 93/42/EEC), and various new responsibilities and documents are required.

Here we look at the responsibilities of medical device manufacturers once the CE mark has been granted and the frequency with which documents must be updated. We also review the update requirements and what you should include in each of your reports.

General Obligations of Medical Device Manufacturers

The general obligations of medical device manufacturers are described in Article 10 of the MDR and IVDR, which sets out manufacturers’ responsibilities after placing their devices on the market. Besides the responsibilities described in detail below, manufacturers must also implement the UDI system (described in Article 27 of the MDR), appoint authorized representatives if applicable, consider language requirements and labeling, and maintain a compliant quality management system.

Risk Management for Medical Devices

It is not a coincidence that the first obligation described in Article 10 is risk management. We all remember a medical device scandal or two from the last decade, and risk management has been promoted to one of the most critical aspects of medical device documentation.

Risk management performed correctly can significantly reduce the occurrence of Field Safety Corrective Actions (FSCA) and ensure the safety and well-being of your users. It also ensures that you have taken into consideration every risk associated with the use of your device to avoid unpleasant surprises once the device hits the market.

What Should Be Included in My Risk Management Systems?

The European regulation requires manufacturers and their risk management documentation to:

  • Reduce any risks associated with the device as much as possible without affecting the risk-benefit profile
  • Implement a risk management system for each device developed and manufactured
  • Use state-of-the-art measures to control risks
  • Address human factor risks
  • Ensure risk mitigation is adequate and effective for the whole lifetime of the device
  • Ensure risks are not affected by the transport or storage of the device
  • Ensure foreseeable residual risks are outweighed by the benefits of using the device

The MDR/IVDR does not specify a harmonized standard for risk management, but most medical device manufacturers will implement EN ISO 14971, "Application of risk management to medical devices". While not a complete solution, it is the simplest way to ensure you perform the basic risk management duties.

Continuous Risk Management

It is not enough to only perform risk assessment when developing a medical device. As defined by the MDR,

…risk management is a continuous iterative process throughout the entire lifecycle of a device, requiring regular, systematic updating.

During post-market activities, relevant data presented from patients, users, and healthcare professionals, as well as information generated by the supply chain, publicly available information, literature reviews, safety information, social media, regulatory databases, clinical evidence, etc., must be collected. This information should be reviewed to identify any previously unrecognized hazards or hazardous situations, changes to the risk acceptability due to increased severity or probability, changes to the state-of-the-art, or any other aspect that might impact risk. Once evaluated, any changes in risk must be assessed and mitigated, if applicable.

Appropriate resources should be allocated to update and maintain risk management documents and activities. Any trends or indications regarding the safety information of your medical device should be closely monitored, and appropriate measures should be implemented as soon as possible.

Clinical Evaluation

Clinical evaluations for medical and in vitro diagnostic devices consist of verifying the device’s performance and safety information, and clinical benefits, when used as described in the Instructions for Use, by reviewing and summarizing clinical evidence. The point of clinical evaluation is to demonstrate that the risk-benefit profile of the device is acceptable and comparable to that of the current state-of-the-art treatments or technologies.

Clinical data comes from literature review, clinical investigations, and post-market surveillance activities on the subject device and similar or equivalent device(s).

When should I update my clinical evaluation?

Preparing and submitting your initial clinical evaluation report is just the beginning. Your clinical evaluation must be updated regularly and throughout the lifetime of your device.

If no new information that affects the risk-benefit profile or general clinical evaluation is identified, you must update your clinical evaluation at least annually for Class III or novel devices and every 2-5 years for lower-risk and well-established devices. However, if you do identify new information that affects the risk-benefit profile of your device, you should update the clinical evaluation immediately.

CER Literature Review

Updating your clinical evaluation report also means updating your literature review. With the addition of more than 3 million publications to scientific journals per year, a systematic review must be performed regularly to keep track of the current state-of-the-art, critically appraise any new clinical data, and make sure your device remains safe and performs as intended.

The clinical evaluation report is one of the most critical aspects of your technical documentation, so it is vital to ensure it is regularly and appropriately updated.

Post-Market Surveillance (PMS)

The goal of post-market surveillance is to ensure that a medical device is performing as intended and that it remains safe for patients and users. To do that, a proactive and systematic process must be set up to continuously gather data on the safety and performance of your device throughout its lifetime.

Post-market surveillance consists of both proactive and reactive processes. Proactive processes consist of collecting and analyzing data for your device and similar or equivalent devices. The gathered data is then used to identify trends, update risk management and quality systems, review instructions for use and user training, identify manufacturing issues, and more. Reactive processes are those included in vigilance, which is discussed below.

When should I update my post-market surveillance?

Post-market surveillance reports must be submitted for Class I devices as needed. For Class IIa, Class IIb, and Class III devices, a periodic safety update report (PSUR) must be submitted at least every two years (Class IIa) or at least annually (Class IIb, Class III). Both reports must include a summary and conclusion of PMS data, description and rationale for preventive and corrective actions, sales and usage frequency data, findings from post-market clinical follow-up (see below), if applicable, and a conclusion on the risk-benefit evaluation.

Post-Market Clinical Follow-Up (PMCF)

Post-market clinical follow-up is an important part of your post-market surveillance activities and clinical evaluation. It is described in Annex XIV, part B, of the MDR, and Annex XIII, Part B of the IVDR.

Not every device needs PMCF. High-risk devices must update their PMCF report annually, while lower-risk devices might benefit from PMCF depending on their residual risks. The MDR states in article 83 that manufacturers must create a post-market surveillance system proportionate to the risk class and appropriate for the type of device. Therefore, if you do not believe you need PMCF, you must justify it thoroughly in your post-market surveillance plan.

PMCF aims to assess the available clinical data on the safety and performance of your device to:

  • Identify previously unknown side effects
  • Monitor previously identified side effects and contraindications
  • Identify and analyze developing risks
  • Ensure the risk-benefit profile remains acceptable
  • Identify potential systematic misuse or off-label device use to ensure the intended purpose is appropriate

The Medical Device Coordination Group (MDCG) has issued guidance on the PMCF plan and report. The clinical data needed for your PMCF activities vary from general data, such as user feedback, information from scientific literature, and other sources of clinical evidence, to specific data, such as randomized controlled trials, PMCF studies, or a registry database. Whichever data you include in your PMCF should be documented and justified in your PMCF plan.


Vigilance

Vigilance is the activity associated with collecting information about serious incidents, complaints, and adverse events. It is the reactive process in post-market surveillance.

Vigilance is described in articles 87-90 of the MDR and articles 82-85 of the IVDR and consists of the reporting and analysis of serious incidents and field safety corrective actions (FSCA), trend reporting, and analysis of vigilance data.

Medical device manufacturers must report serious incidents to the relevant competent authorities within the following timeframes:

  • Serious incident: no later than 15 days after becoming aware of the incident
  • Death or serious deterioration of a person’s state of health: no later than ten days after becoming aware of the incident
  • Serious public health threat: no later than two days after becoming aware of the incident

MEDDEV 2.12/1 Rev. 8 is the guidance document on medical device vigilance systems. Additional guidance has also been issued. The timelines for follow-up reports are not specified in the MEDDEV guidance. However, submitting a follow-up report within 30 days of the initial report or as soon as additional information becomes available is recommended.

Note that EU member states might have different local timeline expectations from the European Commission. Therefore, we always recommend making sure you check the rules and recommendations in the member state where your incident report is submitted.

Whether you submit post-market surveillance reports or periodic safety update reports, vigilance information must be included in your post-market surveillance updates. In addition, you should describe and rationalize any field safety corrective actions performed and discuss whether they impact the risk-benefit profile of your device.

Technical Documentation Updates

Once your device is on the market, the technical documentation must be continuously updated so that it always reflects the device currently being manufactured and sold.

Although not required by the MDR, we recommend performing a periodic review of the technical documentation at regular intervals to ensure it is up to date. A change log should also be established for an accessible overview. Some changes will require notified body approval before they are implemented, so make sure you check Annex IX and Annex X carefully before implementing them.

A good rule is to update the technical file every time a controlled document changes.

Updating Your Documentation

With this much documentation to update, you might wonder, how will I ever get all this done? And yes, a lot of work is required to keep your technical documentation updated, especially considering that this work must be performed for each device on the market!

Many regulatory departments are stretched to the limit. Resources are scarce, and it can be difficult to allocate more time and money to keep an increasing number of technical files up to date. If this is the case for you, consider outsourcing recurring document updates. For example, for most devices, the clinical evaluation and post-market surveillance reports need to be updated every 1-5 years. While not overly complicated, the updates can be labor-intensive. Likewise, performing literature reviews and reviewing complaint data might be simple enough in theory, but it takes excessive time. Hiring medical writers or companies with expertise in the subject can ensure quality work for a fraction of the time and effort.

At Citemed, we can keep your technical file up to date. We offer services in regular updates of literature reviews, clinical evaluation reports, and post-market surveillance documentation. Our one-of-a-kind software makes updating documents a breeze and helps you reduce both time and money spent. Contact us at
