Critical Requirements Under MDR/IVDR
Why Some EO Obligations Matter More Than Others
MDR and IVDR introduced an extensive list of responsibilities for every Economic Operator in the supply chain. But within that list are a handful of obligations that hold unusual weight — the Critical Requirements. These aren’t simply compliance tasks operators must remember to perform. These are the foundational obligations that, if missing or poorly implemented, can destabilize your entire regulatory system.
Manufacturers sometimes treat all EO responsibilities equally, but regulators don’t. Critical Requirements are the areas where Competent Authorities focus heavily because they signal whether an EO is prepared, capable, and compliant. If an operator fails one of these, the risk isn’t theoretical. It’s immediate.
The PRRC: Where Regulatory Accountability Actually Lives
One of the most transformative additions under MDR/IVDR is the requirement for certain operators to appoint a Person Responsible for Regulatory Compliance. The PRRC is not a symbolic title or an optional add-on. They are the regulatory conscience of the EO.
A strong PRRC brings stability to everything: documentation, vigilance, verification, and communication with authorities. They understand MDR/IVDR deeply and ensure the operator follows their obligations proactively, not reactively.
When an EO lacks a PRRC — or appoints someone who doesn’t understand their responsibilities — everything downstream becomes fragile. A missing PRRC is often the earliest sign of a weak operator.
EUDAMED Registration: The Regulatory Identity of Every EO
EUDAMED is still evolving, but one thing is already certain: operators need an SRN. This is their regulatory identity. Without it, they’re invisible in the system and unable to fulfil registration and verification tasks properly.
The number of EOs who believe EUDAMED is optional is surprisingly high. Many think registration is something the manufacturer handles. Some don’t remember whether they registered. Others assume partial registration is enough.
During an inspection, this excuse doesn’t hold. Regulators expect EUDAMED compliance. If an EO can’t produce their SRN, you start the audit with a significant nonconformity.
Vigilance: The Requirement Most Likely to Break First
If you want to assess an EO’s competence, look at their vigilance system. Vigilance obligations are strict, time-bound, and unforgiving. They require operators to recognize incidents, escalate them quickly, document them properly, and communicate them to the manufacturer without delay.
Yet vigilance is where most EOs fail, especially distributors.
Many operators:
Treat complaints casually
Store incident information loosely
Don’t understand escalation criteria
Have no written procedures for vigilance reporting
Don’t know MDR/IVDR timelines
When a serious incident occurs and the EO mishandles it, the manufacturer is the one who answers to the regulator.
Technical Documentation Checks: The First Line of Regulatory Defense
Importers and distributors must verify essential documentation before placing devices on the market or further distributing them. This includes CE marking, the Declaration of Conformity, and correct labeling.
This responsibility is often misunderstood. Many EOs believe the manufacturer handles documentation and that verification is optional. But MDR/IVDR explicitly requires EOs to check that documentation exists and is correct.
When this step is skipped — and it frequently is — noncompliant devices enter the market. Regulators treat this as a serious failure because documentation checks are fundamental to device safety.
GDPR and Data Handling: The Risk Most EOs Forget
Medical device vigilance and PMS involve personal data. Complaints, incidents, adverse events — all of these may include identifiable information. Under MDR/IVDR, EOs must handle this data securely and according to GDPR.
Many EOs assume GDPR is a marketing issue, not a vigilance issue. That misunderstanding becomes the manufacturer’s liability. GDPR violations can lead to financial penalties, reputational damage, and regulatory scrutiny.
An EO who doesn’t understand GDPR exposes the manufacturer to far more than MDR/IVDR risk.
Insurance: The Safety Net Behind EO Liability
Every EO involved in regulatory responsibilities must carry liability insurance appropriate to the risk of the devices they handle. The logic is simple: if something goes wrong, they must be able to support their legal obligations.
Yet many EOs have insufficient coverage. Some don’t update their policies. Others don’t carry insurance at all. When an incident occurs, lack of insurance becomes a catastrophic gap.
Reputation and RAPEX: The Past Predicts the Future
An EO’s track record matters. If they’ve been cited in RAPEX alerts, involved in recalls, or faced enforcement actions, those events provide valuable insights into how they operate under pressure. Manufacturers sometimes ignore an operator’s history because of personal relationships or commercial convenience.
But regulators don’t ignore history. And neither should manufacturers.
Why Critical Requirements Must Drive EO Selection
Critical Requirements are not just compliance checkpoints. They are predictors of future behavior. Weakness in these areas nearly always indicates broader structural issues. Manufacturers who focus on these requirements first gain insight into the actual maturity of the operator.
The goal is simple: eliminate partners who can’t support your compliance before they jeopardize it.
The Consequence of Ignoring Critical Requirements
Manufacturers who overlook Critical Requirements frequently experience:
Delayed audits
Difficult vigilance reporting
Regulatory findings
Device suspensions
Costly remediation
Reputational damage
These aren’t edge cases. They’re common outcomes of weak EO oversight.
The Bottom Line
Critical Requirements are not optional extras. They are the essential foundation of MDR/IVDR compliance. When manufacturers evaluate and monitor EOs through the lens of Critical Requirements, they build a supply chain that can withstand regulatory scrutiny — and protect patients effectively.
