How to Choose the Right Authorised Representative (AR) Under EU MDR/IVDR

Written By Ishbel Watson

Introduction 

Selecting an Authorised Representative (AR) is one of the most strategically significant decisions a non-EU medical device manufacturer will make when entering or maintaining access to the European market. Under the Medical Device Regulation (MDR, Regulation (EU) 2017/745) and the In Vitro Diagnostic Medical Device Regulation (IVDR, Regulation (EU) 2017/746), the role of the AR has shifted from a largely administrative intermediary to a deeply embedded regulatory actor with legal liability, defined responsibilities, and a direct relationship with Competent Authorities (CAs). 

Despite the scale of this transformation, many manufacturers still approach AR selection as a commercial procurement task, prioritising cost and convenience rather than capability and compliance maturity. This often results in manufacturers exposing themselves to substantial risk—regulatory, financial, and reputational—because they rely on an AR unprepared for the scrutiny, documentation requirements, and vigilance obligations imposed under the MDR/IVDR. 

This blog provides an academically grounded, methodologically rigorous, and operationally practical framework for selecting an Authorised Representative under MDR/IVDR. Drawing upon the “Best Economic Operators” (BEO) model— which uses weighted, risk-based criteria and identifies Critical Requirements— this article explains how manufacturers can evaluate and compare ARs using objective, evidence-based indicators. The goal is to empower manufacturers to make defensible, audit-ready decisions that prioritise compliance, safety, and long-term regulatory resilience. 

1. The Evolving Role of the AR Under MDR/IVDR 

The Authorised Representative is the manufacturer’s legally appointed representative in the EU. Under Article 11 of both the MDR and IVDR, the AR must act as the regulatory interface between the manufacturer and EU Member State authorities. This includes obligations that are not optional, not delegable, and not negotiable. 

What distinguishes the AR under MDR/IVDR from previous frameworks is the  explicit allocation of liability. Article 11(5) of the MDR and IVDR establishes that the AR may be held legally liable for defective devices if the manufacturer is non-compliant. This shared liability fundamentally redefines the relationship between the manufacturer and the AR, shifting it from a simple commercial arrangement to a form of regulatory partnership. 

An inadequate AR jeopardises not only market access, but also the manufacturer’s legal position.

For example: 

  • If the AR fails to transmit vigilance reports in a timely manner, the manufacturer remains accountable. 

  • If the AR cannot provide technical documentation during a CA inspection, the manufacturer may face penalties or corrective action. 

  • If the AR mismanages a field safety corrective action (FSCA), the manufacturer may be held responsible for failures in communication. 

Therefore, selecting the correct AR is not a back-office administrative task, but a crucial component of the manufacturer’s quality management system and global regulatory strategy. 

2. Understanding the Legal Mandate: What the AR Must Do 

The MDR/IVDR impose clear and legally binding obligations on the Authorised Representative. Any AR incapable of fulfilling these obligations should immediately be excluded from consideration. 

Key responsibilities include: 

Verification Obligations: 

The AR must confirm that technical documentation, the EU Declaration of Conformity (DoC), CE marking, UDI assignment, and conformity assessment procedures are in place before the device is placed on the market. This verification obligation is ongoing; the AR must verify updates to documentation and ensure continued compliance. 

Cooperation with Competent Authorities: 

The AR must maintain readiness to respond to CA requests “on all matters relating to the device.” This means the AR must have organisational processes in place to retrieve documentation swiftly and provide detailed explanations of compliance strategy. 

Vigilance and PMS: 

The AR receives incident reports and executes communication obligations with CAs for serious incidents and FSCAs. The AR must have procedures for timely reporting—often within days. 

Document Retention: 

The AR must hold copies of technical documentation for 10–15 years, depending on device classification. This demands systematic archiving, cybersecurity measures, and redundancy. 

Termination Obligations: 

If the AR terminates the mandate, it must inform the CA—and the manufacturer must appoint a new AR without disrupting compliance. 

Each of these obligations must be explicitly reflected in the AR’s internal processes. Manufacturers must therefore assess not only whether the AR claims compliance, but whether it has robust systems for executing these obligations in practice. 

3. Critical Requirements: The Non-Negotiables in AR Selection 

Using the BEO weighted model, the following items are designated Critical Requirements. These are mandatory for a Preferred AR classification and reflect elements that regulators scrutinise most deeply. 

3.1 A Compliant and Comprehensive Mandate 

The mandate must explicitly reference Article 11(3) and define the respective responsibilities, including authority to act on behalf of the manufacturer. A vague or generic mandate signals regulatory immaturity. 

3.2 EUDAMED SRN Registration 

A legitimate AR must possess a valid Single Registration Number. Any AR without an SRN is either non-functional, non-compliant, or inexperienced. 

3.3 Technical File Verification Process 

The AR must have a documented process for verifying technical documentation, CE marking, DoC presence, and label conformity. An AR that performs superficial checks is a compliance risk. 

3.4 Vigilance Capability 

The AR must maintain: 

  • time-bound escalation procedures (2–10 days)

  • trained personnel

  • documented vigilance SOPs

  • communication pathways with the manufacturer and CA. 

Failures in vigilance communication have led to multiple regulatory actions. 

3.5 GDPR & Data Protection Compliance 

Because vigilance may involve personal health data, the AR must demonstrate GDPR alignment, evidence of training, privacy policies, and security measures. If UK-based, ICO registration may also be expected. 

3.6 Appointment of a Qualified PRRC 

Under Article 15, the PRRC ensures regulatory compliance. An AR without a qualified PRRC is unfit for MDR/IVDR operations. 

3.7 Adequate Liability Insurance 

Under Article 10(16), manufacturers must ensure that EOs—including ARs— carry adequate liability insurance. Insurance gaps could expose both the AR and manufacturer to significant financial liability. 

3.8 Regulatory Reputation and Past Performance 

Any AR with sanctions, RAPEX alerts, or significant compliance deviations should be considered high-risk. 

If any of these Critical Requirements are not met, the manufacturer should not consider the AR a suitable partner. 

4. Evaluating the AR’s Quality System: Beyond the Minimum 

An AR's compliance maturity is strongly reflected in the robustness of its quality management system. Manufacturers should seek evidence of structured SOPs, regulatory training, CAPA processes, supplier controls (if outsourcing activities), and the ability to manage Competent Authority inspections. 

4.1 Alignment with ISO 13485 

Although certification is not mandatory, ISO 13485 alignment demonstrates organisational discipline. The AR should be able to show process flowcharts, training logs, SOPs, change control records, and auditing activity. 

4.2 CAPA Processes 

Weak ARs treat CAPA as an afterthought. Mature ARs treat CAPA as a central mechanism for continuous improvement and risk management. 

4.3 Competency Management 

Regulatory compliance is personnel-driven. Manufacturers must assess whether AR staff possess the necessary training, qualifications, and ongoing education. 

5. Operational and Communication Competence 

Even a technically competent AR is useless if it cannot manage operational demands. 

An effective AR must demonstrate: 

  • reliable communication mechanisms

  • multilingual capacity

  • documented response times

  • clear reporting pathways

  • readiness for unplanned regulatory events

Operational performance is a leading indicator of how the AR will function under stress, such as during a CA investigation or an FSCA. 

6. Using a Weighted Evaluation Framework to Select an AR 

The BEO framework uses weighted criteria that reflect regulatory risk, operational importance, and organisational maturity. This method treats AR selection as an objective evaluation rather than a commercial negotiation. 

Because the model is binary (compliant vs. non-compliant) and weighted according to regulatory importance, it produces: 

  • repeatable results

  • clear audit trails

  • defensible selection rationale

  • quantifiable risk levels

  • transparent communication with internal stakeholders

The tier system (Preferred, Approved, Conditional) further supports supplier qualification processes. 

Conclusion 

Choosing an Authorised Representative is not an administrative task. It is a foundational regulatory decision with profound consequences for compliance, safety, and market continuity. A structured, weighted, and evidence-based evaluation—such as the BEO framework—ensures that manufacturers select ARs capable of meeting legal obligations, supporting vigilance processes, and safeguarding patient safety. 

An AR is not a vendor. It is a strategic partner in regulatory compliance. 

Manufacturers who recognise this will be best positioned to maintain stable EU market access under the MDR and IVDR. 

Ishbel Watson https://www.designbyish.com/
Previous

Selecting the Right Importer Under the EU MDR/IVDR