Proposed amendment to the MDR: what changes for vigilance and surveillance

In December 2025, the European Commission presented a proposal to amend Regulation (EU) 2017/745 (Medical Device Regulation, MDR) and, in parallel, Regulation (EU) 2017/746 (In Vitro Diagnostic Medical Devices Regulation, IVDR), with the aim of addressing a number of critical issues that have emerged during the application of the Regulations, while maintaining an unchanged level of public health protection. The proposal is currently undergoing the European legislative process and may be further amended prior to its final adoption.

This article has a specific objective: to provide professionals with an operational and interpretative guide to the proposed amendments relating to vigilance and post-market surveillance, clarifying in concrete terms what changes compared to the current MDR framework and what the practical implications are for manufacturers and service providers.

The revision of the MDR is based on a targeted evaluation carried out by the European Commission on the MDR and IVDR, which highlighted that, alongside the benefits in terms of safety, a number of structural shortcomings have emerged. In particular, implementation experience has shown an administrative burden that is often disproportionate, especially for SMEs, fragmentation of application practices across Member States, and operational difficulties in the uniform implementation of requirements.

In this context, vigilance and post-market surveillance are areas in which the Commission has chosen to intervene through targeted adjustments. The objective is not to rewrite the architecture of the MDR, but to clarify regulatory expectations, strengthen system coherence and improve the use of data generated after placing devices on the market.

The proposal significantly strengthens the role of post-market surveillance, increasingly qualifying it as a structured decision-making process rather than a mere data collection activity. It clarifies that PMS must be based on analysis criteria defined by the manufacturer and consistent with the device, its risk profile and the relevant clinical context.

The proposal does not introduce prescriptive criteria or standardised methodologies for PMS data analysis, nor does it establish mandatory numerical thresholds. The regulatory message is different and more substantive: the manufacturer must be able to demonstrate that evaluation criteria have been defined, applied in a systematic and reproducible manner, and used as the basis for decision-making. This means being able to explain which data are considered relevant, how they are interpreted over time and how such assessments do or do not lead to the adoption of preventive or corrective actions.

From an operational perspective, the focus therefore shifts from the mere existence of a formally compliant PMS plan to the demonstrability of the decision-making process linking data, assessments and decisions. PMS thus takes the form of a continuous, documented and verifiable process that can be assessed on its merits by competent authorities.

Within this framework, the proposal also recalls the principle of proportionality of the quality management system, which must ensure compliance in an effective manner appropriate to the risk class and type of device. In particular, the explicit objective is to reduce duplication of activities and documentary deliverables, while maintaining the system’s ability to detect and manage clinical risks.

In line with this approach, a significant documentary simplification is introduced: the results of Post-Market Clinical Follow-up (PMCF) activities may be integrated directly into the updated clinical evaluation report, avoiding the need to draw up a separate PMCF report. For those managing PMS and vigilance, this reinforces the integration between post-market clinical data, clinical evaluation and safety decisions, reducing formal duplication without weakening oversight of device safety.

You might be interested in: MDR Post market surveillance: manufacturers requirements and obligations

The Periodic Safety Update Report (PSUR) is also subject to a targeted revision. The proposal introduces greater proportionality in the frequency of updates, linking it to the device risk class and the evolution of the benefit-risk profile.

In the current wording of the proposal, for class IIb and III devices under the MDR (and for class C and D devices under the IVDR), the PSUR should be updated after the first year following certificate issuance and subsequently on a biennial basis, rather than annually, as well as in the event of significant changes to the benefit-risk balance.

For class IIa devices, the update would no longer be subject to a predefined minimum frequency (currently biennial), but required only when necessary, with a significant reduction in administrative burden for medium- to low-risk products. As this is a legislative proposal, these frequencies may be subject to further adjustment during the adoption process.

At the same time, the role of the PSUR within the surveillance system is strengthened. The document becomes structurally part of the technical documentation and one of the elements examined as part of notified bodies’ surveillance activities. For class III devices and class IIb implantable devices under the MDR, as well as class D devices under the IVDR, the proposal also provides that manufacturers and notified bodies make the PSUR and the related assessment available to competent authorities through the European database on medical devices (Eudamed).

Operationally, this implies that the PSUR can no longer be considered an isolated document, but must coherently and consistently reflect PMS data, integrate vigilance information and trend reporting results, and provide a reliable overview of the device’s safety status over time. Reduced formal rigidity is therefore offset by greater responsibility for the quality and coherence of content.

The proposal also intervenes in a targeted manner on the vigilance system, with particular reference to event classification and reporting timelines. A graduated structure of notification timelines for serious incidents is maintained, while greater proportionality is introduced.

In particular, for certain types of serious incidents that do not constitute a serious public health threat and do not involve death or serious deterioration of health, the maximum reporting timeframe may be extended to up to thirty days from the moment the manufacturer becomes aware of the event. This intervention does not reduce vigilance obligations, but requires a more robust initial classification of the event and documentation of the rationale justifying the application of extended reporting timelines.

From a practical perspective, the proposal aims to reduce notifications submitted solely out of excessive caution, favouring more targeted, higher-quality reports based on solid and traceable initial assessments. In parallel, it is clarified that the assessment of information on serious incidents should, where possible, take place in a coordinated manner at national level by competent authorities, in dialogue with the manufacturer, strengthening consistency of decisions and reducing fragmented approaches among Member States.

The proposal further reinforces the distinction between serious incidents, expected undesirable side-effects and trend reporting activities. Serious incidents remain events that, by their nature and clinical impact, fall within the scope of vigilance with defined notification obligations and timelines. Expected undesirable effects, if consistent with the known risk profile of the device, must be monitored within PMS without automatically generating vigilance reports. Trend reporting assumes a distinct and complementary role, enabling the detection of statistically significant increases in the frequency or severity of known events, even in the absence of individual serious incidents.

In particular, it is clarified that not every post-market signal automatically triggers vigilance obligations, and that reporting to authorities must be the result of a structured assessment of the event.

Operationally, this strengthened distinction implies that PMS, vigilance and trend reporting can no longer be managed as overlapping or indistinct flows. Instead, the manufacturer is required to demonstrate correct event classification, conscious selection of the appropriate regulatory channel, and documentation of the rationale underlying these decisions. The distinction between categories is therefore not merely conceptual, but has direct consequences for applicable obligations, reporting timelines and the overall defensibility of the vigilance system.

With regard to market surveillance, the proposal strengthens coordination at European level, including through a more explicit role of technical, scientific and administrative support by the European Medicines Agency (EMA) to national competent authorities. This strengthening aims to improve harmonisation of vigilance and market surveillance activities across Member States.

To this end, the proposal provides that the EMA may access Eudamed and, where necessary, national electronic systems, enhancing centralised analytical capacity and coordination among competent authorities. Competent authorities are required to plan control activities on the basis of coordinated annual programmes, systematically taking into account vigilance data, PMS information and complaints or non-compliances identified.

Operationally, this approach means that the quality, consistency and traceability of post-market data will directly influence exposure to targeted controls and inspections. PMS, vigilance and PSUR thus become central elements of an increasingly risk-based and data-driven surveillance model.

The proposal extends the scope of vigilance to new risk profiles, in particular those related to cybersecurity and artificial intelligence. In practical terms, these provisions apply to medical devices and IVDs that incorporate software, connectivity or artificial intelligence systems, where digital risks may affect the safety, performance or correct use of the device. Relevant cybersecurity vulnerabilities and incidents are brought within the scope of medical device vigilance, with the objective of ensuring a structured management of digital risks.

The proposal also introduces specific attention to cybersecurity events which, although not qualifying as serious incidents under traditional medical vigilance, may have an impact on device safety. In this context, the vigilance system is required to interface with European cybersecurity actors, fostering cooperation with Computer Security Incident Response Teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA), in order to ensure coordinated management of vulnerabilities and digital incidents.

In such cases, reporting should take place via Eudamed within defined timelines and, according to the current wording of the proposal, also involve European cyber incident response mechanisms. For professionals, this effectively introduces a new vigilance flow, distinct from traditional clinical vigilance, requiring appropriate skills, processes and tools for the structured management of digital risks. These operational aspects may be further refined during the legislative process.

For devices falling within the category of high-risk artificial intelligence systems, coordination is envisaged between competent authorities under the MDR and those responsible for surveillance under the AI Act. No parallel systems are introduced; instead, integration between the different regulatory frameworks is reinforced.

Alongside interventions directly relating to vigilance and post-market surveillance, the proposal introduces certain amendments which, while formally located in other areas of the MDR, have a direct impact on the day-to-day activities of those responsible for vigilance and PMS, as they affect the interfaces between documentary compliance and real patient safety.