Key Takeaways
- ISO 13485 is the operational foundation of medical device compliance - both EU MDR and FDA require a Quality Management System aligned with this standard. Without it, neither certification pathway is accessible.
- EU MDR and FDA are separate regulatory processes that run in parallel, not in sequence. Shared technical documentation helps, but each market has distinct procedures, classifications, and submission requirements.
- Software that performs a medical function is a medical device. Both MDR and FDA apply to SaMD regardless of whether it runs on hardware - intended use determines regulatory scope.
- How you define what your device does is a regulatory decision. Claims around diagnosing, monitoring, or treating directly determine device class and the documentation burden that follows. Teams that define intended use late often can't certify cost-effectively.
- QMS implementation typically takes 6–12 months before certification is even feasible. Starting in parallel with product development is the practical approach - treating it as a post-build step is one of the most common and costly mistakes.
- Certification doesn't end at market entry. Both EU and US frameworks require ongoing surveillance, post-market reporting, and continuous QMS operation. Getting certified is the start of a compliance program, not the finish line.
Ask most health tech teams what they need to certify a medical device, and you'll get one of two answers: a blank look, or a list of acronyms (ISO 13485, MDR, CE mark, 510k, PMA) delivered with varying degrees of confidence.
The acronyms are real. The confusion about how they relate is also real. This article maps the three main certification systems, ISO 13485, EU MDR, and FDA, and explains how they work together.
Why Medical Devices Are Regulated Differently
Medical device certification isn't bureaucratic overhead. It exists because medical devices occupy a category where the consequences of failure can be permanent and severe, and where end users (patients, clinicians) typically lack the information to evaluate safety themselves.
Governments have determined that in this category, the principle that guides innovation should be: safety first, novelty second. New capabilities must be demonstrated against evidence, not just declared. This is why medical device compliance is compulsory, not a certification a company can choose to pursue or skip depending on market strategy.
If a company sells, distributes, or in some jurisdictions even uses a medical device without appropriate certification, the legal consequences can include criminal liability. For companies building health tech products for regulated clients, understanding this baseline is important even when your organization isn't the manufacturer of record.
The good news: the EU and US markets together represent the regulatory standard that most of the world follows. Companies that meet EU and US requirements can generally access most other markets with limited additional work.
The Three Systems: What Each One Is
ISO 13485: The Quality Standard
ISO 13485 is an international standard, not a regulation. It defines requirements for a Quality Management System (QMS) specifically for the medical device industry. It's developed and published by ISO (International Organization for Standardization), an independent body based in Geneva.
ISO 13485 is the operational foundation of medical device development. It governs how a company designs, develops, tests, documents, and monitors its devices. A company certified to ISO 13485 has had its QMS independently audited and confirmed to meet the standard.
EU MDR: The European Legal Framework
EU Medical Device Regulation (EU 2017/745) is a regulation with legal force across all EU member states. It defines what a medical device must demonstrate before it can be placed on the European market. Successful MDR conformity assessment results in CE marking.
MDR explicitly requires manufacturers to operate a QMS compliant with ISO 13485. So ISO 13485 certification isn't parallel to MDR. It's embedded in it. MDR also references harmonized standards (mostly ISO standards) and MDCG guidances that fill technical gaps.
FDA: The US Regulatory Body
The US Food and Drug Administration is a government agency with authority over medical devices sold in the US market. Unlike MDR, which uses accredited private notified bodies, the FDA manages the certification process directly.
FDA has its own Quality System Regulation that overlaps significantly with ISO 13485, though the two aren't identical. FDA also has its own guidances that in some cases modify or extend harmonized standards, meaning a company that meets an ISO standard must also verify it meets FDA's interpretation of that standard.
How the Three Systems Connect
The relationship between ISO 13485, MDR, and FDA is best understood as layered rather than parallel.
ISO 13485 is the base layer. Both EU MDR and FDA approval require quality management systems that align with (or are equivalent to) ISO 13485. A company without a functioning QMS cannot obtain MDR certification or FDA clearance. In practice, most companies pursuing either market will implement ISO 13485 as the foundation.
MDR and FDA are market-specific regulatory layers built on top. Each has its own procedures, submission formats, device classification systems, and enforcement mechanisms. Meeting one does not automatically satisfy the other. The technical evidence overlaps substantially, but the regulatory processes are separate.
The practical implication: a company building a medical device for both the EU and US markets will typically:
1. Implement a QMS to ISO 13485 standard
2. Develop the device within that QMS (with documentation satisfying both MDR and FDA requirements where possible)
3. Pursue EU MDR conformity assessment through a notified body (to obtain CE mark)
4. Pursue FDA clearance or approval through the appropriate pathway (510k, De Novo, or PMA)
Steps 3 and 4 are parallel, not sequential. Many of the underlying technical documents are shared, but each regulatory pathway has distinct requirements.
Key Differences Between the EU and US Systems
Notified bodies vs. direct government oversight.
EU MDR uses private companies (notified bodies) accredited by national authorities. FDA is a government agency that handles review internally. The EU model creates more variation: different notified bodies have different wait times, capacities, and interpretation styles. The FDA model is more centralized but can be influenced by policy and political priorities in ways private notified bodies cannot.
Guidances: filling gaps vs. modifying standards.
In the EU, MDCG guidances fill gaps that harmonized standards don't cover. In the US, FDA guidances can actually modify or extend requirements beyond what a harmonized standard specifies. This means a US-market device may need to meet requirements that go beyond what the corresponding ISO standard states.
510k and the predicate system.
The EU has no direct equivalent of 510k. In the US, most Class II devices are cleared by demonstrating substantial equivalence to a previously cleared predicate device. This predicate-based system doesn't exist in EU MDR. European manufacturers must demonstrate conformity with applicable standards and requirements directly.
Timeline and cost.
Both systems can be time- and cost-intensive, but the ranges differ. FDA 510k submissions aim for a 90-day review. EU MDR notified body assessments can take 6 months to 2+ years depending on device class and body capacity. Cost structures vary significantly by device complexity and class.
What This Means for Health Tech Teams
Software as a Medical Device (SaMD) is fully in scope. Both MDR and FDA apply to software that performs a medical function, not just hardware. The intended use of your application determines whether it's classified as a medical device and under which class.
Intended use is a regulatory decision, not a marketing one. The claims you make about what your device does (diagnose, monitor, treat, compensate) determine your device class, applicable standards, and documentation requirements. Teams that define intended use late in development often discover they've built something they can't certify cost-effectively.
QMS implementation takes time. Whether you're pursuing MDR, FDA, or both, implementing ISO 13485-compliant processes from scratch typically takes six months to a year before certification is even feasible. Teams that start QMS implementation in parallel with product development fare significantly better than those that treat it as a post-development project.
Certification is not a one-time event. Both MDR certification (through notified body) and FDA clearance require ongoing compliance: surveillance audits, post-market reporting, and continuous QMS operation. The certification gets you to market; maintaining it is an ongoing operational commitment.
A Note on Market Scope
The EU and US markets are the two most demanding regulatory environments for medical devices globally. Other major markets (Japan, Canada, Australia) each have their own requirements, but they frequently accept evidence packages and technical documentation developed for EU MDR or FDA as a starting point.
Companies that navigate EU and US certification successfully are generally well-positioned to access additional markets with targeted supplementary work rather than starting from scratch.
For a structured 25-minute walkthrough of how ISO 13485 certification, EU MDR, and FDA actually work and what they require from your team before they affect your roadmap, the recording is available on demand.
Watch: ISO, MDR & FDA: Medical Device Certification Explained





