I remember the first MDR audit I ran as lead RA — felt like climbing the Eiger with half my maps missing. Five years in, the climb is less surprising but the route keeps changing. Here’s what I now tell engineering and product teams when they ask: "Is MDR really different, or are we just doing more paperwork?"
What's actually new (not just louder)
- Stronger regulatory accountability: the PRRC requirement (per Article 15) means someone in your organisation must be demonstrably competent and available for regulatory questions. This is compliance with teeth, not a checkbox.
- Clinical evidence expectations: Annex XIV tightened how you justify residual risk and demonstrate clinical benefits. PMCF is no longer a "nice-to-have" follow-up — it must be planned, proportionate and continuously executed.
- More detailed Technical Documentation: Annex II expects explicit traceability between design inputs, risk controls, verification/validation and post-market data. The structure is the same idea as before, but explicit depth and linkage matter.
- UDI and EUDAMED: UDI is now central to vigilance and market surveillance. EUDAMED exists in practice (and sometimes behaves like it does not), so preparing for the data model and submitting robust, consistent UDI, device and economic operator records is essential.
- Post-market vigilance and periodicity: PSURs and PMS reporting cycles are formalised and expected to inform design decisions in a documented way.
To be fair, none of these are philosophically new: ISO 13485, ISO 14971 and good clinical practice have always driven safety. What MDR does demand is that you make those threads explicit, linked and auditable.
What teams still get wrong (common, and costly)
- "Equivalence will save us." Teams still treat equivalence as a simple shortcut. Under MDR, demonstrating equivalence to a marketed device requires extremely tight technical, biological and clinical comparability. Notified bodies will probe depth, not assertions.
- Treating PMCF as one study. PMCF is a continuous process (Annex XIV), not a single trial. I've seen PMCF plans that read like proposals for a one-off RCT — those typically get questioned for being disproportionate or irrelevant.
- Fragmented traceability. Design outputs, risk controls, clinical inputs and post-market signals must be linked. If your eQMS only stores documents without live-reactive impact analysis, change control becomes a paper chase during an audit.
- Underestimating notified body variation. Notified bodies interpret the MDR differently. There is no single "MDR playbook." If your strategy assumes perfect harmonisation, you will be surprised.
- UDI as a sticker exercise. UDI affects labelling, economic operator records and vigilance data downstream. Delaying UDI implementation until the last sprint causes systemic failures in EUDAMED submission and market surveillance linkage.
- PRRC as an HR formality. Per Article 15, the PRRC must have documented qualifications and authority. A "named engineer" without the paperwork and time allocation is a liability.
Practical steps that actually survive a notified body review
- Start with the Annex II map. Break your Technical File into the Annex II headings, allocate owners, and create a cross-reference table. Use that table with auditors: it shows structure and traceability.
- Link risk controls to evidence. For each risk item (ISO 14971), show the design control, verification/validation evidence, and post-market performance indicators that confirm control effectiveness.
- Make PMCF pragmatic and continuous:
  - Define objectives tied to specific residual risks or uncertainties.
  - Use a mix of passive and active data sources (registries, user feedback, targeted follow-ups).
  - Feed PMCF outputs into PSURs and into design-change decision-making.
- Treat equivalence claims like a product dossier. Document every technical, biological and clinical point of comparison; include rationales where identical data cannot be produced.
- Bake UDI into launch plans. Label revisions, packaging, software updates — plan them early and test the process end-to-end with your supply chain.
- Use your eQMS for traceable workflows. Native workflow integration that connects change control, risk, and clinical data reduces audit friction. Where possible, enable automated CAPAs and AI-assisted CAPA suggestion only as "controlled assistance", so that the output stays reviewable and traceable.
Quick checklist before your next notified body review
- Annex II cross-reference completed and owner-signed.
- PRRC documented with qualifications and availability.
- PMCF plan aligned to Annex XIV objectives, with data sources listed.
- Risk-to-evidence traceability (risk → design control → V&V → post-market indicator).
- UDI plan in place and tested for EUDAMED submission.
- Equivalence claims supported by side-by-side data tables, not assertions.
I say all of this because, in the end, MDR is mostly an insistence on coherence: the documents must speak to each other. If your technical documentation is a pile of well-written PDFs that do not interlink, an auditor will treat them as unrelated artifacts. When everything links — risks, clinical needs, verification, PMCF, CAPAs — audits feel less like a climb and more like walking a well-marked trail.
One practical note from the trenches: notified bodies will ask for evidence that post-market data actually changed something. They want to see the loop closed — data triggers an investigation, CAPA, or design revision. Automated CAPAs or AI-supported CAPA assistance help only if the output is reviewable and traceable.
What's the single MDR-related task that's most painful in your organisation right now — PMCF, equivalence, UDI, traceability, or something else?