Competent Authority (CA)

What it is

Competent Authority (CA) is the national regulator that enforces medical device and IVD laws in its country or region. In the EU/EEA, “competent authority” refers to a Member State authority under MDR/IVDR; in other regions, the role exists under other names (for example, FDA, Health Canada, TGA). CAs watch the market, review vigilance reports, inspect organizations, and, when needed, take action to protect public health.

Regulatory framework

• European Union: CA tasks appear across MDR 2017/745 and IVDR 2017/746, including vigilance (MDR Arts. 87–92; IVDR Arts. 82–87), market surveillance and enforcement (MDR Chapter VII Arts. 93–100; IVDR Chapter VII), clinical investigation oversight (MDR Chapter VI), and coordination with notified bodies (MDR/IVDR Chapter IV).
• United States: FDA is the federal authority; key provisions include FD&C Act §704 (inspections), 21 CFR 803 (Medical Device Reporting), 21 CFR 806 (corrections/removals), 21 CFR 807 (registration/listing), and 21 CFR Part 820/QMSR.
• Canada: Health Canada regulates under Medical Devices Regulations SOR/98-282 (licensing, incident reporting, recalls, and compliance) and accepts MDSAP for QMS evidence.
• Japan: MHLW/PMDA act under the PMD Act with GVP and QMS ordinances (e.g., MHLW Ordinance No. 135/2004 (GVP); No. 169/2004 (QMS)) for approvals, vigilance, and inspections.
• Australia: TGA operates under the Therapeutic Goods Act/Regulations; duties include conformity assessment, ARTG inclusion, post-market monitoring, and enforcement (e.g., Medical Devices Regulations 2002 r. 5.7–5.8).

Key elements

• Legal authority for device and IVD control (EU uses the term “competent authority”).
• Market checks, vigilance review, and risk-based actions (MDR/IVDR Chapter VII; 21 CFR 803/806).
• Inspections of manufacturers, importers, and suppliers; review of technical files and records.
• Enforcement powers: require corrections, restrict or stop supply, mandate recalls, and apply penalties as allowed by law.
• Coordination with notified bodies (EU) and with other regulators when risks cross borders.

Process — how it works

• Monitor: Track signals from PMS/PSUR, vigilance reports, complaints, and FSNs; then prioritize by risk.
• Assess: Check the legal basis and urgency; classify the issue and decide the next step.
• Inspect: Perform on-site or remote reviews; request technical documentation and objective evidence.
• Decide: Issue findings and set required actions (for example, CAPA, FSCA/recall, labeling updates).
• Enforce & follow up: Verify completion, escalate if needed, and share information with other authorities.

Common pitfalls

• Using “competent authority” outside the EU/EEA context instead of the correct local term “regulatory authority.”
• Late or incomplete vigilance submissions that miss legal timelines.
• Weak technical files during inspections (gaps to MDR Annex II/III or required 21 CFR records).
• Assuming notified body decisions equal CA approval or acceptance in the EU.
• Poor recall/FSCA planning and weak traceability that slow containment.

Quick checks

• Map each product and site to the right authority and list your legal duties.
• Stage vigilance and recall packs in advance (event codes, risk rating, FSN templates) to meet deadlines.
• Keep inspection-ready technical files, PMS evidence, UDI, and training/records up to date.
• Use clear terms internally: EU “competent authority” vs US “FDA,” CA “Health Canada,” AU “TGA,” JP “MHLW/PMDA.”