Articles

Navigating the 2026 EU MedTech Overhaul

Navigating the 2026 EU MedTech Overhaul: MDR/IVDR Simplification, the AI Act and EUDAMED

The EU is reshaping its MedTech framework. Between MDR/IVDR simplification, the Digital Omnibus (including the AI Act) and mandatory EUDAMED use in 2026, manufacturers now face a new set of risks and opportunities that need to be managed together, not in isolation.

2026 at a glance

Simplification of MDR/IVDR to reduce bottlenecks and protect device availability.
Digital Omnibus package aligning the AI Act, GDPR and related rules with sectoral law.
EUDAMED becoming a non-negotiable gateway for EU market access.

Pillar 1

MDR/IVDR Simplification ("Health Package")

Targets notified body bottlenecks, administrative burden and device availability, with a more risk-based approach to oversight and recertification.

Pillar 2

Digital Omnibus & AI Act Alignment

Aligns AI Act, GDPR, Data Act and NIS2 with MDR/IVDR so digital and AI-enabled devices follow one integrated assessment track.

Pillar 3

EUDAMED as a Core Infrastructure

Makes EUDAMED the central source of truth for actors, devices, certificates and market surveillance, with hard deadlines in 2026.

1. Why the EU Is Reforming Its MedTech Framework

MDR and IVDR were introduced to raise the bar on patient safety and traceability. In practice, the way they were implemented created structural problems that hit manufacturers and healthcare systems hard, especially for small and medium-sized enterprises (SMEs).

Four issues in particular pushed the Commission to act:

Notified body bottlenecks: Too few designated notified bodies created long, unpredictable queues. New and legacy devices struggled to obtain or renew certificates in time, with direct impact on patient access.
Disproportionate administrative burden: Documentation and process requirements increased sharply. For many manufacturers the main barrier became not clinical evidence, but the time and cost of navigating the system.
Risk to device availability: High recertification costs and uncertainty made it hard to justify keeping smaller or lower-margin devices on the EU market, even when they were safe and clinically useful.
Pressure on innovation: A complex and unpredictable pathway made the EU less attractive as a launch region for new technologies, echoing concerns raised in the Draghi Report about competitiveness.

The legislative response is therefore not a minor update. It is a structured attempt to restore predictability, protect availability of safe devices and make the EU a more workable base for MedTech innovation.

2. Two Main Legislative Packages to Watch

The Commission’s response is organised around two legislative pillars that affect almost every MedTech company operating in or selling into the EU.

Legislative Package	Core Objective
MDR/IVDR Simplification Proposal ("Health Package")	Fix structural problems in MDR/IVDR: reduce unnecessary administrative burden, stabilise notified body capacity and protect device availability without lowering safety expectations.
Digital Omnibus Package	Align the AI Act, GDPR, Data Act, NIS2 and related digital rules with sector-specific frameworks so AI-powered and data-driven devices face one coherent set of obligations.

The next sections look first at the MDR/IVDR simplification itself, then at the Digital Omnibus and its impact on AI and data-driven MedTech, and finally at the concrete EUDAMED obligations landing in 2026.

3. MDR/IVDR Simplification: What Changes for Manufacturers

The simplification proposal was adopted by the Commission on 16 December 2025 and will now move through the ordinary legislative procedure. Final adoption and entry into force are expected around 2026. Manufacturers should already be adjusting their regulatory roadmaps so the transition is planned, not reactive.

3.1 Conformity Assessment and Certification

Legally binding notified body timelines: The proposal introduces maximum timelines for key notified body activities during certification and re-certification, such as technical documentation assessment, QMS audits and final decision-making. Once these limits apply, the main variable will be how complete and robust your submission is on day one.
No more mandatory 5-year recertification cycle: The removal of the fixed five-year certificate validity shifts the focus to continuous oversight via post-market surveillance (PMS), surveillance audits and change control, instead of periodic full re-assessments.
Clearer proportionality for well-established technologies (WETs): A formal legal definition of well-established technology devices gives manufacturers with long-standing, stable products a more predictable, proportionate conformity assessment route.
Removal of "sell-off" deadlines: Previous rules that could have forced safe devices to be removed from supply chains purely because of expiry dates on certificates are being removed, reducing the risk of artificial shortages.

3.2 Post-Market Surveillance (PMS) and Vigilance

More risk-based PSUR frequency: Periodic Safety Update Report (PSUR) frequency can be adjusted based on device risk class and the stability of available data, rather than defaulting to annual updates for all higher-risk devices.
Clarified vigilance responsibilities: The division of tasks between competent authorities and notified bodies for incident assessment is clarified, limiting duplicate review of the same vigilance data.
Simplified change notifications: Notified bodies will have to distinguish between changes that require prior approval and those that do not, with the option to agree predetermined change control plans that give manufacturers more flexibility over product lifecycle changes.

3.3 Innovation, Niche Devices and Expert Support

Regulatory sandboxes: Controlled environments where innovative devices can be developed and tested with closer regulatory guidance, giving clearer conditions for breakthrough technologies.
Stronger role for expert panels and EMA: Expanded advisory functions, including early advice for high-risk IVD performance evaluation, and additional technical support from the European Medicines Agency.
Support for orphan devices: Grandfathering provisions help keep orphan devices for small patient populations on the market when they were already CE marked under the former Directives.

4. The Digital Omnibus: AI, Data and One Coherent QMS

For AI-enabled devices and data-driven solutions, the Digital Omnibus is just as important as the MDR/IVDR changes. It aims to resolve overlap and conflict between the AI Act, GDPR and sector-specific rules so companies can build one integrated compliance system instead of several parallel ones.

4.1 AI Act and MDR/IVDR

Extended timelines for high-risk AI: Compliance dates for high-risk AI systems that are medical devices are extended, with long-stop dates around 2027–2028 depending on the use case. This gives manufacturers more time to embed AI Act requirements into existing device development and assessment processes.
Sectoral assessments take precedence: AI Act obligations can be fulfilled within MDR/IVDR conformity assessment, avoiding a second, standalone assessment track.
Single QMS for devices and AI: A single quality management system can cover MDR/IVDR and AI Act obligations, reducing the risk of duplicated procedures and documentation.
Clarification on R&D and testing: Guidance on research and pre-market testing is planned so AI Act obligations do not unduly constrain clinical studies and real-world testing before market placement.

4.2 GDPR and Data Use for AI

Legitimate interest for AI training: Processing personal data to develop or operate AI systems, including for bias detection and correction, can be based on legitimate interest where appropriate safeguards are in place.
Handling health data: Incidental processing of special category data, including health data, is permitted for AI development when done under clear safeguards.
Pseudonymised data and identifiability: Pseudonymised data will not always be considered personal data for an entity that has no realistic means to re-identify individuals, giving more legal certainty for large health datasets.

5. EUDAMED: Non-Negotiable Deadlines in 2026

While simplification measures and digital alignment will take time to work through the legislative process, EUDAMED deadlines are much closer. For many manufacturers, 2026 will be defined by how well they manage EUDAMED implementation.

5.1 Mandatory Modules and Core Deadlines

From 28 May 2026, use of the following EUDAMED modules becomes mandatory:

Actor Registration
UDI & Device Registration
Notified Bodies & Certificates
Market Surveillance

Deadline	Obligation	Practical Impact
From 28 May 2026	All new MDR/IVDR devices must be registered in EUDAMED before being placed on the EU market.	EUDAMED registration becomes a standard gateway step for new product launches.
By 27 November 2026	Legacy MDD/AIMDD/IVDD devices that remain on the market must be registered in EUDAMED.	Requires a structured data migration and clean-up project for existing portfolios; missing the deadline affects ongoing sales.

5.2 Practical EUDAMED Readiness Checklist

To keep EUDAMED manageable, treat it as a defined project with clear workstreams rather than an open-ended task list.

Secure your Single Registration Number (SRN): Actor registration is the entry point. Non-EU manufacturers must ensure the link to their EU authorised representative is validated early to avoid delays.
Audit UDI data governance: Go beyond basic field validation and look at how UDI data is owned, generated and maintained. Errors in Basic UDI-DI grouping can quickly affect certificates and vigilance.
Prioritise new and legacy devices: Protect your innovation pipeline by planning EUDAMED registration for upcoming launches, while in parallel building the data set for legacy devices ahead of the November 2026 deadline.
Assess machine-to-machine (M2M) options: For larger portfolios, manual data entry is not sustainable. Consider M2M integrations between your ERP/PLM systems and EUDAMED.
Align internal procedures: Update QMS, PMS and vigilance procedures so they reflect EUDAMED data submission and reporting flows rather than treating the database as an add-on.

6. What MedTech Leaders Should Do Next

The direction of travel is clear: a more risk-based, data-driven and predictable system. The companies that will benefit most are those that combine good technical documentation with early planning for new rules and digital infrastructure.

In practical terms, leadership teams should focus on:

Reframing financial planning: Move from large, periodic recertification costs towards stable, ongoing investment in PMS, change control and documentation quality.
Investing in submission-ready files: With fixed notified body timelines, the quality and completeness of your first submission becomes a direct driver of time to market.
Executing a clean EUDAMED transition: Treat 2026 deadlines as non-negotiable for both new and legacy products. A controlled transition protects revenue and avoids last-minute disruption.
Strengthening notified body dialogue: Use structured discussions to align on clinical strategies, change control approaches and the use of sandboxes or expert advice where appropriate.

Sources & Further Reading

European Commission communications and proposals on MDR/IVDR simplification ("Health Package").
Digital Omnibus and AI Act alignment documents and associated guidance.
EU-level summaries on AI Act timelines for high-risk systems, including medical devices.
European Commission information on EUDAMED modules, functionality and mandatory use dates.
Industry position papers and analyses on EU MedTech competitiveness and regulatory burden.