Blogs

To build or to buy: evaluating options for Regulatory Information Management

Wendy Levine

December 6, 2022

4 min read

Your regulatory team needs dedicated software to manage market entry activities, maintain regulatory integrity, and ensure post-market compliance. While small medtech companies often start out managing regulatory data in spreadsheets, this quickly becomes unwieldy.

Can you develop a system that tracks product information and registration expiration dates? Yes, absolutely – especially if your medical device company has internal software development capabilities as part of your IT team. However, a strong RIM system will also give you the ability to completely manage market entrance documents and regulatory workflows. And building a RIM system will also require significant input from your regulatory and quality teams, in addition to IT resources.

Admittedly, we are a bit biased here, but this is the reason we started Rimsys – to create regulatory order in the medtech community and help regulatory professionals automate processes and digitize information so that they can spend more time on activities that truly make a difference for their organizations.

Before you begin a project to build your own RIM system, or to modify an existing system to meet regulatory needs, consider the entire size and scope of the project. This article discusses the common areas where custom-built RIM projects can run into unanticipated costs or issues.

Meeting software regulatory requirements

RIM systems are the source of information used by your regulatory team to provide accurate and timely information to regulators and auditors to ensure that your organization is compliant with existing regulations. This means that the software system itself needs to meet certain requirements. To ensure a compliant and secure RIM system, you need the following:

ISO 9001 certification

Your organization may already be ISO 9001 certified, but in developing your own software to manage internal data and processes, you are greatly expanding the scope of your ISO 9001 project.

ISO/IEC 27001 certification

ISO/IEC 27001 is the global standard for information security management, including data protection and cyber security and resilience. You will need to obtain ISO/IEC 27001 certification for your RIM system.

21CFR Part 11 compliance (US) and EU annex 11 (EU)

21 CFR Part 11 is the portion of US federal regulation that addresses electronic records and electronic signatures as related to FDA processes and documents. The EU Annex 11 is the equivalent regulation in the EU. A good RIM system is designed with Part 11 and Annex 11 compliance in mind and can easily be validated to the regulations. You will need to demonstrate procedures that ensure all electronic records kept in the RIM system are controlled, authentic, and can be verified. Features such as data audit trails and specific electronic signature requirements need to be implemented.

SOC II Type 2

SOC II Type 2 may be used in place of ISO/IEC 27001 to demonstrate suitable data security, particularly in cloud-based systems. SOC II Type 2 reports prove a company’s controls, but are not a certification provided by an independent registrar. SOC II Type 2 also requires an Informational Security Management System (ISMS), which is the framework focused on risk management and risk mitigation.

GDPR compliance (EU)

While often associated with email marketing activities, the EU General Data Protection Regulation requires companies that store any information about an EU citizen to have specific safeguards in place. In particular, if your RA team includes EU citizens then their personal data is subject to GDPR and, among other things, they have the right to request their data is deleted from the system if they leave the company. All personal data needs to be protected from outside access as well.

Reducing overall cost of ownership

Building a RIM system from scratch or building RIM features into a QMS or PLM system is not a one-time endeavor. Consider the following on-going activities that will be required:

Addressing regulatory changes

Global medtech regulations are constantly changing. For example, Rimsys created an entirely new module to handle Unique Device Identifier (UDI) requirements as countries announced compliance dates related to UDI labeling and databases. In this example, and in others, each country has different requirements regarding the data that needs to be stored, the format of that data, and the ways in which it is to be reported.

A RIM system is not just a software development project. It requires the attention of regulatory professionals who can ensure that the system is properly handling the requirements of each country in which your device is marketed.

Managing validation documentation

As with a medical device, a validated RIM system cannot be modified without following specific and documented procedures designed to ensure the system’s integrity. Any time a new feature is added, or a change is made to the system – whether it be a small bug fix or the addition of a major new function to address an updated regulation – the affected part of the system will need to be revalidated.

System support

The cost of maintaining and supporting a system as complex as a RIM system is significant. Such costs include not only the development costs, but the cost to train and support users of the system on an ongoing basis. If you are using internal resources, as many companies do, it is important that you include the lost opportunity cost for your development team in cost calculations. What are your developers not working on while they build your RIM system?

Consider carefully whether your IT team is positioned to become a software development team in the long-term. An IT team that is advocating for an in-house solution should be able to provide a plan for how often new features will be provided, how the system will be supported, and how an ongoing product roadmap will be managed.

Reasons not to build a RIM system in-house

Considering the above information, the primary arguments you can make against building a RIM system in-house are:

Building a RIM system is not just a software development project. We will need to stay on top of changing regulations and requirements and be prepared to update the system frequently. Note that this is the primary argument to be made when an IT team is pushing for an in-house solution (a situation we see frequently).
A RIM system built with internal resources builds your existing regulatory process into the system. Are you sure that those processes can’t be improved upon? A RIM system that is used by many medtech companies not only includes built-in industry best practices but will evolve to support new workflows and processes as the industry changes. A custom-built RIM system will have none of those advantages.
The system will need to be validated and certified according to several standards and regulations, like our medical devices. This has the potential to significantly increase the scope of our ISO-related processes and other internal procedures.
Purchasing a dedicated RIM system from a company that is solely focused on providing up-to-date functionality for regulatory professionals is a safer and simpler choice.

We have worked with a number of companies that ultimately chose to implement Rimsys after attempting to build a RIM system in-house. Faced with the unexpected complexity of the development project, they ultimately chose to go with a packaged solution. Be sure to carefully evaluate all potential costs, including on-going costs, when making the build vs buy decision.

‍

Share this post

Featured

Rimsys Announces Rimsys AI to Eliminate Repetitive Tasks and Enhance Decision-Making for MedTech Regulatory Teams

Rimsys, the leading Regulatory Information Management (RIM) platform for the MedTech industry, today announced the launch of Rimsys AI, a suite of embedded artificial intelligence (AI) agents.

Similar posts

How Smith & Nephew Repositioned Regulatory as a Strategic Commercial Partner

Caroline La

May 28, 2026

4 min read

Smith & Nephew is a global medical device manufacturerwith a broad portfolio spanning orthopedics, sports medicine, and woundmanagement, sold and registered across markets worldwide. Before Rimsys,regulatory data was scattered across spreadsheets, shared drives, anddisconnected systems.

When Smith & Nephew selected Rimsys, they deployed itenterprise-wide from day one. Executive reporting moved from manual fire drillsto real-time dashboards. Change impact assessments became faster and moreconsistent. The regulatory team made the shift from reactive compliancefunction to strategic partner to the business.

The Challenge

Regulatory data at Smith & Nephew lived in multiplespreadsheets, shared drives, SharePoint sites, emails, and disconnectedsystems. Without a centralized record, the team could not reliably trackregistration timelines, measure on-time submissions, assess change impacts, orunderstand the downstream impact of product changes across markets. Preparingexecutive reporting meant manually assembling data from multiple sources, aprocess that consumed time and introduced risk each time.

‍

The Solution

Smith & Nephew selected Rimsys for its configurable, notcustomized, platform: an intuitive user interface, centralized submissionmanagement, robust metrics, change assessment capabilities, and UDI supportwith machine-to-machine transmission. Rimsys’ interconnected modulearchitecture linked products, registrations, projects, change assessments, andUDI in a centralized location.

Rather than piloting in one business unit, Smith &Nephew deployed Rimsys across the entire regulatory organization from day one.The decision was deliberate: a partial deployment would have preserved thefragmentation. Enterprise-wide adoption established consistent metrics,standardized processes, and a single source of truth from the start.

‍

The Results

Executive and board reporting, previously built from manualdata pulls, now flows directly from Rimsys in real time. What had been adisruptive, recurring effort is now a routine view. Leadership has thevisibility to make faster, more confident decisions, and the regulatory team isno longer pulled into reporting fire drills.

Change management has also been transformed. Direct linkagebetween products, registrations, and projects means impact assessments arefaster and less dependent on individual knowledge. UDI operations havesimilarly improved: machine-to-machine transmission has reduced manual uploadsand centralized DI record visibility supports global UDI requirements.

The most significant shift is strategic. With centralizedregulatory intelligence and real-time data, Smith & Nephew’s regulatoryteam now actively supports commercial planning: informing budget cycles,guiding renewal and launch sequencing, and advising on regulatory pathways toaccelerate market entry. Regulatory is no longer a downstream compliancefunction. It is a business partner.

Smith & Nephew now runs four modules across its RIM operation:

Registrations— Centralized license tracking across 250 countries and 30+ business units
Change Assessments— Direct product-registration linkage for faster, consistent impact assessments
Executive Reports— Real-time dashboards replacing manual data pulls and board reporting fire drills
UDI— Machine-to-machine transmission reducing manual uploads across global markets

Take this to your team

If you’re evaluating how to modernize RIM operations at scale, the Smith & Nephew case study is a practical reference to share internally. It covers the full implementation story, module breakdown, and results data in a format built for stakeholder conversations.

Download the Case Study

How Philips Scaled Active Product Registrations More Than 20x

Caroline La

May 21, 2026

4 min read

Philips Healthcare operates one of the largest regulatory portfolios in global MedTech: products registered across 250 countries, with a footprint that grows with every acquisition. Before Rimsys, that complexity was managed through email and spreadsheets. Submission packages moved through inboxes with no audit trail, no performance data, and no reliable view of where products were authorized to ship.

Philips selected Rimsys in 2022 as the enterprise RIM platform to bring regulatory order to that complexity. Since go-live, active product registrations have scaled more than 20x, user adoption has doubled in the last six months, and the regulatory affairs function now operates from a single source of truth spanning the entire enterprise.

The Challenge

Without structured data, Philips could not measure regulatory performance, track license expiration across the portfolio, or identify where submission work was stalling. Every acquisition made it worse: incoming business units arrived with their own workflows and systems, absorbing more fragmentation rather than resolving it.

‍

The Solution

Philips evaluated multiple platforms against requirements built with both market-facing and business regulatory affairs teams. Rimsys won on two dimensions: an interface that made complex product and registration data immediately visible, and more enterprise-ready features than competing platforms at the right price point.

Philips went live with Rimsys Registrations and Submissions modules in July 2022. The team deployed platform experts for train-the-trainer sessions and launched regular drop-in sessions where users could ask questions and surface issues. Standing up a dedicated Regulatory Operations team focused exclusively on rest-of-world registration accelerated adoption further.

When an early business unit pushed back on workflow efficiency, Philips and Rimsys worked through it together. A hands-on process walkthrough identified exactly what needed to change, a resolution plan was shared, and that transparency and collaboration became the foundation for sustained user buy-in across the enterprise.

‍

The Results

Since go-live, Philips has scaled active product registrations more than 20x, with further growth already underway. What started as a single deployment now spans 30+ business units across 250 countries, with Rimsys serving as the single source of truth for regulatory data across the enterprise, including businesses acquired since implementation.

For the first time, Philips can measure its own regulatory performance. KPIs flow directly from the platform, giving leadership real-time visibility into registration health. When anomalies surface, they drive data correction and user training, closing gaps that previously went undetected until they affected revenue.

Now with Rimsys AI-assisted Submissions and Regulatory Intelligence now in use, Philips expects to accelerate further: reducing administrative burden so skilled regulatory professionals can focus on strategy.

Philips now runs four modules across its RIM operation:

Registrations— Centralized license tracking across 250 countries and 30+ business units
Submissions— AI-assisted submission workflows replacing email-based package management
Intelligence— Real-time KPI dashboards giving leadership visibility into registration health
Standards— Essential Principles and standards tracking aligned to global market requirements

‍

Take this to your team

If you’re evaluating how to modernize RIM operations at scale, the Philips Healthcare case study is a practical reference to share internally. It covers the full implementation story, module breakdown, and results data in a format built for stakeholder conversations.

Download the Case Study

What RAPS Euro Convergence 2026 Told Us About the Future of MedTech Regulation

Caroline La

May 12, 2026

4 min read

Last week, the MedTech regulatory community gathered in Lisbon for RAPS Euro Convergence 2026: nearly 100 sessions, hundreds of professionals, and one overriding theme: transformation.The European regulatory landscape is shifting faster than it has in two decades, and the pressure is on every RA team to keep pace.

We were there. And here is what we took away.

The Dominant Signal: Change Is Accelerating

For MedTech manufacturers, the immediate reality is demanding. MDR 2.0 is advancing. The EU AI Act is creating new compliance obligations for software-enabled devices. EUDAMED continues to mature. And teams are being asked to absorb all of this while still meeting existing registration and renewal deadlines.

The practical implication is clear: RA functions that rely on manual tracking, disconnected spreadsheets, and tribal knowledge are being outrun by the pace of change. Across the industry, teams are moving from talking about AI to actively experimenting with it, using it to handle the volume and complexity that manual processes simply cannot absorb. The teams emerging as strategic forces are the ones who have connected, real-time regulatory infrastructure and are putting AI to work within it.

AI Is No Longer Optional Thinking

The conversation at Euro Convergence made one thing clear: AI has moved from future-state to present-tense. Regulatory professionals were encouraged to embrace AI while maintainingaccountability for the outcome and challenging the algorithms.
‍

" Our role is to make sure that the AI does the right interpretations appropriate to our products, to our business."

— João Martins, Director of Regulatory Affairs at Abbott at RAPS Euro Convergence 2026 Opening Plenary
‍

That framing resonates deeply with how we have built AI into Rimsys. The goal was never to replace regulatory judgment; it is to amplify it. Rimsys AI is domain-specific, built on the regulatory data structures and logic that reflect real-world requirements, country-specific nuances, and product context. It proposes, analyzes, and alerts. Your team reviews, approves, and decides.

For teams that are ready to accelerate, Rimsys AI accelerates regulatory intelligence monitoring and submission authoring, removing the repetitive, detail-heavy work so skilled professionals can focus on strategy, market expansion, and the higher-order decisions that increasingly complex regulations demand.
‍

"As future regulators, we will need to be scientifically strong, comfortable with complexity, open to innovation, and also be able to work in increasingly complex environments."

— Rui Santos Ivo, President of Portugal's National Authority of Medicines and Health Products (INFARMED) and chair of the EMA management board, RAPS Euro Convergence 2026 Opening Plenary
‍

MDR 2.0: Reform With Guardrails

A panel of experts representing regulators, industry, and notified bodies gave their views on the proposed revision of the EU Medical Device Regulation at the conference. While their sentiments were largely supportive, notified body representatives urged the European Commission to maintain proactive surveillance of devices to protect patients.

The discussion acknowledged the complexity of balancing reform with patient safety. Simplification and innovation go hand in hand, though if it is overly complicated or overly simplified, it becomes difficult to innovate. Structured dialogues in MDR/IVDR will provide transparency and predictability for manufacturers, especially in early product development.

Regulatory Workflows Cannot Be an Afterthought

A recurring observation across sessions was that MDR 2.0, EUDAMED, and the EU AI Act are only as effective as the operational workflows behind them. Structured dialogues, risk-proportionate pathways, and submissions all require teams to move quickly with accurate, up-to-date product data. That is simply not possible when that data lives across email threads, spreadsheets, and disconnected systems.

The workflows that came up most in Lisbon (change control, renewals, new product introductions, and registration management) are exactly the areas where manual processes create the most risk. A missed renewal. A design change that triggers 40 country-level impact assessments with no system to coordinate them. A registration record that no one has updated since the last audit.

Rimsys keeps these workflows connected and proactive. Renewal expiration reminders fire before deadlines become a risk. Change control impact surveys are configurable to your SOPs, so teams can assign tasks and coordinate work across regions without relying on someone to manually track progress. New product introductions move faster because previous submission content can be reused across markets. Target market data, registration history, and approval status are already centralized, so teams are building on existing work rather than starting from scratcheach time.

The result is regulatory operations that reduce time to market by weeks to months, not add to it. Access information in seconds rather than hours. Regulatory release authorization in minutes rather than weeks. More than 90% reduction in regional regulatory reporting time. These are not projections. They are outcomes reported by Rimsys customers operating in exactly the kind of complex, multi-market environments that dominated the conversation in Lisbon.

The Regulatory Professional Is Evolving

Perhaps the most striking thread across sessions was the evolution of the RA function itself. Regulatory work was once seen mainly in terms of compliance procedures and submissions. Today, the profession is much broader than that.

This evolution is exactly the transition Rimsys is designed to support. When regulatory data is centralized, connected, and visible in real time, RA teams stop spending their days chasing down registration status and start contributing to commercial strategy: market expansion decisions, launch sequencing, change control planning, and executive-level risk communication.

The heart of regulatory operations is not a filing cabinet. It is a living, connected system that elevates the entire function.

What It All Points To

RAPS Euro Convergence 2026 made one thing clear: the organizations that will thrive are those who have invested in regulatory infrastructure that can absorb change without breaking. Rimsys is the platform built for exactly this moment: enterprise-grade, intuitive enough for global teams to actually use, and trusted by 6 of the top 12 global MedTech manufacturers worldwide.

Book a conversation with our team