Featured
Rimsys Announces Rimsys AI to Eliminate Repetitive Tasks and Enhance Decision-Making for MedTech Regulatory Teams
Rimsys, the leading Regulatory Information Management (RIM) platform for the MedTech industry, today announced the launch of Rimsys AI, a suite of embedded artificial intelligence (AI) agents.
An overview of 21 CFR Part 820 - quality systems for medical device manufacturers
What is 21 CFR Part 820?
21 CFR 820 is the FDA federal regulation that pertains to quality systems for medical device manufacturers, and it is part of the agency’s set of Current Good Manufacturing Practices (CGMP) for industry. Also referred to as the FDA’s quality system regulation (QSR), the regulation defines design controls and quality processes at all stages of device development in order to ensure that all medical devices marketed in the United States are safe and effective.
21 CFR 820 consists of 15 subparts, which define quality system requirements for each stage and function within the medical device manufacturing process. We define each subpart below.
Federal regulations are organized as Title → Chapter → Subchapter → Part, which means that 21 CFR 820 is short-hand for:
21 CFR 820 vs ISO 13485
ISO 13485 is the de facto international quality system standard for medical device manufacturers, but this is not currently the standard in the United States. While Part 820 and ISO 13485 are structured differently, they have no conflicting requirements. Therefore, companies that are marketing medical devices in the U.S. and in other markets will need to comply with both ISO 13485 and the FDA’s QSR, as defined in 21 CFR 820.
However, the FDA is moving towards harmonizing these standards, and on February 23, 2022 issued a proposed rule to amend the QSR to align more closely with the international consensus standard for Quality Management Systems, primarily by incorporating reference to the ISO 13485 standard. The FDA has published FAQ’s about the proposed rule.
21 CFR Part 820 Requirements
Part 820: General Controls (subpart A)
The General Controls subpart contains three sections providing general information about the regulation, including the scope and applicability along with key definitions.
Scope
The regulation defines current good manufacturing practice (CGMP) requirements governing the methods, facilities, and controls used for the “design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices intended for human use." Specifically, this subpart defines:
- Applicability:
The requirements of this regulation are intended to ensure the safety and efficacy of all finished medical devices intended for human use that are manufactured in or imported into the United States. Manufacturers that are involved in some, but not all, manufacturing operations should comply with those requirements that are applicable to the functions they are performing.
Exceptions:
- This regulation does not apply to manufacturers of medical device components, but such manufacturers are encouraged to use this regulation as guidance.
- Class I medical devices are exempt from the Design Controls defined in this regulation, except for those listed in § 820.30(a)(2).
- Manufacturers of blood and blood components are not subject to this regulation but are subject to Biologics good manufacturing practices as defined in Subchapter F, Part 606 of the regulation.
Definitions
This section of the regulation contains definitions for a number of terms used throughout the document. The following are the major definitions related to quality records:
- Design history file (DHF): A compilation of records that describes the design history of a finished device.
- Design input: The physical and performance requirements of a device that are used as a basis for device design.
- Design output: The results of a design effort at each design phase and at the end of the total design effort. The finished design output is the basis for the device master record. The total finished design output consists of the device, its packaging and labeling, and the device master record.
- Device history record (DHR): A compilation of records containing the production history of a finished device.
- Device master record (DMR): A compilation of records containing the procedures and specifications for a finished device.
Quality System
The section of the regulation sets the basic requirement for a quality system by stating that “Each manufacturer shall establish and maintain a quality system that is appropriate for the specific medical device(s) designed or manufactured, and that meets the requirements of this part.”
The term “appropriate” is used throughout this regulation and can be open to interpretation. A manufacturer, however, should assume that all requirements are appropriate and applicable except in cases where non-implementation of the requirement can be shown to have no effect on the product's specified requirements or ability to carry out necessary corrective actions.
Quality system requirements (subpart B)
This section of the regulation defines the overall responsibilities and the resources required for the management of the quality system.
Management responsibilities
Executive management is responsible for establishing a quality policy and ensuring adequate resources to effectively maintain and manage the quality system. In addition, management is responsible for establishing a specific quality plan, consisting of relevant practices, resources, activities, and procedures.
Quality audit
Periodic audits of the quality system are required to be conducted by personnel not directly responsible for the activities being audited. The dates and results of each audit need to be documented, along with the results of the audit. It is expected that corrective actions and, when necessary, reaudits, be performed for any identified noncompliances.
Personnel
Manufacturers are responsible for assigning sufficient personnel with appropriate experience and training to perform all tasks required by the quality system plan.
Design controls (subpart C)
Manufacturers of all class II and class III medical devices, along with the specific class I devices listed in paragraph (a)(2) of this regulation, are required to establish design control procedures that ensure design requirements are met as specified.
Design controls shall define:
- Design and development planning - Plans that describe the design and development activities, and responsibilities for these activities and their implementation.
- Design input - Procedures that ensure design requirements are appropriate and address the intended use of the device.
- Design output - Procedures that document design output, including acceptance criteria, so that conformance to design input requirements can be adequately evaluated.
- Design review - Formal and documented reviews of the ensign results that include participation from representatives of all.
- Design verification - Procedures for verifying the device design that confirm that the design output meets the design input requirements.
- Design validation - Procedures for validating the device design, ensuring that devices conform to defined user needs and intended uses, and including testing of production units under actual or simulated conditions.
- Design transfer - Procedures to ensure that the device design is correctly translated into production specification.
- Design changes - Procedures for identifying, documenting, validating, and managing the verification and approval process of all design changes before they are implemented.
- Design history file - A design history file (DHF) is required for each type of device and should include or reference the records necessary to demonstrate that the design was developed in accordance with the approved design plan and device requirements.
Document controls (subpart D)
Medical device manufacturers are required to put in place document controls for all documents required in this regulation.
Document approval and distribution
One or more people must be assigned to review and approve documents prior to issuance. The approval must be documented, include a date and the signature of the approver, and be made available at all locations where applicable. Procedures must also be in place to ensure that obsolete documents are removed and/or prevented from being used.
Document changes
Similar to document approval procedures, changes to documents must be approved, reviewed, and documented. Records of all changes must be maintained.
Purchasing controls (subpart E)
To continue reading this Regulatory Brief, including a definition of the remaining subparts and a comparison of 21 CFR 820 to ISO 13485, please download the full brief.
CE marking guide for medical devices in the EU
This article is an excerpt from the CE marking guide for medical devices in the European Union.
Table of Contents
- What is CE marking?
- Why is CE marking important?
- CE marking responsibilities
- What countries require or accept CE marking?
- Which medical devices require a CE mark?
- Technical documentation
- What are the costs associated with CE marking?
- How do you apply the CE marking?
- CE mark and UDI
- Does the CE mark expire?
- Do I need to CE mark my software?
- Final steps
CE marking is a symbol that consists of “CE, “ which is the abbreviation of the French phrase "Conformité Européene" meaning "European Conformity". The term initially used to describe “CE” was "EC Mark" but it has officially been replaced by "CE marking" according to the EU Directive 93/68/EEC. CE marking is used in all EU official documents, although you will still see "EC Mark" being used in common language. If you are using EC Mark in your documentation, you should change that terminology to CE marking in the future.
The letters ‘CE’ appear on many products traded on the Single Market in all the member states of the European Union plus Iceland, Liechtenstein, Norway and Switzerland. Simply put, The CE mark is a mandatory compliance mark, informing the consumer that the product is compliant with all applicable EU directives and regulations where the CE mark is required.
The Single Market was established in 1993 and is still considered one of the most significant achievements of the European Union. The main goal was to ensure the movement of goods and services freely within all the member states and to establish high safety standards for consumers. The CE mark indicates that goods and services do not need to be verified when shipping into another member country. To further support this movement, in April 2011, the Single Market Act was established to boost growth and strengthen confidence in the economy even further.
CE marking is required for many types of products, not just medical devices. The CE symbol can be found on bicycle helmets, toys, laptop batteries, wheelchairs, construction equipment, gas appliances and cell phone chargers - to name a few. CE marking is required for products manufactured anywhere that are sold in the EU, and only for those products for which EU specifications exist and require CE marking. The CE marking signifies that the product has been found to meet the general safety and performance requirements (GSPRs) of the European health, safety and environmental protection legislation and allows the product to be sold in the EU.
Manufacturer responsibilities for CE marking
Medical device manufacturers are responsible for properly and legally CE marking products before they leave the warehouse.
Most Class II and III medical devices, along with IVDs and some Class I devices, require a conformity assessment performed by a Notified Body to ensure that all legislative requirements are met before it can be placed on the market. Manufacturers of most Class I devices can self assess conformity. This process needs to demonstrate that all the legislative requirements are met, including any testing and inspections, and that all necessary certifications are obtained.
The European Commission lists 6 steps that manufactures should follow to affix a CE marking to their devices:
- Identify the applicable directive(s) and harmonized standards - see EU standards for Medical Devices, In Vitro Diagnostic (IVD) devices, and Implantable Medical Devices.
- Verify product specific requirements using the essential principles identified in the above standards.
- Identify whether an independent conformity assessment by a Notified Body is necessary. Notified bodies will be required to verify compliance with relevant Essential Requirements for most medical devices classified as IIa, IIb, or III - along with sterile class I devices. See the Notified and Designated Organization (NANDO) database for available notified bodies.
- Test the product and check its conformity.
- Create and keep available the required technical documentation.
- Affix the CE marking and create the EU Declaration of Conformity.
Importer responsibilities for CE marking
If you are importing medical devices into the EU, it is your responsibility to review all the technical documentation and maintain a copy, or to make sure that it’s available to you upon request.
You should verify:
- That the device has been CE marked and that the EU declaration of conformity has been completed.
- That the manufacturer has designated and established an authorized representative.
- That the device is labeled appropriately and contains instructions for use (IFU).
- When applicable, that a UDI has been assigned to the product.
- Whether or not the product is registered in EUDAMED (registration is currently voluntary).
Take action:
- List your name and address on the device or packaging, in addition to the manufacturer’s information.
- Keep records of complaints, non-conformities, recalls, etc. on file.
- Report any noticed non-conformity or product complaints from end users to the manufacturer and authorized representative immediately.
- Maintain a copy of the EU declaration of conformity and any other relevant certificates.
Distributor responsibilities for CE marking
If you are a distributor, you are responsible for reviewing the technical documentation provided to you so that you can verify the product is safe to put on the local market. You must also be sure the product is labeled correctly with the CE marking symbol clearly visible. The technical file documentation contains all of the information that is necessary to show conformity of the product to the applicable requirements.
You should verify:
- That the device has been CE marked and that the EU declaration of conformity has been completed.
- That the device includes all the appropriate labeling, including instructions for use.
- That if imported, the importer has complied with all the EU regulations.
- When applicable, that a UDI has been assigned to the product.
Take action:
- Report any noticed non-conformity to the manufacturer, importer, and authorized representative immediately.
- If a product appears to be out of compliance to the regulations and could pose a serious risk, the information should be reported to the Competent Authority, and to the manufacturer, importer and authorized representative.
- Any complaints or reports from end users about the product should be reported to the manufacturer and, if necessary, to the importer and authorized representative.
Important note: If the importer or distributor markets the product under their own company name, then they become responsible for CE marketing, and take over that role from the manufacturer.
CE marking is mandatory when importing products into the European Union, which is part of the larger European Economic Area (EEA). The EEA Agreement, established in 1992 and made official in 1994, is an international agreement that enables the extension of the European Union’s single market to non-EU members. It consists of the 27 EU countries plus the four European Free Trade Association (EFTA) countries - Iceland, Liechtenstein, Norway and Switzerland. Today, the EFTA has 29 Free Trade Agreements (FTAs) with 40 countries and territories outside the EU. Because these countries operate in the single market, this allows free movement of goods and services across all of the EEA.
Source: European Environment Agency (EEA).
All medical devices sold in the EU require a CE mark. While a CE mark is not required for items such as chemicals and pharmaceuticals, it can be required for combination devices and medical device software. For these two situations, how do you know if your product requires a CE mark?
To continue reading this ebook, including an overview of CE mark costs, and the associated technical documentation/general safety and performance requirements (GSPRs) that manufacturers are required to maintain please register to download the full version
.avif)
Rimsys Enters Strategic Alliance Relationship with KPMG
PITTSBURGH – March 11, 2025 -- Rimsys, the global leader of MedTech Regulatory Information Management (RIM) software, today announced that it has entered into a strategic alliance relationship with KPMG to advance digital transformation in the MedTech industry.
“KPMG’s deep experience in advisory and business transformation services and exceptional reputation make them a valuable alliance relationship for us,” said James Gianoutsos, Founder and CEO of Rimsys. “KPMG is on the cutting edge of industry trends and has a wide breadth of experience in helping companies innovate and scale. We are thrilled to work with them to help MedTech teams transform their regulatory management processes and leverage the benefits of automation and digitization as part of their broader transformation strategy.”
Founded for and by MedTech regulatory affairs professionals in 2017, Rimsys was created to bring efficiency to regulatory information management and fill an inhibitive technology gap in an underserved industry. Rimsys has since grown to support the world’s MedTech leaders backed by a staff that understands their complex workflows and a robust, secure technology infrastructure that allows customers to scale Rimsys software to support their changing regulatory needs and requirements.
“There is tremendous innovation happening in the MedTech industry, and we are excited to work with Rimsys to help clients transform how they manage regulatory information for getting new products to market and sustaining their existing product portfolios. It’s critical to approach these programs as a holistic business transformation across people, process, technology, data, and governance & controls,” said Dipan Karumsi, Principal, Consulting Sector Leader for Life Sciences at KPMG.
“Through our strategic alliance with KPMG, we can further expand our reach to large and enterprise MedTech companies and continue our exponential growth,” said James. “Combined with KPMG’s experience helping organizations mature their data collection and transformation processes to reach RIM readiness, we can enable the MedTech industry to innovate faster, strengthen compliance, and most importantly, improve the availability of life-changing medical technologies.”
See the full press release here.
FDA’s Final Rule on LDTs: What manufacturers need to know
In July 2024, the FDA's final rule in 21 CFR Part 809 on laboratory developed tests (LDTs) went into effect, amending its previous regulations to make it clear that IVDs, including those that are manufactured in laboratories, are classified as devices under the Federal Food, Drug, and Cosmetic Act. Our blog post provides an overview of LDTs, FDA’s final rule, the phase out policy schedule, and how LDT manufacturers can prepare themselves for compliance.
What are LDTs?
Simply put, LDTs are IVDs that are designed, manufactured, and utilized within a certified laboratory and are typically used for high-complexity testing.
Historically, FDA has used enforcement discretion only on LDTs, which means that most LDTs haven’t been subjected to specific regulatory requirements. However, the volume of and risks associated with LDTs have grown over the years. Some examples of modern LDTs include glucose tests, genetic tests for cancer and infectious diseases, and newborn screenings for early diagnostics. Without a regulatory framework in place, patients are at greater risk of receiving inaccurate test results, forgoing necessary or undergoing unnecessary treatment, and adhering to misleading or false product claims, possibly endangering patients and leading to higher healthcare costs.
FDA’s Final Rule on LDTs
Following the final rule that was issued, LDTs are now subject to the same regulatory requirements as other IVDs, including premarket reviews, quality system requirements, labeling requirements, adverse event reporting, and device listing and registration. To prevent disruptions in patient care, there is a four-year transition or phaseout period consisting of the following five stages:
- Stage 1 (May 6, 2025): LDT manufacturers will be expected to comply with FDA medical device reporting (MDR) requirements, correction and removal reporting requirements, and quality system (QS) requirements for complaint files.
- Stage 2 (May 6, 2026): LDT manufacturers will be required to comply with IVD registration and listing requirements, labeling requirements, and investigational use requirements.
- Stage 3 (May 6, 2027): LDT manufacturers will need to comply with all other QS requirements not covered in Stage 1.
- Stage 4 (November 6, 2027): Unless a premarket submission is received before the start of this stage, LDT manufacturers of high-risk products will need to comply with premarket review requirements for IVDs that may be classified into class III or that meet the requirements of section 351 of the Public Health Service Act.
- Stage 5 (May 6, 2028): LDT manufacturers of moderate and low –risk products will need to comply with premarket review requirements for IVDs unless a submission is received before the beginning of this stage.
Manufacturers of LDTs that don’t meet the requirements in each stage are deemed non-compliant to the regulations governing IVDs and may be subject to FDA 483 observations or warning letters, financial penalties, and even worse, involuntary removal of products from the market.
Note that some LDTs will be exempt from these requirements. Refer to the FDA’s website for more guidance.
Preparing for Compliance
Despite a four-year phaseout period, it’s crucial for LDT manufacturers to start assembling a compliance plan. Starting as early as May 2025, manufacturers will be required to comply with FDA Medical Device Reporting (MDR) requirements, correction and removal reporting requirements, and quality system requirements for complaint files.
It's good practice to conduct an internal regulatory assessment to ensure you have the resources, processes, and tools in place to successfully meet new requirements for LDT devices. It’s also essential to make sure your team is well-versed in these new requirements and the documentation and timelines involved. Including all relevant stakeholders early on, getting a comprehensive project plan in place, and meeting regularly to ensure all tasks are completed would be helpful during the phaseout period and beyond.
Regarding the LDT changes, the FDA has provided a Q&A sheet that you may find helpful.
If you're looking for guidance on FDA premarket submissions, see our Beginner’s Guides to the FDA 510(k), De Novo, and PMA processes.
How Regulatory Tools Can Help
FDA’s final rule on LDTs will add complexity to the regulatory information management of laboratory diagnostic tests. There are digital solutions that can help manufacturers stay current on updated regulations and manage the additional information and documentation needed because of these updates.
A regulatory intelligence database like Rimsys Intel can provide detailed global market entrance requirements, application timelines, fees, risk class specifications, and documentation needed for medical devices and IVDs so that manufacturers can start preparing their premarket strategies.
Regulatory Information Management (RIM) software like Rimsys can help boost efficiency, reduce compliance risk, and increase collaboration by centralizing regulatory information and automating time-consuming, manual processes. As a result, medical device manufacturers gain complete visibility into their submission management and selling status so that they can plan more effectively, avoid costly product delays, and execute faster.
%2520(1755%2520x%2520550%2520px)%2520(855%2520x%2520268%2520px)%2520(1).avif)
Planning Your Enterprise’s UDI Strategy for EUDAMED and Beyond
Rimsys recently hosted a webinar with RAPS titled “Planning Your Enterprise’s UDI Strategy for EUDAMED and Beyond.” During the session, our experts, Adam Price, Director of Regulatory and Technical Programs, and James Gianoutsos, Founder and CEO, provided best practices to help MedTech companies navigate the complexities of Unique Device Identification (UDI) compliance. The session covered key topics such as comparing US and EU UDI regulations, preparing for the January 2026 mandatory EUDAMED submission date, and using EUDAMED as a foundation for a global UDI strategy that can scale as additional markets adopt UDI requirements.
Here are some of the key topics we discussed to help Medtech teams prepare their strategy:
1. The importance of UDI to regulatory affairs teams
UDI is a globally unique identifier for medical devices that helps improve traceability, manage adverse event reporting, and ensure compliance with regulatory requirements. Regulatory affairs teams play a critical role in both establishing and maintaining UDI data to meet submission timelines and market placement requirements.
Responsibility for UDI management can vary between organizations, with some MedTech companies assigning the responsibility to IT or supply chain teams. When we asked our audience who is responsible for UDI management at their company, 80% of respondents said that it was their regulatory affairs team, emphasizing UDI’s crucial role in market placement.
2. Comparing US and EU UDI Requirements
FDA GUDID requirements have been in place since 2014. As such, some MedTech teams may plan to use their GUDID submission strategy as a baseline for the development of their EUDAMED submission strategy. While the US FDA’s GUDID system has standardized requirements, the EU’s EUDAMED is more complex due to additional data fields, language-specific entries, and the use of the EMDN nomenclature instead of GMDN. EUDAMED also introduces the Basic UDI-DI, which connects related devices within family groupings and links different EUDAMED modules. Companies must adapt their UDI strategies to account for these variations.
“Unlike the standardized US GUDID, the EU’s EUDAMED is more complex, featuring multiple device categories, language-specific data, and the EMDN nomenclature.” - Adam Price
3. The Interconnectivity of EUDAMED
EUDAMED consists of multiple interconnected modules. The Basic UDI serves as the key data element linking these modules together. This interconnected structure ensures that regulatory bodies, manufacturers, and economic operators can efficiently track devices throughout their lifecycle. Properly aligning UDI submissions with these modules is essential for seamless compliance and data consistency.
“The interconnectivity of EUDAMED is really important because the Basic UDI family groupings are the key piece of data that is going to tie the different modules together. For example, your notified body certificates for the regulations will have your Basic UDI numbers indicated on them. And then that's connected to the Basic UDI numbers that you have associated to your single registration number.” - Adam Price
4. Deadlines, Compliance Risks, and Recommended Actions per Device Category
The deadline for mandatory UDI submissions to EUDAMED is January 1, 2026, with a six-month grace period until June 2026 for devices already on the market. Failure to meet these deadlines could result in compliance risks, including regulatory penalties and restricted market access. Different categories of devices are subject to specific rules:
- Regulated Devices: Devices compliant with MDR or IVDR regulations must be linked to Basic UDI groupings and classified accurately under EMDN. Recommended actions include ensuring all data aligns with the new requirements and preparing for immediate submissions of new devices after January 2026.
- Legacy Devices: Devices compliant with older EU directives that remain on the market do not require a Basic UDI but must still have all essential data submitted. Companies should consolidate and verify legacy data, ensuring consistency with prior regulatory approvals.
- Non-Registered Devices: Devices no longer placed on the market but still have post-market surveillance activities must be registered for traceability. Manufacturers should identify these devices, gather historical data, and ensure that post-market surveillance records are aligned with regulatory expectations
.
5. Data Preparation and Submission Process
Data preparation for EUDAMED compliance is going to take some time, and the time to start preparing is now. It's important to recognize some of these high-level steps needed for effective UDI data preparation and submissions so that MedTech teams can plan appropriately:
- Identify: Collect and review all required UDI data, including language-specific fields and Basic UDI groupings.
- Verify: Ensure data accuracy and alignment with regulatory requirements, using EUDAMED’s business rules as a reference.
- Format: Structure data to meet EUDAMED’s formatting and enumeration rules, ensuring compatibility with submission methods.
- Submit: Transmit data using manual entry, XML uploads, or automated machine-to-machine (M2M) transmission, depending on the volume and complexity of your product portfolio.
“Ultimately, manufacturers need to be in a position to have all the data in for all products - not just the new products on the market but for all products by the end of that transitional period. It sounds a little apocalyptic but given the right planning, I think it's very achievable." - Adam Price
6. Getting Data into EUDAMED
Manufacturers have multiple options for submitting UDI data into EUDAMED, depending on their resources and portfolio size. Data can be manually entered through the EUDAMED user interface, uploaded via XML files, or submitted using automated machine-to-machine (M2M) transmission. Organizations managing large product portfolios are encouraged to adopt M2M transmission to ensure efficiency and data accuracy. Testing data submissions in the EUDAMED playground before official submission is highly recommended to identify and resolve any formatting or compliance issues.
“With more products, more data, and more BUDI families, there's more complexity. And as you're looking across your product portfolio, that's something that you need to consider as you plan your submission strategy.” -Adam Price
7. UDI Management Solutions
Organizations can choose from various UDI management solutions depending on their size and needs:
- Spreadsheets: Might be suitable for small companies with limited product portfolios but are time-consuming to manage and error-prone
- Repurposed Internal Systems: PLM or PIM systems can manage UDI data but may require manual processes and in-house expertise.
- Purpose-Built Connectors: Provide transmission capabilities for UDI data but don’t provide data capture and management
- RIM Systems (e.g., Rimsys): Provide a centralized, automated solution that integrates UDI data with product registrations and certificates, supporting seamless M2M transmissions.
“For large, complex product portfolios, RIM systems like Rimsys provide automated UDI management and seamless M2M transmissions.”
“Having an integrated data hub that's the source of truth for your UDI information is key. Then being able to associate your UDI data with all other data needed for UDI transmission in a RIM system, your registrations, certificates, legal entity, manufacturer, manufacturing locations, all the product data, all your BUDI data, having that all centralized in a RIM system is really critical to understanding and organizing your data in a way that can be meaningfully managed moving forward.” - James Gianoutsos
8. EUDAMED as a Foundation for Global UDI Compliance
There is a tremendous opportunity for EUDAMED’s comprehensive data requirements to serve as a foundation for global UDI compliance, as many countries are adopting similar regulations. Australia, Switzerland, the UK, and India are among the markets expected to enforce UDI requirements soon, with varying deadlines and data requirements. By using their EUDAMED data output as the foundation for a global UDI program, MedTech companies can build a UDI strategy that positions them to meet current and future requirements as they evolve.
“The application of UDI is not a one and done approach like it had possibly felt for manufacturers in the past. These requirements are going to need to be continually maintained from the perspective of your product characteristic data as well as new technologies as they're being introduced. So it's maintaining compliance to the current requirements, establishing compliance to the new countries’ UDI programs as those get rolled out, and being in a good position to control and consistently apply your UDI data.” -Adam Price
Conclusion
With the January 2026 deadline approaching, companies must act now to ensure compliance, streamline submissions, and prepare for future UDI requirements worldwide. Establishing a robust UDI strategy today will not only support compliance with EUDAMED but also lay the groundwork for expanding regulatory demands in other global markets. Leveraging centralized systems like RIM platforms can help manage the increasing complexity of global UDI regulations, ensuring consistent and efficient compliance.
“This seems to be a trend globally that UDI has become this single source data point to control and manage and maintain your products on the market. And so EUDAMED is just really the tip of the iceberg. Even though we know how complex it is, this is really just the beginning of this global UDI strategy that you have to be thinking about as you go into EUDAMED preparation.” -James Gianoutsos
Those interested in watching the webinar can access the recording here.
With an integrated and automated approach to UDI, Rimsys is a trusted and proven solution to help MedTech teams simplify EUDAMED compliance and assemble a global UDI program that meets current and future requirements. Request a custom demo rimsys.io/demo.
Quick reference guide - global medical device UDI requirements and timelines
This article was last updated on February 10, 2025.
What is UDI?
UDI systems are intended to benefit healthcare providers, manufacturers, authorized health authorities, hospitals and institutions, and individual consumers by providing:
- Faster discovery of possible flawed medical device information by health authorities.
- Quicker access to recall information, and visibility into current inventory.
- A reduction in medical errors through consistently documented product expiration dates.
- Identification of any counterfeit products being used in healthcare facilities.
- Assurances that information regarding an implanted device is safely retained and traceable.
UDI timelines and deadlines vary by market, classification risk, and product and have been revised multiple times in some countries*. This article details the UDI deadlines for the countries which have announced specific programs (draft or implemented) and is current as of the date of this article.
*Note: these dates can change as participating countries adjust their plans. We do our best to update this as more information becomes available.
Quick Links to country-specific sections:
- Australia UDI
- Brazil UDI
- Canada UDI
- China UDI
- European Union UDI
- India UDI
- Japan UDI
- Saudi Arabia UDI
- Singapore UDI
- South Korea UDI
- Taiwan UDI
- United States UDI
- UDI databases by country
General UDI labeling requirements
There are two components to a medical device UDI: the UDI device identifier (UDI-DI) and the UDI production identifier (UDI-PI). The UDI is presented as a barcode label (human and machine readable) on device packaging or on the device itself and acts as the access key to all device UDI attributes.
UDI-DI: This is the static portion of the UDI which identifies the manufacturer along with the specific device version. The UDI-DI (device identifier), also known as the Global Trade Item Number (GTIN) is assigned by an approved organization, such as GS1, and contains:
- Company prefix
- Manufacturers internal product code
- Check character
The UDI-DI is the primary identifier to be used in looking up device attributes in country-specific databases and is assigned prior to placing a product on the market. Note that the device identifier is different for different packaging levels of the same device.
UDI-PI: This is the dynamic portion of the UDI which is assigned by the manufacturer and identifies one or more of the following:
- Manufacturer’s lot or batch number
- Serial number
- Manufacturing date
- Expiration date
- Other attributes as defined by country-specific regulations
The UDI-PI actual values do not appear in country-specific databases (with the exception of the EU vigilance database).
Australian UDIGuidelines
Reporting Database: AusUDID (pre-production)
The Australian government for medical devices, the TGA, has not launched any official regulations or timeline for mandatory UDI labeling. They do provide a wealth of information on their website that is worth reviewing. In the meantime, however, they are hoping for a Q1 2025 implementation. The AusUDID Pre-Production environment is available for sponsors and manufacturers of medical devices supplied in Australia. It is a test environment that allows testing of data submission, prior to submission to the AusUDID Production environment. Any sponsor or manufacturer with an active TBS account can access the database.
ANVISA UDI guidelines
Reporting database:TBD
RDC No. 591/2021 is the regulations guideline for the identification of medical devices regulated by ANVISA, implementing the Unique Identification of Medical Devices (UDI) system. In July 2024, ANVISA finalized amendment RDC No. 884/2024 which implemented various adjustments to RDC 591/2021. The biggest take-away regarding UDI is the extension of one year on the implementation deadlines.
Health Canada website
Reporting Database: N/A
Position paper on the current state of UDI implementation
Medtech Canada strongly supports the global initiative led by regulators under the guidance of the International Medical Devices Regulators Forum (IMDRF), which aims to standardize the identification of medical devices by requiring that certain medical devices carry an internationally recognized UDI. Currently, there is no process in place for UDI in Canada.
China (NMPA) website
Reporting Database: China National UDI Database
Announcement No 22 of 2023
On January 1, 2021, the NMPA implemented the UDI system for its first batch of medical devices, including 69 Class III devices. The following year, June 1, 2022, followed the implementation for the second batch of other Class III medical devices (including IVD reagents). Then in 2023, Order No. 22 announced the third batch of products to adopt the UDI system.
As of June 1, 2024, medical devices listed in the third batch implementation product catalog must have already had UDI implemented. According to the degree of risk and regulatory needs, some Class II medical devices in the third batch included high-demand single-use products, items selected for centralized procurement, and medical aesthetic products, totaling 103 types in 15 categories.
European Union UDI Information
Reporting Database: EUDAMED
Rimsys Updated EUDAMED Timeline Blog Post
The UDI & Devices module is expected to be declared fully functional by the end of Q2 2025 and mandatory for industry use on January 1, 2026. The EU continues to strongly recommend to the industry to establish its solution and to submit data on a voluntary basis.
Medical Devices Rules, 2017
Legal Metrology Act, 2009
Reporting Database: N/A
Rule 46 of Medical Device Rule 2017 was set to require UDI labeling by January 1, 2022. However, details on how the UDI needs to be implemented have not yet been released but India's labeling and traceability requirements must be met as per CDSCO regulations.
In addition to the Medical Device Rule 2017, the Legal Metrology Act, 2009 focuses on standardizing weights and measures and ensures that packaged commodities, including medical devices, are labeled with accurate and clear information.
Law to Ensure Quality, Efficacy and Safety of Pharmaceuticals, Medical Device, and Similar Products
Reporting Database: N/A
There are two regulatory authorities responsible for regulation of medical devices in Japan: The Ministry of Health, Labour and Welfare (MHLW) and the Pharmaceuticals and Medical Devices Agency (PMDA). The MHLW is responsible for the administrative actions such as guidance and approval, and judgment on whether or not a product is considered a medical device. The PMDA undertakes product review and post-market safety measures.
As of Dec 2022, bar code labeling based on international standards is required for immediate containers/wrappings/retail packages of medical devices. It is expected for barcodes to be displayed on every medical device in unit of use for patients. Japan was an early promoter of standardized barcodes and is still working towards harmonizing the requirements with global UDI expectations.
The Pharmaceuticals and Medical Devices Act (PMD Act) translates in Japanese meaning "Law to Ensure Quality, Efficacy and Safety of Pharmaceuticals, Medical Devices, and Similar Products," but is often shortened to Act on Pharmaceuticals and Medical Devices or just PMD Act.
Requirements for Unique Device Identification (UDI for Medical Devices)
Reporting Database: Saudi-DI
The SFDA requires compliance with the Unique Device Identification (UDI) regulations on all medical device companies in Saudi Arabia for all classifications. Medical device classifications include: devices, IVD, non-medical IVD, chemical for medical use, distillation device, general lab use, HCT/Ps product and radiation devices.
Guidance for UDI Implementation
Reporting Databases: Singapore Medical Device Register (SMDR) - For risk class B or higher, Class A Medical Device Database - Risk class A only
Singapore is now requiring compliance with UDI labeling and database registration. They will accept UDI labels for devices already marketed in the U.S. and the EU without any need for modification. However, if they are not marketed in either country, then they are required to implement via Singapore UDI regulations.
Companies are given an additional 6 months from the compliance date to deplete the respective medical devices that have been imported prior to the compliance date and exist in their current supply chain.
Note:
• UDIs will not be required for medical devices for clinical research, investigational testing or clinical trial and custom-made medical devices
• Medical devices authorized for supply via Special Access Routes (GN26, GN27, GN29) are required to comply with UDI requirement on a risk-calibrated approach
Act on In Vitro Diagnostic Medical Devices
Act on Medical Devices
Reporting Database: South Korean Integrated Medical Device Information System (IMDIS)
South Korea has already implemented UDI regulations by Article 20-23 of the Medical Device Act (No. 14330) and Article 54-2 of Enforcement Regulations of Medical Device Act (No. 1512).
Guidance document from Taiwan FDA
Reporting Database: TUDID
Taiwan has previously implemented UDI regulations, which include labeling and database reporting requirements.
FDA website for UDI
Reporting database: GUDID database
The United States has previously implemented UDI regulations, which includes labeling and database reporting requirements.
Each country has their own UDI database and varying requirements for the data stored in those databases. There is overlap in the data required among the various UDI databases, but each country also has unique data they require.
In addition, countries require that UDI-DI information be provided by “issuing entities.” Note that with the exception of China, all countries accept GS1, HIBCC, and ICCBA as issuing entities.
* Data attributes are approximations based on country UDI requirements and include mandatory, optional, mandatory if applicable, and country database auto generated elements.
** Expected to be similar to US GUDID requirements.
Keeping pace with UDI regulations
Keeping track of country-specific UDI requirements, implementation timelines, and affected devices can be a big challenge to RA teams—especially because the information is scattered across many sources and simply hard to find. In this guide, we have consolidated timeline information and device class requirements across multiple countries. While we make every effort to provide accurate and up to date information, it's always advised to check the government website for the country in question.
Additional UDI resources
Looking for more information? You can visit our EUDAMED resource center, where you will find videos and resources to help you plan for UDI requirements in Europe. In addition, you may enjoy our blog post that outlines our views on the recent EUDAMED timeline updates.
For a broader introduction to UDI, see our Rimsys UDI Overview blog post.
If you're looking for an automated, integrated solution to help you meet changing regulations and manage your global UDI program, request a custom Rimsys demo!
%2520(1755%2520x%2520550%2520px)%2520(855%2520x%2520268%2520px).avif)
Why a RIM System is Critical to Successfully Support MedTech M&A Activities
There was significant M&A activity in the MedTech sector in 2024, and the industry is predicting another big year for mergers and acquisitions. As MedTech companies aim to expand their product lines, enter new markets, innovate faster, and remain competitive in a rapidly evolving space, mergers and acquisitions can be attractive and cost-efficient options. Additionally, some manufacturers are choosing to divest parts of their business to hone their focus, drive additional investment in other key areas, and optimize operations.
For the regulatory affairs professional, M&A activities can be anything but efficient. An influx of new products, registrations, and regulatory information to maintain can wreak havoc on RA teams who are already struggling to effectively manage and maintain compliance amid a seemingly constant state of regulatory change.
In an increasingly complex regulatory landscape, many MedTech teams are turning to RIM systems to help them centralize regulatory information across the business, automate time-consuming, manual processes, and strengthen global compliance. These benefits are even more palpable for companies undergoing mergers, acquisitions, and divestitures, giving them streamlined, fully visible regulatory information management that can scale with their evolving business needs and additional regulatory information to manage.
Case Study: Large, Publicly Traded Device Manufacturer Navigates Product Line Divestiture with Ease
A large, publicly traded manufacturer of products for pain management, digestive health, and IV therapy was in the process of divesting one of its product lines to another company. As a result, some of their regulatory employees were transitioned to the company that purchased its product line. The customer leveraged Rimsys’ unique Linked Accounts feature, which allows users to grant external stakeholders controlled access to Rimsys, to give those impacted access to the 100+ registrations associated with the divested products. As a result, the transitioned employees lost no access to their respective products and are able to manage, review, and approve those registrations as they normally would.
“Linked Accounts is a fantastic feature that I didn’t originally appreciate as much. Rimsys made it easy for us to identify the products impacted by the divestiture and provide access to those who need them. It has been a bright spot in the sea of headaches both teams are experiencing when trying to review and approve information in other systems.”
-Program Manager, Regulatory Information Management
When the transaction is complete, the customer will easily be able to export the list of registrations by product tag and archive the registrations in Rimsys for easy management and visibility. The transitioned employees will also still retain access to the information they need in Rimsys as they work to implement their own Rimsys solution to manage those registrations.
Navigating Business and Regulatory Changes with RIM Systems
As the MedTech industry prepares for additional mergers, acquisitions, and divestitures this year, getting a solid regulatory information foundation in place is critical for a successful transition and ongoing compliance. Yet, many MedTech RA teams are using manual processes and siloed systems to manage regulatory information.
One of Rimsys’ goals is to serve as a strategic partner to MedTech RA teams, helping them better understand their current RIM state and the steps they need to advance their processes. This includes the implementation of a RIM system such as Rimsys to centralize their regulatory information, enable easy collaboration with internal and external stakeholders, and automate time-consuming manual processes for strengthened global compliance.
See our Guide to MedTech RIM Maturity, which provides our RIM Maturity Model Framework, for ways to better assess your organization’s current RIM state and incrementally reach new milestones.
Rimsys has helped global MedTech leaders navigate business and regulatory change with unified RIM software that provides full visibility into their regulatory activities. If you’re looking to stay ahead of upcoming strategic activities or are simply looking for a better way to manage your information amid increasing complexity, contact us to learn how Rimsys can help you streamline and automate your processes for long-term success.
Rimsys POV: Updated EUDAMED timeline
The EU Commission has recently announced updates for completing and implementing EUDAMED based on amendment 2024/1860. This article outlines the current EUDAMED timelines and our point of view on these timelines to help industry prepare accordingly.
Current EUDAMED Timelines:
- The target date for the first mandatory application of functional EUDAMED modules is still January 1, 2026. The Vigilance module is expected to be mandatory beginning in Q3 2026 with full EUDAMED functionality planned for Q2 2027.
- The Actor, UDI & Devices, Certificates, and Market Surveillance modules are currently under audit. The independent Minimum Viable Product (MVP) audit is intended to assess and confirm functionality and interconnectivity of the modules that are deemed audit ready. This audit is foreseen to be completed by Q2 2025.
- Mandatory use of each module is to commence six (6) months after the module is declared fully functional through the independent audit and publication in the Official Journal of the European Union (OJEU). The Actor, UDI & Devices, Certificates, and Market Surveillance modules are expected to be declared fully functional at the end of Q2 2025, leading to their mandatory application date of January 1, 2026.
- The Actor, UDI & Devices, Certificates, and Market Surveillance modules are expected to be declared fully functional by the end of Q2 2025 and mandatory for industry use on January 1, 2026.
- The Vigilance module is not part of the ongoing MVP audit and will not be declared fully functional along with the previously mentioned modules. The revised timeline indicates that the audit of that module will occur between Q2 and Q3 of 2025, with the goal of the mandatory application date in Q2 of 2026.
- The development of the Clinical Investigation/Performance Studies (“CI/PS”) module is intended to continue through Q3 2026. An audit to assess the CI/PS module together with the other five (5) modules will be completed once the CI/PS MVP has been developed.
Photo courtesy of the European Commission
Here is how Rimsys views the impact of this announcement for each stakeholder group:
Rimsys
UDI is front of mind as well as future interaction with the Vigilance module. There is no change to our current plans, as Rimsys will continue to develop UDI and Post Market Surveillance functionality regardless of the updated target dates. We also recognize the potential impact of establishing data transfer (DTX) capabilities to interact with EUDAMED in a machine-to-machine (M2M) capacity. With the publication of the final requirements needed for M2M DTX to EUDAMED, Rimsys is positioned to finalize our connection and deliver M2M capabilities as part of the EUDAMED solution.
Industry/customer
Since the European Commission(EC) has made multiple updates to EUDAMED timelines, we expect industry will have some reluctance to accept the new target dates. As a result, this could delay re-engagement with EUDAMED preparations. However, we do not expect the EC to push these updated timelines. Manufacturers that don’t have a plan to submit data to EUDAMED by Q2 this year should expect significant challenges to meet these deadlines. With the audit of expected modules underway with the associated technical documentation published, Rimsys recommends taking steps to organize regulatory data now and submit their information early to all available EUDAMED modules.
EU Commission
The EC strongly recommends industry continues to establish its solution and to submit data on a voluntary basis. Do not wait. The commission’s position is that submitting data early will give companies an advantage by having their data “in” before the onslaught of the entire global MedTech industry, all trying to add data at the same time EUDAMED becomes mandatory. These companies will also be in front of the line to work with the commission resources if data submission issues occur.
* Note - this article includes regulatory interpretations and opinions from the Rimsys team. We try to be as informative as possible, but this information isn’t intended to serve as a substitute for official guidance from regulatory authorities.
