The EUDAMED market surveillance module is the sixth module of the European Database on Medical Devices established by MDR Article 33. It supports the activities of Competent Authorities under MDR Articles 93 to 100 by aggregating, across all Member States, the information needed to coordinate inspections, non-compliance findings, corrective measures, and enforcement actions. It is primarily an authority-facing module. Manufacturers do not file into it directly, but almost everything the authorities see about a device flows into it from the other five modules and from national market surveillance activity. Article 100 specifically requires a Union market surveillance information system, and the EUDAMED market surveillance module is the implementation of that obligation. The detailed functioning rules are set out in Commission Implementing Regulation (EU) 2021/2078.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • The EUDAMED market surveillance module is the sixth module of EUDAMED and implements the Union market surveillance information system required by MDR Article 100.
  • Its legal anchor is Articles 93 to 100 of Regulation (EU) 2017/745, which set out the Competent Authorities' market surveillance mandate, the procedure for devices presenting unacceptable risk, and the coordination obligations between Member States.
  • The module is primarily authority-facing. Manufacturers do not file into it directly, but it aggregates data from the other five EUDAMED modules plus information that Competent Authorities enter from their national market surveillance activities.
  • Commission Implementing Regulation (EU) 2021/2078 sets the detailed functioning rules: registration, access rights, data ownership, information security, and contingency procedures that apply to every EUDAMED module, including this one.
  • For manufacturers, the practical significance is that the Competent Authority looking at your device sees a consolidated picture drawn from actor registration, device registration, certificates, clinical investigations, vigilance, and market surveillance entries made by authorities across the Union. That picture is the starting point for any inspection, any Article 94 evaluation, and any Article 95 or 97 enforcement action.

A founder asked what the authority actually sees

A founder called after a short letter from a Competent Authority asked for documentation on a specific device. The letter was polite, factual, and referenced a Basic UDI-DI the company had registered in EUDAMED. The founder's first question was not "how do I respond." It was "what do they already know." They had assumed the authority was starting from zero and asking because they had no information. The answer is the opposite. Under the EUDAMED architecture, a Competent Authority opening a file on your device is not starting from zero. They are starting from whatever the EUDAMED market surveillance module has aggregated about you, pulled from every other module and from the activity of authorities across the Union.

This post explains what the module is, what it captures, why it exists, and what it means for a manufacturer to know that the authority on the other side of an inquiry has a consolidated view before the first question is even asked.

What the module is

The EUDAMED market surveillance module is module six of the six-module EUDAMED architecture defined by MDR Article 33 and operationalised by Commission Implementing Regulation (EU) 2021/2078. Its function is to support the Competent Authorities of the Member States in discharging the market surveillance mandate set out in Chapter VII, Section 3 of the Regulation. Specifically Articles 93 to 100.

Article 100 is the provision most directly implemented by this module. It requires the Commission, in collaboration with the Member States, to set up and manage an electronic system to collate and process information on non-compliant devices, preventive health protection measures, and the results of market surveillance activities. That information is then made available to the Commission, to Competent Authorities, and, where relevant, to Notified Bodies and economic operators, so that the enforcement picture is coordinated rather than fragmented across 27 national databases.

Where actor registration (module 1) answers "who is the manufacturer," device registration (module 2) answers "what device," certificates (module 3) answers "who certified it and when," clinical investigations (module 4) answers "what was the clinical evidence," and vigilance (module 5) answers "what has gone wrong," the market surveillance module answers "what have the authorities done about it, and what do they collectively see."

What the module captures

The market surveillance module, read together with Articles 93 to 100 and Implementing Regulation (EU) 2021/2078, is designed to hold and coordinate several categories of information.

Non-compliance findings. When a Competent Authority concludes under Article 97 that a device is non-compliant with the Regulation but does not present an unacceptable risk, the finding and the corrective measures required are recorded so that other authorities can see the situation.

Article 94 evaluations. Where a Competent Authority considers that a device may present an unacceptable risk and opens an evaluation under Article 94, the opening and the outcome of that evaluation are part of the information flow.

Article 95 enforcement actions. Where, following an Article 94 evaluation, the authority requires corrective measures. Bringing the device into compliance, restricting availability, making availability subject to specific requirements, withdrawing the device, or recalling it. Those measures are recorded and made visible to the other Member States so that the same device is handled consistently across the Union.

Preventive health protection measures. Article 98 allows a Member State to take provisional measures on grounds of public health even where there is no established unacceptable risk. Those measures are also captured so that the Commission and the other Member States can assess whether the measure should be extended Union-wide.

Inspection outcomes and campaign data. Market surveillance campaigns under Article 93, cross-border referrals, and the results of inspections are reflected in the module so that a coordinated enforcement picture is possible.

Links back to the other modules. The module does not exist in isolation. It is wired to actor registration, device registration, certificates, clinical investigations, and vigilance, so that when an authority opens a file it sees the consolidated picture rather than a single slice.

The Competent Authority view

The significance of the module for a manufacturer is best understood by imagining what a Competent Authority sees when they pull up your device.

They see the manufacturer entity. The SRN, the registered address, the PRRC under Article 15, the authorised representative if any, the history of changes to that actor record. They see the device. The Basic UDI-DI, the UDI-DIs grouped under it, the risk class, the current status on the market. They see the certificate. The Notified Body, the certificate number, the date of issue, the scope, any restrictions, suspensions, or withdrawals the Notified Body has recorded. For implantable and Class III devices they see the Summary of Safety and Clinical Performance published under Article 32. For clinical investigations they see the sponsor data and summaries flowing through the clinical investigations module. For vigilance they see the serious incident reports, field safety corrective actions, trend reports, and Periodic Safety Update Reports routed through the vigilance module under Articles 87 to 92.

And then, layered on top of all of that, they see what the other Competent Authorities have already entered about the same device. Any Article 94 evaluation opened in another Member State, any Article 95 corrective measure required elsewhere, any Article 97 finding, any Article 98 preventive measure. That is the view the market surveillance module exists to enable.

For a manufacturer, the implication is that the information asymmetry between a small startup and a Competent Authority is not what founders often assume. The authority does not arrive with nothing and ask questions in the dark. The authority arrives with a consolidated view and asks questions that are informed by it. The quality of the answers a manufacturer gives is measured against that consolidated view, not against a blank sheet.

Aggregation across Member States

The harder problem the module solves is Union-wide aggregation. Before MDR, a finding in Germany about a device did not automatically surface in France. A recall in Italy did not automatically inform the authority in Spain. Market surveillance was fragmented by Member State boundaries even when the device was sold across all of them.

Articles 95, 97, and 100 of the MDR close that gap. Article 95(4) and (5) require Member States to inform the Commission and the other Member States of the measures taken and the reasons for them, so that the same corrective action is considered across the Union. Article 97(3) does the same for non-compliance short of unacceptable risk. Article 100 requires the Commission to maintain the electronic system that makes this coordination practical rather than theoretical.

The market surveillance module is the plumbing for that coordination. When an authority in one Member State opens an Article 94 evaluation, the other authorities can see it. When a corrective measure is required under Article 95, the same measure can be coordinated across the Union rather than being negotiated 27 times. When a manufacturer has already been the subject of a non-compliance finding in one country, a new inquiry in another country starts from a position that is aware of the history. The days of hoping that a finding in one Member State would stay in that Member State are gone by regulatory design, not by accident.

What manufacturers should monitor

Because the module is authority-facing, a manufacturer cannot log in and browse it the way they can browse their own actor registration or device registration entries. What a manufacturer can do. And should. Is maintain awareness of the upstream data streams that feed into the Competent Authority view.

The actor registration entry under Article 31 must be current. Name, address, PRRC, authorised representative, change history. The device registration entries under Article 29 must be current. Basic UDI-DIs, UDI-DIs, risk class, market status. The certificate data flowing through the Notified Body must match the scope the manufacturer actually operates under. The SSCP under Article 32 must be the current version. The vigilance entries under Articles 87 to 92 must reflect every report the manufacturer has made, through whatever channel is currently mandatory. Any inconsistency between the manufacturer's own records and what an authority would see by consolidating EUDAMED is a finding in waiting.

The other useful habit is to keep the internal mirror. A startup that maintains its own register of every EUDAMED interaction. Every actor data update, every device registration change, every certificate update, every vigilance report, every response to a Competent Authority inquiry. Can reconstruct, at any point, what the authority view probably looks like. That mirror is not a substitute for the actual module, but it is the closest a manufacturer can come to seeing themselves as the authority sees them.

Transparency implications

Most of the market surveillance module is restricted to authorities. Unlike actor registration, device registration, certificates, and SSCPs, the market surveillance module is not designed to be a public-facing transparency layer. Its purpose is coordination between authorities, not publication to the world.

That said, the distinction between "what the module holds" and "what ends up public" is not a clean wall. Several of the information streams that feed the module are themselves publicly visible or become visible through adjacent channels. Certificate status is public. SSCPs for implantable and Class III devices are public. Field safety notices are, by Article 89(8), made publicly accessible unless confidentiality is justified. A recall action taken under Article 95 is typically reflected in a public field safety notice even if the internal coordination between authorities is not itself published.

The practical implication for a manufacturer is that the commercial footprint of an enforcement action is rarely confined to the authority channel. An Article 95 corrective measure that is coordinated across Member States through the market surveillance module will usually have a public face as well, through the certificate module, the vigilance module, or a field safety notice. Planning a response to any enforcement inquiry has to assume public visibility on the adjacent pieces, even when the module itself is not browsable from outside.

Common misunderstandings

The market surveillance module is one of the EUDAMED modules founders most consistently misunderstand, for four predictable reasons.

First, they confuse it with the vigilance module. The vigilance module (module 5) holds the manufacturer's reports. Serious incidents, FSCAs, trend reports, PSURs. The market surveillance module (module 6) holds the authorities' responses. Evaluations, enforcement actions, coordination data. They meet, but they are not the same, and the legal basis differs: Articles 87 to 92 for vigilance, Articles 93 to 100 for market surveillance.

Second, they assume it is a public database. It is not, or not primarily. The public-facing transparency layer of EUDAMED runs through other modules. The market surveillance module is there for authority coordination.

Third, they assume they can file into it. They cannot, in the way they file actor registration data or device registration data. Manufacturers feed the module indirectly, through the other five modules and through the information they provide to Competent Authorities during inspections and inquiries.

Fourth, they assume it is empty until something goes wrong. It is not. The module aggregates the consolidated view of every device on the Union market, including devices against which no enforcement action has ever been taken. "Nothing in the module about us" is the default state, and a manufacturer should not take it as a signal of either safety or invisibility.

For the broader authority-side context, see the deep dive on market surveillance by Competent Authorities, which walks through Articles 93 to 100 in detail.

The Subtract to Ship angle

The Subtract to Ship framework for MDR applied to the EUDAMED market surveillance module produces a short rule: do not build work for a module you cannot file into. The temptation with any EUDAMED module is to build parallel infrastructure. Internal dashboards that mirror the module, readiness binders specific to the module, consultancy engagements scoped to the module. For module six, that temptation is particularly wasteful because the module itself is authority-facing.

The work that actually matters for module six is upstream. Keep the actor registration data clean. Keep the device registration data clean. Keep the certificate data consistent with the certificate the Notified Body issued. Keep the vigilance reporting compliant under Articles 87 to 92. Keep the SSCP current under Article 32. Maintain a short readiness folder for Competent Authority inquiries as described in the market surveillance post. That is the list. Everything else. "market surveillance module readiness programmes," "EUDAMED module 6 gap analyses," "authority-view simulation dashboards". Is activity in search of a justification, and the justification is not in the Regulation.

What remains after subtraction is an operating discipline a three-person team can actually keep current: the upstream data is accurate, the vigilance loop works, the inquiry response folder is retrievable, and the internal mirror of EUDAMED interactions is maintained. That is enough.

Reality Check. Where do you stand on the market surveillance module?

  1. Do you understand that the EUDAMED market surveillance module is not a module you file into, but a module that aggregates what Competent Authorities see about your device?
  2. Can you name the articles of the MDR (93 to 100) that the module operationalises, and do you know which one specifically mandates the Union-level electronic system?
  3. Is the data your upstream EUDAMED modules carry. Actor registration, device registration, certificates, SSCP, vigilance. Consistent with your internal records and with your Notified Body submission?
  4. Do you maintain an internal mirror of every EUDAMED interaction, so you can reconstruct at any time the consolidated view a Competent Authority would see?
  5. When you responded to the last Competent Authority inquiry. Or when you plan your response to the first one. Did you assume the authority already had a coordinated picture of your device, or did you assume they were starting from zero?
  6. Do you have a documented process for ensuring that an Article 95 or 97 finding in one Member State does not catch your team by surprise when it reappears, via the module, in an inquiry from another Member State?

If you cannot answer four or more of these cleanly, module six is a blind spot in your EUDAMED posture.

Frequently Asked Questions

What is the EUDAMED market surveillance module in one sentence? It is the sixth module of EUDAMED, established under MDR Article 33 and implementing the Union market surveillance information system required by Article 100, used by Competent Authorities to coordinate inspections, non-compliance findings, and enforcement actions across Member States.

Can a manufacturer log in and see the market surveillance module? No, not in the way a manufacturer can log in and see their own actor registration or device registration entries. The module is authority-facing. Manufacturers feed it indirectly through the other EUDAMED modules and through the information they provide to Competent Authorities during inquiries.

Is the market surveillance module the same as the vigilance module? No. The vigilance module (module 5) holds manufacturer-initiated reports under Articles 87 to 92. Serious incidents, FSCAs, trend reports, PSURs. The market surveillance module (module 6) holds authority-initiated information under Articles 93 to 100. Evaluations, enforcement actions, coordination between Member States. The two modules meet, but they are distinct in legal basis and data ownership.

What does MDR Article 100 require? Article 100 requires the Commission, in collaboration with the Member States, to set up and manage an electronic system to collate and process information on non-compliant devices, preventive health protection measures, and the results of market surveillance activities, and to make that information available to the Commission, the Competent Authorities, and. Where relevant. Notified Bodies and economic operators.

Does information in the market surveillance module become public? The module itself is primarily authority-facing. However, several of the information streams that feed it have public faces through adjacent mechanisms. Certificate status is public, field safety notices under Article 89(8) are generally public, and SSCPs under Article 32 are public. A manufacturer should assume that an enforcement action coordinated through module six will usually have a visible public footprint through those adjacent channels.

What governs the detailed functioning of the market surveillance module? Commission Implementing Regulation (EU) 2021/2078 of 26 November 2021 lays down the rules on registration, access rights, nomenclature, data ownership, information security, and contingency procedures for EUDAMED. Those rules apply across all six modules, including the market surveillance module.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 33 (European database on medical devices. Eudamed), Article 34 (functioning of Eudamed), Article 93 (market surveillance activities), Article 94 (evaluation of devices suspected of presenting an unacceptable risk or other non-compliance), Article 95 (procedure for dealing with devices presenting an unacceptable risk to health and safety), Article 96 (other procedures), Article 97 (other non-compliance), Article 98 (preventive health protection measures), Article 99 (good administrative practice), Article 100 (Union market surveillance information system). Official Journal L 117, 5.5.2017.
  2. Commission Implementing Regulation (EU) 2021/2078 of 26 November 2021 laying down rules for the application of Regulation (EU) 2017/745 of the European Parliament and of the Council as regards the European Database on Medical Devices (Eudamed). OJ L 426, 29.11.2021.
  3. European Commission, EUDAMED information page. Current module status, Commission notices on functional declarations under Article 34, and user guides for each module. Readers should consult this page directly on the day they act on any module-specific obligation.

This post is part of the EUDAMED, UDI and Registration series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The market surveillance module is the quietest of the six modules from a manufacturer's perspective and the loudest from an authority's. Which is exactly why understanding what it aggregates, rather than what you can file into it, is the right posture for a small team that wants to stay ahead of the consolidated view.