EUDAMED transparency is the design choice, built into MDR Articles 33 and 34, that publishes significant portions of the European Database on Medical Devices to the general public — including manufacturer and device data, certificate status, and, for implantable and Class III devices, the Summary of Safety and Clinical Performance under Article 32. For a startup, this means two things at once: your regulatory footprint is readable by competitors, investors, journalists and patients from the moment you enter the market; and theirs is readable by you. A startup strategy that treats EUDAMED as a quiet back-office registration exercise misses both the exposure and the opportunity. The lean posture is to plan your public-facing MDR artefacts as if they will be read — because they will — and to use the same transparency to do competitive intelligence that did not exist before the MDR.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- EUDAMED is built on a transparency principle: MDR Articles 33 and 34 establish the database, and substantial parts of it are designed to be publicly accessible to healthcare professionals, patients, and the general public.
- For implantable and Class III devices, MDR Article 32 requires a Summary of Safety and Clinical Performance (SSCP) that is validated by the Notified Body and published through EUDAMED — this is the single most consequential public document in the entire MDR.
- Manufacturer identity, device identity via UDI, risk class, certificate status, and significant portions of vigilance information are part of the public transparency layer, with the detailed functioning rules set out in Commission Implementing Regulation (EU) 2021/2078.
- The strategic implication for startups is that your MDR footprint is a public artefact the moment you register, and your competitors' footprint is readable by you — EUDAMED is the first structured competitive intelligence source in European medical devices that did not exist under the old Directives.
- A Subtract to Ship startup strategy treats the public EUDAMED layer as a product surface to be designed deliberately, not as paperwork filed into a black box.
A competitor reads your file before the first sales call
A founder showed up to a partnership meeting with a larger device company and was surprised that the counterparty already knew the SRN, the Basic UDI-DI, the risk class, the Notified Body, the certificate date, and the headline claims from the SSCP. The founder had not sent them any of this. The counterparty had pulled it from EUDAMED on the train ride over. The meeting was not starting from a pitch deck; it was starting from a regulatory dossier the founder had not planned for anyone outside the regulatory team to read.
This is the transparency design of MDR working as intended. Articles 33 and 34 build EUDAMED as a public-facing layer on top of the manufacturer-facing modules. Article 32 goes one step further for implantable and Class III devices and requires a document written explicitly for healthcare professionals and, where relevant, patients. None of this is accidental. All of it is readable. And every founder building a device in scope of the MDR is, whether they have noticed or not, publishing to a public channel from the day they register.
What is public in EUDAMED and what is not
EUDAMED is a six-module database established by MDR Article 33. The detailed rules on registration, access rights, data ownership, and information security are laid down in Commission Implementing Regulation (EU) 2021/2078. Article 33(2) explicitly states that certain parts of EUDAMED shall be publicly accessible, and Article 33(3) envisages different levels of access for the public, for healthcare professionals, for Competent Authorities, for Notified Bodies, for sponsors of clinical investigations, and for economic operators.
In practice, the public-facing layer includes, for the modules and device classes currently in scope, the following kinds of information.
Manufacturer and actor data. The manufacturer's identity, Single Registration Number, registered address, and authorised representative where applicable, drawn from the actor registration module under Article 31.
Device identity. The Basic UDI-DI, UDI-DIs, device name, risk class, and intended purpose summary from the device registration module under Article 29.
Certificates. Certificate information from the Notified Body — including the Notified Body identification number, the certificate number, the scope, the date of issue, and the current status, including any suspensions, withdrawals, or restrictions, as handled under Article 56 and made visible through the certificates module.
Summaries of Safety and Clinical Performance. For implantable devices and for Class III devices other than custom-made or investigational devices, the SSCP required by Article 32. This document is drafted by the manufacturer, validated by the Notified Body during conformity assessment, and made publicly available through EUDAMED. Article 32(2) sets out the minimum content, including the device identification, the intended purpose, the clinical evaluation summary, and the residual risks.
Certain vigilance summaries. Article 92 governs which parts of the vigilance flow end up in EUDAMED and which parts are accessible to which audience. Field safety notices in particular are generally made publicly accessible under Article 89(8), unless confidentiality is justified. Article 92(7) also envisages that broader trend and aggregate vigilance information be publicly accessible to an appropriate extent.
What is not in the public layer is equally important. Manufacturer-internal technical documentation is not published. Individual serious incident reports in their raw form are not published. Commercially confidential information and personal data are protected under Article 109. The Periodic Safety Update Report for the highest risk classes under Article 86 is stored in EUDAMED and accessible to Competent Authorities and Notified Bodies but is not a public document. The market surveillance module (module six) is primarily authority-facing, as covered in the EUDAMED market surveillance module post.
The practical boundary is clear once you internalise it. Identity, certification status, and safety-and-performance summaries are public. Raw technical evidence, individual vigilance reports, and commercial detail are not. Startup strategy lives in the space between those two lines.
The SSCP is the loudest public document you will ever write
Of everything in the public EUDAMED layer, the Summary of Safety and Clinical Performance under MDR Article 32 is the one startups most consistently underestimate. It is only required for implantable and Class III devices other than custom-made or investigational devices, but for the teams inside that scope, it is the single most consequential public document they will produce during certification.
Article 32(1) requires the manufacturer to draw up a summary that is written in a way that is clear to the intended user and, if relevant, to the patient. Article 32(2) sets out the minimum content: identification of the device and manufacturer including the Basic UDI-DI and the SRN; the intended purpose, indications, contraindications, and target populations; a description of the device including a reference to previous generations or variants where they exist; possible diagnostic or therapeutic alternatives; reference to any harmonised standards and common specifications applied; the summary of the clinical evaluation under Annex XIV and relevant information on post-market clinical follow-up; the suggested profile and training for users; information on residual risks, undesirable effects, warnings and precautions.
Article 32(3) then adds the quiet line that makes the document strategic rather than bureaucratic: "the summary of safety and clinical performance shall be validated by the notified body", and Article 32(4) requires that the SSCP be made available to the public via EUDAMED. It is Notified Body-reviewed and it is published. The manufacturer does not get to treat it as a marketing brochure, because the Notified Body will push back on unsupported claims. And the manufacturer does not get to treat it as an internal compliance document, because patients and competitors can read it.
For a startup, the SSCP is the product of the clinical evaluation, the risk management file, and the intended purpose definition, all compressed into a document that has to be truthful, Notified Body-validated, and understandable. It is where the gap between a bloated regulatory narrative and a lean one becomes visible to the outside world. A startup that writes a 40-page SSCP nobody reads has missed the point. A startup that writes a focused SSCP that matches the clinical story in the CER and the risk posture in the 14971 file has produced both a compliance artefact and a public trust document in the same stroke.
Competitive intelligence: what you can learn from a competitor's EUDAMED footprint
The other side of EUDAMED transparency is that every other startup and incumbent in your space is publishing into the same layer. For the first time in European medical devices, there is a structured, searchable, Commission-maintained database where you can look up your competitors' regulatory posture without asking them for anything.
What a startup can reasonably learn from a competitor's EUDAMED footprint:
The regulatory path they chose. The risk class a competitor registered under tells you how they classified the device and which conformity assessment route they took. A Class IIa versus Class IIb versus Class III choice is a strategic fingerprint — it tells you how the competitor framed the intended purpose and how hard their clinical evaluation had to work.
The Notified Body. The certificate entry identifies the Notified Body. That is useful because Notified Bodies differ in throughput, specialism, and review posture. Knowing which NB a competitor used tells you something about the certification market and about which NBs are accepting which kinds of devices in practice.
Certificate status and history. A certificate that has been suspended, restricted, or withdrawn is visible through the certificates module. That is not competitive gossip — it is a material regulatory fact with direct commercial implications.
The clinical story at the public level. For implantable and Class III competitors, the SSCP is readable. That is a gift. You can see the intended purpose they chose, the indications and contraindications they committed to, the alternatives they acknowledged, the residual risks they declared, and the summary of clinical evidence they were willing to put their Notified Body's name next to. You cannot see the underlying technical file, but you can see the contours of it at the level the regulation cares about.
Field safety notices. Public field safety notices under Article 89(8) tell you when competitor devices have had problems serious enough to warrant corrective action in the field. These are not hidden. They are findable.
A startup that treats EUDAMED as a competitive intelligence source rather than just a registration burden gets a free regulatory radar that no amount of pre-MDR desk research could assemble.
The Subtract to Ship playbook for EUDAMED transparency
The Subtract to Ship framework for MDR applied to EUDAMED transparency produces four habits that are small enough for a three-person regulatory function to actually maintain.
One: treat public EUDAMED artefacts as product surfaces. The SSCP, the certificate entry, the device registration entry, and any public-facing vigilance information are artefacts your customers, competitors, and investors will read. Write them deliberately. That does not mean marketing them — the Notified Body will stop you if you try — it means writing them with the same care you would write a landing page, within the limits of regulatory truthfulness.
Two: align the SSCP with the intended purpose you actually want to live with. The SSCP is Notified Body-validated, so the claims in it are constrained by the claims in your clinical evaluation. This means the intended purpose, the CER, and the SSCP should be aligned from the start of the project, not reconciled at the end. A startup that decides the intended purpose in the first month of design and keeps it consistent through the CER and into the SSCP ends up with a clean public document. A startup that tries to broaden the claims at the SSCP stage ends up either rejected by the Notified Body or with a public document that contradicts the rest of the file.
Three: run EUDAMED competitive intelligence quarterly. Once a quarter, one person on the regulatory or product team spends an hour pulling competitor SRNs, device entries, certificate statuses, and SSCPs. The goal is not to obsess; it is to notice changes — a new Class III competitor entering the market, a certificate suspension that opens a window, an SSCP revision that signals a strategic pivot. An hour per quarter is enough. An hour per week is too much. Zero is too little.
Four: plan the publication moment. The day your SSCP goes live in EUDAMED is a public event, even if no one sends an announcement. Know when it is happening. Know what it will say. Know whether it will be read by investors who have already seen your pitch deck and might notice the gap between the deck's claims and the SSCP's claims. Close that gap in advance, in the deck, not in the SSCP.
Everything beyond those four habits — dedicated EUDAMED war rooms, SSCP rewrite projects decoupled from the CER, competitive intelligence dashboards updated weekly — is activity in search of a justification. Subtract it.
For the broader startup-side context, see the dedicated post on the SSCP under MDR Article 32, which walks through the document structure in detail, and the pillar post on what EUDAMED is, which frames the six-module architecture. The companion post on the EUDAMED market surveillance module covers the authority-facing side of the database.
Reality Check — Where does your startup stand on EUDAMED transparency?
- Do you know which of your EUDAMED-destined artefacts will be publicly readable by competitors, investors, and patients — and which will not?
- If your device is implantable or Class III, do you know that MDR Article 32 requires an SSCP that will be Notified Body-validated and published, and is your clinical evaluation written in a way that supports the SSCP you will want to publish?
- Have you read the SSCPs of your three closest competitors? If you have not, you are leaving free competitive intelligence on the table.
- Is your intended purpose stable enough that the version in your CER, the version in your labelling, and the version that will appear in the SSCP will match, or are you still changing it?
- Do you have a plan for the moment your certificate status or your SSCP becomes public in EUDAMED — specifically who inside the company owns the narrative the day it goes live?
- Is there any claim in your pitch deck, on your website, or in your investor memo that your own SSCP, written truthfully and validated by the Notified Body, would not support?
If you cannot answer at least four of these cleanly, EUDAMED transparency is still a blind spot in your strategy rather than a designed surface.
Frequently Asked Questions
What parts of EUDAMED are publicly accessible?
Under MDR Article 33(2), significant parts of EUDAMED are designed to be publicly accessible. In practice this includes manufacturer and device identity data, certificate status from the Notified Body, the Summary of Safety and Clinical Performance for implantable and Class III devices under Article 32, and certain vigilance information including field safety notices under Article 89(8). The detailed access rules are set out in Commission Implementing Regulation (EU) 2021/2078.
What is an SSCP and who writes it?
The SSCP is the Summary of Safety and Clinical Performance required by MDR Article 32 for implantable devices and Class III devices other than custom-made or investigational devices. It is drafted by the manufacturer, validated by the Notified Body during conformity assessment, and made publicly available through EUDAMED. Article 32(2) sets out the minimum content, including device identification, intended purpose, clinical evaluation summary, and residual risks.
Can I see my competitors' SSCPs?
Yes, for competitors whose devices are in scope of Article 32. The SSCP is published through EUDAMED precisely so that healthcare professionals, patients, and the public can read it. A startup building in the same space as an implantable or Class III competitor can and should read those documents — they are a legitimate competitive intelligence source produced by the regulation itself.
Is raw technical documentation public in EUDAMED?
No. Manufacturer-internal technical documentation, detailed test data, and the full Clinical Evaluation Report are not part of the public layer. The public view is built from summaries and structured registration data. Commercially confidential information and personal data are protected under Article 109 of the Regulation.
Are vigilance reports public?
Raw individual vigilance reports are not generally public. Field safety notices are, as a rule, made publicly accessible under MDR Article 89(8) unless confidentiality is justified. Aggregate vigilance information is envisaged by Article 92(7) to be publicly accessible to an appropriate extent. Periodic Safety Update Reports for the highest risk classes under Article 86 are accessible to Competent Authorities and Notified Bodies rather than to the general public.
How often should a startup check EUDAMED for competitive intelligence?
For most startups, one structured review per quarter is the right cadence — enough to catch new entrants, certificate status changes, and SSCP revisions, without turning competitive monitoring into a distraction from the actual device work.
Does EUDAMED transparency apply before a device is certified?
Actor registration under Article 31 is required before placing devices on the market, so manufacturer identity can be visible in EUDAMED well before the first certificate is issued. Device-level transparency and SSCP publication follow certification. A startup that is pre-certification is already publishing at the actor level, even if nothing about the device itself is yet public.
Related reading
- What is EUDAMED? The European database on medical devices explained — the pillar post that introduces the six-module architecture and the public access model.
- The EUDAMED market surveillance module — the authority-facing counterpart to the public transparency layer discussed here.
- The SSCP under MDR Article 32 — the detailed walkthrough of the most consequential public document in the MDR.
- EUDAMED public access and transparency — the focused explainer on access levels and what each audience sees.
- The Subtract to Ship framework for MDR — the methodology that sits behind the lean startup posture described in this post.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 32 (Summary of safety and clinical performance), Article 33 (European database on medical devices — Eudamed), Article 34 (functioning of Eudamed), Article 73 (electronic system on vigilance and on post-market surveillance), Article 89 (analysis of serious incidents and field safety corrective actions), Article 92 (electronic system on vigilance and on post-market surveillance), Article 109 (confidentiality). Official Journal L 117, 5.5.2017.
- Commission Implementing Regulation (EU) 2021/2078 of 26 November 2021 laying down rules for the application of Regulation (EU) 2017/745 of the European Parliament and of the Council as regards the European Database on Medical Devices (Eudamed). OJ L 426, 29.11.2021.
- European Commission, EUDAMED information page — current module status, public access points, and user guides. Readers should consult this page directly on the day they act on any module-specific obligation, because the public access scope expands as modules become mandatory.
This post is part of the EUDAMED, UDI and Registration series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. EUDAMED transparency is one of the quietest strategic shifts the MDR introduced — every startup in scope is now publishing to a public regulatory channel whether they planned to or not, and every competitor is doing the same. The teams that notice this early build cleaner public artefacts and make sharper competitive decisions. The teams that notice it late discover, at a partnership meeting or an investor call, that someone already read the file.