MDR Article 15(6) sets out the formal qualification floor for the Person Responsible for Regulatory Compliance, but it does not enumerate the technical competencies the job demands day to day. A functional MDR regulatory affairs professional needs fluency in roughly twelve distinct hard skills, spanning the regulation itself, the referenced standards, and the core deliverables of a conformity assessment file.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • MDR Article 15(6) defines formal qualifications (diploma plus experience or four years of experience) but does not enumerate technical competencies.
  • Twelve hard skills carry almost every RA file under MDR: MDR text fluency, Annex VIII classification reasoning, EN ISO 13485 fluency, EN ISO 14971 fluency, EN 62304 for software, EN 62366-1 usability, CER drafting, PMS/PMCF design, vigilance reporting, technical documentation structuring, labeling and IFU compliance, and Eudamed/UDI operations.
  • Each skill has a source to learn from, a measurable proxy for competence, and a typical time to working proficiency.
  • The portfolio approach treats RA career development like an investment: spread exposure across the twelve areas rather than over-specialising in one.
  • Evidence of competence matters under EN ISO 13485 clause 6.2 — keep records of training, deliverables, and audit outcomes that demonstrate each skill.
  • The hard skills are the floor. Without them, soft skills cannot rescue a file. With them, soft skills multiply the output.

Why this matters

A startup founder asks: "What exactly should I hire for when I hire an RA person?" An RA professional asks: "What should I learn next to become the senior person in the room?" Neither question has a clean answer in the regulation. Article 15(6) tells you who can legally sign off as the PRRC, but it does not tell you what a competent RA person can actually do.

In the absence of a clear answer, two failure modes dominate. First, startups hire for a long list of desirable traits and find that the person cannot draft a Clinical Evaluation Report when the notified body asks. Second, RA professionals over-invest in one area — usually the one they started in — and reach mid-career with a lopsided portfolio that limits their options.

This post proposes a twelve-skill portfolio. It is not exhaustive. It is the minimum viable competency set for someone running MDR regulatory affairs at a small or mid-sized manufacturer.

What MDR actually says

MDR Article 15(1) requires that manufacturers have available at least one Person Responsible for Regulatory Compliance with the requisite expertise in the field of medical devices. Article 15(3) lists the PRRC's responsibilities: that the conformity of the devices is appropriately checked, that the technical documentation and EU declaration of conformity are drawn up and kept up to date, that post-market surveillance obligations are complied with, that reporting obligations under Articles 87 to 91 are fulfilled, and, in the case of investigational devices, that the statement referred to in Annex XV is issued.

Article 15(6) then defines the expertise floor: either a diploma in law, medicine, pharmacy, engineering or another relevant scientific discipline plus at least one year of professional experience in regulatory affairs or QMS relating to medical devices, or four years of such professional experience. EN ISO 13485:2016+A11:2021 clause 6.2 adds that the organisation must determine necessary competence, provide training where needed, evaluate effectiveness, and maintain records.

None of this tells you what an RA professional should actually be able to do on a Tuesday morning. The hard-skill portfolio below fills that gap.

The twelve-skill hard-skill portfolio

Each skill includes: what it is, where to acquire it, how to measure progress, and typical time to working proficiency.

1. MDR text fluency

What: The ability to find any provision in Regulation (EU) 2017/745 without a search tool, recognise which articles govern which activities, and trace cross-references across chapters. Source: Repeated reading of the consolidated text, including amendments such as Regulation (EU) 2023/607. Working through every cited article until the structure becomes navigable from memory. Measurement: Can you name the article that governs labeling requirements, clinical evaluation, PRRC, classification, and vigilance without looking? Can you distinguish Chapter II from Chapter VI by contents? Time to proficiency: Six to twelve months of regular use.

2. Annex VIII classification reasoning

What: The ability to classify a device against the twenty-two classification rules in Annex VIII, defend the reasoning in writing, and recognise where Rule 11 or the borderline cases will require extra support. Source: Annex VIII, MDCG 2021-24, the Borderline Manual v4, and for software MDCG 2019-11 Rev.1. Measurement: Given a device description, can you produce a classification justification document citing the applicable rule and excluding others? Time to proficiency: Three to six months of real case exposure.

3. EN ISO 13485:2016+A11:2021 fluency

What: Clause-level knowledge of the QMS standard, including how clauses 4 through 8 map to MDR Article 10(9) and Annex IX QMS-based conformity assessment. Source: The standard itself, internal audit experience, and reviewing real QMS documentation across multiple manufacturers. Measurement: Can you read a procedure and identify which clause it addresses, which clauses it omits, and whether it would survive an audit? Time to proficiency: Twelve months with active audit exposure.

4. EN ISO 14971:2019+A11:2021 fluency

What: Risk management file structure, risk analysis methods, benefit-risk determination, and how the standard connects to the GSPRs in MDR Annex I. Source: The standard, ISO/TR 24971 as a companion, and drafting real hazard analyses against real devices. Measurement: Can you write a hazard analysis, define a risk acceptance matrix with a defensible rationale, and produce a risk management report that an auditor signs off without major findings? Time to proficiency: Six to twelve months.

5. EN 62304:2006+A1:2015 for software

What: The software lifecycle standard — safety classification A/B/C, the deliverables each class requires, SOUP management, maintenance processes, and problem resolution. Source: The standard, plus real software documentation work on at least one Class B or Class C device. Measurement: Can you read a software architecture document and identify the missing 62304 artifacts? Time to proficiency: Three to six months if you have a software background, nine to twelve otherwise.

6. EN 62366-1:2015+A1:2020 usability engineering

What: Use-related risk analysis, formative and summative evaluation design, and the usability engineering file structure. Source: The standard, MDR Annex I §5 and §22, and running at least one summative evaluation. Measurement: Can you write a use specification, identify primary operating functions, and design a summative evaluation that will satisfy a notified body reviewer? Time to proficiency: Three to nine months.

7. Clinical Evaluation Report drafting

What: Writing a CER that meets MDR Article 61 and Annex XIV Part A — literature search, appraisal, equivalence reasoning if applicable, and benefit-risk conclusion. Source: MDR Article 61, Annex XIV, MEDDEV 2.7/1 rev.4, MDCG 2020-5, and MDCG 2023-7. Measurement: Can you draft a CER that survives notified body review with no major findings on methodology? Time to proficiency: Nine to eighteen months; this is one of the slower skills to develop.

8. PMS and PMCF design

What: Writing a PMS plan (Annex III), a PMCF plan (Annex XIV Part B), and the associated reports (PSUR for Class IIa/IIb/III, PMS report for Class I) under MDR Articles 83 to 86. Source: MDR Articles 83-86, Annex III, Annex XIV Part B, and MDCG 2025-10. Measurement: Can you design a PMS system that generates signal rather than paperwork? Time to proficiency: Six to twelve months.

9. Vigilance reporting

What: Identifying serious incidents under MDR Article 87, meeting the reporting timelines, drafting trend reports under Article 88, and managing FSCAs. Source: MDR Articles 87-92 and MDCG 2023-3 Rev.2. Measurement: Can you triage a complaint and determine within minutes whether it is a reportable serious incident? Time to proficiency: Three to six months of active complaint exposure.

10. Technical documentation structuring (Annex II and III)

What: Building a tech file that maps cleanly to Annex II and Annex III, with cross-references that survive scrutiny. Source: MDR Annex II and III directly, plus reviewing real files across multiple device types. Measurement: Can an auditor navigate your file without you in the room? Time to proficiency: Six to twelve months.

11. Labeling, IFU and promotional compliance

What: Applying MDR Annex I Chapter III, Article 7 (prohibitions on misleading claims), ISO 15223-1 symbols, UDI carrier placement, and the eIFU implementing regulation. Source: Annex I Chapter III, Article 7, ISO 15223-1, Commission Implementing Regulation (EU) 2021/2226 as amended by (EU) 2025/1234. Measurement: Can you review a label and an IFU and identify every nonconformity in one pass? Time to proficiency: Three to six months.

12. Eudamed and UDI operations

What: Registering the manufacturer, obtaining an SRN, assigning Basic UDI-DI and UDI-DI, uploading device data, and maintaining the record. Source: MDR Articles 27-29 and 33, Commission Implementing Regulation (EU) 2021/2078. Measurement: Can you complete a device registration in Eudamed without assistance? Time to proficiency: One to three months once Eudamed modules are in scope.

A worked example

Felix coached a seed-stage SaMD startup through a hiring decision. The founder had two candidates for the first RA hire. Candidate A had eight years of experience, almost entirely in CER drafting for large implantable device manufacturers. Candidate B had five years across three companies — less depth in any one area, but hands-on exposure to classification, tech docs, software lifecycle under EN 62304:2006+A1:2015, vigilance, and Eudamed.

The startup was pre-submission, Class IIa SaMD, with no PMS file yet, no CER structure, and no Eudamed registration. Candidate A had the deepest single skill but would have to learn nine of the other eleven on the company's time. Candidate B had working-level competence across most of the portfolio and could start shipping deliverables week one.

The founder hired Candidate B and brought in Zechmeister Strategic Solutions for the CER because it was the one area where depth was load-bearing. The submission shipped on the original timeline. The lesson: portfolio breadth beats single-skill depth when the company does not yet have a mature file.

The Subtract to Ship playbook

For founders hiring and for RA professionals developing a career:

  1. Map the current portfolio. List the twelve skills. Rate yourself or your candidate 1-5 on each with a concrete example for each rating.
  2. Identify the load-bearing gaps. What does the company need in the next twelve months that the current team cannot do?
  3. Decide build vs buy per gap. Some skills (CER, vigilance) can be bought as a service. Others (MDR fluency, tech doc structuring) must be built internally.
  4. Schedule one skill per quarter for deliberate development. Assign real deliverables, not courses alone.
  5. Keep competence records per EN ISO 13485 clause 6.2. Training, deliverables, audit outcomes — all three matter, not just training certificates.
  6. Rotate exposure. Every eighteen months, move the RA person into a new area of the portfolio. Lopsided RA careers hit a ceiling.

Reality Check

  1. Can you name all twelve skills in the portfolio without re-reading this post?
  2. For each skill, do you have a concrete deliverable you have produced in the last twelve months?
  3. Where is the load-bearing gap in your current team — and is it being closed or ignored?
  4. Do your competence records under EN ISO 13485 clause 6.2 actually reflect what your team can do, or do they only reflect training attended?
  5. If you lost your senior RA person tomorrow, which two skills would become single points of failure?
  6. Are you investing in breadth or in one deep specialty? Which does your company actually need right now?
  7. Have you read the MDR consolidated text front to back in the last twelve months?

Frequently Asked Questions

Does MDR Article 15 require all twelve of these skills? No. Article 15(6) only sets qualification floors. The twelve skills are the operational competencies the role demands in practice, not legal requirements.

Can one person realistically hold all twelve skills at a senior level? Rarely. Most senior RA professionals are strong in seven or eight and working-level in the rest. Teams cover the full set through combination.

Which skills are hardest to develop? CER drafting and MDR text fluency take the longest. Both require sustained exposure to real files, not just reading.

Which skills can a startup safely outsource? CER drafting, clinical strategy, and notified body liaison are commonly outsourced. Classification reasoning, tech doc structuring, and PMS design should stay in-house because they touch every future decision.

How do I demonstrate these skills in an interview? Bring anonymised work samples. A real deviation report, a real hazard analysis extract, a real classification justification. One page of real work beats an hour of abstract discussion.

How do I evidence these skills for an EN ISO 13485 audit? Training records plus deliverables plus outcomes. A training certificate alone is not evidence of competence; a training certificate plus a successful deliverable plus a clean audit trail is.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 15, Article 52, Article 61, Articles 83-86, Articles 87-92, Annex VIII, Annex XIV.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems. Clause 6.2 (Competence).
  3. EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices.
  4. EN 62304:2006+A1:2015 — Medical device software — Software life cycle processes.
  5. EN 62366-1:2015+A1:2020 — Medical devices — Application of usability engineering to medical devices.
  6. MDCG 2019-11 Rev.1 (October 2019, Rev.1 June 2025) — Guidance on qualification and classification of software.
  7. MDCG 2021-24 (October 2021) — Classification of medical devices.