Nobody starts a MedTech company planning to violate regulations. But non-compliance happens — sometimes through ignorance, sometimes through negligence, sometimes through the genuine complexity of MDR. Understanding what happens when things go wrong is not fear-mongering. It is risk management for your business.
MDR establishes a comprehensive market surveillance and enforcement framework. When a device does not meet requirements, a cascade of actions can follow — from informal requests for corrective action all the way to criminal penalties. The consequences are real, they are enforceable, and they can end a startup.
The Market Surveillance Framework
Market surveillance under MDR is the responsibility of competent authorities in each EU Member State. These authorities have broad powers to monitor medical devices on the market, investigate potential non-compliance, and take enforcement action.
MDR Articles 93-100 and the linked Regulation (EU) 2019/1020 on market surveillance provide the legal framework.
What Triggers Market Surveillance Action
Market surveillance can be triggered by:
- Routine surveillance programs — competent authorities proactively check devices on the market
- Serious incident reports — when a vigilance report indicates a potential safety issue
- Complaints — from patients, healthcare professionals, or other stakeholders
- Notified Body reports — when a NB identifies compliance concerns during surveillance audits
- Cross-border alerts — when another Member State's authority identifies an issue
- EUDAMED data — as EUDAMED becomes more functional, data patterns may trigger surveillance
- Whistleblower reports — information from current or former employees
What the Authority Can Do
Competent authorities have significant investigatory and enforcement powers:
1. Request documentation. The authority can require you to provide your technical documentation, Declaration of Conformity, QMS documentation, and any other evidence of compliance. You must comply — refusal is itself a violation.
2. Inspect your premises. Authorities can conduct on-site inspections of your manufacturing, storage, and business facilities.
3. Conduct or commission testing. The authority can take samples of your device and have them tested by independent laboratories.
4. Request corrective action. If a non-compliance is identified, the authority can require you to take corrective action within a specified timeframe.
5. Restrict or prohibit market availability. The authority can order the removal of a device from the market, prohibit further sales, or restrict the device's availability to specific conditions.
6. Order a recall. The authority can require the manufacturer to recall devices already in the supply chain or already in use.
7. Inform the public. Authorities can publish information about non-compliant devices, safety alerts, and recalls.
Types of Non-Compliance and Consequences
Administrative Non-Conformities
These are documentation or procedural failures that do not directly endanger patients but violate MDR requirements:
- Missing or incomplete EUDAMED registration
- Missing or incorrect UDI labeling
- Outdated Declaration of Conformity
- Insufficient post-market surveillance documentation
- Missing language translations for labeling
Typical consequences: Warning letter, request for corrective action within a specified timeframe, potential administrative fines. If corrected promptly, these typically do not escalate.
Substantive Non-Conformities
More serious failures that indicate the device may not meet safety and performance requirements:
- Insufficient clinical evidence for the device's claims
- Inadequate risk management
- QMS failures that affect product quality
- Missing or inadequate verification and validation
- Device not properly classified
Typical consequences: Formal non-compliance finding, mandatory corrective action, potential restriction on market availability until corrective action is complete. If a Notified Body is involved, the NB may suspend or withdraw the certificate.
Safety-Related Non-Compliance
Failures that present a direct risk to patients or users:
- Device causes or could cause serious incidents
- Device does not perform as intended, with potential for patient harm
- Known safety issues not communicated to users
- Failure to report serious incidents through the vigilance system
Typical consequences: Immediate market restriction or withdrawal, mandatory recall if devices are already in use, field safety corrective action, public safety notification. These are the most severe non-regulatory consequences.
The Recall Process
A recall is the process of retrieving a device that has already been distributed and is in the supply chain or in use. MDR and the implementing regulations provide the framework.
Recalls can be:
- Voluntary — the manufacturer proactively initiates a recall upon discovering a safety issue
- Mandatory — the competent authority orders a recall
Field Safety Corrective Actions (FSCA)
A Field Safety Corrective Action is any corrective action taken by the manufacturer for technical or medical reasons to prevent or reduce the risk of a serious incident in relation to a device made available on the market. FSCAs can include:
- Recall and replacement of the device
- Modification of the device (on-site)
- Software update
- Change to the device's Instructions for Use
- Recommendation to users regarding additional monitoring or testing of patients
FSCAs must be accompanied by a Field Safety Notice (FSN) — a communication sent to users and, where appropriate, patients, informing them of the corrective action.
What a Recall Costs
Recall costs are substantial and go far beyond the value of the recalled devices:
- Logistics: Retrieving devices from distributors, hospitals, clinics, and potentially patients
- Replacement: Providing replacement devices if available
- Communication: Preparing and distributing FSNs, handling inquiries from users and patients
- Regulatory reporting: Filing the required reports with competent authorities and EUDAMED
- Investigation: Root cause analysis and corrective action documentation
- Legal: Potential litigation from affected patients or business partners
- Reputation: Damage to your credibility with customers, investors, and regulatory bodies
For a startup, a recall can be a company-ending event. The direct costs may exceed available cash reserves, and the reputational damage can destroy relationships with healthcare facilities and investors.
Penalties Under National Law
MDR Article 113 requires Member States to lay down rules on penalties applicable to infringements of the provisions of the regulation and to take all measures necessary to ensure that they are implemented. Penalties must be effective, proportionate, and dissuasive.
The specific penalties are defined at the national level, meaning they vary by Member State. However, typical penalty frameworks include:
Administrative fines: Monetary penalties for regulatory violations. The amounts vary by Member State and severity of the violation but can range from tens of thousands to millions of euros.
Criminal penalties: For serious violations, some Member States impose criminal sanctions including imprisonment. Placing a device on the market that does not meet safety requirements, falsifying documents, or failing to report serious incidents can constitute criminal offenses in some jurisdictions.
Personal liability: In many jurisdictions, the individuals responsible for regulatory compliance — the Person Responsible for Regulatory Compliance (PRRC) per MDR Article 15, the managing director, the quality manager — can be held personally liable for violations.
Tibor's direct perspective: "Founders sometimes think regulatory penalties are theoretical — that enforcement is weak and nothing really happens. That is a dangerous assumption. I have seen competent authorities shut down manufacturers. I have seen recalls that cost companies everything they had. I have seen individuals face personal liability. The enforcement may not be perfect, but when it happens, it is devastating. Do not gamble with regulatory compliance."
The Vigilance System: Your Reporting Obligations
MDR Articles 87-92 establish the vigilance system — the mandatory system for reporting serious incidents and field safety corrective actions.
What Must Be Reported
Serious incidents: Any incident that directly or indirectly led, might have led, or might lead to:
- Death of a patient, user, or other person
- Temporary or permanent serious deterioration of a patient's, user's, or other person's state of health
- A serious public health threat
Reporting Timelines
The reporting timelines under MDR are strict:
- Serious public health threat: Immediately, and no later than 2 calendar days after becoming aware
- Death or unanticipated serious deterioration: No later than 10 calendar days after becoming aware
- Other serious incidents: No later than 15 calendar days after becoming aware
The Reporting Trap for Startups
Many startups fail to report because they do not recognize reportable events. A customer complaint that seems minor — "the device gave an error message" — might actually be a serious incident if the error occurred during a critical clinical situation and could have led to patient harm.
Your vigilance system must include:
- A process for receiving and triaging complaints
- Criteria for determining whether an event constitutes a serious incident
- A defined process for reporting within the required timelines
- A responsible person who monitors the vigilance system
Not having a vigilance system — or having one that fails to identify reportable events — is itself a compliance failure that can trigger enforcement action.
The PRRC: Personal Accountability
MDR Article 15 requires manufacturers to have within their organization at least one Person Responsible for Regulatory Compliance (PRRC) who possesses the requisite expertise.
The PRRC is responsible for:
- Ensuring that the conformity of devices is appropriately checked
- Ensuring that the technical documentation and Declaration of Conformity are drawn up and kept up to date
- Ensuring that post-market surveillance obligations are fulfilled
- Ensuring that vigilance reporting obligations are met
- Ensuring that the registration obligations are fulfilled
The PRRC is not just a title — it is a role with real accountability. If the company fails in any of these areas, the PRRC may face personal consequences under national enforcement provisions.
For startups, the PRRC is often the CEO or the quality/regulatory lead. Make sure whoever holds this role understands the scope of their responsibility.
How to Protect Your Startup
Build Compliance Into Operations
The best protection against enforcement action is genuine compliance. Not paper compliance — operational compliance. A QMS that is actually used. Technical documentation that is actually maintained. A vigilance system that actually works.
Monitor and Report Proactively
Report serious incidents within the required timelines. Initiate FSCAs proactively when you identify safety concerns. Competent authorities are far more lenient with companies that self-identify and self-correct than with companies that hide problems.
Maintain Your Documentation
Keep your technical documentation, QMS, and Declaration of Conformity up to date. When a competent authority requests documentation, you need to be able to provide it promptly and completely.
Have a Crisis Plan
Know what you will do if a serious incident occurs. Who reports to the competent authority? Who communicates with healthcare facilities? Who manages the recall logistics? Having this plan before you need it — even a simple one-page plan — saves critical time when a real crisis hits.
Insurance
Product liability insurance is essential for medical device manufacturers. Ensure your coverage includes recall costs, which are often excluded from standard product liability policies unless specifically included.
The Bottom Line
MDR enforcement is real, and the consequences of non-compliance range from administrative inconvenience to criminal liability. For a startup, the financial and reputational impact of enforcement action can be existential.
The good news is that compliance is achievable. MDR's requirements are demanding but clear. Companies that take them seriously, build genuine compliance into their operations, and respond proactively when problems arise can operate successfully in the EU market.
The companies that treat compliance as optional, cut corners, or hope that enforcement will not reach them are playing a game they will eventually lose. And when they lose, the consequences affect not just the company, but the patients who depend on safe, effective medical devices.
At the end of the day, every MDR requirement traces back to patient safety. That is not just a regulatory obligation — it is the reason your company exists.