Non-EU documents like FDA guidance, IMDRF papers and AAMI technical information reports have zero legal standing under MDR. But they can support state-of-the-art arguments, fill gaps where MDCG guidance is silent, and strengthen technical documentation when used carefully. Used wrongly, they invite notified body scepticism.
By Tibor Zechmeister and Felix Lenhard.
TL;DR
- FDA, IMDRF and AAMI documents are not legally recognised under MDR.
- They can support state-of-the-art arguments under MDR Article 10 and Annex I GSPR 1.
- They cannot substitute for binding MDR provisions or for harmonised standards where such standards exist.
- Notified bodies accept non-EU sources as supporting evidence but expect a clear justification of why each source is relevant.
- Using FDA guidance to dodge an MDCG recommendation is a known red flag in audits.
Why founders reach for non-EU guidance
Most MedTech startups preparing for CE marking discover, sooner or later, that the EU regulatory library is thinner than the US one. FDA has published thousands of guidance documents. IMDRF has produced structured technical papers on software, cybersecurity, AI and clinical evaluation. AAMI has a deep catalogue of technical information reports on everything from sterilisation to software validation.
By contrast, the MDCG catalogue is focused, interpretive, and sometimes silent on technical questions that a development team needs answered on Monday morning. So founders start borrowing. The FDA guidance on software as a medical device is long and specific. IMDRF's work on SaMD risk categorisation is genuinely useful. AAMI TIRs read like engineering manuals.
The instinct to reach for these documents is correct. The risk is using them as if they had legal weight they do not have.
What MDR actually says about external sources
The MDR does not mention FDA, IMDRF or AAMI. It does, however, set up two legal mechanisms that let non-EU sources enter your technical documentation legitimately.
Article 10(1) — state of the art. The manufacturer must ensure their devices comply with the general safety and performance requirements set out in Annex I, taking account of the state of the art. State of the art is not defined in the MDR itself but is understood as the developed stage of technical capability at a given time, as informed by consolidated scientific, technological and clinical experience. International documents can contribute to establishing state of the art.
Annex I GSPR 1, 2 and 3 — these require manufacturers to reduce risks as far as possible, establish and implement a risk management system, and design devices according to a hierarchy of risk control. EN ISO 14971:2019+A11:2021 is the harmonised standard for risk management, and it expressly allows consideration of relevant external sources when establishing context.
EN 62304:2006+A1:2015 on software lifecycle and EN 62366-1:2015+A1:2020 on usability similarly permit the use of external references to support design decisions.
None of this creates a legal path for FDA guidance to become binding on an EU manufacturer. What it does create is space for non-EU sources to serve as evidence — evidence of state of the art, evidence of scientific consensus, evidence that a particular design decision is consistent with international practice.
A worked example: SaMD cybersecurity evidence
A Class IIa SaMD startup is building out the cybersecurity section of its technical documentation. The primary references are obvious:
- MDR Annex I Sections 17.2 and 17.4 (binding)
- EN IEC 81001-5-1:2022 (harmonised, presumption of conformity)
- MDCG 2019-16 Rev.1 (interpretive, non-binding but followed)
But the team wants to go deeper on secure coding practice, threat modelling methodology and vulnerability disclosure handling. MDCG 2019-16 is high-level. EN IEC 81001-5-1 is process-oriented. Where does the team turn for the specifics?
They can legitimately reference:
- FDA guidance on cybersecurity in medical devices (Final, 2023) — cited as supporting evidence of state of the art in threat modelling and SBOM practice.
- IMDRF N60:2020 on principles and practices for medical device cybersecurity — cited as international consensus on cybersecurity baseline.
- AAMI TIR57 — cited as a source of detailed risk-management-aligned cybersecurity methodology.
The correct way to cite them in the technical documentation is explicit: "In the absence of more detailed European guidance on threat modelling methodology, the state of the art as reflected in IMDRF N60 and FDA cybersecurity guidance (2023) was considered. The methodology applied is consistent with the principles of EN IEC 81001-5-1:2022 Clause [X], which remains the primary reference."
This tells the notified body three things. First, the team knows what the binding references are. Second, they are using international sources to enrich, not replace. Third, the justification is explicit and auditable.
Contrast this with the wrong approach: citing FDA guidance to justify not doing something that MDCG 2019-16 expects. That is not gap-filling, it is jurisdiction-shopping, and notified body auditors recognise it immediately.
The Subtract to Ship playbook for non-EU sources
Rule 1 — Never let a non-EU source displace a binding EU source. If there is an applicable harmonised standard, a common specification, or explicit MDR text, that takes priority. Non-EU sources supplement, they do not substitute.
Rule 2 — Cite non-EU sources only when they genuinely add something. Notified body auditors notice when a document is cited for the sake of appearing thorough. If the FDA guidance doesn't add information that affects your design or evaluation, leave it out.
Rule 3 — Always justify the relevance. For every non-EU citation, write one sentence explaining why this specific document is relevant to this specific design decision. Vague references to "international best practice" are a known audit trigger.
Rule 4 — Keep versioning tight. FDA and IMDRF documents are updated. If you cite FDA's 2023 cybersecurity guidance, make sure you are citing the current version. Citing a 2018 FDA guidance document that was superseded in 2023 makes you look sloppy.
Rule 5 — Know when IMDRF is genuinely useful. IMDRF documents are often the most productive non-EU source because they represent international regulator consensus including EU Commission participation. Documents on SaMD (N10, N12), cybersecurity (N60), adverse event terminology (N43) and clinical evaluation (MDCE N55, N56, N57) are commonly referenced in European technical documentation.
Rule 6 — Treat AAMI TIRs as engineering references, not regulatory guidance. AAMI technical information reports are detailed and practical. They are useful in verification and validation plans, risk management context and software development procedures. But they are US industry consensus documents, not regulatory guidance, and should be cited as engineering references, not as compliance evidence.
Rule 7 — Never cite FDA guidance to justify skipping MDCG expectations. This is the single most common misuse. It is also the fastest way to lose notified body trust.
Rule 8 — Document the hierarchy in your regulatory SOP. Your regulatory affairs SOP should explicitly state the hierarchy of sources: MDR, delegated and implementing acts, common specifications, harmonised standards, MDCG guidance, other European standards, international consensus documents (IMDRF), foreign regulator guidance (FDA, Health Canada, TGA), industry technical reports (AAMI TIRs). Having the hierarchy written down protects you from informal decisions that drift into audit findings.
Reality Check
- For every non-EU document cited in your technical documentation, can you explain in one sentence why it is relevant and what gap it fills?
- Does any citation of FDA or IMDRF guidance in your documentation displace a binding MDR provision or harmonised standard? (If yes, fix it.)
- Are the non-EU documents you cite the current versions?
- Is your regulatory SOP explicit about the hierarchy between EU and non-EU sources?
- Have you avoided citing FDA guidance to sidestep MDCG recommendations?
- Do you distinguish clearly in your own mind between state-of-the-art evidence and compliance evidence?
- If your notified body challenged a non-EU citation, could you defend it in writing within an hour?
Frequently Asked Questions
Can I use FDA guidance to claim compliance with MDR? No. FDA guidance is not legally recognised under MDR and cannot substitute for MDR provisions or harmonised standards. It can support state-of-the-art arguments under Article 10 and Annex I, but the primary compliance evidence must come from MDR-aligned sources.
Are IMDRF documents accepted by European notified bodies? Yes, as supporting evidence. IMDRF represents international regulator consensus and the European Commission participates, so IMDRF documents carry more weight in European reviews than pure FDA guidance. They still do not substitute for MDR or harmonised standards.
What about AAMI technical information reports? AAMI TIRs are US industry consensus documents. They are useful as engineering references in verification, validation and risk management, but they are not regulatory guidance. Cite them as engineering references, not as compliance evidence.
Can I cite Health Canada or TGA guidance? You can, under the same rules as FDA guidance: as state-of-the-art evidence, never as a substitute for MDR or harmonised standards. The justification for relevance must be explicit.
What if there is no EU guidance and no harmonised standard on a specific technical point? This is the legitimate gap-filling case. Use the best available international source, cite it explicitly, explain why it is relevant, and document that you reviewed the EU regulatory and standards landscape first and found a genuine gap. Notified body auditors accept this when the justification is honest.
What is the single biggest mistake founders make with non-EU guidance? Using it to avoid an inconvenient MDCG recommendation or a harmonised standard. Notified bodies see this pattern constantly and it damages trust for every subsequent audit.
Related reading
- State-of-the-art principle in MDR design decisions — the legal basis that lets non-EU sources enter your documentation.
- Are MDCG guidance documents legally binding? — the EU side of the hierarchy.
- Harmonised standards under MDR: complete list 2026 — what always takes priority over non-EU guidance.
- FDA software guidance: EU comparison — where FDA and MDR views align and diverge.
- IMDRF and global harmonisation for startups — why IMDRF carries more weight than pure FDA citations.
Sources
- Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 8, 9, 10, Annex I.
- EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management.
- EN IEC 81001-5-1:2022 — Health software and health IT systems safety, effectiveness and security.