--- title: Regulatory Monitoring Under MDR: A Documented Process description: A documented regulatory monitoring MDR process: how to track amendments, MDCG releases, and standard updates, and turn signals into action. authors: Tibor Zechmeister, Felix Lenhard category: Quality Management Under MDR primary_keyword: regulatory monitoring MDR documented process canonical_url: https://zechmeister-solutions.com/en/blog/regulatory-monitoring-mdr-process source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # Regulatory Monitoring Under MDR: A Documented Process *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **Regulatory monitoring under MDR is the documented process by which a manufacturer detects, assesses, and acts on changes to the MDR, MDCG guidance, harmonised standards, and notified body bulletins. It is required by MDR Article 10(9) as part of the QMS and must produce auditable evidence that signals reach decision-makers and close the loop in CAPA, risk management, and technical documentation updates.** **By Tibor Zechmeister and Felix Lenhard.** ## TL;DR - MDR Article 10(9) requires manufacturers to have a QMS that ensures compliance with the Regulation, which includes staying current with its evolving interpretation. - EN ISO 13485:2016+A11:2021 clauses 4.2 (documentation) and 8.2 (monitoring) are the home of the regulatory monitoring procedure in a MDR-conformant QMS. - A defensible process covers four source classes: MDR amendments, MDCG guidance, harmonised standard updates, and notified body bulletins. - Auditors look for four pieces of evidence: a procedure, a monitoring log, an impact-assessment record, and traceable actions in CAPA or change control. - The smallest working system for a startup is one monitoring log and a recurring calendar slot, both owned by the PRRC. - Horizon scanning without a "signal to action" loop is theatre and will be flagged in a stage 2 audit. ## Why this matters On 20 March 2023, Regulation (EU) 2023/607 shifted MDR transitional deadlines by up to four years for a large share of legacy devices. Manufacturers who were not monitoring the Official Journal found out from LinkedIn. Those who had a working regulatory monitoring process received the signal from a named source, logged it, assessed impact within days, and updated their transition plans with a paper trail their notified body could read. That is the practical difference. MDR is not a static text. Between the base Regulation (EU) 2017/745 and today, we have seen corrigenda, the transition amendment, dozens of MDCG documents and revisions, new harmonised standard editions, and regular notified body technical bulletins. A manufacturer who cannot show an auditor how these signals enter the QMS has a systemic gap, not a paperwork gap. The most common failure we see in stage 2 audits is not the absence of monitoring. It is monitoring that happens in one engineer's head, in a browser bookmarks folder, or in a Slack channel with no retention policy. The QMS cannot see it, the PRRC cannot prove it, and the auditor cannot accept it. ## What MDR actually says **MDR Article 10(9)** requires manufacturers of devices (other than custom-made) to establish, document, implement, maintain, keep up to date, and continually improve a quality management system that shall ensure compliance with the Regulation "in the most effective manner" and in a manner "proportionate to the risk class and the type of device." The article then lists the aspects that the QMS must address, including a strategy for regulatory compliance and resource management including supplier selection and control. The plain-language translation: the QMS must ensure ongoing compliance. You cannot ensure ongoing compliance with a moving regulatory target without a process that watches the target. **EN ISO 13485:2016+A11:2021** — the harmonised QMS standard referenced by MDR — anchors this in two clauses. Clause 4.2 (Documentation requirements) makes the procedure itself a required controlled document. Clause 8.2 (Monitoring and measurement) provides the home for process monitoring, and regulatory compliance is a process like any other: it has inputs, outputs, and a measurable state. Neither the MDR nor the standard uses the phrase "regulatory horizon scanning." That is our term for the activity. The obligation is written in plainer terms: ensure compliance, keep the system up to date, demonstrate it. ## A worked example A nine-person SaMD startup in Graz, Class IIa under Rule 11, operates a regulatory monitoring process owned by the PRRC. The procedure is three pages long. It names the following sources: - Official Journal of the EU (MDR amendments, corrigenda, implementing regulations) - European Commission MDCG page (new guidance and revisions) - The harmonised standards summary list published by the Commission - Their notified body's customer bulletin (subscribed, archived in the QMS) - The BSI, DEKRA, and TÜV SÜD public technical newsletters (subscribed) - Competent authority alerts from BASG (Austria) and BfArM (Germany) The process runs on a two-week cadence. Every other Monday, the PRRC spends forty-five minutes working through the source list, logs anything new in a single controlled spreadsheet ("Regulatory Monitoring Log," document ID QMS-8.2-03), and classifies each entry as: no impact, watch, or impact assessment required. When MDCG 2019-11 Rev.1 was published in June 2025, the entry went into the log within fourteen days. The classification was "impact assessment required" because the startup's product sits squarely under Rule 11. The impact assessment — a half-page document — concluded that their existing software classification rationale remained valid but that one paragraph in the classification justification document needed an updated reference. That triggered a controlled document change, linked in the CAPA log as a preventive action. Total elapsed time: three hours of PRRC effort. Total paper trail: one log entry, one impact assessment, one document revision, one CAPA preventive action record. That is the evidence an auditor wants to see. Not a perfect response. A traceable one. ## The Subtract to Ship playbook The goal is the smallest system that closes the loop. Subtract everything that does not directly help a signal reach a decision. **Step 1. Write one procedure.** Maximum three pages. Title: "Regulatory Monitoring." Controlled under clause 4.2. The procedure must name: the owner (usually the PRRC), the sources (by name and URL), the cadence (we recommend every two weeks for active products, monthly for pre-market), the classification scheme (no impact / watch / impact assessment required), the escalation path, and the retention period for log entries. **Step 2. Build one log.** A single controlled spreadsheet or eQMS record type. Columns: date, source, reference (e.g. "MDCG 2023-7"), summary in one sentence, classification, assigned owner, impact assessment link, closure date. Do not create parallel logs. Do not store anything in email or Slack. One log. **Step 3. Subscribe, do not browse.** Set up email subscriptions for every source that offers them. Use a dedicated mailbox the PRRC owns. Browsing a dozen websites every two weeks is a hobby, not a process. If a source does not offer email, put a calendar reminder to check it on cadence. **Step 4. Close every loop.** Every entry in the log must reach a terminal state: either "no impact, closed with rationale" or "action taken, linked to CAPA / change control / document revision / technical documentation update." If an entry has been "in assessment" for more than 30 days, the PRRC flags it in the next management review. **Step 5. Feed management review.** The management review input list under clause 5.6.2 should include regulatory monitoring status. A single slide per review: number of entries logged, number closed without action, number that triggered changes, any overdue. That connects the process to MDR Article 10(9)'s "keep up to date and continually improve." **Step 6. Scale the sources, not the process.** When you add a new market (Germany, France, UK), you add new rows to the source list inside the same procedure. You do not create a new process. The monitoring log grows; the machinery does not. **What not to do.** Do not outsource this entirely. You can use a commercial regulatory intelligence service as one of your sources, but outsourcing the "signal to action" loop breaks the chain of responsibility that sits with the manufacturer under Article 10(9). The PRRC must remain the owner of the log and the impact assessments. ## Reality Check 1. If an auditor asked you today to show the procedure that governs how you track MDR amendments, could you hand them a controlled document within five minutes? 2. Can you name the human being in your company who owns regulatory monitoring? 3. When MDCG 2025-10 on post-market surveillance was published in December 2025, did your log contain an entry for it? 4. What is the cadence of your regulatory monitoring activity, and where is it recorded? 5. Of the last ten log entries, how many reached a terminal state (closed with rationale or closed with action)? 6. Does your management review input include regulatory monitoring metrics? 7. If the same signal arrived twice — once via LinkedIn, once via your formal process — which one would trigger your impact assessment? 8. Could you trace one specific controlled document revision in the last twelve months back to a regulatory monitoring log entry? If you answered "no" or "I'm not sure" to more than two of these, your process is not yet auditable. That is fixable in a single working day. ## Frequently Asked Questions **Does MDR Article 10(9) specifically require a regulatory monitoring procedure?** Article 10(9) requires a QMS that ensures ongoing compliance with the Regulation. Regulatory monitoring is the mechanism by which that ongoing compliance is demonstrated. The procedure itself is a direct consequence of the Article 10(9) obligation combined with EN ISO 13485 clauses 4.2 and 8.2. **How often should we run the monitoring cycle?** For products already on the market, every two weeks is a reasonable default. For pre-market startups, monthly is defensible. The critical factor is not frequency — it is consistency and the ability to show the auditor a log that matches the cadence. **Can we use a third-party regulatory intelligence service to meet this requirement?** Yes, as one source among several. But the impact assessment and the decision to act must remain inside your QMS, owned by the PRRC. Outsourcing the decision layer breaks the responsibility chain. **What counts as a "notified body bulletin" worth monitoring?** Your assigned notified body's customer communications and any public technical newsletters they publish. Large bodies like BSI, DEKRA, TÜV SÜD, and DNV publish regular bulletins on interpretation and common findings. Subscribe to your own first. **Do we need to monitor MDCG documents we are not subject to?** No. Filter by scope. If you are a Class IIa software manufacturer, MDCG documents on implantables do not need an impact assessment — but they should still appear in the log with a "no impact" classification so the auditor can see you looked. **How long do we retain monitoring log entries?** Align retention with your general QMS record retention policy (typically the device lifetime plus the MDR Annex IX retention period of at least ten years after the last device is placed on the market, fifteen for implantables). A single retention rule, applied across the log, is simpler than per-entry decisions. ## Related reading - [What is a quality management system for medical devices](/blog/what-is-quality-management-system-medical-devices) — the QMS context that regulatory monitoring sits inside. - [MDR Article 10(9) and Annex IX QMS requirements](/blog/mdr-article-10-9-annex-ix-qms-requirements) — the legal basis for an ongoing-compliance process. - [Harmonised standards under MDR: complete list 2026](/blog/harmonized-standards-under-mdr-complete-list-2026) — one of the four source classes you must monitor. - [MDR regulatory updates 2026](/blog/mdr-regulatory-updates-2026) — a worked example of the signals a working process should have captured. - [Maintain QMS after certification](/blog/maintain-qms-after-certification) — how monitoring feeds the post-certification maintenance rhythm. ## Sources 1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10(9). 2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clauses 4.2, 5.6, 8.2. 3. Regulation (EU) 2023/607 amending Regulations (EU) 2017/745 and (EU) 2017/746 as regards transitional provisions. --- *This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*