--- title: How to Report a Serious Incident to Your Competent Authority: Step-by-Step description: When a serious incident is reportable, you have 15, 10, or 2 days depending on severity. Here is the step-by-step reporting process. authors: Tibor Zechmeister, Felix Lenhard category: Post-Market Surveillance & Vigilance primary_keyword: report serious incident competent authority MDR canonical_url: https://zechmeister-solutions.com/en/blog/report-serious-incident-competent-authority source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # How to Report a Serious Incident to Your Competent Authority: Step-by-Step *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **To report a serious incident under MDR Article 87, the manufacturer confirms the event meets the Article 2(65) threshold, fixes the applicable deadline from the manufacturer's awareness date (15 days by default, 10 days for a serious public health threat, 2 days for death or unanticipated serious deterioration in state of health), assembles the required manufacturer incident report data set, submits through the Eudamed vigilance module under Article 92 where operational or through the relevant national competent authority channel in the interim, follows up with the Article 89 investigation and any field safety corrective action, and documents every step in the QMS. MDCG 2023-3 Rev.2 (January 2025) is the interpretive reference used at every decision point.** **By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.** --- ## TL;DR - MDR Article 87 requires manufacturers to report serious incidents and field safety corrective actions to the relevant competent authority, within 15, 10, or 2 days from the manufacturer's awareness date, depending on severity. - The reporting path runs through the Eudamed electronic system under MDR Article 92 once the vigilance module is fully operational; until then, the applicable national competent authority channel is used as the competent authorities direct. - The manufacturer incident report (MIR) data set is structured: device identification and UDI, incident description, patient and user information in anonymised form, outcome, suspected causal link, initial risk assessment, and planned corrective action. - The clock starts at awareness, not at the end of the internal investigation. MDCG 2023-3 Rev.2 sets out how to determine the awareness date. - After the report goes out, the Article 89 investigation continues, any field safety corrective action under Article 2(68) is launched, and the CAPA loop closes inside the QMS under EN ISO 13485:2016 + A11:2021. --- ## Why the reporting step is its own skill Deciding that an event is reportable is one discipline. Actually filing the report correctly, on time, with the right data in the right fields, through the right channel, is a separate discipline. Teams that are strong on the first part and weak on the second still end up with Notified Body findings, because the audit trail is the deliverable — not the team's private conviction that they did the right thing. For the classification decision that precedes this post, see [Serious Incidents Under MDR: How to Determine If an Event Must Be Reported](/blog/serious-incidents-mdr). For the full legal framework, see [MDR Articles 87 to 92: The Vigilance Reporting Framework](/blog/mdr-articles-87-92-vigilance-framework). This post assumes the classification call has been made and the answer is: yes, reportable. The question now is how to file the report without losing the clock, the data, or the documentation. ## Step 1. Confirm reportability against Article 2(65) and MDCG 2023-3 Rev.2 Before any submission is made, the vigilance owner re-checks the classification call against the Regulation text and the Q&A. This is not a formality. It is the step that protects the manufacturer from both underreporting and overreporting. The three-part test under Article 87(1)(a), read together with Article 2(64) and Article 2(65): - Is there an incident — a malfunction or deterioration in characteristics or performance, a use-error driven by ergonomic features, or an inadequacy in the information supplied by the manufacturer. - Did the incident directly or indirectly lead, might it have led, or could it lead to death, serious deterioration in state of health, or a serious public health threat. - Is there a plausible causal link between the device and the outcome — a reasonable possibility, not proof. If the answer at all three points is yes, the report is on. MDCG 2023-3 Rev.2 is opened next to resolve any edge case — what counts as "serious deterioration," whether a reversible injury crosses the line, whether a near-miss triggers the duty, how to treat an indirect chain through a labelling ambiguity. The classification call and its reasoning are written into the decision log before the submission is prepared. ## Step 2. Fix the deadline from the awareness date Under MDR Article 87(3), the reporting clock runs from the manufacturer's awareness date. The upper limits are: - **2 days** after awareness in the event of death or an unanticipated serious deterioration in a person's state of health. - **10 days** after awareness in the event of a serious public health threat. - **15 days** after awareness for any other serious incident — the default. The awareness date is the date on which the manufacturer — or any person working on its behalf, including distributors, authorised representatives, and service partners — first became aware that an event might qualify as a serious incident. It is not the date on which the internal investigation concluded. MDCG 2023-3 Rev.2 addresses this explicitly and a recurring Notified Body finding is manufacturers pushing the awareness date forward to protect themselves from the clock. That reading does not hold up. Practically, the vigilance owner logs three dates at this step: awareness date, applicable deadline category (2/10/15 days), and deadline date. All three go in the decision log. The deadline date is also added to the calendar as a hard date — not a target, not a "report by" nudge. "Without delay" is the underlying obligation under Article 87, and the numeric limits are ceilings. If the report is ready in four days, it goes in four days. The ceiling is not permission to wait. For the dedicated deep dive on awareness mechanics and the clock, see [Vigilance Reporting Timelines: 15-Day, 10-Day, and 2-Day Clocks](/blog/vigilance-reporting-timelines-15-day-2-day). ## Step 3. Gather the required information The manufacturer incident report data set has a defined shape. The fields follow the Manufacturer Incident Report (MIR) form the Commission and Member States use for vigilance reporting, and the Eudamed vigilance module is built around the same structure. The following fields are assembled before the submission is started so the vigilance owner is not scrambling for data with the deadline bearing down. **Manufacturer identification.** Legal name, registered place of business, Single Registration Number (SRN) once assigned, contact person for the report, and the Article 15 Person Responsible for Regulatory Compliance. **Device identification.** Product name, model, version, software build where applicable, Basic UDI-DI, UDI-DI, UDI-PI, risk class, intended purpose, and the applicable CE certificate reference and Notified Body ID. **Event description.** Date of the event, location (Member State), reporter (patient, user, healthcare professional, distributor, internal), narrative description of what happened, device behaviour observed, and the sequence of events from normal use to the incident. **Patient and user information.** Anonymised patient data — age range, sex, relevant medical context — consistent with GDPR obligations; user role and relevant training or qualification; whether any third parties were involved. **Outcome.** Actual harm (death, serious deterioration, non-serious outcome, near-miss), current patient status, medical intervention performed, and clinical follow-up status. **Causality assessment.** Suspected causal link, alternative explanations considered, whether any other device or factor contributed, and the manufacturer's current view on the device's role — framed as "reasonable possibility," not proof. **Initial risk assessment.** The initial view under EN ISO 14971:2019 + A11:2021 — which hazard, harm, and risk this event maps to in the risk management file, whether the risk was previously identified, and whether the observed severity or frequency differs from the file. **Planned or immediate corrective action.** Any immediate actions already taken, any field safety corrective action being planned under Article 2(68), and the expected timeline for the Article 89 investigation. **Supporting documents.** Photographs where relevant and permissible, service records, complaint records, the relevant section of the risk management file, and the IFU version in use at the time of the event. If a field cannot be filled at the time of the initial report, it is marked as "unknown at time of initial report; follow-up report to be filed." The MDR expects follow-up reports; initial reports with gaps are not a reason to wait out the deadline. ## Step 4. Submit through Eudamed or the applicable national channel MDR Article 92 establishes the Eudamed electronic system on vigilance and on post-market surveillance as the pipe through which serious incident reports, periodic summary reports, trend reports, field safety notices, and PSURs flow. Once the Eudamed vigilance module is fully operational and the applicable transitional arrangements have ended, the manufacturer submits the serious incident report through Eudamed. The system automatically distributes the report to the relevant competent authorities under Article 92(2). In the interim — while the Eudamed vigilance module is in the pre-operational phase for some flows — the manufacturer submits through the applicable national competent authority channel for the Member State in which the event occurred, or the Member State of the manufacturer's place of business, as the competent authorities direct. In Austria this is BASG; in Germany, BfArM; in France, ANSM; in Italy, the Ministry of Health. Each competent authority publishes its current accepted reporting route (email to a dedicated vigilance inbox, upload portal, or national electronic system), and the current route is checked before every submission. MDCG 2023-3 Rev.2 addresses the transitional reporting path in detail and is the first reference when there is any doubt. The submission itself is the filing of the MIR form (or the competent authority's current equivalent) with the data set assembled in Step 3. The submission timestamp is recorded and filed against the deadline date from Step 2. A copy of the submitted report and the submission receipt is saved to the vigilance record for that event. For the broader operational context of Eudamed for vigilance see [Eudamed Vigilance Module: What Manufacturers Need to Know](/blog/eudamed-vigilance-module) and for the related Article 92 framework see [MDR Article 92 Explained](/blog/mdr-article-92-eudamed-vigilance). ## Step 5. Follow up — investigation, FSCA, and further reports Filing the initial report is not the end of the obligation. MDR Article 89(1) requires the manufacturer to perform the necessary investigations in relation to the serious incident and the devices concerned, including a risk assessment and, where appropriate, a field safety corrective action. The competent authority performs its own assessment under Article 89(2), and the coordinating competent authority mechanism under Article 89(4) applies when the device is available in more than one Member State. The manufacturer's follow-up work includes: - **Investigation under Article 89.** Root cause analysis, risk re-assessment against the EN ISO 14971:2019 + A11:2021 file, review of whether other units or batches are affected, and determination of whether a field safety corrective action is required. - **Field safety corrective action.** If an FSCA is triggered under Article 2(68) — a recall, a software update addressing a safety issue, an IFU change driven by a safety concern, a device modification, or a market withdrawal — the FSCA is itself reportable under Article 87(1)(b), and a field safety notice is issued to affected users. See [Field Safety Corrective Actions (FSCAs) Explained](/blog/field-safety-corrective-actions-fscas). - **Follow-up reports.** As the investigation progresses, the manufacturer files follow-up reports with new information — updated causality assessment, investigation findings, corrective action status. - **Final report.** When the investigation is complete and the CAPA is closed, a final report is filed documenting the outcome and the measures taken. - **Cooperation with the competent authority and the Notified Body.** Questions from the authority are answered promptly. Requests for additional information are treated as part of the active vigilance obligation, not as optional correspondence. ## Step 6. Document everything in the QMS Every step from signal to final report lives in the QMS record for that event. The minimum documentation set, under the QMS obligations of EN ISO 13485:2016 + A11:2021 and the risk management obligations of EN ISO 14971:2019 + A11:2021: - The intake record — when, how, and from whom the signal was received. - The classification decision log — the Article 2(64)/2(65) test, the MDCG 2023-3 Rev.2 Q references, and the named decision-maker. - The awareness date determination — the date, the source of the date, and the applicable deadline category. - The initial report as submitted, the submission timestamp, and the competent authority channel used. - The investigation records under Article 89 — root cause analysis, risk re-assessment, CAPA actions. - The FSCA record, if applicable, including the field safety notice issued. - Follow-up reports and the final report. - The closure of the CAPA loop in the QMS with any updates to the technical documentation, the risk management file, the clinical evaluation, the PMS plan, and the IFU. This record is what a Notified Body surveillance audit pulls. It is also what a competent authority asks for if it opens a market surveillance file on the event. The documentation is the evidence that the vigilance obligation was met — and absent the documentation, the fact that the team did the right thing does not survive the audit. ## Common mistakes manufacturers make at the reporting step - **Treating the clock as starting at confirmation.** The clock starts at awareness. Pushing the awareness date forward to buy investigation time is the single most common Article 87 non-conformity we see. - **Waiting for a complete data set.** Initial reports are allowed — and expected — to contain unknowns. The deadline is hard; incompleteness is not a reason to delay. - **Using the wrong competent authority channel.** Channels change over time. Before every submission, the current accepted route for the relevant Member State is checked against the competent authority's published guidance. - **Failing to save the submission receipt.** The submission timestamp and receipt are the evidence of compliance with Article 87(3). Without them, the deadline defence rests on internal email alone. - **Not filing follow-up reports.** The initial report is the start of the obligation, not the end. As investigation findings accrue, follow-up reports go in. - **Disconnecting the reporting step from CAPA.** The event closes when the CAPA closes, not when the report is submitted. Reports filed and then forgotten leave the QMS loop open. - **Forgetting FSCAs triggered in third countries.** Article 87(1)(b) captures FSCAs undertaken in third countries when the same device is also legally on the Union market. Multinational distribution setups miss this most often. ## The Subtract to Ship angle The instinct at this step is to build a heavy workflow — multi-stage approvals, review boards, legal sign-offs, external advisers on every submission. The result is a process nobody runs under deadline pressure, and the deadline wins. The Subtract to Ship version of Article 87 reporting, traced to specific Regulation and MDCG references at every step, fits on a single sheet: one named vigilance owner, one classification checklist mapped to Article 2(65) and MDCG 2023-3 Rev.2, one deadline calculator mapped to Article 87(3), one MIR template pre-populated with manufacturer and device identification so only event-specific fields need to be filled, one current competent authority channel list kept up to date, one submission log, and one CAPA handoff. See [the Subtract to Ship framework for MDR](/blog/subtract-to-ship-framework-mdr) for the general methodology. For every element in the reporting workflow, the test is the same: name the specific article, annex, or MDCG Q the element traces to. If the trace is clean, the element stays. If there is no trace, the element is ceremony and it comes out. What is left runs. ## Reality Check — Where do you stand? 1. If a reportable event occurred today, could you name the deadline (2, 10, or 15 days) and the exact deadline date by end of day? 2. Is your MIR template pre-populated with manufacturer and device identification, or does the vigilance owner assemble it from scratch every time? 3. Do you have the current accepted reporting channel documented for every Member State where your device is available — and has it been checked in the last quarter? 4. Is your awareness date determination written down and tested against MDCG 2023-3 Rev.2, or is it determined on the fly when an event happens? 5. Do you file follow-up reports as investigation findings accrue, or does the initial report sit alone until the CAPA closes? 6. If a Notified Body auditor asked for the last serious incident file, could you produce the intake record, classification log, initial report, submission receipt, Article 89 investigation records, CAPA closure, and technical documentation updates in one session? 7. Is your reporting workflow short enough that your vigilance owner can run it without referring to a twenty-page SOP under deadline pressure? ## Frequently Asked Questions **What is the deadline for reporting a serious incident under MDR?** Under Article 87(3), the upper limit is 15 days after the manufacturer's awareness date for the general case, 10 days in the event of a serious public health threat, and 2 days in the event of death or an unanticipated serious deterioration in a person's state of health. The underlying obligation is to report without delay, and the numeric limits are hard ceilings rather than targets. **Who do I actually submit the serious incident report to?** Under Article 87(1), the report goes to the relevant competent authority of the Member State where the incident occurred or the FSCA was undertaken. Once the Eudamed vigilance module under Article 92 is fully operational, the submission flows through Eudamed and is shared with the relevant competent authorities automatically. In the interim, the applicable national competent authority channel is used — BASG in Austria, BfArM in Germany, ANSM in France, and so on. **What form do I use to report a serious incident?** The Manufacturer Incident Report (MIR) form is the structured data set used across the Union for vigilance reporting, and the Eudamed vigilance module is built around the same structure. The current MIR form and any national adaptations are available from the competent authority's vigilance pages and from the Commission's Eudamed documentation. **What if I do not have all the information by the deadline?** File the initial report with the information you have and mark the unknown fields as pending. The MDR expects follow-up reports as the Article 89 investigation progresses. Waiting out the deadline to assemble a complete data set is not permitted and is a recurring source of Notified Body findings. **Does submitting a serious incident report put my CE certificate at risk?** No. Reporting a serious incident is what the system expects manufacturers to do. What puts a certificate at risk is failure to report, failure to investigate under Article 89, failure to apply CAPA, or a pattern of recurring events that indicates a systemic problem. Correct reporting practice is protective. ## Related reading - [What Is Vigilance Under MDR?](/blog/what-is-vigilance-mdr) — the pillar post for the vigilance cluster. - [MDR Articles 87 to 92: The Vigilance Reporting Framework](/blog/mdr-articles-87-92-vigilance-framework) — the full Regulation text of the vigilance chapter. - [Serious Incidents Under MDR: How to Determine If an Event Must Be Reported](/blog/serious-incidents-mdr) — the classification decision that precedes this post. - [Vigilance Reporting Timelines: 15-Day, 10-Day, and 2-Day Clocks](/blog/vigilance-reporting-timelines-15-day-2-day) — the dedicated deep dive on Article 87(3). - [Field Safety Corrective Actions (FSCAs) Explained](/blog/field-safety-corrective-actions-fscas) — the FSCA leg of Article 87(1)(b). - [Trend Reporting Under MDR Article 88](/blog/trend-reporting-mdr-article-88) — the companion obligation for non-serious patterns. - [Periodic Safety Update Reports (PSUR) Under MDR Article 86](/blog/psur-mdr-article-86) — the PMS-vigilance interface for Class IIa and above. - [The PMS–Vigilance–CAPA Relationship](/blog/pms-vigilance-capa-relationship) — how the three systems connect into one safety loop. - [MDR Article 92 Explained: The Eudamed Vigilance Electronic System](/blog/mdr-article-92-eudamed-vigilance) — the Article 92 reporting pipe in operational detail. - [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the methodology behind the lean reporting workflow in this post. ## Sources 1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 2(64) (definition of incident), Article 2(65) (definition of serious incident), Article 2(68) (definition of field safety corrective action), Article 15 (Person Responsible for Regulatory Compliance), Article 87 (reporting of serious incidents and field safety corrective actions), Article 89 (analysis of serious incidents and field safety corrective actions), Article 92 (electronic system on vigilance and on post-market surveillance). Official Journal L 117, 5.5.2017. 2. MDCG 2023-3 Rev.2 — Questions and Answers on vigilance terms and concepts as outlined in Regulation (EU) 2017/745 and Regulation (EU) 2017/746, first publication February 2023, Revision 2 January 2025. 3. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. 4. EN ISO 14971:2019 + A11:2021 — Medical devices — Application of risk management to medical devices. --- *This post is part of the Post-Market Surveillance & Vigilance series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Filing a serious incident report correctly, on time, through the right channel, with the right data, is the moment the vigilance system stops being an SOP and starts being a live obligation the team can actually run.* --- *This post is part of the [Post-Market Surveillance & Vigilance](https://zechmeister-solutions.com/en/blog/category/pms-vigilance) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*