--- title: Serious Incidents Under MDR: How to Determine If an Event Must Be Reported description: A serious incident under MDR triggers mandatory reporting. Here is how to determine whether an event meets the threshold — and what to do once it does. authors: Tibor Zechmeister, Felix Lenhard category: Post-Market Surveillance & Vigilance primary_keyword: serious incidents MDR canonical_url: https://zechmeister-solutions.com/en/blog/serious-incidents-mdr source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # Serious Incidents Under MDR: How to Determine If an Event Must Be Reported *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **Under the MDR, a serious incident is any malfunction or deterioration in the characteristics or performance of a device, or any inadequacy in the information supplied by the manufacturer, that directly or indirectly led, might have led, or might lead to death, a serious deterioration in a person's state of health, or a serious public health threat. If an event meets that threshold, it must be reported to the relevant competent authority within the timelines set out in MDR Article 87. The decision to report is made against the Regulation and the MDCG 2023-3 Rev.2 Q&A — never against intuition.** **By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.** --- ## TL;DR - A serious incident under MDR is defined in Article 2(65) and triggers mandatory reporting under Article 87. The definition is strict and it is what matters — not the manufacturer's feeling about severity. - The decision to report is a three-part test: was there an incident (malfunction, deterioration, or information inadequacy), did it lead or could it have led to a serious outcome, and is there a plausible causal link to the device. - MDCG 2023-3 Rev.2 (January 2025) is the Q&A document that resolves most edge cases. If a case is borderline, this is the first document to open. - Reporting timelines are short. Article 87 requires reporting without delay, with an upper limit of 15 days, 10 days for serious public health threats, and 2 days for death or unanticipated serious deterioration in state of health. - Vigilance and post-market surveillance feed each other. Many serious incidents are only discovered because a working PMS system was paying attention — not because the device failed loudly. --- ## Why this matters for your startup A few years ago we worked with a company producing a sleep device worn on the arm — a small, elegant product, strapped to the skin for hours every night. Every material in the device had been tested. Biocompatibility work was done per ISO 10993. All lab results came back clean. Certification went through. The product went to market. Then the reports started coming in. Not many, but enough. Skin irritations. Not from any single material in the device — from the interaction of materials in the specific strap blend, amplified by prolonged contact with sweat and skin under real-world conditions. Nothing the lab had tested had predicted it. Nothing the risk file had anticipated. The effect emerged only once real users wore the device in real conditions for real durations. This is why vigilance exists. Lab testing and pre-market clinical data catch what can be caught before launch. Everything else is caught by a PMS system that is actually running and a vigilance process that knows what to do when a signal comes in. The question the team had to answer, quickly, was the same question every manufacturer has to answer when something unexpected happens in the field: is this a serious incident, and does it have to be reported. That decision — made correctly, within the Regulation, and on the clock — is what this post is about. ## What a serious incident is under MDR The MDR defines two related but distinct concepts. Article 2(64) defines an "incident" as any malfunction or deterioration in the characteristics or performance of a device made available on the market, including use-error due to ergonomic features, as well as any inadequacy in the information supplied by the manufacturer and any undesirable side-effect. Article 2(65) then defines a "serious incident" as any incident that directly or indirectly led, might have led, or might lead to any of the following: (a) the death of a patient, user or other person; (b) the temporary or permanent serious deterioration of a patient's, user's or other person's state of health; (c) a serious public health threat. Three things matter in that definition and are easy to miss. First, "directly or indirectly." An incident does not have to cause harm through the device's primary action. A delayed diagnosis because an IFU was unclear is indirect. A missed alarm because a connector corroded is indirect. Indirect harm is still serious harm under MDR. Second, "led, might have led, or might lead." The definition captures actual harm, near-miss harm, and potential future harm. A malfunction that could have killed someone but happened to miss is still a serious incident. This is one of the most frequently misunderstood parts of the vigilance framework — manufacturers assume no injury means no report. That assumption is wrong. Third, "inadequacy in the information supplied by the manufacturer." A labelling error, an IFU ambiguity, a missing warning — these are incidents too, and if they could plausibly lead to a serious outcome, they are serious incidents. Article 87(1) of the MDR requires manufacturers of devices made available on the Union market, other than investigational devices, to report to the relevant competent authorities any serious incident involving their devices, and any field safety corrective action (FSCA) in respect of devices made available on the Union market. ## The decision tree for reportability When a signal comes in — from a user complaint, a PMS data review, a service report, a literature scan, a distributor query — the decision tree is straightforward in structure and difficult in practice. **Step 1. Is this an incident at all?** Was there a malfunction, a deterioration in characteristics or performance, a use-error driven by ergonomic features, an undesirable side-effect, or an inadequacy in the information supplied by the manufacturer? If none of these, it is not an incident and there is nothing to report. Record it in the PMS system and move on. **Step 2. If it is an incident, is it serious?** Did the incident lead, could it have led, or could it lead to death, serious deterioration in state of health, or a serious public health threat? If yes, it is a serious incident under Article 2(65). **Step 3. Is there a plausible causal link between the device and the outcome?** The Regulation does not require proof. It requires a reasonable possibility. If the device might plausibly be involved — even if other factors were also involved — the answer is yes. **Step 4. Does an exemption apply?** Certain specific scenarios are handled differently. Expected side-effects clearly documented in the technical documentation and the IFU, and subject to trend reporting under Article 88, may not each require individual Article 87 reports — but this is an area where MDCG 2023-3 Rev.2 provides detailed criteria and manufacturer judgment must be exercised carefully and documented. **Step 5. If it is reportable, which timeline applies?** See the timelines section below. If the answer at Steps 1–3 is yes and no exemption at Step 4 clearly applies, the event is reportable. The default bias in borderline cases is to report. The Regulation is not built around manufacturers underreporting — it is built around early signal detection so patterns can be caught before harm compounds. ## The role of MDCG 2023-3 Rev.2 in edge cases Most vigilance decisions are not clean. Was the device even involved. Was the outcome serious enough. Was the use-error an ergonomic problem or a user failing to read the IFU. MDCG 2023-3 Rev.2 — Questions and Answers on vigilance terms and concepts as outlined in Regulation (EU) 2017/745 and Regulation (EU) 2017/746, first published February 2023, current revision January 2025 — is the document the Commission and competent authorities use to interpret these cases consistently across the Union. The Q&A covers the distinction between incidents and serious incidents, what "serious deterioration" means in practice, how to treat malfunctions that did not harm anyone, how to handle use-errors versus user errors, how to treat indirect harm, what counts as a public health threat, how to determine the manufacturer's awareness date (which starts the clock), when field safety corrective actions need to be reported, how to handle periodic summary reporting for well-understood repetitive events, and how Eudamed interacts with national reporting. The practical effect for a startup: whenever the vigilance team is not certain whether an event is reportable, the first action is to open MDCG 2023-3 Rev.2 and check whether a Q in there matches the situation. In most cases, one does. The document is not binding law, but competent authorities and Notified Bodies use it as the reference point, and divergence from it has to be defended on the record. In practice, following the Q&A is the safest path, and unnecessary deviation is a risk the startup does not need. In the arm-strap case, the Q&A was exactly where the decision got made. Skin irritation from prolonged contact — reversible, not life-threatening, but real and affecting multiple users. The team worked through the definition of "serious deterioration" in the Q&A, looked at the pattern across complaints, assessed whether it rose to the threshold, and documented every step. Some of the reports ended up being handled as trend reporting under Article 88 rather than as individual Article 87 serious incident reports. Others were reported individually. The documented reasoning — not the final classification — is what holds up in an audit. ## The 15-day, 10-day, and 2-day timelines MDR Article 87(3) sets out the reporting timelines. The clock starts from the manufacturer's awareness of the event. The determination of the awareness date is itself a regulated question — MDCG 2023-3 Rev.2 addresses it in detail. The upper limits in Article 87(3) are: - **Not later than 15 days after awareness** for serious incidents that do not fall into the faster categories below. This is the default. - **Not later than 10 days after awareness** in the event of a serious public health threat. - **Not later than 2 days after awareness** in the event of death or an unanticipated serious deterioration in a person's state of health. "Without delay" is the underlying obligation, and the numeric limits are hard ceilings, not targets. If the manufacturer can report within a day, the manufacturer reports within a day. Waiting out the fifteen days while investigating is not what the Regulation intends. The manufacturer's awareness date is the date on which the manufacturer (or any person working on its behalf, including distributors and authorised representatives) first became aware that an event might qualify as a serious incident. It is not the date on which the investigation concluded. This matters because many startups push the awareness date forward by treating the clock as starting only after internal confirmation. That reading is not correct and has been a recurring source of non-conformities in Notified Body audits. For field safety corrective actions, Article 87(1)(b) requires manufacturers to report any FSCA in respect of devices made available on the Union market. FSCAs have their own procedural requirements and their own timelines — see the dedicated post on FSCAs linked below. ## What happens after reporting Once a serious incident report is submitted to the relevant competent authority, several things happen in parallel, and the manufacturer remains an active participant throughout. **Investigation.** MDR Article 89(1) requires the manufacturer to perform the necessary investigations in relation to the serious incident and the devices concerned. This includes a risk assessment and, where appropriate, a field safety corrective action. The manufacturer cooperates with the competent authority and, where applicable, the Notified Body. **Competent authority oversight.** Under Article 89(2), the competent authority performs its own assessment of reported serious incidents and may take additional measures where necessary to protect public health and patient safety. This is not adversarial by default — the authority's job is the same as the manufacturer's job at this stage, which is to make sure no one else is harmed. **CAPA in the QMS.** The event feeds the CAPA process. A root cause is determined, corrective action is implemented for the cause, and preventive action is applied to prevent recurrence. EN ISO 13485:2016+A11:2021 and EN ISO 14971:2019+A11:2021 structure this work, and the CAPA record is part of the technical documentation evidence. **PMS and PSUR updates.** The event and its handling feed back into the PMS plan, the PMS report, and — for Class IIa and above — the periodic safety update report (PSUR) under Article 86. The pattern that the event revealed may trigger updates to the risk file, the clinical evaluation, the IFU, or the device itself. **Eudamed.** When Eudamed's vigilance module is fully operational, serious incident reports and FSCAs flow through it. Commission Implementing Regulation (EU) 2021/2078 and subsequent Eudamed communications govern timing. In the interim period, national reporting channels remain in use as the competent authorities direct. ## The link between vigilance and PMS Vigilance is reactive — it triggers when an event happens. PMS is proactive — it is the continuous monitoring system that collects data across the device's life. They are not two separate systems. They are one system with two modes. MDR Article 83 requires manufacturers to plan, establish, document, implement, maintain, and update a PMS system proportionate to the risk class and appropriate for the device. The PMS system is required to actively and systematically gather, record, and analyse relevant data on the quality, performance, and safety of a device throughout its entire lifetime. Vigilance reports under Article 87 are one of the inputs to the PMS system — but more importantly, the PMS system is often how vigilance events are discovered in the first place. In the arm-strap case, the PMS system caught the pattern before any individual user escalated a complaint loudly. The customer service log, the user feedback survey, and the pattern across service calls were all inputs into the PMS system. The vigilance decision then happened because the PMS system was doing its job. MDCG 2025-10 (December 2025) describes exactly this interaction: PMS is the detection layer, vigilance is the reporting and investigation layer, CAPA is the correction layer, and the four together form the post-market safety loop. A manufacturer without a functioning PMS system is a manufacturer who will discover their serious incidents the wrong way — through a regulator, a lawsuit, or a news report. None of those paths are survivable for a startup. ## Common reporting mistakes startups make - **Waiting until the investigation is complete to start the clock.** The clock starts at awareness, not at confirmation. Delayed reporting because "we were still investigating" is the single most common Article 87 non-conformity we see in audits. - **Classifying harm too narrowly.** "Serious deterioration" is not limited to life-threatening outcomes. MDCG 2023-3 Rev.2 makes this explicit. A reversible injury requiring medical intervention can qualify. - **Ignoring near-misses.** If an event might have led to a serious outcome, it is reportable even though nothing bad actually happened. The "might have led" language in Article 2(65) is not decorative. - **Treating use-error as user error.** Use-errors driven by ergonomic design or IFU inadequacy are incidents. Blaming the user is a convenient story that does not survive MDCG 2023-3 Rev.2 scrutiny. - **No single vigilance owner.** When everyone is responsible, no one is. The Article 15 PRRC holds the formal responsibility, but the operational vigilance owner needs to be named, trained, reachable, and equipped with the decision tools. - **No documented reasoning for non-reportable events.** A decision not to report is a decision that has to survive audit. It needs to be documented against the Regulation and the Q&A, not just recorded as "team decided not to report." - **Disconnect from PMS.** Vigilance disconnected from PMS is blind — the manufacturer only sees what someone complains loudly about, and the pattern across quiet signals is invisible. ## The Subtract to Ship angle Vigilance is one of those areas where the instinct to "add more" is particularly strong and particularly counterproductive. Founders, rightly scared of getting it wrong, sometimes build enormous vigilance SOPs, multi-level review boards, and elaborate escalation flowcharts — and then those systems are so heavy that the team stops running them. Subtract to Ship applied to vigilance is not about cutting obligations. Every Article 87 obligation stays in scope. It is about cutting the bureaucratic overhead that stops the real work from happening. A lean vigilance process looks like this: one named owner, one short SOP that maps directly to Articles 87–89 and MDCG 2023-3 Rev.2, one intake channel that catches signals from PMS and customer service, one decision log that documents every classification call against the Regulation, and one escalation path to the PRRC. That is the whole system. It fits on two pages. It is auditable. It runs. The alternative — the twenty-page SOP that no one has opened since it was written — is the version that fails the audit and, much worse, fails the patients. The test is the same as every other Subtract to Ship test. For every step in your vigilance process, name the specific MDR article, annex, or MDCG Q&A provision it traces to. If you cannot, cut the step. If you can, keep it and make sure it actually runs. See our [Subtract to Ship framework applied to MDR](/blog/subtract-to-ship-framework-mdr) for the full methodology. ## Reality Check — Where do you stand? 1. Can you name, today, the person responsible for making serious incident classification decisions in your company? Have they read MDCG 2023-3 Rev.2 in full? 2. If a signal comes in at 6pm on a Friday, what is the documented path from signal to classification decision by Monday morning? 3. Does your team distinguish correctly between incident, serious incident, trend-reportable event, and non-reportable observation — and is the reasoning documented for each? 4. Is your awareness date determined at the earliest point a qualifying signal reached any part of your organization, or is it determined at the point of internal confirmation? 5. Is your vigilance process connected to your PMS system, or is it a separate binder that only opens when someone complains? 6. Do you have a documented decision log for non-reportable events, showing the Regulation and Q&A provisions you relied on? 7. When did you last run a dry exercise — a simulated serious incident — through your vigilance process to check it actually works under time pressure? ## Frequently Asked Questions **What is the difference between an incident and a serious incident under MDR?** An incident, defined in Article 2(64), is any malfunction or deterioration in a device, any inadequacy in the information supplied, or any undesirable side-effect. A serious incident, defined in Article 2(65), is an incident that directly or indirectly led, might have led, or might lead to death, serious deterioration in state of health, or a serious public health threat. Only serious incidents trigger the Article 87 reporting obligation; non-serious incidents are recorded in the PMS system but not individually reported. **How quickly does a serious incident have to be reported?** MDR Article 87(3) sets an upper limit of 15 days after the manufacturer becomes aware of the event, reduced to 10 days for a serious public health threat and 2 days for death or unanticipated serious deterioration in state of health. The overarching obligation is to report without delay — the numeric limits are ceilings, not targets, and the clock starts at awareness, not at the end of the investigation. **What is MDCG 2023-3 Rev.2 and why does it matter?** MDCG 2023-3 Rev.2 is the Questions and Answers document on vigilance terms and concepts under Regulation (EU) 2017/745, first published in February 2023 and most recently revised in January 2025. It is the primary interpretive guidance used by competent authorities and Notified Bodies to resolve edge cases in vigilance decisions. Any borderline classification call should be made with this document open. **If we are not sure whether to report, what should we do?** Default to reporting. The Regulation is designed around early signal detection, not manufacturer underreporting. A report that turns out not to have been strictly required is a minor administrative matter; a failure to report a reportable event is a serious non-conformity that can trigger competent authority action and Notified Body findings. Document the reasoning either way, and if the case is genuinely borderline, consider contacting the competent authority or a regulatory expert before the clock runs out. **Does reporting a serious incident mean our certificate is in jeopardy?** Reporting one serious incident, handled correctly and investigated properly, is what the system expects. Manufacturers are expected to have occasional serious incidents — devices are used in the real world and the real world is messy. What puts a certificate at risk is failure to report, failure to investigate, failure to apply CAPA, or a pattern of recurring events that indicates a systemic problem. Correct vigilance practice is protective, not threatening. ## Related reading - [What Is the EU Medical Device Regulation?](/blog/what-is-eu-mdr) — the foundational overview of the MDR and where vigilance sits within it. - [What Is Post-Market Surveillance Under MDR?](/blog/what-is-post-market-surveillance-mdr) — the proactive monitoring system that feeds vigilance. - [MDR Articles 83–86: The PMS Framework](/blog/mdr-articles-83-86-pms-framework) — the specific Regulation text governing PMS obligations. - [What Is Vigilance Under MDR?](/blog/what-is-vigilance-mdr) — the pillar post for the vigilance cluster. - [MDR Articles 87–92: The Vigilance Framework](/blog/mdr-articles-87-92-vigilance-framework) — the full Regulation text of the vigilance chapter. - [How to Report a Serious Incident to the Competent Authority](/blog/report-serious-incident-competent-authority) — the operational step-by-step once a reportable event is confirmed. - [Vigilance Reporting Timelines: 15-Day, 10-Day, and 2-Day Clocks](/blog/vigilance-reporting-timelines-15-day-2-day) — a dedicated deep dive on the timing rules. - [Field Safety Corrective Actions (FSCAs) Explained](/blog/field-safety-corrective-actions-fscas) — what an FSCA is and when one must be launched. - [The PMS–Vigilance–CAPA Relationship](/blog/pms-vigilance-capa-relationship) — how the three systems connect into one safety loop. - [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the methodology behind the lean vigilance system described in this post. ## Sources 1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 2(64) (definition of incident), Article 2(65) (definition of serious incident), Article 83 (post-market surveillance system), Article 84 (post-market surveillance plan), Article 87 (reporting of serious incidents and field safety corrective actions), Article 88 (trend reporting), Article 89 (analysis of serious incidents and field safety corrective actions). Official Journal L 117, 5.5.2017. 2. MDCG 2023-3 Rev.2 — Questions and Answers on vigilance terms and concepts as outlined in Regulation (EU) 2017/745 and Regulation (EU) 2017/746, first publication February 2023, Revision 2 January 2025. 3. MDCG 2025-10 — Guidance on post-market surveillance of medical devices and in vitro diagnostic medical devices, December 2025. 4. EN ISO 14971:2019 + A11:2021 — Medical devices — Application of risk management to medical devices. --- *This post is part of the Post-Market Surveillance & Vigilance series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The vigilance decision is where regulatory rigour meets real-world messiness — and where the Regulation, the MDCG Q&A, and a disciplined team keep patients safe.* --- *This post is part of the [Post-Market Surveillance & Vigilance](https://zechmeister-solutions.com/en/blog/category/pms-vigilance) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*