Competent authorities are the national enforcement arms of the MDR. While Notified Bodies assess your conformity before you enter the market, competent authorities monitor the market itself. Checking that devices in circulation are safe, compliant, and properly registered. For a startup, understanding what competent authorities do and when you will interact with them is essential for staying compliant after your CE mark is in place.

What Is a Competent Authority Under the MDR?

Each EU member state designates one or more competent authorities responsible for implementing the MDR within their territory. This obligation comes from Article 101 of the MDR .

Competent authorities are government agencies. They are not private organizations like Notified Bodies. Their powers come directly from the regulation, and they can take enforcement actions including market restrictions, recalls, fines, and referrals for criminal prosecution.

The competent authority landscape across Europe: - Germany: BfArM (Bundesinstitut für Arzneimittel und Medizinprodukte) handles most medical devices. PEI (Paul-Ehrlich-Institut) handles devices related to blood and tissues - Austria: BASG (Bundesamt für Sicherheit im Gesundheitswesen) - France: ANSM (Agence nationale de sécurité du médicament et des produits de santé) - Italy: Ministry of Health - Netherlands: IGJ (Inspectie Gezondheidszorg en Jeugd)

Each competent authority operates under the same MDR text, but practical enforcement approaches can vary. Some competent authorities are more proactive in market surveillance; others are more reactive. Some focus heavily on documentation compliance; others emphasize clinical outcome monitoring.

What Powers Do Competent Authorities Have?

The MDR grants competent authorities broad enforcement powers under Articles 93–100 . These include:

Market surveillance inspections. Competent authorities can inspect your premises, review your technical documentation, and examine devices on the market without prior notice. They can also purchase devices on the market and submit them to examination and testing.

Provisional restrictive measures. If a competent authority has sufficient reason to believe a device presents an unacceptable risk to health or safety, it can take immediate action. Including prohibiting the device from being made available, restricting its availability, or requiring a recall (Article 95) .

Formal non-compliance decisions. If a device does not comply with the MDR, the competent authority can require the manufacturer to bring the device into compliance, restrict availability, recall the device, or prohibit it from the market.

Penalties. Member states are required to establish penalty rules for infringements of the MDR (Article 113) . The specific penalties vary by member state, but they can include fines, market bans, and criminal sanctions.

When Does a Startup Interact with Competent Authorities?

Vigilance Reporting

Your most common interaction with competent authorities will be through vigilance reporting. Article 87 of the MDR requires manufacturers to report serious incidents to the competent authority of the member state where the incident occurred .

The reporting timelines are strict: - Serious incidents: Report within 15 days of becoming aware of the incident - Serious public health threats: Report within 2 days - Deaths or unanticipated serious deterioration: Report within 10 days - Trend reports: When trends of incidents are detected that individually may not be serious but collectively indicate a safety concern

For a startup, having a vigilance process in place before market launch is mandatory. You need: - A defined process for collecting and evaluating complaints and incidents - Clear criteria for determining what constitutes a "serious incident" under the MDR definition - Contact information for the competent authorities in every member state where you sell - Templates for Field Safety Notices and Field Safety Corrective Action reports

Registration

Manufacturers must register in the electronic system (EUDAMED, when fully functional, or the relevant national system in the interim) before placing a device on the market . The competent authority of the member state where the manufacturer is established manages this registration.

Borderline and Classification Disputes

If there is disagreement about whether a product is a medical device or about its classification, the competent authority in the relevant member state can make a formal determination. This can happen proactively (you request a determination) or reactively (the authority challenges your classification).

Clinical Investigation Approvals

If you plan to conduct a clinical investigation under the MDR, you must submit an application to the competent authority of each member state where the investigation will be conducted, and to the relevant ethics committee (Article 70) . The competent authority has defined timelines for reviewing and approving or rejecting the application.

How Should a Startup Prepare for Market Surveillance?

Market surveillance is not something that only happens if you do something wrong. Competent authorities conduct routine surveillance activities, and any manufacturer can be subject to inspection at any time after placing a device on the market.

Maintain accessible documentation. Your technical documentation, QMS records, and post-market surveillance data must be accessible upon request. You do not need to submit these proactively, but you must be able to produce them within a reasonable timeframe when a competent authority requests them.

Keep your registration current. Any changes to your company information, device information, or certificates must be updated in the relevant registration systems. Outdated registrations are a common finding in market surveillance inspections.

Monitor your own devices. Your post-market surveillance system should identify safety signals before the competent authority does. If you detect a trend of incidents or complaints, addressing it proactively demonstrates good faith and responsible manufacturer behavior.

Respond promptly to competent authority requests. When a competent authority contacts you. Whether for routine surveillance or in response to a specific concern. Respond within the timelines they specify. Delayed or incomplete responses escalate the situation.

The Relationship Between Competent Authorities and Notified Bodies

Competent authorities and Notified Bodies have distinct but overlapping roles:

Notified Bodies assess conformity before and during market presence. Through initial certification audits and ongoing surveillance.

Competent authorities enforce the regulation on the market. Through market surveillance, vigilance monitoring, and enforcement actions.

Competent authorities also oversee Notified Bodies. If a competent authority identifies a problem with a device that a Notified Body certified, they can question the Notified Body's assessment and, in serious cases, trigger a review of the Notified Body's designation.

For startups, this means your compliance obligations extend beyond your Notified Body relationship. Even if your Notified Body is satisfied with your documentation and system, a competent authority can independently assess your device and reach a different conclusion. The MDR applies regardless of what any single party has previously determined.

Key Takeaways for Startups

  1. Know your competent authority. Identify the competent authority in the member state where you are established and in every member state where you sell.
  2. Build your vigilance system before market launch. This is not optional, and it is actively checked.
  3. Register properly and keep registrations current. This is one of the first things market surveillance inspections check.
  4. Respond to any competent authority communication promptly and thoroughly. The worst response is a slow or incomplete one.
  5. Maintain your documentation in a state of audit readiness. You may receive a market surveillance inspection at any time.

The competent authority system is the MDR's enforcement mechanism. It ensures that CE-marked devices actually meet the requirements they claim to meet. For startups that take compliance seriously, competent authorities are not a threat. They are a guarantee that the market you are entering is fair and safe.

Next: The Role of the European Commission in MDR Implementation.