
EU MDR GSPR (Annex I) General Safety and Performance Requirements: Complete Walkthrough and Compliance Guide

How to demonstrate compliance with all 23 General Safety and Performance Requirements (GSPR) under EU MDR Annex I — chapter-by-chapter walkthrough, GSPR checklist template, harmonised standards mapping, cybersecurity and AI updates for 2026, and practical strategies for Notified Body submissions.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-04-17 · 19 min read

GSPR Compliance Is the Foundation of Every EU MDR Submission

Before any medical device can bear the CE mark and be placed on the European market, the manufacturer must demonstrate conformity with the General Safety and Performance Requirements (GSPR) defined in Annex I of the EU Medical Device Regulation (MDR 2017/745). This is not a formality — it is the backbone of the technical documentation, the core of every Notified Body assessment, and the legal basis for the EU Declaration of Conformity.

The GSPR consists of 23 requirements organized across three chapters. Every requirement that applies to your device must be addressed with specific evidence, linked to harmonised standards or common specifications, and documented in a structured GSPR checklist that Notified Bodies expect to see in your submission.

This guide provides a complete walkthrough of all three chapters, practical strategies for building your GSPR checklist, and the latest 2026 updates including cybersecurity expectations and AI/ML device requirements.

What Are the GSPR?

The General Safety and Performance Requirements are a set of essential principles that every medical device must meet before being placed on the European market. They ensure that devices are designed, manufactured, and used in a way that guarantees patient safety, clinical effectiveness, and regulatory compliance.

The GSPR replaced the "Essential Requirements" from the old Medical Device Directive (MDD 93/42/EEC) and Active Implantable Medical Device Directive (AIMDD 90/385/EEC). The MDR expanded the requirements significantly, adding new provisions for cybersecurity, nanomaterials, and substances.

Where to Find the GSPR

The full text of the GSPR is in Annex I of Regulation (EU) 2017/745 (the MDR). The requirements are structured in three chapters:

Chapter Title GSPR Numbers Key Topics
Chapter I General Requirements GSPR 1–9 Risk management, benefit-risk, state of the art, lifecycle safety, Annex XVI products (GSPR 9)
Chapter II Requirements Regarding Design and Manufacture GSPR 10–22 Chemical/physical/biological properties, infection control, medicinal and biological materials, construction and use environment, measuring function, radiation, software and electronic programmable systems, active and active implantable devices, mechanical/thermal risks, energy or substance supply, lay-person use
Chapter III Requirements Regarding Information Supplied with the Device GSPR 23 Labels, instructions for use, symbols

Chapter I: General Requirements (GSPR 1–9)

GSPR 1 — Performance and Safety

Devices must achieve the performance intended by their manufacturer and be suitable for their intended purpose during normal conditions of use. They must be safe and effective, and not compromise the clinical condition or safety of patients or users. Any risks must be acceptable when weighed against benefits, considering the generally acknowledged state of the art.

How to demonstrate compliance: Provide clinical evaluation data, performance testing results, and benefit-risk analysis that reflects current state of the art.

GSPR 2 — Risk Reduction Principle

The requirement to reduce risks "as far as possible" means reducing risks without adversely affecting the benefit-risk ratio. This is not zero risk — it is the lowest risk achievable while maintaining clinical benefit.

How to demonstrate compliance: Document your risk management process (ISO 14971) showing iterative risk reduction through design, protective measures, and information for safety.

GSPR 3 — Risk Management System

Manufacturers must establish, implement, document, and maintain a risk management system as a continuous iterative process throughout the device lifecycle. This includes:

  • Establishing a risk management plan for each device
  • Identifying and analyzing known and foreseeable hazards
  • Estimating and evaluating risks
  • Eliminating or controlling risks
  • Evaluating the effectiveness of risk control measures

How to demonstrate compliance: Provide the risk management file per ISO 14971:2019, including the risk management plan, risk analysis, risk evaluation, risk control measures, and overall residual risk evaluation.

GSPR 4 — Risk Control Hierarchy

Risk control must follow this hierarchy:

  1. Eliminate or reduce risks through inherently safe design and construction
  2. Take adequate protection measures including alarms, to reduce residual risks
  3. Provide information for safety (warnings, precautions, contraindications in IFU) and training

How to demonstrate compliance: In your risk management file, show that for each hazard, you considered design-based controls before protective measures before information-based controls.

GSPR 5 — Use Error Reduction

Devices must be designed to eliminate or reduce risks related to use error. This includes considering the ergonomic principles and the intended user environment.

How to demonstrate compliance: Conduct usability engineering per IEC 62366-1, including use-related risk analysis and summative evaluation.

GSPR 6 — Lifetime Performance

The characteristics and performance of the device must not be adversely affected during its intended lifetime, taking into account the instructions for use and normal conditions of use.

How to demonstrate compliance: Provide accelerated aging data, real-time aging data, shelf-life testing, and reliability testing as applicable.

GSPR 7 — Transport and Storage

Devices must be designed, manufactured, and packaged so that characteristics and performance are not adversely affected during transport and storage (temperature, humidity, vibration, etc.).

How to demonstrate compliance: Provide packaging validation, transport simulation testing (ASTM D4169 or ISTA series), and stability data under defined storage conditions.

GSPR 8 — Benefit-Risk Acceptability

All known and foreseeable risks and undesirable side-effects must be minimised and be acceptable when weighed against the evaluated benefits during normal conditions of use.

How to demonstrate compliance: Document the benefit-risk determination in the clinical evaluation report, including comparison with alternative treatments and state-of-the-art devices.

GSPR 9 — Devices Without an Intended Medical Purpose (Annex XVI)

GSPR 9 is frequently misread as a restatement of GSPR 8. It is not: it applies only to the product groups listed in Annex XVI (for example non-corrective contact lenses, dermal fillers, liposuction equipment, IPL and laser skin equipment, and brain-stimulation equipment). Because these products have no medical benefit to weigh against their risk, GSPR 1 and 8 are to be read for them as requiring that the product, used as intended, presents no risk at all, or no more than the maximum acceptable risk consistent with a high level of protection of health and safety.

How to demonstrate compliance: Risk management file and performance evidence structured around the Annex XVI common specifications (Regulation (EU) 2022/2346), with the acceptability argument framed on maximum acceptable risk rather than on benefit-risk. For conventional medical devices, mark GSPR 9 not applicable with the rationale that the device has an intended medical purpose.


Chapter II: Requirements Regarding Design and Manufacture (GSPR 10–22)

The numbering in this chapter is where most GSPR checklists go wrong, so the headings below follow the section numbers of Annex I exactly.

GSPR 10 — Chemical, Physical, and Biological Properties

Devices must be designed and manufactured to ensure that their chemical, physical, and biological properties are appropriate for the intended purpose. The sub-requirements address:

  • 10.1: Choice of materials and substances (toxicity, flammability), compatibility with biological tissues, cells, and body fluids, compatibility between the different parts of the device, and the effect of processing on material properties
  • 10.2: Minimising risks from contaminants and residues to patients and to the persons who transport, store, and use the device
  • 10.3: Safe use with the materials, substances, and gases (including medicinal products) the device contacts in normal use
  • 10.4: Substances that are carcinogenic, mutagenic, or toxic to reproduction (CMR) or endocrine disrupting, including the justification and labelling rules that apply above 0.1% w/w in invasive and body-contacting devices
  • 10.5: Minimising risks from unintentional ingress of substances into the device
  • 10.6: Risks linked to the size and properties of particles that are or can be released into the body, with special attention to nanomaterials

How to demonstrate compliance: Biological evaluation per the ISO 10993 series, material certificates, chemical characterization, CMR and endocrine-disruptor justification where applicable, and the biological safety evaluation report.

GSPR 11 — Infection and Microbial Contamination

Devices must be designed to minimize infection risk, including reducing risks from unintended cuts, enabling safe handling, minimizing microbial leakage, and preventing microbial contamination. Sterile devices must be manufactured and sterilized using appropriate validated methods, and the label must make clear whether a device is supplied sterile.

How to demonstrate compliance: Sterilization validation per ISO 11135 (EO), ISO 11137 (radiation), ISO 17665 (steam), or other applicable standard. Packaging validation per ISO 11607.

GSPR 12 — Devices Incorporating a Medicinal Substance, and Substance-Based Devices

Devices that incorporate, as an integral part, a substance which if used separately would be a medicinal product (including human blood or plasma derivatives), and devices composed of substances that are absorbed by or locally dispersed in the human body, must meet additional requirements on the quality, safety, and usefulness of those substances.

How to demonstrate compliance: Chemical characterization, extractables and leachables studies, and, for an ancillary medicinal substance, the consultation with a national medicines authority or the EMA that the Notified Body carries out under Article 52(9).

GSPR 13 — Devices Incorporating Materials of Biological Origin

  • 13.1: Non-viable tissues or cells of human origin, or their derivatives
  • 13.2: Non-viable tissues or cells of animal origin, or their derivatives (see also Regulation (EU) No 722/2012 on TSE risk)
  • 13.3: Other non-viable biological substances

How to demonstrate compliance: Donation, procurement, and testing records, viral and TSE inactivation or removal validation, and traceability documentation from source to finished device.

GSPR 14 — Construction of Devices and Interaction with Their Environment

This is where the MDR places the "environmental" requirements that checklists often file under the wrong number. It covers combination with other devices or equipment (14.1); risks from physical features and from the use environment, including magnetic and electromagnetic effects, electrostatic discharge, pressure, humidity, temperature, radio-signal interference, and negative interaction between software and the IT environment it runs in (14.2); fire and explosion (14.3); safe adjustment, calibration, and maintenance (14.4); reliable and safe interoperability with other devices (14.5); ergonomic measuring, monitoring, and display scales (14.6); and safe disposal of the device and its waste (14.7).

How to demonstrate compliance: Environmental and EMC testing, interoperability testing, disposal instructions in the IFU, RoHS compliance where applicable, and the corresponding entries in the risk management file.

GSPR 15 — Devices with a Diagnostic or Measuring Function

Such devices must deliver the accuracy, precision, and stability their intended purpose requires, with the limits of accuracy stated by the manufacturer, and must express measurements in legal units (Directive 80/181/EEC).

How to demonstrate compliance: Accuracy, repeatability, and stability testing against the stated limits, metrological traceability of reference equipment, and the accuracy statement in the IFU.

GSPR 16 — Protection Against Radiation

For devices emitting radiation (ionising or non-ionising, intended or unintended), the requirements address:

  • Minimizing exposure while maintaining therapeutic or diagnostic efficacy
  • Physical protection against unintended or stray radiation
  • Accurate delivery, monitoring, and where relevant display of intended radiation doses
  • Operating information for the user and, for ionising radiation, control of the quantity, geometry, and quality of the radiation

How to demonstrate compliance: Radiation safety testing, shielding validation, dose calculations, and compliance with the applicable IEC 60601-2-x particular standards.

GSPR 17 — Electronic Programmable Systems and Software That Are Devices in Themselves

This is one of the most scrutinized GSPRs in 2026. Its four sub-requirements are:

  • 17.1: Repeatability, reliability, and performance in line with the intended use, with risks from a single fault condition eliminated or reduced as far as possible
  • 17.2: Development and manufacture in accordance with the state of the art, taking into account the development life cycle, risk management including information security, verification, and validation
  • 17.3: Software intended for mobile computing platforms must be designed with the platform's characteristics (screen size, contrast) and the external factors of its use (light, noise) in mind
  • 17.4: The manufacturer must set out the minimum requirements for hardware, IT network characteristics, and IT security measures, including protection against unauthorised access, needed to run the software as intended

2026 cybersecurity update: Notified Bodies evaluate cybersecurity as a lifecycle obligation, reading GSPR 17.2, 17.4, and 18.8 together as MDCG 2019-16 does. Manufacturers must demonstrate:

  • Threat modeling and security risk assessment within a secure development lifecycle per IEC 81001-5-1
  • Security verification (penetration testing, fuzzing, vulnerability scanning) proportionate to the threat model
  • A software bill of materials (SBOM) maintained for every released version
  • Post-market vulnerability monitoring, coordinated vulnerability disclosure, and patch management linked to PMS and vigilance
  • The 17.4 statement of minimum IT and security requirements for the operating environment, normally placed in the IFU
  • Data protection measures in line with the GDPR where personal data are processed

How to demonstrate compliance: IEC 62304 lifecycle evidence, IEC 81001-5-1 process evidence including the threat model and security risk assessment, SBOM, security test reports, vulnerability management plan, the 17.4 minimum requirements statement, and for AI/ML devices a documented change-management approach for model updates (the FDA's predetermined change control plan has no direct MDR equivalent; substantial changes still go to the Notified Body).

GSPR 18 — Active Devices and Devices Connected to Them

Requirements for devices that rely on a source of energy other than that generated by the human body or by gravity, including:

  • Single fault condition safety, monitoring of the power supply, and alarms for failure of an external supply where patient safety depends on it
  • Minimising electromagnetic emissions and ensuring immunity to electromagnetic disturbance
  • Protection against electric shock
  • Protection, as far as possible, against unauthorised access that could stop the device functioning as intended (18.8)

How to demonstrate compliance: IEC 60601 series testing (electrical safety, EMC per IEC 60601-1-2, alarms per IEC 60601-1-8), risk analysis of energy-related hazards, and access-control evidence shared with the GSPR 17 cybersecurity file.

GSPR 19 — Particular Requirements for Active Implantable Devices

Active implantable devices must minimise risks from the energy source and from external influences (magnetic fields, electrical effects, pressure, temperature), remain reliable over their intended lifetime, and carry a code identifying the device and its manufacturer that can be read without surgery.

How to demonstrate compliance: Testing per the ISO 14708 series, longevity and reliability data, MRI and EMC compatibility evidence, and verification of the identification code.

GSPR 20 — Protection Against Mechanical and Thermal Risks

Devices must be designed to minimize risks from mechanical and thermal hazards, including:

  • Resistance to mechanical stress (vibration, shock, impact)
  • Minimization of risks from vibration, noise, and heat
  • Minimization of risks from electrical interference

How to demonstrate compliance: Mechanical testing, thermal testing, EMC testing per IEC 60601-1-2.

GSPR 21 — Protection Against Risks from Devices Supplying Energy or Substances

Devices that supply energy or substances to the patient must enable accurate setting and maintenance of the delivered amount, with means to prevent or indicate inadequacies.

How to demonstrate compliance: Accuracy testing, alarm validation, infusion pump performance testing.

GSPR 22 — Protection Against Risks from Devices Intended for Use by Lay Persons

If the device is intended for use by lay persons, it must perform as intended in their hands: information and instructions must be understandable without professional training, use error must be reduced as far as possible, and where appropriate the device should let the user verify at the time of use that it will perform as intended (22.1–22.3).

How to demonstrate compliance: Usability testing with representative lay users per IEC 62366-1, IFU comprehension testing, and a use-related risk analysis covering non-professional users.

Where clinical evaluation fits

Clinical evaluation is not a GSPR of its own; it is required by Article 61 and Annex XIV and is the evidence base for GSPR 1 (performance and safety) and GSPR 8 (benefit-risk acceptability). Every safety or performance claim must be supported by clinical evidence from clinical investigations, published literature, and/or post-market data.

How to demonstrate compliance: Clinical evaluation report per Article 61 and Annex XIV, including a systematic literature review, clinical investigation reports (ISO 14155 where applicable), and the PMCF plan.

Chapter III: Requirements Regarding Information (GSPR 23)

GSPR 23 — Labels and Instructions for Use

The most extensive single GSPR, covering:

  • 23.1: General requirements for label and IFU — medium, format, content, legibility must be appropriate to the device and intended user
  • 23.2: Label information — device name, contents, intended purpose, manufacturer details, UDI, storage conditions, sterility status, expiry date, lot number
  • 23.3: Instructions for use content — detailed requirements including intended purpose, contraindications, warnings, operating instructions, troubleshooting, disposal instructions
  • 23.4: Specific requirements for sterile devices, devices with measuring functions, and reusable devices

How to demonstrate compliance: Label review checklist, IFU review against the GSPR 23.3 and 23.4 requirements, symbol compliance with ISO 15223-1, and translation verification for the official language(s) required by each Member State in which the device is made available (Article 10(11)).

Building Your GSPR Checklist

The GSPR checklist is the single most important compliance document in your technical file. The tabular format is not mandated, but its content is: Annex II Section 4 of the MDR requires the technical documentation to identify which GSPRs apply and explain why the others do not, state the methods used to demonstrate conformity, list the harmonised standards or common specifications applied, and give the precise identity of the controlled documents that evidence conformity. A well-built checklist is that requirement laid out in one table, which is why every Notified Body expects to see it.

Checklist Structure

Column Description
GSPR Number The specific requirement number from Annex I
GSPR Requirement Summary of the requirement (or full text)
Applicable? Yes / No
Rationale (if No) Justification for why this GSPR does not apply
Method of Compliance How compliance is demonstrated (standard, testing, analysis)
Applicable Standard(s) Harmonised standard or common specification used
Evidence of Conformity Specific document(s) proving compliance

Sample GSPR Checklist Entry

Field Example
GSPR Number 17.1
Requirement Software designed for repeatability, reliability, and performance
Applicable? Yes
Rationale N/A
Method of Compliance Software development lifecycle per IEC 62304:2006+AMD1:2015
Applicable Standard IEC 62304:2006+AMD1:2015 Class B
Evidence Software Development Plan (SDP-001), V&V Report (SVV-001), Software Traceability Matrix (STM-001)

Handling "Not Applicable" GSPRs

Every "Not Applicable" entry must have a strong, defensible rationale. Common examples:

GSPR Typical N/A Rationale
9 (Annex XVI products) "Device has an intended medical purpose and is not an Annex XVI product"
11.4–11.5 (sterile devices) "Device is not supplied sterile and is not intended to be sterilized"
13.1 (human tissues) "Device does not incorporate tissues or cells of human origin"
13.2 (animal tissues) "Device does not incorporate tissues or cells of animal origin"
16 (radiation) "Device does not emit ionizing or non-ionizing radiation"
17 (software) "Device contains no software and no electronic programmable system"
19 (active implantable) "Device is not an active implantable device"
22 (lay person use) "Device is intended for use by healthcare professionals only"

Harmonised Standards and GSPR Mapping

Harmonised standards provide a presumption of conformity with the GSPRs they cover. Using them is not mandatory, but it significantly simplifies the compliance demonstration.

Key Standards Used to Demonstrate GSPR Compliance

A standard gives a presumption of conformity only for the edition cited in the Official Journal of the EU and only for the GSPRs its Annex Z mapping covers. Check the current OJ list before relying on any row below; the mapping is indicative.

Standard GSPR Coverage Topic
ISO 14971:2019 GSPR 1–5, 8 Risk management
ISO 10993 series GSPR 10 Biological evaluation
IEC 62304:2006+AMD1:2015 GSPR 17.1–17.2 Software lifecycle
IEC 62366-1:2015+AMD1:2020 GSPR 5, 22 Usability engineering
IEC 60601 series GSPR 14, 18, 20, 21 Medical electrical equipment (safety, EMC, performance)
ISO 11607 series GSPR 7, 11 Packaging for terminally sterilized devices
ISO 11135, 11137, 17665 GSPR 11 Sterilization validation
ISO 14155:2020 Clinical evidence for GSPR 1 and 8 Clinical investigation
ISO 15223-1:2021 GSPR 23 Medical device symbols
IEC 81001-5-1:2021 GSPR 17.2, 17.4, 18.8 Health software security lifecycle (verify its harmonisation status in the OJ; if not cited, apply it as state of the art, not as a presumption of conformity)

What About Common Specifications (CS)?

Common Specifications (CS) are legally binding requirements adopted by the Commission under Article 9 where no harmonised standard exists, where the relevant harmonised standards are insufficient, or where there is a need to address public health concerns. Unlike harmonised standards, CS are not optional: a manufacturer must comply with the applicable CS unless it can duly justify that it has adopted a solution ensuring at least an equivalent level of safety and performance (Article 9(2)). Under the MDR the Commission has adopted CS for the reprocessing of single-use devices (Regulation (EU) 2020/1207) and for the Annex XVI products without an intended medical purpose (Regulation (EU) 2022/2346).

2026 Updates: Cybersecurity, AI, and Evolving Expectations

Cybersecurity Under GSPR 17.2

In 2026, cybersecurity is no longer a niche technical concern; it is a core regulatory expectation. One scope point is worth getting right: products with digital elements to which the MDR or IVDR apply are expressly excluded from the EU Cyber Resilience Act (Regulation (EU) 2024/2847, Article 2(2)), so a CE-marked medical device is assessed for cybersecurity under GSPR 17.2, 17.4, and 18.8 and MDCG 2019-16, not under the CRA. The CRA still reaches manufacturers indirectly, because components, platforms, and companion products that are not themselves medical devices fall within it, and its obligations describe the same baseline Notified Bodies already expect under GSPR 17. Key expectations:

  • Secure by design: Cybersecurity must be integrated from the design phase, not bolted on
  • SBOM: Software Bill of Materials must be maintained and available
  • Vulnerability management: Active monitoring, coordinated vulnerability disclosure, and timely patches
  • Post-market cybersecurity: Cybersecurity events must be integrated into post-market surveillance and vigilance reporting
  • IEC 81001-5-1: This standard provides the framework for cybersecurity in medical device software
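The vulnerability-management bullet above is where most connected-device submissions fall down in practice, so here is an added example (not from the article, MDCG guidance, or any standard) of its core mechanical step: matching a CycloneDX-style SBOM against an advisory feed, with half-open version ranges and the "no fix available" case handled separately. All component names, versions, and advisory identifiers are constructed placeholders, not real products or real vulnerabilities; a real implementation would pull advisories from component suppliers' feeds and match on the full package URL rather than the bare name.

```python
"""Added example, not from the article, MDCG guidance, or any standard:
match a CycloneDX-style SBOM against an advisory feed, the core step of the
post-market vulnerability monitoring expected under GSPR 17.2. Component
names, versions, and advisory IDs are constructed placeholders, not real
products or real vulnerabilities."""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed SBOM fragment in CycloneDX 1.5 JSON shape. Assumption: the build
# pipeline emits a purl for every third-party component in the firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-infusion-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-tls",  "version": "1.4.2",
     "purl": "pkg:generic/example-tls@1.4.2"},
    {"type": "library", "name": "example-rtos", "version": "10.1.0",
     "purl": "pkg:generic/example-rtos@10.1.0"},
    {"type": "library", "name": "example-json", "version": "2.0.7",
     "purl": "pkg:generic/example-json@2.0.7"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs (no real CVEs). Each entry
# gives a half-open affected range [introduced, fixed); fixed=None means the
# supplier has not shipped a fix yet.
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"id": "EXAMPLE-ADV-001", "component": "example-tls",
     "introduced": "1.3.0", "fixed": "1.4.5", "severity": "high"},
    {"id": "EXAMPLE-ADV-002", "component": "example-rtos",
     "introduced": "9.0.0", "fixed": "10.0.0", "severity": "medium"},
    {"id": "EXAMPLE-ADV-003", "component": "example-json",
     "introduced": "2.0.0", "fixed": None, "severity": "low"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only. A non-numeric part raises ValueError so a
    malformed SBOM entry is noticed instead of being silently compared."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= installed < fixed (or no fix exists yet)."""
    v = parse_version(installed)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str,
               advisories: Iterable[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Return one record per (component, advisory) pair that affects the
    build, with the action the vulnerability management plan should trigger."""
    sbom = json.loads(sbom_json)
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    hits = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue
        if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
            hits.append({
                "advisory": adv["id"],
                "purl": comp["purl"],
                "installed": comp["version"],
                "fixed_in": adv["fixed"],
                "severity": adv["severity"],
                # No fix: the ISO 14971 file needs a risk assessment of the
                # exposure and any compensating control, not just a ticket.
                "action": "plan and verify update" if adv["fixed"]
                          else "assess risk; no supplier fix available",
            })
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM_JSON, ADVISORIES):
        print(hit)
```

Two design points matter more than the code. First, the "no fix available" branch is deliberate: a hit with no supplier patch is a risk management event under ISO 14971 (and possibly a vigilance one), not a backlog item. Second, version comparison is the weak spot of every SBOM matcher; the numeric-tuple scheme here fails loudly on anything else, which is preferable to silently comparing a date-based or vendor-specific version string as if it were semver.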

AI/ML Devices Under the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) creates a dual compliance landscape for AI-based medical devices. Most high-risk obligations apply from 2 August 2026; for AI systems that are medical devices, or safety components of medical devices, under the MDR or IVDR (listed in Annex I Section A of the AI Act) the obligations apply from 2 August 2027, and the AI Act conformity assessment is carried out together with the MDR assessment by the Notified Body. Key intersections with GSPR:

  • GSPR 1: Performance claims must be supported by clinical evidence that accounts for AI model variability
  • GSPR 3: Risk management must include AI-specific risks (bias, drift, adversarial attacks)
  • GSPR 5: Use error analysis must include AI misinterpretation risks
  • GSPR 17: Software lifecycle processes must address model retraining, validation, and deployment
  • MDCG 2025-6: Published June 2025, this guidance clarifies MDR/AI Act interplay for medical device AI

Environmental Sustainability

Environmental considerations under GSPR 14 (the use environment in 14.2 and safe disposal in 14.7) are receiving increased scrutiny. Notified Bodies are looking for:

  • Environmental impact assessments
  • Sustainable material choices where feasible
  • Disposal and recycling instructions
  • RoHS compliance for electronic devices

Comparison: GSPR vs. MDD Essential Requirements

Aspect MDD Essential Requirements MDR GSPR
Total Requirements 14 (MDD Annex I), with a parallel set in AIMDD Annex 1 23 (MDR Annex I), each with numbered sub-requirements
Risk Management Referenced in ER 1–2 Explicit process requirement (GSPR 3)
Cybersecurity Not addressed Addressed under GSPR 17.2, 17.4, and 18.8
Nanomaterials Not addressed Addressed under GSPR 10.6
Software Validation only (ER 12.1a) Lifecycle requirements (GSPR 17)
Clinical Evidence Referenced (ER 6a, Annex X) Significantly strengthened (Article 61, Annex XIV) and relied on for GSPR 1 and 8
Environmental Use environment only (ER 9.2) Use environment (GSPR 14.2) and safe disposal (GSPR 14.7)
UDI Not required Required (Article 27; label content in GSPR 23.2)
Post-Market Surveillance Minimal Integrated PMS system (Articles 83–86) feeding risk management and GSPR evidence

Common Notified Body Findings on GSPR Compliance

Finding 1: Generic Compliance Statements

What NBs see: "The device complies with GSPR 10." No specific evidence, no standard referenced, no test report cited.

How to fix: Every GSPR entry must reference specific evidence — the test report number, the standard edition, the page in the risk management file.

Finding 2: Weak "Not Applicable" Justifications

What NBs see: "N/A" with no rationale, or "does not apply" without explanation.

How to fix: Every N/A must include a clear, defensible reason that an auditor could not challenge.

Finding 3: Outdated Standards

What NBs see: GSPR checklist references ISO 10993-1:2009, but the current edition is ISO 10993-1:2018 (published in Europe as EN ISO 10993-1:2020).

How to fix: Review the Commission's list of harmonised standards in the Official Journal at least annually and after every new implementing decision. Update the GSPR checklist to cite the current edition, and where the edition changed, record the gap assessment that shows your existing evidence still covers the new requirements.

Finding 4: Disconnected Risk Management

What NBs see: The risk management file identifies risk controls, but the GSPR checklist does not reference the risk management file as evidence.

How to fix: Ensure the GSPR checklist explicitly cross-references the risk management file (by document ID and section) for GSPR 1–5 and GSPR 8, and that the risk management file in turn maps each risk control to the GSPR it satisfies.

Finding 5: Missing Cybersecurity Documentation

What NBs see: A connected medical device with no cybersecurity risk assessment, no SBOM, no vulnerability management plan.

How to fix: Implement IEC 81001-5-1, create a cybersecurity risk assessment, maintain an SBOM, and establish a post-market vulnerability monitoring process.
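The five findings above are mechanical enough to check before submission. As an added example (not the article's template or any Notified Body tool), the Python below runs them as lint rules over a small GSPR checklist. The checklist rows, the document register, the list of current editions, and the convention that cybersecurity evidence carries a CYB- document prefix are all constructed assumptions for the example; a real implementation would read the checklist export and the OJ-derived standards list from your QMS.

```python
"""Added example, not the article's template or any Notified Body tool:
lint a GSPR checklist for the five common findings. All rows, document IDs,
and standard editions below are constructed for the example."""
import re
from typing import Dict, List

# Assumption: the RA team maintains this from the Official Journal list.
# Entries are illustrative, not the OJ.
CURRENT_STANDARDS: Dict[str, str] = {
    "ISO 14971": "ISO 14971:2019",
    "ISO 10993-1": "ISO 10993-1:2018",
    "IEC 62304": "IEC 62304:2006+AMD1:2015",
}

# Constructed document register: controlled documents that exist in the
# technical file. Evidence must point at one of these.
DOCUMENT_REGISTER = {"RMF-001", "SDP-001", "SVV-001", "STM-001", "BIO-007"}

RISK_LINKED_GSPRS = {"1", "2", "3", "4", "5", "8"}   # must cite the RMF
CYBER_GSPRS = {"17.2", "17.4", "18.8"}                # must cite CYB- evidence
EVIDENCE_ID = re.compile(r"\b[A-Z]{2,4}-\d{3}\b")    # e.g. RMF-001

CHECKLIST: List[Dict[str, str]] = [
    {"gspr": "3", "applicable": "Yes", "rationale": "",
     "standard": "ISO 14971:2019", "evidence": "RMF-001 section 5"},
    {"gspr": "10.1", "applicable": "Yes", "rationale": "",
     "standard": "ISO 10993-1:2009", "evidence": "BIO-007"},
    {"gspr": "13.1", "applicable": "No", "rationale": "",
     "standard": "", "evidence": ""},
    {"gspr": "17.1", "applicable": "Yes", "rationale": "",
     "standard": "IEC 62304:2006+AMD1:2015",
     "evidence": "SDP-001, SVV-001, STM-001"},
    {"gspr": "17.2", "applicable": "Yes", "rationale": "",
     "standard": "IEC 62304:2006+AMD1:2015", "evidence": "SDP-001"},
    {"gspr": "5", "applicable": "Yes", "rationale": "",
     "standard": "IEC 62366-1:2015+AMD1:2020",
     "evidence": "The device complies with GSPR 5"},
    {"gspr": "16", "applicable": "No",
     "rationale": "Device does not emit ionising or non-ionising radiation",
     "standard": "", "evidence": ""},
]


def base_standard(ref: str) -> str:
    """'ISO 10993-1:2009' -> 'ISO 10993-1' (edition stripped)."""
    return ref.split(":")[0].strip()


def lint_row(row: Dict[str, str]) -> List[str]:
    """Return the findings for one checklist row (empty list means clean)."""
    findings: List[str] = []
    g = row["gspr"]
    if row["applicable"].strip().lower() == "no":
        # Finding 2: an N/A needs a defensible rationale; nothing else applies.
        if not row["rationale"].strip():
            findings.append(f"GSPR {g}: N/A without rationale")
        return findings
    ids = EVIDENCE_ID.findall(row["evidence"])
    if not ids:
        # Finding 1: prose such as "complies with GSPR x" is not evidence.
        findings.append(f"GSPR {g}: generic compliance statement, no evidence ID")
    for doc in ids:
        if doc not in DOCUMENT_REGISTER:
            findings.append(f"GSPR {g}: evidence {doc} not in document register")
    std = row["standard"].strip()
    if std:
        # Finding 3: the edition cited must be the current one.
        current = CURRENT_STANDARDS.get(base_standard(std))
        if current and std != current:
            findings.append(f"GSPR {g}: {std} superseded by {current}")
    if g.split(".")[0] in RISK_LINKED_GSPRS and not any(d.startswith("RMF-") for d in ids):
        # Finding 4: risk-linked GSPRs must cross-reference the RMF.
        findings.append(f"GSPR {g}: no cross-reference to risk management file")
    if g in CYBER_GSPRS and not any(d.startswith("CYB-") for d in ids):
        # Finding 5: cybersecurity GSPRs need cybersecurity evidence.
        findings.append(f"GSPR {g}: no cybersecurity evidence (expected a CYB- document)")
    return findings


def lint_checklist(rows: List[Dict[str, str]]) -> List[str]:
    out: List[str] = []
    for row in rows:
        out.extend(lint_row(row))
    return out


if __name__ == "__main__":
    for finding in lint_checklist(CHECKLIST):
        print(finding)
```

Run against the constructed rows it reports five findings, one of each kind: the outdated ISO 10993-1 edition, the blank N/A for 13.1, the GSPR 5 row with a prose statement and no risk file reference (two findings), and the GSPR 17.2 row with lifecycle evidence but nothing from the cybersecurity file. The document-register check is the one that catches dangling references after a document is renumbered, which no reviewer spots by eye in a 23-section table.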

FAQ

Is the GSPR checklist legally required? The table format is not mandated, but its content is. Article 5(2) requires the device to meet every GSPR that applies to it, and Annex II Section 4 requires the technical documentation to identify which GSPRs apply, justify why the others do not, state the methods used to demonstrate conformity, list the harmonised standards or common specifications applied, and give the precise identity of the controlled documents that evidence conformity. The checklist is the universally accepted way of presenting exactly that, and Notified Bodies expect to see it.

How many GSPRs apply to a typical device? Most devices will have 15–20 applicable GSPRs out of the total 23. Devices without software, radiation, or sterile components will have several N/A entries. Complex active devices may have all 23 applicable.

Do Class I devices need GSPR compliance? Yes. All devices, regardless of classification, must comply with applicable GSPRs. The difference is that Class I devices (with some exceptions) can self-declare conformity without Notified Body involvement, but the GSPR requirements themselves are identical.

Can we use the same GSPR checklist for multiple devices in a product family? You can use a template, but each device must have its own GSPR checklist because the applicable requirements, standards, and evidence will differ. A device family checklist is acceptable only if all devices share identical design, materials, manufacturing processes, and intended uses.

How often should the GSPR checklist be updated? The GSPR checklist should be reviewed at minimum annually and updated whenever:

  • New harmonised standards are published
  • The device design changes (triggering a design change review)
  • Post-market surveillance data reveals new risks
  • New GSPR-relevant regulations come into effect (e.g., CRA, AI Act)
  • The Notified Body issues findings during assessment

What is the relationship between the GSPR checklist and the Declaration of Conformity? The EU Declaration of Conformity (DoC) is the legal document in which the manufacturer declares that the device meets all applicable MDR requirements, including the GSPR. The GSPR checklist is the detailed evidence that supports this declaration. The DoC references the GSPR compliance without listing individual evidence; the checklist provides the granular proof.

Do we need separate GSPR checklists for the EU MDR and the IVDR? Yes. EU MDR 2017/745 and IVDR 2017/746 each have their own Annex I GSPR. While the structure and many requirements are similar, there are differences specific to in vitro diagnostic devices. If you manufacture both medical devices and IVDs, maintain separate GSPR checklists for each.

How does the Cyber Resilience Act affect GSPR compliance? Products with digital elements to which the MDR or IVDR apply are excluded from the CRA's scope (Regulation (EU) 2024/2847, Article 2(2)), so a CE-marked medical device is assessed for cybersecurity under GSPR 17.2, 17.4, and 18.8 and MDCG 2019-16, not under the CRA. The CRA still reaches manufacturers indirectly: components, platforms, or companion products that are not themselves medical devices fall within it, and its vulnerability-handling, security-update, and incident-reporting obligations describe the same baseline Notified Bodies already expect under GSPR 17. Treat CRA-style SBOM, coordinated disclosure, and update processes as part of your GSPR 17 strategy rather than as a separate regime, and confirm the scope position for any non-device software you place on the market alongside the device.

Key Takeaways

  1. The GSPR checklist is non-negotiable. Notified Bodies will not accept technical documentation without one. Build it early and maintain it continuously.
  2. Every N/A must be justified. A blank rationale column is an audit finding. Document why each non-applicable GSPR does not apply to your specific device.
  3. Cybersecurity is now a core GSPR concern. For any device with software or connectivity, GSPR 17 compliance in 2026 means a secure development lifecycle aligned with IEC 81001-5-1, an SBOM per release, a post-market vulnerability management process, and the minimum IT security requirements for the operating environment that GSPR 17.4 obliges you to state.
  4. Keep standards current. Reference the harmonised standard versions published in the Official Journal of the EU. Outdated standards are a common and easily avoidable finding.
  5. Link everything. Your GSPR checklist should cross-reference the risk management file, the clinical evaluation report, and the design control documentation. Disconnected evidence is weak evidence.
  6. AI/ML devices face dual compliance. The EU AI Act's high-risk obligations start on 2 August 2026 in general and on 2 August 2027 for AI systems that are medical devices under the MDR/IVDR, on top of the MDR GSPR. Plan for unified documentation covering both frameworks.