Medical Device Policy & Legislation: Key Laws Shaping the Industry in 2026

Navigate the evolving medical device legislative landscape — from MDUFA V and the VALID Act to EU MDR implementation challenges, AI regulation, and global policy trends reshaping how devices reach patients.

Why Medical Device Policy and Legislation Matter

Medical devices are among the most heavily regulated products in the world, and the legislative frameworks that govern them are neither static nor simple. Every device that touches a patient -- from a tongue depressor to an implantable cardiac defibrillator to an AI-driven diagnostic algorithm -- exists within a web of laws, regulations, guidance documents, and international standards that determines how it is designed, tested, manufactured, marketed, and monitored.

For regulatory affairs professionals, quality engineers, and industry executives, understanding the policy landscape is not optional. Legislation sets the boundaries of what the FDA, the European Commission, and other regulatory authorities can require. It determines user fee structures that fund review timelines. It creates new pathways for innovative technologies and closes loopholes for legacy products that have escaped modern scrutiny. And increasingly, policy decisions made in Washington, Brussels, and Beijing have cascading effects across the global supply chain.

This guide provides a comprehensive overview of the legislative and policy landscape for medical devices as it stands in 2026. It covers the foundational U.S. statutes, the major reauthorization cycles, the most consequential proposed legislation, the EU MDR/IVDR implementation saga, and the global trends that are reshaping how devices reach patients worldwide.

The Legislative Framework for Medical Devices in the United States

The U.S. regulatory framework for medical devices rests on a series of federal statutes, each building on and modifying its predecessors. Understanding the current regulatory environment requires understanding the legislative history that produced it.

The Federal Food, Drug, and Cosmetic Act (FD&C Act)

The original FD&C Act of 1938 gave the FDA authority over drugs and cosmetics but said relatively little about medical devices. For nearly four decades, medical devices were regulated primarily under the general adulteration and misbranding provisions of the Act -- a framework that was woefully inadequate for the increasingly sophisticated devices entering the market. It took a series of high-profile device failures -- most notoriously the Dalkon Shield intrauterine device, which caused serious injuries and deaths in thousands of women -- to galvanize Congressional action.

Medical Device Amendments of 1976 (P.L. 94-295)

The Medical Device Amendments of 1976 represent the foundation of modern medical device regulation in the United States. This law established the three-tier classification system (Class I, II, III) that remains in effect today, created the premarket approval (PMA) and 510(k) premarket notification pathways, and gave the FDA explicit authority to establish Good Manufacturing Practice (GMP) requirements for devices.

Key provisions of the 1976 Amendments:

Provision	What It Established
Device classification	Three-class system based on risk (I, II, III)
510(k) premarket notification	Pathway for devices substantially equivalent to predicates
Premarket Approval (PMA)	Rigorous pathway for highest-risk (Class III) devices
Good Manufacturing Practice	Authority for FDA to establish manufacturing requirements
Investigational Device Exemption (IDE)	Framework for clinical investigations of devices
General and special controls	Regulatory controls for Class I and II devices
Medical Device Reporting (MDR)	Post-market adverse event reporting (later expanded)

Key Takeaway: The 1976 Amendments created the regulatory architecture that still governs medical devices today. Every major piece of device legislation since then has been a modification of this framework, not a replacement.

Safe Medical Devices Act of 1990 (SMDA, P.L. 101-629)

The SMDA addressed gaps in the post-market surveillance system. Before this law, healthcare facilities had no obligation to report device-related deaths or serious injuries. The SMDA required hospitals, nursing homes, and other user facilities to report device-related deaths to both the FDA and the manufacturer, and to report serious injuries to the manufacturer. It also gave the FDA authority to order post-market surveillance studies, issue mandatory recalls (a power the agency previously lacked for devices), and temporarily suspend PMA approvals in emergencies.

The SMDA also created the humanitarian device exemption (HDE) pathway, allowing devices intended to treat or diagnose conditions affecting fewer than 8,000 individuals per year in the United States to receive approval based on a lower evidentiary standard -- demonstrating safety and probable benefit, rather than full effectiveness.

FDA Modernization Act of 1997 (FDAMA, P.L. 105-115)

FDAMA was a broad reform law covering drugs, biologics, and devices. For devices, it introduced several significant changes:

De Novo classification: Created an alternative pathway for novel, low-to-moderate-risk devices that had no predicate for 510(k) but did not warrant PMA. Initially cumbersome (requiring a 510(k) refusal first), this pathway was later streamlined and has become increasingly important.
Third-party review: Authorized the FDA to accredit third-party organizations to conduct 510(k) reviews, reducing the burden on FDA reviewers.
Regulatory relief provisions: Eliminated the requirement for certain Class I devices to submit 510(k) notifications and streamlined the exemption process.
Combination products: Clarified procedures for determining the lead FDA center for combination products (drug-device, biologic-device).

FDA Safety and Innovation Act of 2012 (FDASIA, P.L. 112-144)

FDASIA was a reauthorization package that included MDUFA III (discussed below), PDUFA V, and several other titles. For devices, it:

Established the Breakthrough Device Designation (originally called the Expedited Access Pathway and later renamed and codified).
Required FDA to establish a program for the unique device identification (UDI) system.
Mandated improvements to the 510(k) process.
Required FDA to engage with stakeholders on issues related to health information technology and mobile medical applications.

21st Century Cures Act of 2016 (P.L. 114-255)

The Cures Act was landmark legislation that affected virtually every part of the healthcare ecosystem. For medical devices, its most consequential provisions included:

Breakthrough Devices program: Formally codified the Breakthrough Devices program under Section 515B of the FD&C Act, giving the FDA statutory authority and direction to prioritize review of devices that provide more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions.
Exemptions for certain software: Excluded certain categories of clinical decision support (CDS) software, administrative software, and electronic health record software from the definition of "device," narrowing the scope of FDA oversight for health IT.
Real-world evidence: Directed FDA to develop a framework for evaluating the use of real-world evidence (RWE) in regulatory decision-making for devices.
Patient preference information: Required FDA to develop guidance on incorporating patient preference information into benefit-risk assessments.
Humanitarian Device Exemption expansion: Raised the HDE threshold from 4,000 to 8,000 patients per year.

Law	Year	Key Device Provisions
FD&C Act (original)	1938	General adulteration/misbranding authority
Medical Device Amendments	1976	Classification system, 510(k), PMA, IDE
Safe Medical Devices Act	1990	User facility reporting, recalls, HDE
FDA Modernization Act	1997	De Novo pathway, third-party review
FDASIA	2012	Breakthrough Devices, UDI, MDUFA III
21st Century Cures Act	2016	Breakthrough codification, CDS exemptions, RWE

MDUFA: Medical Device User Fee Amendments

What Is MDUFA

The Medical Device User Fee Amendments are the mechanism by which the medical device industry pays fees to the FDA to supplement Congressional appropriations and fund the device review process. The concept parallels the Prescription Drug User Fee Act (PDUFA) for drugs: in exchange for paying fees, the industry receives commitments from the FDA on review performance goals -- specifically, timelines for completing premarket reviews.

MDUFA was first enacted in 2002 (MDUFA I) and has been reauthorized every five years since. Each reauthorization cycle involves extensive negotiations between the FDA and industry stakeholders before the agreed-upon terms are transmitted to Congress for legislative action.

MDUFA V (FY2023-FY2027): Current Law

The current iteration, MDUFA V, was enacted as part of the FDA User Fee Reauthorization Act of 2022 and covers fiscal years 2023 through 2027. It represents a significant expansion of both fees and performance commitments compared to its predecessors.

Key Provisions of MDUFA V:

Feature	MDUFA V Commitment
Total annual fee revenue target	~$398 million (FY2027 adjusted)
510(k) Substantive Interaction goal	FDA provides substantive interaction within 90 days of receipt for standard 510(k)s
PMA review clock	180 FDA-day review cycle with defined milestones
De Novo review goal	Decision within 150 FDA days for standard De Novo requests
Pre-submission program	Formalized feedback timelines for pre-submissions
Total Product Lifecycle Advisory Program (TAP)	New pilot for real-time manufacturer-FDA interaction
Real-world evidence	Commitments to advance RWE use in device reviews
Digital health	Commitments to build regulatory capacity for digital health and AI/ML
Diversity in clinical trials	Reporting requirements for demographic subgroup data

Key Takeaway: MDUFA V user fees now exceed $390 million annually, making industry fees the majority funding source for FDA's device review program. This gives industry substantial leverage in negotiations -- but also creates a dependency that critics argue compromises FDA's independence.

User Fee Structure Under MDUFA V:

MDUFA V collects fees in several categories:

Application fees: Charged for PMA applications, PMA supplements, PMAs requiring clinical data, 510(k) submissions, and De Novo requests. For FY2026, the standard PMA application fee is $579,272 (small business: $144,818), the 510(k) fee is $26,067 (small business: $6,517), and the De Novo fee is $173,782 (small business: $43,446).
Establishment registration fees: Annual fees paid by each establishment registered with the FDA. The FY2026 establishment registration fee is $11,423.
Small business provisions: Qualified small businesses receive significant fee waivers and reductions, including reduced application fees (approximately 25% of the standard rate) and potential waivers of the annual establishment registration fee for businesses with gross receipts and sales of no more than $1 million that can demonstrate financial hardship.

Application Type	FY2026 Standard Fee	FY2026 Small Business Fee
PMA, PDP, PMR, BLA	$579,272	$144,818
Panel-track Supplement	$463,418	$115,855
180-Day Supplement	$86,891	$21,723
De Novo Classification Request	$173,782	$43,446
510(k)	$26,067	$6,517
513(g)	$7,820	$3,910
Real-Time Supplement	$40,549	$10,137
30-Day Notice	$9,268	$4,634
Annual Periodic Reporting (Class III)	$20,275	$5,069
Establishment Registration (Annual)	$11,423	Waiver available

MDUFA VI Reauthorization Outlook

MDUFA V expires at the end of FY2027 (September 30, 2027). The reauthorization process for MDUFA VI is well underway. On June 11, 2025, the FDA published a Federal Register notice initiating the formal reauthorization process, and on August 4, 2025, the FDA hosted its first public meeting to discuss proposed recommendations for MDUFA VI, which will cover fiscal years 2028 through 2032. The FDA has been holding monthly stakeholder consultation meetings throughout late 2025 and 2026, engaging patient and consumer advocacy groups, healthcare professionals, and scientific experts alongside its formal negotiations with industry. MDUFA V authorized more than $427 million in user fee collections for FY2026 alone, making industry fees the dominant funding source for FDA's device review program.

Anticipated issues for MDUFA VI include:

AI/ML review capacity: How to fund and staff the growing volume of AI/ML device reviews.
Review timeline adjustments: Whether current performance goals are achievable and appropriate given increasing submission complexity.
Third-party review expansion: Whether to expand the role of accredited third-party reviewers for 510(k) submissions.
Real-world evidence integration: How to operationalize the use of RWE in device reviews at scale.
Post-market surveillance funding: Whether MDUFA fees should support expanded post-market activities, not just premarket reviews.
International harmonization: Investments in reliance and recognition mechanisms with trusted foreign regulators (such as MDSAP audit results).

Congress must act by October 1, 2027, to avoid a lapse in user fee authority. If history is any guide, the legislative vehicle will be a broader FDA reauthorization package that also includes PDUFA, GDUFA, and BsUFA reauthorizations.

The VALID Act: Reforming Diagnostic Test Regulation

What VALID Proposes

The Verifying Accurate Leading-edge IVCT Development (VALID) Act is among the most consequential -- and most contentious -- pieces of proposed medical device legislation in the past decade. It would create a new, risk-based regulatory framework for in vitro clinical tests (IVCTs), bringing laboratory-developed tests (LDTs) under explicit FDA oversight for the first time.

Under the existing system, LDTs -- diagnostic tests designed, manufactured, and used within a single laboratory -- have historically operated under what the FDA calls "enforcement discretion." The agency has claimed authority over LDTs as medical devices since the 1970s but has chosen not to enforce premarket review requirements for most of them. This enforcement discretion created a de facto two-track system: commercially distributed IVDs go through FDA clearance or approval, while LDTs (including many complex genomic tests, companion diagnostics, and screening panels) reach patients with no FDA review at all.

Legislative History and Current Status

The VALID Act was first introduced in 2018 and has been reintroduced in multiple subsequent Congresses:

2018: First introduction by Representatives Diana DeGette (D-CO) and Larry Bucshon (R-IN).
2020: Reintroduced with bipartisan support but did not advance.
2022: Included in early drafts of the FDA reauthorization package but was stripped from the final bill after opposition from laboratory groups and Senate procedural disputes.
2023-2024: Reintroduced in the 118th Congress. Continued to face opposition from the clinical laboratory community.
2025-2026: As of early 2026, the VALID Act has not been enacted and has not been reintroduced in the 119th Congress. Separately, the FDA's administrative attempt to regulate LDTs has collapsed entirely (see below).

The FDA LDT Final Rule: Rise and Fall

While the VALID Act stalled in Congress, the FDA pursued an administrative approach. In May 2024, the FDA published a final rule that would have phased out enforcement discretion for LDTs over five stages, ultimately requiring most LDTs to comply with the same regulatory requirements as commercially distributed IVDs by 2028. The rule would have affected nearly 80,000 existing tests offered by approximately 1,200 laboratories.

The rule was immediately challenged. On March 31, 2025, the U.S. District Court for the Eastern District of Texas (American Clinical Laboratory Association v. FDA) vacated the final rule in its entirety, holding that the FDA exceeded its statutory authority under the FD&C Act. The court concluded that LDTs are fundamentally different from traditional medical devices -- they are services performed within a laboratory rather than physical products distributed in interstate commerce -- and that Congress intended for CLIA, not the FD&C Act, to govern laboratory testing. The court also pointed to Congress's repeated failure to pass the VALID Act as evidence that the legislature did not intend to grant the FDA this authority.

The FDA chose not to appeal the ruling. The deadline to appeal passed on May 30, 2025, without action. On September 19, 2025, the FDA formally rescinded the 2024 final rule by publishing a new final rule that reverted the definition of "in vitro diagnostic products" in 21 CFR section 809.3 to its pre-2024 language, removing the phrase "including when the manufacturer of these products is a laboratory." The House Appropriations Committee also included report language in its FY2026 funding bill directing the FDA to suspend enforcement of the rule.

The current status as of March 2026: The FDA has returned to its longstanding enforcement discretion policy for LDTs. Laboratories are not required to seek FDA clearance or approval for their tests. However, supporters of the VALID Act are reportedly trying to line up support for reintroduction, and some commentators have suggested that future LDT legislation could be incorporated into a revised VALID Act or even a "21st Century Cures 2.0" package.

Event	Date	Outcome
FDA publishes LDT final rule	May 2024	Five-stage phaseout of enforcement discretion
Federal court vacates rule	March 31, 2025	Rule struck down as exceeding FDA's statutory authority
FDA appeal deadline passes	May 30, 2025	FDA declines to appeal
FDA formally rescinds rule	September 19, 2025	Regulatory text reverted to pre-2024 language
Status quo restored	Current	Enforcement discretion continues; CLIA remains the governing framework

The IVCT Framework

Under the VALID Act, the new product category -- "in vitro clinical test" (IVCT) -- would replace the existing "in vitro diagnostic" (IVD) classification for regulatory purposes. IVCTs would be categorized into risk tiers:

Category	Description	Regulatory Requirement
Low-risk IVCTs	Tests with well-characterized performance and low clinical impact	Technology certification (no individual review)
Moderate-risk IVCTs	Tests with moderate clinical risk	Abbreviated review pathway
High-risk IVCTs	Tests used for critical clinical decisions (e.g., companion diagnostics, oncology panels)	Full premarket review
Grandfathered tests	LDTs on the market before enactment	Phased compliance with reporting and quality requirements

Technology certification is one of the VALID Act's most novel concepts. It would allow test developers to obtain certification for their analytical and clinical validation processes, after which individual tests developed using certified processes could reach the market without individual FDA review. This concept is somewhat analogous to the FDA's pre-certification pilot for digital health technologies (which was paused and reconceived), but tailored to the diagnostic testing context.

Impact on Laboratory-Developed Tests

The LDT community -- represented by organizations like the American Clinical Laboratory Association (ACLA) and the College of American Pathologists (CAP) -- has been the most vocal opponent of both the VALID Act and the FDA's administrative LDT rule. Their arguments include:

LDTs are already regulated under the Clinical Laboratory Improvement Amendments (CLIA) and state laboratory licensing.
FDA premarket review would slow access to innovative tests, particularly for rare diseases and emerging infectious diseases.
The cost of FDA compliance would be prohibitive for academic medical centers and smaller laboratories.
Congress never intended for the FDA to regulate the practice of laboratory medicine.

Supporters of VALID -- including many in the IVD industry (represented by AdvaMed's diagnostics division) and patient advocacy groups -- counter that:

CLIA regulates laboratory processes, not the clinical validity of individual tests.
Some LDTs have reached patients without adequate evidence of clinical accuracy, leading to patient harm.
A level regulatory playing field benefits both patients and legitimate test developers.
The current system disincentivizes IVD manufacturers from investing in commercially distributed tests when competitors can market LDTs without equivalent review.

Key Takeaway: The FDA's administrative attempt to regulate LDTs has been definitively defeated in court, and enforcement discretion has been restored. However, the underlying policy tension has not been resolved. The VALID Act or successor legislation could still be enacted, and the gap between the regulation of commercially distributed IVDs and LDTs remains a live policy issue. Laboratories should continue monitoring legislative developments while maintaining robust internal quality practices under CLIA.

FDA QMSR Final Rule: From QSR to ISO 13485

The Transition

On February 2, 2024, the FDA published the final rule for the Quality Management System Regulation (QMSR), fundamentally changing how medical device quality systems are regulated in the United States. The QMSR replaces the legacy Quality System Regulation (QSR) under 21 CFR Part 820 with a framework that incorporates ISO 13485:2016 by reference.

The compliance date is February 2, 2026. As of this writing (March 2026), manufacturers are now required to comply with the QMSR.

Key Differences Between QSR and QMSR

Aspect	Legacy QSR (21 CFR 820)	New QMSR
Foundation	Prescriptive U.S.-specific requirements	ISO 13485:2016 incorporated by reference
Quality manual	Not explicitly required	Required per ISO 13485
Management representative	Not explicitly required	Required per ISO 13485
Risk management	Referenced but not central	Central; ISO 14971 integration expected
Design controls	Detailed prescriptive requirements in 820.30	ISO 13485 Clause 7.3 (plus FDA supplementary requirements)
Purchasing controls	820.50	ISO 13485 Clause 7.4
Production and process controls	820.70-820.75	ISO 13485 Clause 7.5
CAPA	820.90 (detailed)	ISO 13485 Clause 8.5
Records and documentation	820.180-820.198	ISO 13485 Clause 4.2
FDA supplementary requirements	N/A	Additional requirements for complaint handling, MDR, corrections/removals, UDI

The FDA retained certain requirements that are not covered by ISO 13485, including complaint file requirements, medical device reporting obligations, corrections and removals, and unique device identification. These are specified in the QMSR as supplementary requirements alongside the incorporated standard.

What Manufacturers Needed to Change

For manufacturers who were already certified to ISO 13485 (which includes the vast majority of companies selling into both the U.S. and international markets), the transition was relatively straightforward: conduct a gap analysis between their existing ISO 13485 system and the FDA's supplementary requirements, update procedures as needed, and ensure their documentation reflects the new regulatory references.

For manufacturers who had been operating solely under 21 CFR 820 without ISO 13485 certification -- a group that includes some smaller U.S.-only manufacturers -- the transition required more substantial changes, particularly around the quality manual, management review, risk management integration, and infrastructure and work environment documentation.

Key Takeaway: The QMSR represents a major step toward international harmonization of device quality system requirements. Manufacturers maintaining dual QMS documentation (one for FDA, one for ISO 13485) can now consolidate to a single system -- a genuine reduction in regulatory burden.

New FDA Inspection Framework Under QMSR

The QMSR transition brought significant changes to how the FDA conducts inspections. On February 2, 2026, the FDA began using the updated Compliance Program 7382.850, replacing both the Inspection of Medical Device Manufacturers program (7382.845) and the Medical Device PMA Preapproval and PMA Postmarket Inspections program (7383.001). The legacy Quality System Inspection Technique (QSIT) has been retired.

Key changes to FDA inspections under QMSR include:

ISO 13485-aligned evaluation: FDA inspectors now evaluate a manufacturer's QMS against ISO 13485 clauses plus QMSR-specified supplementary requirements, rather than the prescriptive subparts of the old QSR.
Expanded inspection authority: FDA inspectors now have authority to assess management reviews, internal audit reports, and supplier audit reports -- records that were not routinely reviewable under the old QSR. This represents a significant expansion of inspectable documentation.
Total Product Lifecycle (TPLC) approach: The updated Compliance Program 7382.850 emphasizes a TPLC approach, covering UDI, labeling, tracking, reporting, and post-market surveillance in addition to manufacturing quality.
Risk-based focus: Inspections place greater emphasis on risk management integration throughout the QMS, consistent with ISO 14971 expectations.

Manufacturers should be prepared for inspectors who are asking different questions than they did under the old QSR. The focus has shifted from "do you have this procedure?" to "show me how you made this risk-based decision" -- a more substantive and potentially more challenging inspection posture.

Computer Software Assurance (CSA): The End of Traditional CSV

On February 3, 2026, the FDA released an updated final guidance titled "Computer Software Assurance for Production and Quality Management System Software," superseding the September 24, 2025 final guidance and aligning CSA expectations with the new QMSR. This guidance fundamentally changes how manufacturers validate production and quality system software.

The shift from CSV to CSA: Traditional Computer System Validation (CSV) required extensive scripted testing and documentation for every system, regardless of risk. CSA replaces this with a risk-based assurance approach where validation effort is proportionate to the process risk associated with the software function.

Key principles of the CSA framework:

Feature-level risk assessment: Manufacturers categorize individual software features by process risk (i.e., whether a software failure could result in a quality problem that impacts patient safety), rather than applying uniform validation rigor to entire systems.
Proportionate assurance: High-risk software functions (e.g., automated accept/reject decisions without human review, safety-critical process controls) require comprehensive assurance. Lower-risk functions (e.g., nonconformance tracking, document management) require lighter assurance -- potentially unscripted testing or vendor documentation review.
Cloud and AI/ML coverage: The 2026 guidance formally defines cloud deployment models (IaaS, PaaS, SaaS) and explicitly covers automation, analytics, and AI/ML tools used for production or QMS purposes.
QMSR alignment: The guidance anchors to QMSR and references specific ISO 13485:2016 subclauses (e.g., 4.1.6, 7.5.6, 7.6) for software validation obligations.

Key Takeaway for CSA: The era of documentation-heavy, one-size-fits-all computer system validation is over. FDA inspectors are now asking "explain how you determined what needed to be tested" rather than "where are your test scripts?" Organizations that adopt risk-based assurance early will see faster validation cycles, lower costs, and smoother FDA interactions.

EU MDR/IVDR Implementation: An Ongoing Challenge

MDR Timeline and the Extension Saga

The EU Medical Device Regulation (MDR 2017/745) was published in May 2017 with an original date of application of May 26, 2020. The COVID-19 pandemic forced a one-year postponement to May 26, 2021. Since then, the implementation has been marked by persistent challenges that have led to multiple legislative amendments extending transition periods.

The core problem is straightforward: there are not enough Notified Bodies with sufficient capacity to re-certify the hundreds of thousands of medical devices on the EU market. Under the previous Medical Device Directives (MDD 93/42/EEC and AIMD 90/385/EEC), approximately 80 Notified Bodies operated across Europe. Under the MDR's more rigorous designation requirements, that number dropped to approximately 40 as of early 2026 -- and not all of those have the scope or staffing to handle the full range of device types.

Extension of Transition Periods

Recognizing that a cliff-edge loss of critical medical devices from the EU market would harm patients, the European Parliament and Council adopted Regulation (EU) 2023/607 in March 2023, amending the MDR to extend transition deadlines:

Device Category	Original Deadline	Extended Deadline
Class III and Class IIb implantable (with valid MDD/AIMD certificate)	May 26, 2024	December 31, 2027
Class IIb non-implantable, Class IIa, Class I requiring NB involvement	May 26, 2024	December 31, 2028
Devices without MDD/AIMD certificate ("legacy devices")	No transition available	Still no transition (but see Article 97 derogation)
Class I devices (self-declared under MDD)	May 26, 2021 (already passed)	No extension

These extensions apply only to devices that had a valid MDD or AIMD certificate before May 26, 2021, and only if the manufacturer has applied to a Notified Body for MDR certification by the relevant deadlines and has begun implementing a QMS compliant with MDR requirements.

Article 97 Derogation

Article 97 of the MDR allows individual EU Member State Competent Authorities to grant derogations permitting devices that have not completed MDR conformity assessment to remain on their national market if their withdrawal would pose an unacceptable risk to patient health or safety. Originally intended as a narrow safety valve, Article 97 derogations have become increasingly common as the Notified Body capacity crisis has worsened. Some Member States have granted hundreds of Article 97 derogations.

IVDR Transition

The In Vitro Diagnostic Regulation (IVDR 2017/746) has faced even more severe implementation challenges than the MDR, largely because the shift from the old IVD Directive (98/79/EC) to the IVDR involves reclassification of the vast majority of IVDs into higher-risk categories that require Notified Body involvement for the first time.

Under the IVDD, approximately 80% of IVDs were self-certified by manufacturers. Under the IVDR's risk classification system (Classes A, B, C, D), the majority of those products now require Notified Body review. There are currently fewer than 10 Notified Bodies designated under the IVDR -- a capacity shortfall that dwarfs even the MDR challenge.

The EU adopted Regulation (EU) 2023/1542 (amending the IVDR) to extend transition periods for legacy IVDs:

IVDR Class	Extended Deadline
Class D	May 26, 2025 (for some, extended to 2027 per amendment)
Class C	May 26, 2027
Class B	May 26, 2028
Class A (sterile)	May 26, 2028
Class A (non-sterile, self-declared)	May 26, 2022 (already passed)

Impact on SMEs

Small and medium-sized enterprises have been disproportionately affected by the MDR/IVDR transition. The cost of MDR compliance -- including new clinical evidence requirements, UDI implementation, post-market surveillance system upgrades, and Notified Body fees -- has been estimated at EUR 2-10 million per manufacturer, depending on the size and complexity of their device portfolio. For SMEs with annual revenues below EUR 50 million, these costs are existential.

Industry surveys have consistently shown that significant numbers of SMEs have withdrawn products from the EU market or exited the market entirely rather than bear the cost of MDR transition. MedTech Europe reported that between 2021 and 2025, thousands of medical device certificates expired without being replaced by MDR certificates, representing devices that are no longer available to European patients.

Key Takeaway: The EU MDR/IVDR transition remains the defining regulatory challenge for the European medtech industry. Legislative extensions have prevented the worst-case scenario of mass device withdrawals, but the fundamental capacity problem -- too few Notified Bodies, too many devices -- will take years to resolve.

EUDAMED: Mandatory Modules from May 28, 2026

The European Database on Medical Devices (EUDAMED) has been one of the most delayed elements of the MDR/IVDR framework. After years of postponements, the European Commission published Commission Decision (EU) 2025/2371 on November 27, 2025, formally confirming that four EUDAMED modules are fully functional and meet their required specifications. This triggers a six-month transition period, making these modules mandatory from May 28, 2026.

The four mandatory modules are:

Module	What It Covers	Key Obligations
Actor Registration	Economic operators in the supply chain	Manufacturers, authorized representatives, importers, and system/procedure pack producers must register and obtain a Single Registration Number (SRN)
UDI/Device Registration	Unique device identification data	All devices must be registered before being placed on the EU market; devices already on the market must be registered by November 27, 2026
Notified Bodies & Certificates	NB designation and certificate data	Notified Bodies must upload certificate information
Market Surveillance	Safety and vigilance data	Competent authorities use for market surveillance activities

Key deadlines:

May 28, 2026: All economic operators must be registered; new devices must be registered in the UDI module before being placed on the EU market.
November 27, 2026: Devices already on the market before May 28, 2026 must be registered in the UDI module.

EUDAMED represents a fundamental shift toward transparency and traceability in the European medical device market. For manufacturers, the transition is not a simple registration exercise -- it requires systematic data governance, coordination with authorized representatives for actor registration, confirmation with Notified Bodies on certificate upload timelines, and validation of device data across the entire portfolio. Companies managing both legacy devices under older directives and new products under MDR/IVDR face particular complexity.

EU MDR Legislative Reform Proposals

In December 2025, the EU Parliament and European Council agreed on new legislative reforms aimed at modernizing the medical device regulatory framework. These reforms seek to promote innovation and safety while also recognizing and supporting the clinical use of devices for rare diseases and conditions. The reforms acknowledge the regulatory burden that MDR implementation has placed on manufacturers, particularly SMEs, and aim to reduce unnecessary barriers while maintaining safety and oversight. While full details are still being finalized in 2026, these reforms represent the first significant legislative reconsideration of the MDR framework since its adoption.

AI/ML Medical Device Regulation and Policy

FDA's AI/ML Framework

The FDA has been building a regulatory framework for AI/ML-enabled medical devices iteratively through guidance documents, discussion papers, and pilot programs rather than through a single legislative act. The key policy milestones include:

April 2019: FDA published the AI/ML-Based Software as a Medical Device (SaMD) discussion paper proposing a total product lifecycle (TPLC) approach.
January 2021: FDA published the AI/ML-Based SaMD Action Plan, outlining five areas of focus.
September 2023: FDA finalized guidance on Marketing Submission Recommendations for a Predetermined Change Control Plan (PCCP) for AI/ML-Enabled Device Software Functions.
2024-2025: FDA continued to authorize AI/ML devices and refine expectations through product-specific guidances and the Digital Health Center of Excellence (DHCoE).

Predetermined Change Control Plans (PCCPs)

The PCCP framework is arguably the most important innovation in AI/ML device regulation. Authorized under the 21st Century Cures Act and further developed through MDUFA V commitments, PCCPs allow manufacturers to describe in their premarket submissions:

Description of modifications: What types of changes the manufacturer anticipates making to the AI/ML algorithm post-authorization (e.g., retraining with new data, expanding to new patient populations, improving model performance).
Modification protocol: The specific methods and procedures the manufacturer will follow to develop, validate, and implement each modification.
Impact assessment: How the manufacturer will assess whether each modification continues to meet safety and effectiveness standards.

If the FDA authorizes a device with an approved PCCP, the manufacturer can implement modifications that fall within the scope of the plan without submitting a new premarket submission -- a dramatic departure from the traditional model where virtually any change to a device's algorithm would require a new 510(k) or PMA supplement.

EU AI Act Intersection with MDR

The EU AI Act (Regulation (EU) 2024/1689) entered into force in August 2024, with a phased implementation extending through 2027. For medical device manufacturers, the critical question is how the AI Act interacts with the MDR and IVDR.

Medical devices and IVDs that are regulated under the MDR or IVDR are classified as "high-risk AI systems" under the AI Act by default. However, the AI Act largely defers to the MDR/IVDR frameworks for conformity assessment, meaning that manufacturers must meet AI Act requirements but can do so through the existing MDR/IVDR Notified Body assessment process rather than through a separate AI Act conformity assessment.

Key AI Act requirements applicable to medical device manufacturers include:

Risk management system: Must address AI-specific risks (largely aligning with ISO 14971 requirements).
Data governance: Requirements for training, validation, and testing datasets, including representativeness, completeness, and bias monitoring.
Transparency: Users must be informed that they are interacting with an AI system and be provided with instructions for use that include the system's capabilities and limitations.
Human oversight: High-risk AI systems must be designed to allow effective human oversight.
Accuracy, robustness, and cybersecurity: Requirements aligned with but potentially exceeding MDR essential requirements.
Post-market monitoring: AI-specific post-market monitoring requirements that complement MDR post-market surveillance.

Key Takeaway: Manufacturers of AI/ML-enabled medical devices now face a dual regulatory burden in the EU: MDR/IVDR requirements plus AI Act requirements. While the frameworks are designed to work together, the practical details of compliance -- particularly regarding data governance and transparency -- are still being worked out.

Global AI/ML Device Policies

Other jurisdictions are developing their own approaches to AI/ML device regulation:

Health Canada: Published guidance on Pre-Market Requirements for Machine Learning-Enabled Medical Devices in 2024, with a PCCP-like framework.
Japan (PMDA): Developing a regulatory framework under the MHLW's AI Strategy, with a focus on PCCP-equivalent mechanisms for SaMD.
South Korea (MFDS): Has authorized AI/ML devices under existing frameworks and published AI-specific guidance.
China (NMPA): Published guiding principles for AI medical device registration in 2022, with updates expected.
UK (MHRA): Published a Software and AI as a Medical Device Change Programme roadmap, including proposals for adaptive regulation.

Cybersecurity Legislation for Medical Devices

Section 524B of the FD&C Act

The Consolidated Appropriations Act, 2023 (P.L. 117-328) added Section 524B to the FD&C Act, giving the FDA its first explicit statutory authority over cybersecurity for medical devices. This provision, which took effect on March 29, 2023, requires manufacturers of "cyber devices" to:

Submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure.
Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.
Make available post-market updates and patches to the device and related systems to address known unacceptable vulnerabilities on a justified, regular cycle.
Provide a Software Bill of Materials (SBOM) including commercial, open-source, and off-the-shelf software components.

A "cyber device" is defined as a device that includes software validated, installed, or authorized by the sponsor, has the ability to connect to the internet, and contains any technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

FDA Refuse-to-Accept Policy

Beginning October 1, 2023, the FDA implemented a refuse-to-accept (RTA) policy for premarket submissions of cyber devices that do not include the required cybersecurity information. This means the FDA will literally refuse to file and begin reviewing a 510(k), De Novo, or PMA that lacks the required cybersecurity documentation.

The RTA checklist includes:

Cybersecurity risk assessment
Threat model
Security architecture documentation
SBOM
Cybersecurity testing documentation (penetration testing, fuzz testing, etc.)
Vulnerability management plan
Patch/update plan

The PATCH Act

The Protecting and Transforming Cyber Health Care (PATCH) Act was the legislative precursor to Section 524B. First introduced in 2022, the PATCH Act's provisions were largely incorporated into the Consolidated Appropriations Act. The name is still sometimes used colloquially to refer to the cybersecurity requirements now codified in Section 524B.

Pre-Market vs. Post-Market Requirements

Phase	Requirements
Pre-market	Threat modeling, security architecture, SBOM, penetration testing, cybersecurity management plan, secure development lifecycle documentation
Post-market	Coordinated vulnerability disclosure, ongoing monitoring, timely patches and updates, communication with users and FDA

Key Takeaway: Cybersecurity is no longer a nice-to-have for medical device manufacturers. It is a statutory requirement with teeth -- the FDA will refuse to review your submission if cybersecurity documentation is missing or inadequate.

EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act (CRA), which entered into force on December 10, 2024, introduces horizontal mandatory cybersecurity requirements for products with digital elements placed on the EU market. While medical devices regulated under the MDR and IVDR are largely excluded from CRA requirements (to avoid regulatory overlap with sectoral frameworks that already address cybersecurity), the CRA is still relevant to the medical device industry for several reasons:

Reporting obligations begin September 11, 2026: Even for sectors with partial exclusions, vulnerability reporting requirements take effect in September 2026.
Accessories and components: Non-medical accessories, software tools, or components that are not themselves medical devices but are used in conjunction with medical devices may fall under the CRA rather than the MDR.
Supply chain implications: Medical device manufacturers who source components from suppliers of general-purpose digital products should expect those suppliers to be meeting CRA requirements, potentially affecting procurement and quality agreements.
Full obligations apply from December 11, 2027: The main obligations under the CRA will apply from this date, and manufacturers of products with digital elements must ensure cybersecurity is addressed throughout the product lifecycle.

NIS2 Directive and Healthcare

The NIS2 Directive (EU 2022/2555) classifies healthcare organizations -- including hospitals, clinics, and laboratories -- as "essential entities" subject to mandatory cybersecurity risk management and incident reporting obligations. Member States were required to transpose NIS2 into national law by October 2024, with enforcement ramping up through 2025 and 2026.

While NIS2 directly regulates healthcare organizations rather than medical device manufacturers, it has significant indirect implications:

Procurement requirements: Healthcare organizations subject to NIS2 are increasingly requiring their medical device suppliers to demonstrate robust cybersecurity capabilities as part of procurement specifications.
Incident reporting: Healthcare organizations must report cybersecurity incidents involving medical devices to national authorities, creating additional pressure on device manufacturers to ensure their products are secure and to support customers' incident response obligations.
Supply chain security: NIS2 explicitly requires essential entities to address cybersecurity risks in their supply chains, which includes medical device procurement.

Together, the CRA, NIS2, and the MDR's own cybersecurity requirements create a layered EU cybersecurity framework that medical device manufacturers must navigate. Companies selling connected devices into the EU should conduct a comprehensive mapping of which requirements apply to their products, accessories, and supply chain relationships.

Right to Repair and Device Servicing

The Servicing Debate

The question of who may service (repair, refurbish, remanufacture) medical devices has been a simmering policy issue for years, and it has intensified as the broader consumer right-to-repair movement has gained momentum.

Under existing law, the FDA distinguishes between:

Servicing: Returning a device to the safety and performance specifications established by the original equipment manufacturer (OEM). The FDA has historically exercised enforcement discretion over servicing -- it considers servicing to be outside the scope of device manufacturing and does not require servicers to register as manufacturers.
Remanufacturing: Processing, conditioning, renovating, repackaging, restoring, or any other act done to a finished device that significantly changes the device's performance or safety specifications or intended use. Remanufacturing is regulated, and remanufacturers must register with the FDA and comply with QSR/QMSR requirements.

OEM vs. Third-Party Servicing

OEMs argue that their devices are complex, safety-critical products that require OEM-trained technicians and OEM-supplied parts to maintain safe performance. They contend that third-party servicers may lack the technical expertise, quality systems, and access to proprietary documentation needed to service devices safely.

Third-party servicers and the right-to-repair movement counter that:

OEM service contracts are expensive and create anti-competitive lock-in, particularly harmful to resource-constrained hospitals and healthcare systems.
Third-party servicers have decades of experience maintaining complex medical equipment safely.
OEMs increasingly use software locks, proprietary diagnostic tools, and parts restrictions to prevent third-party servicing -- practices that drive up costs without improving safety.
The FDA's own 2018 report found "no evidence that the current statutory framework, regulatory approach, or agency practices have resulted in harm or a risk to patient safety from the servicing of medical devices by entities other than the original equipment manufacturer."

Legislative Activity

Several states have introduced or enacted right-to-repair legislation that includes or could be interpreted to include medical devices. At the federal level, no comprehensive medical device servicing bill has been enacted as of early 2026, but Congress has held hearings on the topic and it remains an active area of policy debate.

The FTC has also weighed in, issuing a 2021 report titled "Nixing the Fix" that found manufacturer restrictions on repair -- across industries, including medical devices -- harmed consumers and competition.

Drug-Device Combination Product Regulation

Regulatory Framework

Combination products -- products composed of two or more regulated components (drug/device, biologic/device, drug/biologic) -- are regulated under 21 CFR Part 3, with the lead FDA center (CDER, CBER, or CDRH) determined by the product's primary mode of action (PMOA).

PMOA	Lead Center	Examples
Drug	CDER	Pre-filled syringes, drug-eluting stents, metered-dose inhalers
Biologic	CBER	Cell therapy delivery devices, biologic-coated implants
Device	CDRH	Device with an integral drug component where the device function is primary

Recent Regulatory Developments

Combination product regulation has seen several notable developments in 2024-2026:

Current Good Manufacturing Practice (CGMP) requirements: The FDA clarified in final guidance how manufacturers should apply CGMP requirements from both the drug/biologic and device regulations to combination products, depending on the product type and lead center.
Post-market safety reporting: The FDA finalized rules consolidating post-market safety reporting requirements for combination products, reducing confusion about which reporting framework applies.
RLD designation: For generic drug-device combinations, the Reference Listed Drug (RLD) designation and the pathway for demonstrating biosimilarity/interchangeability of the device constituent part have been clarified through guidance.
Human factors and usability: The FDA has emphasized the importance of human factors studies for combination products, particularly drug delivery devices where use errors can have serious consequences.

Key Takeaway: Combination products sit at the intersection of drug, biologic, and device regulation. Early engagement with the FDA -- including requesting a pre-RFD meeting (Request for Designation) -- is essential to avoid costly regulatory pathway miscalculations.

Global Policy Trends

IMDRF Harmonization Initiatives

The International Medical Device Regulators Forum (IMDRF), successor to the Global Harmonization Task Force (GHTF), continues to drive international convergence in medical device regulation. Key active work items include:

Software as a Medical Device (SaMD): The IMDRF's SaMD framework documents have been influential globally, providing a risk-based classification approach and clinical evaluation principles adopted or referenced by multiple jurisdictions.
Unique Device Identification (UDI): IMDRF has published guidance on global UDI implementation to reduce duplication across markets.
Regulatory reliance and recognition: Work on frameworks for regulators to leverage each other's reviews and decisions, reducing duplicative effort.
Cybersecurity: Harmonized principles for pre-market and post-market cybersecurity management.
Clinical evidence for IVDs: Harmonized approaches to clinical evidence requirements.

MDSAP Expansion

The Medical Device Single Audit Program (MDSAP) allows a single quality management system audit conducted by an MDSAP-recognized auditing organization to satisfy the requirements of multiple participating regulatory authorities. As of 2026, the participating authorities are:

Australia (TGA)
Brazil (ANVISA)
Canada (Health Canada) -- mandatory since 2019
Japan (MHLW/PMDA)
United States (FDA)

The EU has observer status but has not joined as a full participant, a situation that continues to generate frustration among manufacturers who must maintain separate MDSAP and Notified Body audits for their quality systems.

MDSAP expansion to additional markets and the potential for deeper reliance by participating authorities (e.g., the FDA accepting MDSAP audit results in lieu of its own inspections in a broader range of cases) are active policy topics.

China's Medical Device Regulation

China continues to refine its medical device regulatory framework under the National Medical Products Administration (NMPA). Key developments include:

Regulations on the Supervision and Administration of Medical Devices (State Council Order No. 739): The revised regulations, effective June 2021, modernized China's device classification, registration, and post-market surveillance systems.
Unique Device Identification: China has been implementing its own UDI system, with phased requirements for different device classes.
Conditional approval pathways: China has introduced expedited pathways for innovative devices and urgently needed devices, roughly analogous to FDA's Breakthrough Device Designation.
Data localization: China's requirements for clinical data and data storage continue to present challenges for multinational manufacturers.

UK Post-Brexit Regulatory Sovereignty (UKCA Marking)

Since Brexit, the UK has been developing an independent medical device regulatory framework under the Medicines and Healthcare products Regulatory Agency (MHRA). The transition from CE marking to UKCA marking has been repeatedly delayed:

The UK government initially set a deadline of June 2023 for UKCA marking to become mandatory, then pushed it to June 2024, then to June 2025, and most recently to 2027 or later for most device types.
In practice, the MHRA continues to accept CE marking for most medical devices placed on the Great Britain market.
The MHRA has published its own regulatory roadmap, including proposals for a new classification system, post-market surveillance requirements, and Software and AI as a Medical Device regulations.
Northern Ireland continues to follow EU MDR rules under the Windsor Framework.

The repeated delays reflect the practical challenges of standing up a fully independent device regulatory system, including the need for UK Approved Bodies (the equivalent of EU Notified Bodies) and the risk that a separate UK framework would impose additional compliance costs on manufacturers selling into a relatively small market.

Innovation and Expedited Pathways

Breakthrough Device Designation

Priority review and more frequent interactions with FDA during development.
Ability to submit data on a rolling basis during the premarket review.
Senior management involvement in the review process.
Flexibility in clinical study design, including use of real-world evidence and post-market data collection.

As of early 2026, over 900 devices have received Breakthrough designation, and more than 100 have been authorized. The program has been particularly important for novel technologies in areas such as AI/ML diagnostics, gene therapy delivery devices, and neurostimulation.

Safer Technologies Program (STeP) / SNED

The FDA's Safer Technologies Program (STeP), formerly known as the Safer New or Existing Devices (SNED) program, is designed for devices that offer a safer alternative to existing treatments, even if they are not necessarily more effective. Unlike Breakthrough designation (which requires a more effective device), STeP applies to devices where the primary benefit is improved safety.

De Novo Improvements

The De Novo pathway has been increasingly streamlined and has become a critical tool for novel, low-to-moderate-risk devices. Legislative and administrative improvements include:

Direct De Novo requests (eliminating the requirement for a prior 510(k) NSE determination) per the FDA Reauthorization Act of 2017.
MDUFA V performance goals establishing 150-day review timelines for De Novo requests.
Growth in De Novo authorizations: from fewer than 20 per year before 2017 to over 40 per year by 2025.

Total Product Lifecycle Advisory Program (TAP)

TAP, established under MDUFA V, is a voluntary program that allows manufacturers to engage with the FDA on a real-time basis throughout the total product lifecycle -- from early development through post-market. The program is designed to provide more efficient and predictable interactions than the traditional pre-submission and formal meeting process.

Pathway	Eligibility	Key Benefits
Breakthrough Device	Life-threatening/irreversibly debilitating conditions; more effective treatment or diagnosis	Priority review, rolling submissions, senior management involvement
STeP (SNED)	Safer alternative to existing treatment	Priority review, flexible clinical evidence
De Novo	Novel device, low-to-moderate risk, no predicate	Creates new classification regulation; new predicate for future 510(k)s
TAP	Any device (voluntary)	Ongoing real-time FDA interaction throughout lifecycle
Priority Review	Specific qualifying criteria	Expedited review timelines

Industry Advocacy and Trade Associations

The medical device legislative landscape is shaped not only by regulators and lawmakers but also by the industry associations that represent manufacturers, laboratories, and regulatory professionals. Understanding who these organizations are and how they influence policy is essential for anyone involved in the regulatory space.

AdvaMed (Advanced Medical Technology Association)

AdvaMed is the largest medical device trade association in the United States, representing over 400 member companies ranging from large multinationals to small startups. AdvaMed plays a central role in MDUFA negotiations, legislative advocacy (including VALID Act debates), and FDA policy engagement. Its annual MedTech Conference is one of the largest industry gatherings globally.

MedTech Europe

MedTech Europe represents the European medical technology industry, including both medical device and IVD manufacturers. The association has been a leading voice on MDR/IVDR implementation challenges, Notified Body capacity, and the need for legislative amendments to prevent device shortages.

APACMed (Asia Pacific Medical Technology Association)

APACMed represents the medical device industry across the Asia-Pacific region, advocating for harmonized regulatory standards and policies that facilitate market access while maintaining patient safety. APACMed has been instrumental in promoting MDSAP adoption and IMDRF alignment in the region.

RAPS (Regulatory Affairs Professionals Society)

RAPS is a professional society for individuals working in regulatory affairs across the healthcare product sectors. While not a trade association or lobbying group, RAPS plays an important role in education, professional development, and convening stakeholders. Its Regulatory Focus publication is a widely read source of regulatory intelligence.

Other Important Organizations

ACLA (American Clinical Laboratory Association): Key voice in the LDT/VALID Act debate.
CAP (College of American Pathologists): Represents pathologists; influential on diagnostic regulation.
MDMA (Medical Device Manufacturers Association): Represents smaller and mid-size device companies; often takes positions distinct from AdvaMed.
AAMI (Association for the Advancement of Medical Instrumentation): Standards development organization; publishes consensus standards used by the FDA.

The FDA in 2025-2026: Political and Institutional Upheaval

Leadership Changes and HHS Reorganization

The political landscape for medical device regulation has undergone dramatic shifts since early 2025. Following the start of the new Trump administration, the Department of Health and Human Services (HHS) underwent a sweeping reorganization under Secretary Robert F. Kennedy Jr. Dr. Marty Makary was confirmed as FDA Commissioner in March 2025, bringing a leadership philosophy that emphasizes scientific rigor, deregulation of low-risk products, and modernization of the agency's approach to innovation.

FDA Workforce Reductions

The HHS reorganization included significant FDA workforce reductions. Approximately 1,900 employees were affected by reductions in force, with an additional 1,200 or more accepting early retirement packages. Commissioner Makary has stated that no scientific reviewers or inspectors were cut, and that the reductions focused on administrative functions -- HR, contracts and budget, communications (reduced from approximately 380 to 160 positions), travel coordination, and duplicative strategy offices.

However, the workforce cuts have raised concerns among Congressional overseers and industry stakeholders about the FDA's capacity to maintain its review timelines and inspection schedules. The Senate Appropriations Committee has questioned whether the cuts were based on adequate analysis of mission-critical staffing needs. While Commissioner Makary has repeatedly stated that "the trains are running on time" and that all PDUFA and MDUFA performance targets remain on track, the long-term effects on institutional capacity remain a point of debate.

The broader concern for the medical device industry is whether these structural changes will affect FDA's ability to handle the increasing complexity and volume of submissions -- particularly as AI/ML-enabled devices, combination products, and digital health technologies continue to grow. Companies should monitor whether FDA review timelines remain consistent with MDUFA V performance goals and plan for potential variability.

Deregulatory Signals in Digital Health

Commissioner Makary has signaled a distinctly pro-innovation, deregulatory posture for digital health and software products. In January 2026 remarks at the Consumer Electronics Show (CES), he stated that the FDA needs to move at "the speed of Silicon Valley" and announced plans to reduce the number of digital health and software-related guidance documents by 50% or more, consolidating the approximately 27 existing guidances into fewer, clearer documents.

At the same time, Commissioner Makary drew a clear line: products that claim to be "medical grade" will be held to full FDA review and compliance requirements. The message to industry is that the FDA wants a "clear lane" for consumer wellness products that does not require FDA oversight, alongside robust regulation of products that make clinical claims.

2026 Digital Health Policy Developments

Updated General Wellness Guidance (January 2026)

On January 6, 2026, the FDA issued a revised final guidance, "General Wellness: Policy for Low Risk Devices," superseding the 2019 version. The updated guidance significantly expands the category of products that may qualify for enforcement discretion and be marketed without FDA premarket review.

The most significant change concerns products that sense, estimate, infer, or output physiologic parameters such as blood pressure, oxygen saturation, blood glucose, and heart rate variability. The 2019 guidance was silent on these products; the 2026 update clarifies that such products may be considered general wellness products if they meet specific conditions:

Non-invasive and not implanted
No higher-risk intervention or technology
Not intended for disease diagnosis or treatment
Not intended to substitute for an FDA-authorized device
No functionality or outputs prompting specific clinical action or medical management
No clinically mimicking values unless appropriately validated

The guidance also clarifies that products may inform users to consult a healthcare professional when outputs fall outside normal thresholds and still qualify as general wellness products, as long as the alerts do not constitute ongoing monitoring or specific treatment recommendations.

Updated Clinical Decision Support (CDS) Guidance (January 2026)

On the same day, the FDA also issued revised guidance on Clinical Decision Support Software, superseding the 2022 version. The CDS guidance clarifies the scope of the statutory exemption under Section 520(o)(1)(E) of the FD&C Act, which excludes certain CDS software from the definition of a medical device if it meets all four statutory criteria.

Key changes in the 2026 CDS guidance:

Single clinically appropriate recommendation: Previously, the FDA considered CDS software that provided a single treatment recommendation as failing Criterion 3 (which requires that the software enable the healthcare professional to independently review the basis for the recommendation). The 2026 guidance recognizes that there is sometimes only one clinically appropriate recommendation, and introduces enforcement discretion for such CDS products, provided all other criteria are met.
Risk probability scores: The guidance now recognizes that risk probability scores may represent cases where there is only one clinically reasonable output, potentially qualifying for enforcement discretion.
Automation and time sensitivity: Analysis of automation level and time-critical decision-making has been moved from Criterion 3 to Criterion 4, reflecting a more nuanced assessment of whether software allows clinicians to independently review its output.
Transparency emphasis: Greater emphasis on transparency regarding data inputs, underlying logic, and how recommendations are generated -- particularly for algorithmic or AI-driven CDS.

TEMPO Pilot for Digital Health Devices

In December 2025, the FDA announced the Technology-Enabled Meaningful Patient Outcomes (TEMPO) for Digital Health Devices Pilot, launched in connection with the CMS Center for Medicare and Medicaid Innovation (CMMI) ACCESS (Advancing Chronic Care with Effective, Scalable Solutions) model. The TEMPO pilot, which began accepting statements of interest on January 2, 2026, is a voluntary program that evaluates a new, risk-based enforcement approach for digital health devices.

Key features of the TEMPO pilot:

Clinical focus areas: The pilot targets digital health devices intended to improve outcomes in four clinical areas: cardio-kidney-metabolic conditions, musculoskeletal conditions, behavioral health, and a fourth to be determined.
Enforcement discretion: For devices not yet authorized for the proposed intended use, manufacturers may request that the FDA exercise enforcement discretion while participating in the pilot.
Up to 10 manufacturers per clinical area: The FDA plans to select a limited number of participants.
Real-world data collection: Participants will collect real-world data on device performance and patient outcomes.
Connection to TAP: The pilot builds on lessons from the Total Product Lifecycle Advisory Program (TAP), emphasizing early engagement and "sprint" discussions.

The TEMPO pilot is part of the FDA's broader "Home as a Health Care Hub" initiative, aiming to expand access to digital health technologies that can be used safely and effectively in home settings.

Key Takeaway: The combination of the updated General Wellness guidance, the revised CDS guidance, and the TEMPO pilot represents a significant shift in the FDA's digital health posture under Commissioner Makary's leadership. Companies developing wearables, wellness software, and CDS tools should carefully reassess their regulatory classification in light of these changes -- some products that previously required FDA authorization may now qualify for enforcement discretion.

Tariffs, Supply Chain, and Reshoring

The Tariff Landscape for Medical Devices

Trade policy has become a defining factor for the medical device industry in 2025-2026. Tariffs on medical devices and components imported from China reached 145% in 2025, creating significant cost pressures across the industry. Johnson & Johnson projected that tariffs would cost its MedTech division $400 million in a single year.

The impact extends beyond direct cost increases:

Supply chain disruption: Approximately 13% of overseas-manufactured medical devices currently originate from China, according to GlobalData. Tariffs at these levels have forced manufacturers to rapidly evaluate alternative sourcing and manufacturing strategies.
Reshoring momentum: More than $100 billion in reshoring commitments have been announced in the medical device and broader healthcare manufacturing sector. New manufacturing capacity is being built in locations including North Carolina, Costa Rica, and Japan.
Small manufacturer vulnerability: Smaller device companies with less diversified supply chains have been disproportionately affected, as they often lack the negotiating leverage or capital to rapidly shift production.

China's Response

China announced tariff reductions on certain medical products effective January 2026, lowering duties on items including artificial blood vessels (from 4% to 2%), diagnostic reagent kits for certain infectious diseases (from 3% to zero), and specialized bearings for medical equipment (from 8% to 4%). However, it remains unclear whether these reductions will significantly restore China's position as a medical device manufacturing hub, given the scale of tariffs imposed by the U.S. and the competitive alternatives that have emerged.

Legislative and Policy Implications

Several legislative proposals related to medical device supply chain resilience have been introduced or discussed in Congress:

Domestic manufacturing incentives: Tax credits and grant programs to encourage reshoring of critical medical device manufacturing.
Supply chain transparency: Proposals requiring manufacturers to disclose the country of origin for medical device components and raw materials.
Strategic stockpiling: Continued support for domestic reserves of critical medical supplies.
Trade agreements: Negotiations around medical device tariff exclusions for products where no domestic manufacturing alternative exists.

Key Takeaway: The tariff environment has fundamentally reshaped medical device supply chains. Manufacturers who were heavily dependent on Chinese manufacturing are being forced to diversify, and supply chain strategy has moved from a back-office procurement function to a C-suite priority. Companies should conduct tariff impact assessments and develop multi-source procurement strategies as a matter of urgency.

What's Coming Next: The 2026-2028 Policy Outlook

Anticipated Legislative Activity

The next two years will be critical for medical device policy. Key items on the horizon include:

MDUFA VI reauthorization (2027): The single most consequential legislative event for the U.S. device industry. Negotiations are already underway, and the final package will determine FDA review timelines, user fee levels, and programmatic commitments for FY2028-FY2032.

VALID Act or successor LDT legislation: With the FDA's administrative LDT rule vacated and rescinded, the path to LDT oversight now runs exclusively through Congress. The VALID Act or successor legislation could be reintroduced in the 119th Congress or incorporated into the MDUFA VI reauthorization package. Some commentators have suggested that LDT provisions could be part of a broader "21st Century Cures 2.0" legislative initiative. The clinical laboratory community remains divided, with ACLA and ASCP opposing FDA-centric approaches while AdvaMed's diagnostics division and patient advocacy groups continue to push for oversight reform.

AI/ML legislation: As AI/ML-enabled devices proliferate, there is growing pressure for Congress to provide explicit statutory authority for the FDA's PCCP framework and to address broader questions about AI transparency, liability, and oversight. The EU AI Act's implementation will also create pressure for U.S. legislative action.

Post-market surveillance reform: The 2025-2026 period has seen increasing attention to the FDA's post-market surveillance capabilities, particularly for high-risk implantable devices. Legislative proposals to expand mandatory post-market studies and improve adverse event reporting systems are circulating.

Drug-device combination product reform: Ongoing discussions about streamlining the combination product regulatory framework, including clearer guidance on PMOA determinations and lead center assignments.

Key Areas to Watch

Real-world evidence: The FDA's continued development of frameworks for using RWE in device regulatory decisions, including potential expansion to support 510(k) clearances and PMA approvals.
Health equity and diversity in clinical trials: Growing regulatory and legislative attention to ensuring that device clinical evidence reflects the diversity of the patient population.
Supply chain resilience: Post-pandemic attention to medical device supply chain vulnerabilities, including potential legislative requirements for supply chain transparency and domestic manufacturing incentives.
Environmental sustainability: Emerging policy interest in the environmental impact of single-use medical devices, including potential legislation encouraging reusable alternatives and sustainable manufacturing.
Decentralized clinical trials: The shift toward decentralized and hybrid clinical trial designs for medical devices, supported by FDA guidance and potentially by future legislation.
FDA institutional stability: Whether workforce reductions and HHS reorganization affect the FDA's ability to meet MDUFA performance goals and maintain inspection schedules. The outcome will directly influence MDUFA VI negotiations.
Digital health regulatory consolidation: Commissioner Makary's stated goal of reducing the number of digital health guidances by 50% or more, and the results of the TEMPO pilot, will shape the regulatory landscape for software and AI-enabled products.
Tariffs and supply chain reshoring: The ongoing impact of tariffs on Chinese medical device imports and the pace of domestic manufacturing reshoring will affect costs, availability, and competitive dynamics across the industry.
EUDAMED full implementation: Beyond the four modules mandatory from May 2026, remaining EUDAMED modules (including clinical investigations and vigilance) will continue to be developed and deployed, progressively increasing transparency requirements in the EU.

How to Stay Informed and Engaged

Regulatory professionals who want to influence policy -- or at least avoid being blindsided by it -- should:

Monitor Federal Register notices: The FDA publishes proposed rules, final rules, and guidance documents in the Federal Register. Subscribe to relevant categories.
Track Congressional activity: The Congressional Research Service (CRS) publishes reports on pending device legislation. The FDA-related committees (Senate HELP, House Energy and Commerce) publish hearing schedules and mark-up calendars.
Submit public comments: The FDA and other agencies are required to consider public comments on proposed rules and draft guidance. Substantive, data-driven comments are read and can influence final policy.
Engage with trade associations: AdvaMed, MedTech Europe, and RAPS provide regulatory intelligence, host working groups, and coordinate industry positions on pending legislation.
Attend FDA public workshops and advisory committee meetings: These are valuable opportunities to hear FDA thinking, ask questions, and provide input.
Monitor IMDRF publications: For global manufacturers, IMDRF documents signal the direction of international harmonization.

Key Takeaway: The pace of legislative and regulatory change in the medical device sector is accelerating. Companies that treat regulatory affairs as a purely reactive compliance function will be at a disadvantage compared to those that proactively monitor, analyze, and engage with the policy environment.

Frequently Asked Questions

What is the most important piece of medical device legislation currently in effect in the United States?

The Federal Food, Drug, and Cosmetic Act (FD&C Act), as amended, is the foundational statute. All FDA authority over medical devices derives from this law. Within it, the most consequential sections for device manufacturers are Section 510(k) (premarket notification), Section 513 (classification), Section 515 (premarket approval), Section 515B (Breakthrough Devices), and Section 524B (cybersecurity). The current MDUFA V reauthorization (part of the FDA User Fee Reauthorization Act of 2022) governs the fee structure and review timelines through FY2027.

What is the VALID Act and has it been enacted?

The VALID Act (Verifying Accurate Leading-edge IVCT Development Act) is proposed legislation that would create a new regulatory framework for in vitro clinical tests (IVCTs), including laboratory-developed tests (LDTs). As of March 2026, the VALID Act has not been enacted into law and has not been reintroduced in the 119th Congress. The FDA's separate administrative attempt to regulate LDTs through a 2024 final rule was vacated by a federal court in March 2025, and the FDA formally rescinded the rule in September 2025 after declining to appeal. The status quo -- FDA enforcement discretion for LDTs, with CLIA as the governing framework -- has been restored. However, legislative action through the VALID Act or successor legislation remains possible, particularly as a potential rider on the MDUFA VI reauthorization package.

When did the QMSR compliance date take effect, and what changed?

The QMSR compliance date was February 2, 2026. The QMSR replaces the legacy Quality System Regulation (21 CFR Part 820) with a framework that incorporates ISO 13485:2016 by reference. Manufacturers must now comply with ISO 13485 as incorporated into the QMSR, plus FDA-specific supplementary requirements for complaint handling, medical device reporting, corrections and removals, and unique device identification. Companies already certified to ISO 13485 had a relatively straightforward transition; those operating solely under the old QSR needed more substantial system updates.

What are the current EU MDR transition deadlines?

As amended by Regulation (EU) 2023/607, the transition deadlines for devices with valid MDD/AIMD certificates are December 31, 2027 (for Class III and Class IIb implantable devices) and December 31, 2028 (for Class IIb non-implantable, Class IIa, and Class I devices requiring Notified Body involvement). These deadlines are contingent on manufacturers having applied to a Notified Body for MDR certification and having begun implementing MDR-compliant quality management systems.

How does the EU AI Act affect medical device manufacturers?

Medical devices and IVDs regulated under the EU MDR or IVDR are classified as "high-risk AI systems" under the AI Act. However, the AI Act largely defers to the MDR/IVDR for conformity assessment. Manufacturers must meet AI Act requirements -- including data governance, transparency, human oversight, and post-market monitoring provisions -- but can do so through the existing MDR/IVDR Notified Body process. The AI Act is being implemented in phases, with full application expected by 2027.

What cybersecurity documentation does the FDA now require for premarket submissions?

Since October 1, 2023, the FDA has implemented a refuse-to-accept policy for "cyber devices" -- devices that include software, can connect to the internet, and could be vulnerable to cybersecurity threats. Required documentation includes a cybersecurity risk assessment, threat model, security architecture documentation, Software Bill of Materials (SBOM), cybersecurity testing documentation (including penetration testing), vulnerability management plan, and patch/update plan. Submissions lacking this documentation will be refused before substantive review begins.

What is the Breakthrough Device Designation and how do manufacturers obtain it?

The Breakthrough Device Designation (Section 515B of the FD&C Act) is available for devices that provide more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. Manufacturers submit a Breakthrough designation request to the relevant FDA review division, providing evidence that the device meets the statutory criteria. Benefits include priority review, rolling submission, senior management involvement, and flexibility in clinical study design. Over 900 devices have received Breakthrough designation as of early 2026.

How does MDSAP work, and which countries participate?

The Medical Device Single Audit Program (MDSAP) allows a single quality management system audit by an MDSAP-recognized auditing organization to satisfy the regulatory requirements of all participating authorities. Current participants are Australia (TGA), Brazil (ANVISA), Canada (Health Canada), Japan (MHLW/PMDA), and the United States (FDA). Canada has made MDSAP mandatory since January 2019. The EU has observer status but has not joined as a full participant. MDSAP reduces audit burden for manufacturers selling into multiple markets, though it does not eliminate the need for market-specific regulatory submissions.

What should manufacturers be doing now to prepare for MDUFA VI?

Manufacturers should monitor the MDUFA VI negotiation process through AdvaMed, MDMA, and FDA public communications. The key actions are: participate in public meetings and stakeholder consultations when announced; provide input on review timeline goals and fee structure through trade association channels; assess how current MDUFA V performance goals are affecting your submission timelines and document any issues; and plan for potential changes in fee levels that may take effect in FY2028. Companies with specific policy priorities -- such as expanded third-party review, AI/ML review capacity, or real-world evidence integration -- should engage with their trade associations to ensure those priorities are represented in negotiations.

Conclusion

The legislative and policy landscape for medical devices is more dynamic in 2026 than at any point in the industry's history. The U.S. framework continues to evolve through MDUFA reauthorizations, the VALID Act debate, QMSR implementation, and new cybersecurity requirements. The EU is grappling with the largest regulatory transition in the history of its medtech sector, with MDR/IVDR implementation challenges that will persist for years. Globally, the rise of AI/ML-enabled devices, international harmonization efforts through IMDRF and MDSAP, and the emergence of new regulatory powers like China's NMPA are reshaping the competitive landscape.

For regulatory affairs professionals, the imperative is clear: policy literacy is not optional. Understanding the legislative framework -- not just the regulations that flow from it -- is essential for strategic planning, resource allocation, and risk management. The companies that thrive in this environment will be those that treat regulatory policy as a strategic function, engaging proactively with the legislative process rather than simply reacting to the rules that emerge from it.