How to determine regulatory requirements according to ISO 13485:2016

Whether or not your organization has implemented ISO 13485, complying with regulatory requirements is critical to production and service delivery in the medical device industry. If you want your business to be successful, you need to understand the regulatory requirements that pertain to your product and/or service. Such regulations ensure the safety and effectiveness of medical devices, and although some requirements may be seen as a burden, they are in the best interest of both customers and suppliers.

Where do regulatory requirements come from?

ISO 13485:2016 covers regulatory requirements in the same breath as customer requirements right from the start. Clause 0.2 Clarification of Concept states: “When the term ‘regulatory requirements’ is used, it encompasses requirements contained in any law applicable to the user of this International Standard (e.g. statutes, regulations, ordinances or directives). The application of the term ‘regulatory requirements’ is limited to requirements.”


The reason for this is the impact that regulatory requirements have on an organization’s ability to provide its products or services. The standard requires the organization to determine which regulatory requirements are relevant to its Quality Management System (QMS), and the effects they can have on the QMS.

Regulatory bodies set requirements pertaining to various aspects of the medical device industry, including product and service provision, utilization of raw materials, communication with customers, and other elements of a company’s operations. A lack of compliance, whether knowingly or not, can result in serious consequences—not the least of which are expensive fines and injury or death to a patient.

Almost everyone in the industry understands the importance of these regulations, but it can sometimes be difficult to identify all applicable requirements. Generally speaking, you need to investigate the regulatory authorities in your own country, as well as those in any countries to which you provide products or services. Let’s look in more detail at which groups you need to pay attention to when trying to identify regulatory requirements:

  • Regulatory bodies: Every nation has a regulatory body that oversees the medical device industry. For example, in the United States, the Food and Drug Administration (FDA) regulates medical device manufacturers and service providers. Companies providing medical device products or services must meet the requirements set forth in FDA 21 CFR section 820, or the FDA will revoke the company’s license to operate in the United States.
  • Acts or directives: In some countries, Acts or Directives regulate the provision of medical devices and services. One such Directive is the European Commission’s Medical Device Directive (Council Directive 93/42/EEC), which sets requirements related to expected levels of durability and performance in medical devices in Europe. Like the regulatory requirements mentioned above, there can be high costs associated with failure to comply with Acts and Directives.
  • Medical device statutory instruments: Some countries also have statutory instruments regulating the medical device industry. In Ireland, this is statutory instrument No. 252/1994 – European Communities (Medical Devices) Regulations, 1994, and all manufacturers and suppliers of medical devices in Ireland must also comply with these requirements.

What is the correlation between regulatory requirements and ISO 13485?

Certification according to ISO 13485, as with any other international standard, shows stakeholders and interested parties that an organization goes over and above applicable legal requirements, holding itself to a higher standard. A company cannot be compliant with the standard if it does not meet regulatory requirements.

ISO 13485:2016 includes a handful of requirements that deal with the knowledge you should have gained while identifying applicable regulatory requirements. After all, you will have to understand such requirements in order to carry out your QMS processes properly. Some of these requirements include:

  • Section 4.1.1 states that the QMS must include the requirements for roles undertaken by the organization for applicable regulatory bodies.
  • Section 8.2.3 says that advisory notices must be made available to applicable regulatory bodies as appropriate.
  • According to Section 7.5.9.1, traceability of measurement must be maintained according to the needs of relevant regulatory bodies.
  • Section 7.2.2 states that requirements for products and services should include requirements from applicable regulatory bodies.
  • Sections 7.3.3, 7.3.7 & 7.3.9 require the design and development process to consider the requirements of regulatory bodies, such as the level of control that is expected in the process.
  • Sections 5.6.2 & 5.6.3 state that management review must include reports to regulatory bodies as inputs; and, as outputs, any necessary changes in response to new or changing issues with regard to relevant regulatory bodies.

A properly planned QMS includes relevant regulatory requirements

The first step along your path of ISO 13485 implementation, and becoming more competitive in your market, is understanding and complying with regulatory requirements. By doing so, your company will be well equipped to provide safe products and services, and prevent the problems (and penalties) associated with noncompliance. The ISO 13485:2016 standard gives you a solid foundation for identifying applicable regulatory requirements, and assessing your organization’s level of compliance. Now, that’s in everyone’s best interest.
