
Navigating the Regulatory Landscape for Implantable Medical Devices

Implantable medical devices face the highest level of scrutiny in healthcare regulation, and for good reason. Their direct and often long-term interaction with the human body means safety, performance, and clinical benefit must be carefully demonstrated. For manufacturers, success is not only about innovation and technology, but also about understanding and managing complex regulatory requirements under frameworks such as EU MDR and FDA regulations.

Companies developing implantable medical devices must deal with different regional requirements. A one-size-fits-all approach rarely works, and in many cases a flexible regulatory strategy is the best solution.

Regulatory strategy should not be treated as something handled only at the end of development. For implantable devices, it needs to be part of the product development process from the beginning. Decisions made early in design can directly affect classification, clinical evidence requirements, testing needs, and time-to-market.

How MDR and FDA Define Implantable Devices

According to MDR Chapter I Article 2, an implantable device is a device intended to be:

  • totally introduced into the human body, or
  • used to replace an epithelial surface or the surface of the eye

through clinical intervention and intended to remain in place after the procedure.

This also includes devices that are partially or fully absorbed by the body, and devices partially introduced into the human body and intended to remain in place for at least 30 days.

According to the FDA (21 C.F.R. § 860.3), a device placed into a surgically or naturally formed cavity of the human body and intended to remain there continuously for 30 days or more is considered an implant.

These definitions are important because they directly affect device classification and the regulatory requirements that apply.

A Higher Bar for Safety and Performance

The risk-based classification system for medical devices in both the US and the EU includes three main risk classes (I, II and III), with the EU further splitting Class II into IIa and IIb. The classification of an implantable medical device depends on factors such as how invasive the device is, what it is intended to do, and how long it remains in the body. For example, a surgically invasive device intended to administer medicinal products for long-term use (over 30 days) is generally classified as Class III.

Because of this higher risk classification, manufacturers of implantable medical devices are expected to provide extensive clinical evidence, robust risk management, and long-term safety data. Manufacturers must demonstrate the safety, performance, and clinical benefit of the device using reliable clinical and technical data. For many novel implantable devices, clinical investigations are difficult to avoid.

MDR and Its Practical Implications

The requirements set out in MDR for implantable devices are particularly rigorous:

Clinical evaluation under MDR is a continuous process and often requires clinical investigations to generate sufficient evidence.

Post-Market Clinical Follow-up (PMCF): PMCF is a mandatory part of MDR compliance for implantable devices.

Manufacturers are expected to continuously collect and evaluate real-world data to confirm:

  • long-term safety
  • continued performance
  • acceptability of remaining risks

This is especially important for implantable devices because some issues may only become visible after years of use.

Summary of Safety and Clinical Performance (SSCP): Certain implantable devices require an SSCP document.

This document is intended for healthcare professionals and, when relevant, patients. It is made publicly available through EUDAMED.

Traceability: Information allowing the identification of the device must be provided for the patient on an implant card delivered with the device. This entails implementing and maintaining Unique Device Identification (UDI) systems.

Technical Documentation: Deep, clearly structured, and consistently updated.

The role of Notified Bodies has become more stringent, with increased scrutiny on technical documentation and quality management systems. Additionally, the period for which the documentation of implantable devices must remain available for competent authorities is at least 15 years after the last device has been placed on the market.

The US Approach: FDA and Premarket Approval for Implantable Devices

In the United States, implantable devices typically require Premarket Approval (PMA) from the FDA. This pathway demands extensive clinical data, often generated through Investigational Device Exemption (IDE) studies.

The FDA places strong focus on:

  • benefit-risk analysis
  • scientific validity
  • manufacturing controls
  • software validation
  • cybersecurity
  • long-term safety

While the FDA process is demanding, it can sometimes be more predictable when manufacturers communicate with the agency early during development.

Programs such as the Breakthrough Devices Program can accelerate timelines for qualifying technologies, but they do not reduce the burden of evidence.

Risk Management as a Continuous Process

Risk management for medical devices is a regulatory requirement in all major markets.

The MDR requires manufacturers to perform a benefit-risk analysis for each individual risk and for the overall residual risk of the device. The FDA requires a benefit-risk analysis to be submitted in the premarket submission for Class III devices.

Standards such as ISO 14971 highlight the importance of continuous risk management throughout the full lifecycle of the device.

This is especially crucial for implantable devices, where long-term performance and rare adverse events may only be revealed over time. Effective risk management systems include clinical data, user feedback and vigilance reporting as part of an integrated process.

The Aspects of Usability and Human Factors

Even highly advanced implants can fail if the implantation procedure, user interface, or supporting tools are difficult to use.

Because of this, human factors and usability engineering have become an important part of regulatory expectations.

Authorities increasingly expect usability validation studies, especially for devices involving:

  • complex implantation procedures
  • software interfaces
  • programming functions
  • user-dependent workflows

Cybersecurity and Connected Implantable Devices

Modern implantable devices that are connected for monitoring, updates, or data transmission require regulatory considerations around cybersecurity and data protection.

This also means cybersecurity requirements have become more important under both MDR and FDA frameworks.

Manufacturers are expected to address:

  • cybersecurity risks
  • secure software development
  • threat management
  • authentication controls
  • update mechanisms

For implantable devices, cybersecurity can be particularly challenging because software updates may not always be straightforward after implantation.

Building a Practical Regulatory Strategy

Successful regulatory strategy for implantable devices usually requires:

  • early planning
  • collaboration between teams
  • scalable documentation systems
  • continuous collection of clinical and post-market data

A proactive and practical regulatory approach supports compliance, helps avoid delays, improves patient safety, and supports long-term product success.

At Nometech Oy, we support medical device companies with MDR and FDA regulatory strategy, technical documentation, risk management, clinical evaluation support, and quality management systems for implantable and other high-risk medical devices.

How Can Nometech Help You?

Implantable medical devices often require extensive regulatory planning already in the early stages of development. In practice, many of the biggest challenges are related to clinical evidence, risk management, technical documentation, usability, and understanding how MDR and FDA expectations differ from each other.

At Nometech Oy, we support medical device companies with practical regulatory and quality work related to implantable and other high-risk medical devices. This can include MDR and FDA regulatory strategy, technical documentation support, ISO 14971 risk management, clinical evaluation support, post-market activities, and quality management systems.

Contact us and let's talk more.