ISO 13485 and Beyond: Key Updates Shaping the Medical Device Regulatory Landscape

Stuart Moran | Senior Consultant at URM | Published on 24 November 2025
SUMMARY

In this blog, we explore the evolving regulatory landscape for medical devices, highlighting the role of harmonised standards and the concept of ‘state of the art’.  We review key updates to international standards such as ISO 13485, ISO 14971, and IEC 62304, as well as emerging guidance on cybersecurity and artificial intelligence (AI) integration.  The blog also examines major regulatory changes, including the EU AI Act and the Food and Drug Administration’s (FDA’s) move to harmonise with ISO 13485, providing insights into what manufacturers need to know to stay compliant and competitive.

The medical device landscape is heavily regulated across all jurisdictions, supported by a range of international mandatory and guidance standards produced by international bodies such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).  These standards govern the design, development, maintenance, support and servicing of devices across the risk spectrum, from high-risk active implantable medical devices (AIMD) such as cardiac pacemakers and implantable drug pumps, to lower risk devices such as spectacles, bandages and some wheelchairs.

Harmonised Standards and ‘State of the Art’

Within the European regulatory environment, standards that have been ‘harmonised’ provide a ‘presumption of conformity’ with the General Safety and Performance Requirements (GSPRs), which are a set of mandatory criteria medical devices must meet in order to be sold in the EU.  This means that manufacturers who align with these harmonised standards are able to demonstrate that they meet the GSPRs without having to prove their compliance through other, more complex means.

However, the time taken between a standard’s publication and its harmonisation is often lengthy, with the process frequently spanning a number of years.  During this period, advances in knowledge, technology and accepted ‘state of the art’ (not necessarily the most advanced technology available, but the developed stage of technical capability and/or accepted clinical practice based on the findings of science, technology, and experience) inevitably occur.  In fact, the Medical Device Coordination Group (MDCG) guidance document MDCG 2021-5 Guidance on standardisation for medical devices (Section 3.5) references the use of the most recent published standards that have not yet been harmonised as reflecting the ‘state of the art’.  As such, it can be argued that manufacturers should consider a published standard that represents ‘state of the art’ for use within the design, development and management of their medical device, due to the protracted and lengthy process of a new standard gaining harmonisation status.

Standards, Guidance and Regulatory Updates

A number of standards, guidance documents and regulations have been, or are in the process of being, developed or updated.  It is essential for organisations operating within the medical device space to remain informed about evolving standards and guidance, since updates to these documents reflect the latest technical and clinical best practice that manufacturers should consider, even before harmonisation occurs.

ISO 13485:2016 – Medical devices — Quality management systems — Requirements for regulatory purposes

ISO 13485 was last reviewed and confirmed in 2020.  ISO operates a five-year review cycle for standards, and this Standard is currently designated as ‘under review’.  Changes related to the new ISO Harmonized Structure (including a focus on climate change), which have already been implemented for other management system standards, may be considered at the next ISO 13485 review in 2026.  Additionally, the integration of new technologies such as AI into medical devices may lead to future amendments or new editions of ISO 13485.

ISO 14971:2019 – Medical devices — Application of risk management to medical devices

ISO 14971 was last reviewed and confirmed in March 2025 with no changes, and is expected to be reviewed again in five years.

IEC 62304:2006/AMD1:2015 – Medical device software — Software life cycle processes

The set of processes, activities and tasks described in this Standard establishes a common framework for medical device software life cycle processes.  IEC 62304 applies to the development and maintenance of medical device software, including:

  • Software that’s part of a medical device (SiMD)
  • Software embedded in health hardware (SiMD)
  • Software as a Medical Device (SaMD)
  • Software-only products for health management or care delivery (SaMD)
  • Health software powered by AI and machine learning.

IEC 62304 has been under review for some time, and the updated edition has been expected for a number of years.  It is currently understood that the updated version will be published in September 2026.

The updated version is expected to include:

  • The introduction of ‘software process rigour levels’, replacing the current safety classifications: Class A maps to a low rigour level, and Classes B and C to a high rigour level.
  • Revisions to requirements related to development plans, requirements analysis and architecture design.
  • Updates to risk management requirements, aligned to the new rigour levels, and simplifying the classification of software.
  • Updates to the maintenance process definitions to assist organisations in better monitoring, updating, and managing products throughout their lifecycle.
  • The removal of the general requirements for a quality management system in Clause 4.1, with organisations instead needing to rely on a wider QMS to deal with the quality aspects of their products more broadly.  This may include using ISO 13485 as the QMS reference Standard.
  • An annex specifying how updates to IEC 62304 need to be managed for legacy software, including reviewing the software development plan and ensuring compliance with the updated guidance.
  • Additional requirements in Clause 5.1 – Software development planning that relate to AI planning.  This will include AI process planning, documentation and performance evaluation planning.

Most changes outside of these areas appear to be rewording, with the text now focusing on the new rigour levels rather than the current classifications.  IEC has published a more detailed breakdown in SC62A/MT49/N0166 – 2304 2nd Edition Change Rationales, which is publicly available.

IEC 81001-5-1:2021 - Health software and health IT systems safety, effectiveness and security Part 5-1: Security — Activities in the product life cycle

This Standard is in the process of being harmonised by the EU; however, the deadline for this and other critical standards has now been shifted to 27 May 2028.

In the USA, IEC 81001-5-1 has been recognised by the FDA as a consensus standard since 2022, and the FDA’s latest cybersecurity guidance also recommends adopting this Standard as a framework for secure product development and maintenance.

IEC 81001-5-1 specifies the life cycle requirements for the development and maintenance of health software. It defines the processes, activities, and tasks establishing a common framework for secure health software life cycle processes, with the aim of increasing the cybersecurity of health software.

European Union’s Artificial Intelligence Act 2024/1689

The EU AI Act presents both opportunities and challenges to the medical device industry.  The Act applies generally from 2 August 2026; however, the obligations for high-risk AI systems that are products, or safety components of products, already covered by EU harmonisation legislation (which includes medical devices under the MDR) apply one year later, on 2 August 2027.

The Act defines a set of prohibited AI practices, which are banned because they present an unacceptable level of risk; some of these prohibitions will be relevant to AI used in, or as, medical devices.

The Act requires a risk-based classification of AI systems.  While some medical applications, such as administrative tasks, may not fall under the high-risk category, many will.  The stricter requirements for high-risk AI include third-party conformity assessment, a risk management system, post-market monitoring and transparency obligations.

There are some discrepancies between the requirements of the AI Act and the EU Medical Device Regulation (MDR), including around alignment of risk classifications, how software updates are managed (the MDR uses the concept of significant modification whereas the AI Act adopts a managed evolution approach) and in transparency obligations.  Additionally, bias mitigation is treated differently; the AI Act explicitly requires manufacturers to identify and correct algorithmic biases and, while the MDR addresses clinical safety and effectiveness from a broader perspective, it does not impose explicit bias control requirements for AI.

Although the first compliance date for the AI Act is several months away, it is recommended that any device manufacturer currently using, or considering using, AI in or as a medical device assesses the implications for its development life cycle and its regulatory compliance requirements as early as possible.

FDA 21 CFR PART 820 - Quality System Regulation (QSR)

The QSR is being revised to incorporate ISO 13485:2016 by reference through the new Quality Management System Regulation (QMSR), which comes into effect on 2 February 2026.  The change will bring FDA medical device quality requirements in line with the international consensus standard.

The harmonisation includes the adoption of terms such as ‘top management’, and the strengthening of requirements for traceability and risk management.

Closing Thoughts

The regulatory landscape for medical devices continues to develop rapidly.  Staying informed about updates to standards, emerging guidance, and new regulations is essential for manufacturers to maintain compliance and align with the latest ‘state of the art’.  Proactive engagement with these changes will not only support regulatory conformity but also enhance product quality, patient safety, and market competitiveness.

How URM Can Help

If your organisation is looking to conform or certify to ISO 13485, URM can provide ISO 13485 consultancy services to assist with all aspects of implementation and maintenance of your medical device quality management system (MDQMS).  If you are at an early stage in the implementation process, one of URM’s ISO 13485 consultants can conduct a gap analysis to determine the current maturity and efficacy of your medical device quality framework, and identify what further work is needed to meet the requirements of the Standard. Following the gap analysis, URM can provide tailored ISO 13485 consultancy through any of the ‘Plan, Do, Check, Act’ lifecycle stages, assisting with activities such as scoping your MDQMS, conducting risk assessments and treatment, developing processes and policies, through to auditing and management reviews.

Whilst an MDQMS is a standalone management system, it can be integrated with other management systems, most notably ISO 9001 and ISO 27001, and it is in this area of integration that URM’s experience and proficiency are highly valued.

Stuart Moran
Senior Consultant at URM
Stuart is a highly experienced integrated management systems, governance and compliance practitioner with particular expertise in information security, quality, environmental, health & safety and data protection. He is a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Chartered Quality Professional, a Member of the CQI, IOSH and ISACA, and holds an ISO 13485 Lead Auditor Training Certificate.
