Decoding EU Regulation 2024/1860: Key Changes and Their Impact on EU MDR and IVDR Compliance

As the medical device landscape continues to evolve, the introduction of Regulation (EU) 2024/1860 marks a significant shift in the regulatory environment within the European Union. This regulation, published as an amendment to the existing EU Medical Device Regulation (MDR) and In vitro Diagnostic Medical Device Regulation (IVDR), introduces several critical changes that will affect the compliance landscape for medical device manufacturers. At Evalueserve IP and R&D, we understand the complexities of these regulatory updates. We are committed to helping manufacturers understand the changes and ensure their products remain compliant in this evolving environment. The article sheds light on the evolving world of regulatory guidelines around the medical device industry, and we have also addressed the most frequently asked questions along with justifications.

Part I: Key Features of Regulation (EU) 2024/1860

The regulation addressed several challenges during the EU MDR and IVDR implementation. Below are some of the critical features of this new regulation:

A. Gradual Roll-Out of EUDAMED

One of the most significant aspects of Regulation (EU) 2024/1860 is the structured, phased implementation of the European Database on Medical Devices (EUDAMED). EUDAMED is a cornerstone of the EU’s approach to medical device regulation, designed to enhance transparency, traceability, and post-market surveillance. However, the roll-out has been delayed due to the database’s complexity, leading to a gradual implementation strategy under the new regulation.

• Current Status: Four of the seven interconnected electronic systems within EUDAMED are complete, with the remaining modules expected by 2024. This staggered approach ensures that each component is thoroughly tested and verified, reducing the risk of errors or oversights that could impact patient safety or market access.
• Impact on Manufacturers: While this gradual roll-out provides more time for manufacturers to adapt, it also requires continuous attention to updates and changes. Staying informed about the status of each module and understanding how it affects your regulatory obligations is essential.

B. Extension of the IVDR Transitional Period

The transition from the previous In vitro Diagnostic Devices Directive (IVDD) to the In vitro Diagnostic Medical Device Regulation (IVDR) has proven challenging for many manufacturers, particularly in meeting the stricter conformity assessment requirements. Regulation (EU) 2024/1860 extends the transitional period to May 26, 2025, particularly for high-risk devices (Class D).

• Purpose: This extension aims to prevent shortages of critical diagnostic devices and reduce potential disruptions in the healthcare system. It provides manufacturers additional time to meet the rigorous demands of the IVDR, including reclassification and more detailed documentation.
• Impact on Manufacturers: For manufacturers, this means a crucial window to complete necessary assessments, update technical documentation, and engage with Notified Bodies. However, it also requires them to proactively manage their transition process to avoid non-compliance or market withdrawal.

How Evalueserve Can Assist

As a trusted partner to medical device manufacturers, Evalueserve offers tailored services to help you navigate the complexities of Regulation (EU) 2024/1860. Our team of experts is well-versed in the intricacies of both the MDR and IVDR, and we are equipped to support your organization in several key areas:

• Regulatory Strategy and Planning: We provide in-depth analysis and strategic guidance to help you understand how the gradual roll-out of EUDAMED and the extended IVDR transition period impact your products and market strategy.
• Toxicological Risk Assessments: Our toxicology consultancy ensures your products meet the highest safety standards, addressing potential risks arising from new regulatory requirements.
• Technical Documentation and Compliance: We assist in updating and preparing the necessary documentation to ensure compliance with the latest EU regulations, including the meticulous requirements for high-risk devices under the IVDR.

The roll-out of Regulation (EU) 2024/1860 marks a pivotal moment for medical device manufacturers in the European market. This new regulation introduces critical updates and refinements that aim to enhance the safety, efficacy, and oversight of medical devices, aligning with the evolving landscape of healthcare technology. For manufacturers, this means navigating a more complex regulatory environment with updated requirements that impact every stage of device development and lifecycle management.

From conducting detailed gap analyses and revising compliance strategies to offering targeted toxicological risk assessments and regulatory documentation support, we are here to ensure that your products meet the highest safety and efficacy standards.

Read more >>> Unveiling Medical Device Solutions.

By partnering with Evalueserve, you can ensure that your medical devices meet the highest safety and efficacy standards while staying ahead of regulatory changes. We aim to support you in achieving compliance and maintaining a competitive edge in the evolving market.

Part II: Q&A to White Paper (Unveiling Medical Device Solutions)

1. Are there any apps and algorithms used in medical devices? How are they regulated?

Yes, apps and algorithms are increasingly integrated into medical devices, particularly in digital health, diagnostics, and personalized medicine. These software applications, often called Software as a Medical Device (SaMD), can range from diagnostic tools to treatment monitoring apps or algorithms that assist clinical decision-making.

In terms of regulation, both EU MDR (Regulation (EU) 2017/745) and EU IVDR (Regulation (EU) 2017/746) provide a framework for regulating Software as a medical device. The regulation depends on the intended use and risk classification of the Software:

• Risk Classification: SaMD is classified into different risk categories (Class I, IIa, IIb, or III) based on the potential impact on patients’ health. Higher-risk software (e.g., diagnostic tools influencing critical treatment decisions) falls under stricter regulatory scrutiny.
• Compliance Requirements: SaMD developers must comply with clinical evaluation, conformity assessments, and post-market surveillance requirements. Special provisions are also made for AI-based algorithms that learn and evolve, as they require robust risk management and validation to ensure safety over time.
• Cybersecurity is a growing concern for Medical device software, and manufacturers must ensure robust data protection and safety measures.

2. What about combination products involving a drug and a medical device? Example: drug-eluting stent.

Combination products, such as drug-eluting stents, are a unique category in the medical field, as they involve both a medical device and a drug component. These products are regulated under a specific framework depending on the primary mode of action (PMOA):

• EU MDR or EU Drug Regulation: If the product’s primary function is that of a medical device (as in the case of a drug-eluting stent, where the stent primarily provides mechanical support), it will fall under the EU MDR. However, the drug component must still comply with relevant pharmaceutical regulations, ensuring the safety and efficacy of both elements.
• Consultation Procedure: A consultation procedure with a national competent authority or the European Medicines Agency (EMA) is mandatory for combination products where the device incorporates a medicinal substance. This approach ensures that both the drug and device components are rigorously assessed.
• Due to their dual components, market surveillance and post-market obligations are more stringent for combination products.

For instance, in the European Union (EU), the regulation of combination products is covered under the Medical Device Regulation (MDR) 2017/745 and the Medicinal Products Directive 2001/83/EC. The regulatory path depends on the primary mode of action (PMOA) of the product:

A. Drug-Primary Combination (e.g., pre-filled syringes or inhalers):

• 
  
  • If the product’s primary mode of action is pharmacological, immunological, or metabolic (e., drug-related), it is regulated as a medicinal product under Directive 2001/83/EC.
  • However, the medical device component must still comply with relevant MDR aspects to ensure safety and performance.

B. Device-Primary Combination (e.g., drug-eluting stents):

• 
  
  • If the primary mode of action is device-related, the product is regulated under MDR 2017/745.
  • Manufacturers must submit evidence of the drug component’s quality, safety, and usefulness and seek consultation from a national medicinal product authority or the European Medicines Agency (EMA).

3. How does the FDA regulate combination products, and what should manufacturers understand about navigating the regulatory pathways for these products?

In the U.S., combination products—those that combine two or more types of medical products, such as drugs, devices, or biological products—are regulated by the U.S. Food and Drug Administration (FDA) under the oversight of the Office of Combination Products (OCP).

The regulatory pathway for a combination product is primarily determined by its Primary Mode of Action (PMOA). The PMOA is the predominant mechanism through which the combination product achieves its intended therapeutic effect. Depending on the PMOA, the product will be assigned to one of three FDA centers for review:

• Center for Devices and Radiological Health (CDRH): For device-led products (e.g., a drug-coated stent),
• Center for Drug Evaluation and Research (CDER): For drug-led products (e.g., pre-filled syringes with drugs),
• Center for Biologics Evaluation and Research (CBER): For biologic-led products (e.g., a combination of a biologic and a device).

While no singular regulation is specific to combination products, these products are subject to combined oversight. Depending on the product’s nature, manufacturers must ensure compliance with medical device regulations (21 CFR 820) and the drug/biological product regulations (21 CFR 211 and 600).

Key Considerations:

• PMOA and Assignment: Understanding the PMOA is crucial as it defines the lead regulatory pathway. For instance, if a product is a drug-device combination, but the drug is the primary therapeutic component, it will be reviewed primarily by CDER but with input from CDRH.
• Compliance with Dual Regulations: Combination products must comply with both medical device regulations (Quality System Regulation for devices, 21 CFR 820) and the regulations relevant to the drug or biologic components (Current Good Manufacturing Practices for drugs, 21 CFR 211, or for biologics, 21 CFR 600). This dual compliance can complicate manufacturing, quality control, and post-market surveillance.
• Innovative Products: For novel combination products, manufacturers may engage early with the FDA through Pre-Request for Designation (Pre-RFD) or Request for Designation (RFD) processes to determine the PMOA and streamline the regulatory process.
• Post-Market Requirements: Combination products may also be subject to post-market surveillance from more than one FDA center. For example, a drug-coated stent must meet the drug and device components’ post-market safety and efficacy requirements.

Manufacturers of combination products should engage with the FDA early in development to ensure clarity around regulatory expectations and ensure that all aspects of the product meet the required standards for safety, efficacy, and quality.

4. How will the EU AI Act impact the development and regulation of AI-driven healthcare technologies and medical devices, particularly in the high-risk category?

The EU AI Act is a legislative proposal introduced by the European Commission in April 2021 to regulate the use and development of artificial intelligence (AI) within the European Union. It is one of the first comprehensive laws specifically focused on AI, and it seeks to balance innovation with the protection of fundamental rights and safety.

However, it came into force on August 1, 2024, as the European Artificial Intelligence Act (AI Act), establishing a unified framework for AI regulation across the EU. It aims to balance innovation with safeguarding citizens’ rights and safety, introducing a risk-based classification for AI systems:

• Minimal risk: AI-like spam filters face no obligations but may follow voluntary codes.
• Specific transparency risk: AI systems like chatbots must disclose their use to users.
• High risk: Critical AI, including medical Software, must adhere to strict standards for transparency, data quality, and human oversight.
• Unacceptable risk: AI systems that threaten fundamental rights, such as social scoring, are prohibited.

The AI Act also includes provisions for a Code of Practice on General Purpose AI (GPAI), focusing on transparency and risk management. After consulting with stakeholders, the Commission expects to finalize this by April 2025.

5. What new cybersecurity requirements does FDA Section 524B introduce for medical devices, and how can manufacturers ensure compliance with these standards?

FDA Section 524B, effective October 1, 2023, imposes new cybersecurity standards for medical devices to safeguard patient safety against cyber threats. To comply, manufacturers must integrate security measures from the design phase through post-market monitoring. Essential compliance requirements include:

1. Cybersecurity Plan: Manufacturers must develop a robust plan for identifying, monitoring, and addressing cybersecurity vulnerabilities post-market, including a straightforward process for vulnerability disclosure.
2. Security by Design: Devices must be designed with cybersecurity in mind. This step involves conducting thorough risk assessments, often using frameworks like the Common Vulnerability Scoring System (CVSS) to prioritize and mitigate risks.
3. Software Bill of Materials (SBOM): A comprehensive list of all proprietary and open-source software components must be provided. This process allows for easier tracking and managing of vulnerabilities associated with each element.
4. Incident Response Plan: Manufacturers need to have a clear, actionable plan for responding to cybersecurity incidents that arise over the device’s lifecycle, ensuring quick action in the event of a security breach.

Failure to meet these guidelines can result in the FDA rejecting premarket submissions and delaying product approvals. Manufacturers are encouraged to consult cybersecurity experts and leverage FDA resources to ensure they remain compliant with these updated regulations, improving the overall security of connected medical devices.