Blog | January 8th, 2026

The VP’s 2026 Roadmap for MedTech Quality: Turning Compliance into Advantage

A clear, actionable guide for Quality Assurance & Regulatory Affairs (QARA) teams and VP‑level leaders on what’s changing and how to prepare.

Summary

This guide explains: (1) the FDA QMSR alignment with ISO 13485 and what remains uniquely U.S., (2) EU AI Act dual‑compliance expectations for AI‑enabled devices, (3) EUDAMED mandatory use and datasets, (4) the FDA’s final cybersecurity guidance (secure‑by‑design, SBOM, vulnerability management), (5) Post‑Market Surveillance (PMS)/Post‑Market Clinical Follow‑Up (PMCF) under MDR/IVDR, and (6) global UDI trends. You’ll find beginner tips, VP‑level actions, checklists per topic, a 180‑day roadmap, and a glossary.

2026 is the year medtech quality becomes proactive, secure‑by‑design, and digitally traceable.
In the United States, the Food and Drug Administration (FDA) will inspect against its ISO‑aligned Quality Management System Regulation (QMSR) from February 2, 2026, while preserving critical U.S.‑specific controls (e.g., labeling inspections, complaint/servicing records, Unique Device Identification (UDI)). In the European Union, EUDAMED (European Database on Medical Devices) becomes mandatory on May 28, 2026 for core modules, and the European Union Artificial Intelligence Act (EU AI Act) begins applying broad obligations on August 2, 2026, with a special timeline for AI used in devices regulated under the Medical Device Regulation (MDR)/In Vitro Diagnostic Regulation (IVDR) that lands on August 2, 2027. Combined with the FDA’s June 27, 2025 final premarket cybersecurity guidance already in force, these milestones mean compliance must be engineered across the product lifecycle, not bolted on at the end.

What’s Changing

1) FDA’s QMSR Aligns to ISO 13485

The FDA has aligned 21 CFR Part 820 with ISO 13485:2016, creating the Quality Management System Regulation (QMSR) effective February 2, 2026. It retains select U.S.‑specific expectations, e.g., labeling/packaging inspection, complaint/servicing records, and UDI record control, so ISO 13485 compliance is necessary but not wholly sufficient.

Tip: If your Quality Management System (QMS) already follows ISO 13485, you’re most of the way there. Validate that complaint handling, labeling/packaging inspection, and UDI records satisfy the FDA‑retained QMSR clauses before the inspection lens changes in 2026.

VP action: Run a QMSR gap audit (structure, terminology, risk‑based processes, supplier controls), refresh SOPs and training, and update internal audit programs ahead of inspections shifting to the new Part 820 framework.

2) EU AI Act: Dual Compliance for AI‑Enabled Devices

The EU AI Act introduces risk‑based obligations. Most obligations apply August 2, 2026. For AI systems that are safety components in products covered by EU harmonization legislation (including MDR/IVDR devices), high‑risk AI obligations apply August 2, 2027. You must prepare AI‑specific technical documentation (datasets, bias/robustness, logs), establish human oversight, and conduct risk management, in addition to MDR/IVDR evidence.

Tip: Think of AI as a component requiring its own controlled documentation. You’ll need a gap analysis to map what MDR/IVDR already covers and what AI Act adds (e.g., transparency/logging requirements, human‑oversight measures).

VP action: Map AI in your devices and manufacturing systems, run an MDR/IVDR ↔ AI Act gap analysis, plan conformity assessment with Notified Bodies (NBs), and track emerging harmonized standards and NB capacity as deadlines approach.

3) EUDAMED Goes Mandatory in 2026: UDI, Actor Registration & Certificates

The European Commission confirmed four modules are fully functional and mandatory from May 28, 2026: Actor Registration, UDI/Device, Notified Bodies & Certificates, Market Surveillance. New devices must be registered before market placement; legacy devices on the market must be registered by November 28, 2026; many certificate uploads will be due by May 28, 2027.

Without a Single Registration Number (SRN), you cannot proceed. EUDAMED also raises the bar for master data quality (e.g., Basic UDI‑DI, packaging levels, certificate linkages), so set up machine‑to‑machine publishing to minimize manual errors.

VP action: Obtain your Single Registration Number (SRN) early. Prepare your UDI data model and bulk‑upload/M2M workflows (device, packaging levels, Basic UDI‑DI, certificate linkages) to avoid last‑minute data scrambles. Drive portfolio‑level EUDAMED readiness: validate Actor profiles/SRNs, cleanse UDI‑DI data, stage NB certificate datasets, and align vigilance/market surveillance processes to the 2026/2027 timelines.

4) Cybersecurity is Now Treated as Safety

The FDA’s June 27, 2025 final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” is in effect. It expects secure‑by‑design architecture, an SBOM, vulnerability management (coordinated disclosure and patching plans), appropriate labeling, and supporting submission documentation, and it applies to any device containing software, not only network‑enabled devices.

Tip: Pair IEC 62304 (Medical device software, software lifecycle processes) with IEC 81001‑5‑1 (Security activities in the product lifecycle) and adopt a Secure Product Development Framework (SPDF); this is the language reviewers expect to see.

VP action: Embed threat modeling, secure architecture, SBOM management, coordinated vulnerability disclosure, and patch/update plans in design controls; explicitly distinguish software risk vs. cybersecurity risk in submissions and risk files.

5) Post‑Market Surveillance & PMCF: Evidence That Lives with the Device

Under MDR/IVDR, PMS and PMCF must proactively confirm real‑world safety and performance across the device lifetime. Fresh MDCG 2025‑10 guidance details PMS system expectations and how PMS data updates Clinical Evaluation Report (CER), Summary of Safety and Clinical Performance (SSCP), risk management, and labeling. PMCF methods should be selected based on evidence gaps (e.g., registries, targeted follow‑ups, focused clinical studies).

PMS/PMCF is not optional; it is your ongoing proof that benefits outweigh risks. It must feed the Periodic Safety Update Report (PSUR)/Post‑Market Surveillance Report (PMSR) and EUDAMED vigilance.

VP action: Create a PMS/PMCF playbook per device family; connect PMS signals to Corrective and Preventive Action (CAPA) and risk files; ensure EUDAMED vigilance feeds and trend reporting are embedded in management reviews.

6) Traceability & Labeling: UDI Is Your Global Backbone

UDI systems are expanding (e.g., Canada’s proposals, Australia’s Therapeutic Goods Administration (TGA) AUS UDI, Brazil’s ANVISA SNIPS), each with different timelines and database schemas. The goal is consistent identification, faster recalls, and improved patient safety.

UDI errors ripple into recalls, vigilance, and inventory. Establish global master‑data governance and machine‑to‑machine publishing to reduce manual re‑keying.

VP action: Launch a UDI master‑data governance program and machine‑to‑machine (M2M) publishing capability to reduce manual upload risk, consistent with International Medical Device Regulators Forum (IMDRF) recommendations.

Practical Steps

For QARA Teams

  • Learn what’s changing: QMSR (FDA alignment with ISO 13485, effective February 2, 2026), EUDAMED (four modules mandatory by May 28, 2026), EU AI Act timelines (2026–2027), IEC 62304 and IEC 81001-5-1, PMS/PMCF expectations, and UDI fundamentals.
  • Follow the data: Understand where device master data, certificates, UDI records, and vigilance events are managed—and how they populate and synchronize with EUDAMED.
  • Think risk-based: Higher-risk devices and AI components require deeper documentation, validation, and testing; explicitly link clinical, cybersecurity, and manufacturing evidence to risk classification.

For VPs (Strategy & Governance)

  • QMSR transition: Gap‑audit vs ISO 13485, update labeling/complaints/UDI controls, retrain auditors ahead of 2026 inspections.
  • AI governance: Classify AI use cases, build AI tech files, define human oversight, and plan NB engagement for 2026/2027.
  • EUDAMED readiness: Secure SRNs, cleanse UDI data, stage certificates, and rehearse vigilance workflows by May/Nov 2026.
  • Secure-by-design: Adopt SPDF aligned to IEC 81001‑5‑1/IEC 62304; institutionalize SBOM, threat modeling, disclosure, patch policies.
  • PMS / PMCF operations: Select methods per evidence gaps; wire outputs into CER/SSCP/PSUR/PMSR/CAPA; publish vigilance in EUDAMED.
  • Global UDI program: Stand up master‑data governance and M2M publishing across EU/U.S./Canada/TGA/ANVISA.

Topic Checklists (Quick Wins)

QMSR (United States)

  • Map ISO 13485 controls to QMSR; identify gaps.
  • Retain FDA‑specific elements: labeling/packaging inspection, complaint & servicing records, UDI records.
  • Train to February 2, 2026 inspection focus.

EU AI Act (AI‑enabled devices)

  • Inventory AI uses; classify high‑risk under Article 6/Annex I.
  • Build AI technical documentation: datasets, robustness/bias, logging, oversight.
  • Plan conformity assessment/NB engagement for 2026/2027.

EUDAMED (EU)

  • Obtain SRNs (Actor module).
  • Cleanse UDI/Device data; configure bulk/M2M uploads.
  • Stage certificate datasets and SSCP with NBs; rehearse vigilance workflows.

Cybersecurity (Premarket & Lifecycle)

  • Implement SPDF aligned to IEC 81001‑5‑1/IEC 62304.
  • Document threat models, secure architecture, SBOM, vulnerability handling/patching, labeling.
  • Verify submission packages meet June 27, 2025 guidance.

PMS/PMCF (EU)

  • Establish a documented PMS plan; define data sources and analyses.
  • Create PMCF plan per evidence gaps (registries, targeted follow‑ups, focused studies).
  • Update CER/SSCP/risk/labeling; synchronize PSUR/PMSR and EUDAMED vigilance.

Global UDI

  • Map jurisdictional timelines (EU, U.S., Canada, Australia/TGA, Brazil/ANVISA, etc.).
  • Stand up master‑data governance and M2M publishing.
  • Validate UDI‑DI/UDI‑PI across packaging levels; link to recalls/vigilance/inventory.

Your 180‑Day Roadmap

Days 0–30: Baseline & Plan

  • QMSR gap analysis vs ISO 13485; priority updates to labeling/complaints/UDI procedures.
  • AI use case inventory & classification; outline AI tech‑file contents and oversight.
  • EUDAMED readiness: SRNs, UDI data quality checks, certificate datasets, vigilance interfaces.
  • Cyber posture against June 27, 2025 guidance; define SPDF adoption plan.

Days 31–90: Build Controls

  • Update QMS with QMSR‑aligned SOPs; train teams/internal auditors.
  • Draft AI technical documentation (datasets, logging, oversight); plan NB engagement.
  • Implement UDI master‑data governance; pilot bulk/M2M uploads to EUDAMED.
  • Formalize SPDF + IEC 62304/81001‑5‑1 processes; create cyber submission templates.

Days 91–180: Validate & Scale

  • Audit to the QMSR structure; close CAPAs ahead of 2026 inspections.
  • Validate EUDAMED data integrity; rehearse vigilance workflows; stage NB certificate uploads.
  • Finalize EU AI Act conformity path; document dual‑compliance rationale (MDR/IVDR + AI Act).
  • Run cybersecurity penetration/threat tests; verify SBOM and update pipelines; align labeling.

Glossary

  • QMSR (Quality Management System Regulation): FDA’s ISO‑aligned Part 820 rule effective February 2, 2026.
  • MDR (Medical Device Regulation)/IVDR (In Vitro Diagnostic Regulation): EU frameworks governing devices and IVDs; drive PMS/PMCF, UDI, and EUDAMED use.
  • EUDAMED (European Database on Medical Devices): EU database of actors, devices, certificates and surveillance; mandatory May 28, 2026 for four modules.
  • UDI (Unique Device Identification): Global system comprising UDI‑DI (static identifier) and UDI‑PI (production identifier) to support traceability.
  • EU AI Act (European Union Artificial Intelligence Act): Risk‑based AI law; obligations apply August 2, 2026; special case for devices under MDR/IVDR August 2, 2027.
  • IEC 62304 (Medical device software—software lifecycle processes) and IEC 81001‑5‑1 (Security activities in the product lifecycle): Standards to structure software and cybersecurity in devices.
  • SPDF (Secure Product Development Framework): Structured processes embedding cybersecurity across the product lifecycle, referenced by FDA guidance.
  • PMS (Post‑Market Surveillance)/PMCF (Post‑Market Clinical Follow‑Up): Proactive evidence collection and clinical follow‑up to maintain benefit‑risk and update CER/SSCP.
  • CER (Clinical Evaluation Report)/SSCP (Summary of Safety and Clinical Performance)/PSUR (Periodic Safety Update Report)/PMSR (Post‑Market Surveillance Report): EU clinical and safety documentation updated via PMS/PMCF.
  • NB (Notified Body): EU‑designated conformity assessment organization for MDR/IVDR devices.
  • SBOM (Software Bill of Materials): List of software components enabling vulnerability tracking and updates.

ComplianceQuest helps medtech manufacturers unify QMSR/ISO 13485, UDI/EUDAMED, cybersecurity design controls, AI documentation, and PMS/PMCF in a single digital thread, accelerating audits, submissions, vigilance, and post‑market evidence across global sites. Explore ComplianceQuest Solutions for Medical Device Manufacturers.
