Practical EUDAMED guide for QA and RA teams

If you work in medical devices in the EU, the question is no longer what EUDAMED is, but whether your data and ownership model will survive mandatory use.

Even after years of announcements, guidance documents, and partial rollouts, many QA and RA professionals face the same problem: plenty of acronyms and high-level updates, but limited clarity on what becomes mandatory, when it applies, and who is responsible.

The EUDAMED database isn't just another EU database; it's becoming the backbone for registering, tracking, and investigating medical devices across Europe, as it moves from voluntary to mandatory.

With EUDAMED, regulatory data is turned into a transparent dashboard that authorities can check without waiting for an audit. Incomplete or inconsistent data stop being internal inconveniences and become regulatory risks.

The majority of issues are not caused by a lack of procedures, but by unclear ownership, fragmented data, and a lack of synergy between regulatory and quality processes.

In this EUDAMED guide, you’ll learn:

• What is EUDAMED? And what it isn’t.
• Which modules are live today, and which become mandatory in 2026
• Which economic operators must register, and what data they are responsible for
• And what QA and RA teams should be preparing now to avoid last-minute pressure

If you can’t point to one owner for actor, device, and certificate data today, EUDAMED will surface that gap for you, the same way a reconciliation report surfaces missing entries. And it won’t ask politely.

Key takeaways

Here’s what matters if you’re responsible for compliance:

Read the rest with one goal: identify what you must register, who owns the data, and what breaks first when visibility goes EU-wide.

What is EUDAMED?

EUDAMED is the European Database on Medical Devices, the European Commission’s central digital system supporting the implementation of the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR).

In practical terms, EUDAMED becomes the reference source for regulatory data. If your internal device master says the intended purpose changed last quarter, but EUDAMED still shows the old version, you’ve created a visible inconsistency.

EUDAMED brings together regulatory data that was previously scattered across national databases, notified bodies, and company systems. It centralises information on economic operators, devices and UDIs, certificates, clinical investigations, vigilance, and market surveillance.

Once your data is in EUDAMED, it stops being an internal working copy and becomes the reference version others check against.

By connecting this data across the full device lifecycle, EUDAMED allows authorities to verify regulatory status, detect safety signals, and coordinate enforcement across Member States. For manufacturers and QA/RA teams, this means regulatory data is no longer local or siloed.

Once your data is in EUDAMED, it stops being your internal working copy and becomes the reference version others check against.

Why was EUDAMED necessary?

Before EUDAMED, safety signals could sit in national lanes, like traffic moving on parallel roads that never intersect. A signal visible in one Member State was not automatically visible in others.

EUDAMED forces those lanes to merge by bringing devices, actors, certificates, and surveillance data into one connected view.

Regulatory oversight for medical devices in the EU was decentralised by design before EUDAMED. Authorities relied on national databases, local vigilance systems, and fragmented certificate records. There was no single, authoritative view of devices, manufacturers, or safety signals across Member States.

This created structural blind spots:

• Devices could not be reliably traced across borders
• Vigilance signals were slow to correlate
• Certificate data was not consistently accessible
• Market surveillance actions were largely reactive

High-profile safety failures exposed these weaknesses. The issue was not individual non-compliance, but a system that lacked shared data and visibility across a single market.

EUDAMED addresses this gap by providing a shared regulatory infrastructure built on connected, EU-wide data across the full device lifecycle.

In short, risk moved faster than coordination. EUDAMED is the EU’s attempt to close that gap.

EUDAMED structure: What are the 6 modules of EUDAMED?

EUDAMED consists of six connected compliance pipelines, each feeding data into the same regulatory system across the medical device lifecycle.

The system is modular. Each module becomes usable and legally enforceable once it is declared functional, which allows EUDAMED to be rolled out in phases rather than all at once.

The six EUDAMED modules are:

• 1. Actor registration (ACT)
• 2. UDI and Device (UDI/DEV)
• 3. Notified Bodies & Certificates (NB/CRF)
• 4. Clinical Investigations and Performance Studies (CI/PS)
• 5. Vigilance and Post-Market Surveillance (VGL)
• 6. Market surveillance (MSU)

Your workload is module-driven: what is declared functional determines what becomes mandatory, and when.

Which EUDAMED modules are mandatory?

Four EUDAMED modules become mandatory on 28th May 2026. From that date, regulatory data for these areas must be managed through EUDAMED:

• Actor Registration (ACT)
• UDI/Devices (UDI/DEV)
• Notified Bodies and Certificates (NB/CRF)
• Market Surveillance (MSU)

The remaining modules:

• Clinical Investigations and Performance Studies (CI/PS), and
• Vigilance and Post-Market Surveillance (VGL)

will become mandatory only after they are declared functional and complete their own transition periods.

If you do nothing else, align ownership and data readiness for ACT, UDI/DEV, NB/CRF, and MSU now.

What are the different actor roles in EUDAMED?

EUDAMED does not register companies in a generic sense. It registers actors with clearly defined regulatory roles under MDR and IVDR.

Each role carries specific legal obligations. Organizations performing more than one role must register separately for each, even if the same legal entity is involved.

EUDAMED pins each regulatory obligation to a named role, like labels on a wiring diagram, making accountability explicit and traceable. Actors fall into three categories: supervising entities, economic operators, and sponsors.

Supervising entities of EUDAMED

Supervising entities control how EUDAMED operates and how regulatory compliance is validated at the EU and national levels. They do not place devices on the market, but they define, enforce, and oversee the rules that economic operators must follow.

The main supervising entities in EUDAMED are:

• European Commission (EC)

Acts as the system owner and controller of EUDAMED, including registration of Competent Authorities and Designating Authorities.

• Competent Authorities (CA)

National authorities are responsible for validating actor registrations and carrying out market surveillance within their territory.

• Designating Authorities (DA)

Authorities responsible for designating and overseeing Notified Bodies, including validating their access to EUDAMED.

• Notified Bodies (NB)

Designated organizations that perform conformity assessments. In EUDAMED, they register certificates, refuse applications, and link certificates to devices.

What this means for companies: validation and oversight are mandatory, standardised, and not negotiated on a case-by-case basis.

Economic Operators at EUDAMED

Economic operators carry the operational burden of EUDAMED. These are the roles where data quality issues, timing failures, and ownership gaps surface first.

Manufacturers

Manufacturers are the primary regulatory actors under MDR and IVDR. Their responsibilities include:

• registering themselves and obtaining a Single Registration Number (SRN),
• registering devices and UDI information,
• linking devices to certificates,
• conducting post-market surveillance,
• reporting serious incidents and field safety corrective actions.

Regulatory accountability starts with the manufacturer when a device issue occurs. Under EUDAMED, that accountability becomes visible at the EU level.

Authorised Representatives

Authorised Representatives (AR) are EU-based entities acting on behalf of non-EU manufacturers. Their responsibilities include:

• verifying the non-EU manufacturer’s actor registration,
• acting as the EU regulatory contact point,
• supporting interactions with competent authorities,
• shaking legal liability in specific cases defined by MDR and IVDR.

AR involvement is a critical dependency in the registration process for QA/RA teams working with non-EU manufacturers.

Importers

Importers place devices from non-EU manufacturers on the EU market. Their responsibilities include:

• registering as a separate actor and obtaining their own SRN,
• linking themselves to the devices they import,
• verifying that manufacturers and devices are correctly registered.

Importers play a key role in supply chain traceability. EUDAMED allows authorities to see exactly who introduced a device into the EU market.

System/Procedure Pack Producers

System and procedure pack producers assemble multiple CE-marked devices into a system or procedure pack and place it on the market as a single offering. Their responsibilities include:

• registering as a distinct actor,
• taking responsibility for the correct combination and compatibility of devices,
• having device-level obligations depending on how the system is assembled.

This role exists to ensure accountability when devices are combined, even if they are not redesigned.

If your device, certificate, and post-market records don’t reconcile internally, EUDAMED will make that mismatch visible externally.

Sponsors in EUDAMED

In EUDAMED, the sponsor is the legally accountable party for the lifecycle of a clinical investigation (under MDR) or a performance study (under IVDR), regardless of who manufactured the device.

Sponsor responsibilities include:

• registering and managing clinical investigation or performance study applications,
• submitting notifications or authorisation requests,
• maintaining study information throughout its lifecycle,
• reporting substantial modifications and serious adverse events,
• notifying study completion, temporary halt, or early termination.

What matters is not who manufactured the device, but who holds legal responsibility for the study. The sponsor is the primary regulatory contact point if a study is inspected or challenged.

When the study is questioned, the sponsor becomes the inbox. Build your documentation and ownership model accordingly.

Recommended learning:

What are the MDCG documents and why are they important.

EUDAMED timeline: A system rolled out in phases

EUDAMED isn’t late. It’s modular. Each module becomes mandatory only after a published functionality notice (Regulation (EU) 2024/1860) and a transition window.

Each module follows the same mechanism:

• development and independent audit
• publication of a notice of functionality in the Official Journal of the European Union (OJEU)
• a six-month transition period, and
• mandatory use under MDR and IVDR

The rollout has been divided into two phases.

Phase 1 - First four modules: Actor, UDI/Device, Notified Bodies and Certificates, and Market Surveillance Modules

For the first four modules, the notice of functionality was published on 27 November 2025, making 28 May 2026 the mandatory start date.

The key implications for economic operators are:

• Economic operators must be registered as actors.
• Devices must be registered in the UDI/Devices module within the applicable timelines.
• Notified Bodies must upload MDR/IVDR certificates.
• Market surveillance activities are coordinated through EUDAMED.

Phase 2 - Remaining modules

The remaining modules under development (Clinical Investigations & Performance Studies, and Vigilance & Post-Market Surveillance) will follow the same legal mechanism as Phase 1. Mandatory use will begin only after each module is declared fully functional through an official notice of functionality, followed by a six-month transition period.

Under the applicable transition timelines, registration of legacy (MDD/AIMDD/IVDD) devices will become mandatory. Notified Bodies will also complete the upload of certificates issued before May 2026.

Until mandatory use begins, national systems may continue to apply where permitted under MDR and IVDR.

The only dates that matter are those tied to your specific module obligations, not the ones that make the best headlines.

Key dates in the EUDAMED timeline

25 May 2017

Regulations (EU) 2017/745 on medical devices (MDR) and (EU) 2017/746 on in vitro diagnostic medical devices (IVDR) entered into force on 25 May 2017.

Article 33 of the MDR and Article 29 of the IVDR specifically mandate the European Commission to set up, maintain, and manage the EUDAMED database for device registration, UDI, vigilance, and other modules to enhance transparency and traceability.

EUDAMED was expected to be ready by no later than 25 March 2020.

2024-2025

EUDAMED becomes available in stages for voluntary use. Economic operators, notified bodies, and authorities begin onboarding. They are encouraged to register themselves, their devices, and certificates in EUDAMED early to avoid the deadline rush of 27 November 2025.

National systems continue to apply where EUDAMED modules are not yet declared functional.

On 13 June 2024, an amendment to MDR and IVDR was published in Regulation (EU) 2024/1860, which extended the phased rollout without altering its core establishment date.

27 November 2025

The EC officially declared modules 1, 2, 3, and 6, functional. This triggers the 6-month countdown for these first four modules.

28 May 2026

Mandatory use of ACT, UDI/DEV, NB/CRF, and MSU.

Actors, UDI, Certificates, and Market Surveillance will become legally required for new MDR/IVDR registrations.

Notified Bodies will begin uploading new certificates.

After the OJEU notice

CI/PS and VGL modules will follow the same transition model after they pass functional audits.

Registration of legacy (MDD/AIMDD/IVDD) devices will become mandatory under the applicable transition timelines. Notified Bodies will also complete uploading certificates issued before May 2026.

Note: Exact dates for the remaining modules will be confirmed via OJEU notices.

EU MDR - Medical Device Regulation Course at the Scilife Academy

Four EUDAMED modules are now functional. What does this mean for you? 

This is the turning point: EUDAMED has moved from a voluntary system to an enforceable one. The European Commission declared four EUDAMED modules fully functional in November 2025 after they passed independent audits and met all legal and technical requirements:

• Actors registration

• UDI/Devices

• Notified Bodies & Certificates

• Market Surveillance

Mandatory use of these four modules begins on 28 May 2026.

The practical implication is simple. Your best preparation is boring: clean master data, controlled updates, and explicit ownership.

Below, I break down what changes in practice for each module and where responsibilities now sit.

What changes in practice for EUDAMED?

The biggest change is visibility.

Data that was previously managed internally or reviewed only during audits is now centrally accessible, cross-checked, and visible to multiple authorities. As a result, inconsistencies between device data, certificates, vigilance records, and quality documentation are easier to detect and harder to explain.

Preparation is no longer about learning how EUDAMED works. It is about ensuring the data feeding EUDAMED is accurate, controlled, and kept up to date.

Actor Registration module

Once the Actor Registration module is mandatory, authorities can clearly see who is responsible for a device, under which role, and in which Member State.

Organizations must have validated actor registrations, clearly defined regulatory roles, and internal ownership of actor data. Unclear mandates, outdated details, or missing SRNs become immediately visible.

UDI/Devices module

The UDI/Devices module exposes how well device master data is managed in the EU market. 
Manufacturers must ensure that basic UDI-DI and UDI-DI information is correct and complete, device descriptions, classifications, and intended purposes are aligned, and device records are linked to the correct certificates.

Weak change control shows up as mismatched device descriptors across systems. For example, a label and certificate scope may reflect a recent change, while the UDI/DEV record still shows the previous intended purpose or classification. That mismatch becomes a flagged discrepancy that can be traced back to its source.

Core principles

Under MDR and IVDR, medical devices are identified using the Unique Device Identification (UDI) system, which follows a defined hierarchy:

Under MDR and IVDR, medical devices are identified using the Unique Device Identification (UDI) system, which follows a defined hierarchy:

• the basic UDI-DI, identifying groups of devices with the same intended purpose, risk class, and essential design characteristics,

• one or more UDI-DIs, identifying specific device models or configurations,

• and, where applicable, packaging-level identifiers.

Manufacturers must register this information in the UDI and Devices module before placing devices on the EU market, in line with applicable timelines.

Device registration at scale

Each relevant device or device group must be registered in EUDAMED with its corresponding identification data. For manufacturers with large portfolios, EUDAMED supports:

• XML bulk upload via the user interface, and

• machine-to-machine (M2M) data exchange for automated submissions from external systems.

These mechanisms support volume, but they do not remove the need for data consistency and traceability. Once registered, device records become visible and linkable to certificates, vigilance reports, and market surveillance activities.

Notified Bodies and Certificates module

When Notified Bodies register MDR and IVDR certificates in EUDAMED, including status, scope, and validity, that information becomes visible at the EU level.

At that point, “we’re sorting it with our NB” stops working as an explanation. If a device record links to a certificate that appears expired, suspended, or out of scope, the question is immediate: why is this device still represented as compliant?

For QA teams, this increases the need for tight coordination between regulatory submissions, certificate management, and device data.

Market Surveillance module

The Market Surveillance module enables competent authorities to share findings, coordinate actions, and track non-compliant devices across borders, reducing the time between detection and enforcement.

Findings no longer stay local. One authority’s action can be referenced by others, like a case file that travels. If your explanation changes by country, EUDAMED makes that inconsistency easier to spot.

Access to this module is largely restricted to Supervising bodies and the Commission, with limited visibility granted to Notified Bodies where explicitly referenced.

What is expected to change for the two remaining modules?

The next shift is centralization. Clinical and post-market reporting will move from national systems into a single EU platform, changing how information is submitted, reviewed, and compared across Member States.

The underlying regulatory obligations do not change. What changes are in visibility and coordination at the EU level?

Clinical Investigations and Performance studies module

The CI/PS module will centralise regulatory data for clinical investigations under MDR and performance studies under IVDR.

Manufacturers and sponsors will use this module to manage the full study lifecycle, including:

• study notifications and applications,
• authorisation decisions,
• substantial modifications,
• and study status updates throughout the lifecycle.

Competent authorities and ethics committees will assess and oversee studies through EUDAMED rather than separate national portals.

Public visibility and transparency

Certain high-level study information will become publicly accessible through EUDAMED, in line with MDR and IVDR transparency requirements. This applies only to defined data elements, not confidential documentation or clinical datasets.

For sponsors, this increases the need for consistent, controlled study information across regulatory submissions and internal documentation.

Regulatory timelines and notifications

There is no single notification timeline for all studies. Applicable timelines depend on factors such as:

• whether the study is interventional or non-interventional,
• whether additional invasive procedures are involved,
• the applicable regulation (MDR or IVDR),
• and the risk profile of the study.

Once mandatory, notifications and applications will be submitted via EUDAMED, and studies may only start once the applicable regulatory conditions are met.

Vigilance and post-market surveillance module

The Vigilance and Post-Market Surveillance module will support EU-wide coordination of device safety activities after devices are placed on the market.

Manufacturers will use it to report serious incidents, field safety corrective actions, and defined post-market surveillance activities. The module enables structured reporting and coordinated assessment between manufacturers and competent authorities as investigations progress.

Certain vigilance and post-market surveillance information will become publicly accessible through EUDAMED. Detailed investigations and confidential data will remain restricted to authorities.

This module will make trends, delays, and inconsistencies in post-market activities more visible across Member States, increasing scrutiny on response times and data quality.

When CI/PS and Vigilance become mandatory, delays stop being narratives and start showing up as timestamps and status changes. Your timelines no longer live only in your QMS or emails. They become part of the regulatory record.

What changes for companies?

EUDAMED turns compliance into a continuous data test, not an occasional audit performance.

This requires organizations to maintain aligned data across regulatory and quality processes, respond quickly to incidents, certificate changes, and authority findings, and ensure clear ownership of regulatory updates.

If your system depends on spreadsheets and heroics, EUDAMED will expose it. Heroics work in small rooms. EUDAMED operates at system scale.

Common EUDAMED challenges companies face

Most EUDAMED “problems” are not technical. They are ownership and data governance failures that become visible under increased scrutiny.

In practice, many medical device companies encounter the same issues when preparing for EUDAMED:

• fragmented device and actor data across multiple systems,

• slow or inconsistent change control affecting regulatory updates

• limited visibility of post-market and vigilance status,

• and unclear ownership of EUDAMED-related actions.

Fix the owners first. Tools come second.

How can Scilife’s eQMS support your EUDAMED compliance? 

EUDAMED doesn’t replace your QMS. It audits it in public.

As regulatory data becomes centrally visible, weaknesses that were once manageable locally become harder to contain. Manual tools, fragmented systems, and informal handovers struggle under this level of scrutiny.

This is where an eQMS becomes critical. The goal isn’t to impress auditors. It’s to avoid improvising when they ask simple questions.

Scilife supports EUDAMED compliance by providing a controlled digital foundation for EUDAMED-relevant processes:

• a single, controlled source of regulatory and quality data,

• structured workflows for changes, incidents, and CAPAs,

• Traceable links between devices, certificates, complaints, and corrective actions,

• documented decisions that support continuous audit readiness.

In practice, Scilife makes the EUDAMED-critical chain auditable end to end, without gaps between links: a controlled device record, linked certificate evidence, linked post-market signals (complaints, investigations, CAPAs), and a change workflow showing who approved what and when.

When a regulatory update is needed, you’re not reconciling multiple sources of truth. You update one controlled record and trace the decision back to the initiating event.

This isn’t about efficiency. It’s about preventing avoidable regulatory exposure when your data becomes visible.

Prepare your QMS for EUDAMED - before it becomes mandatory 

28 May 2026 is a compliance operating date, and organizations with weak foundations will feel the pressure first.

EUDAMED does not require new processes. It requires existing ones to work consistently, with data that is accurate, current, and traceable across the device lifecycle.

Preparing for EUDAMED is therefore not about learning how to use a database. It is about ensuring your quality system can support controlled device and actor data, timely updates after changes or incidents, clear ownership of regulatory responsibilities, and documented decisions that stand up to scrutiny.

Start with one decision: who owns each critical dataset, and how changes become controlled updates. Everything else follows from that.

Where to start preparing your QMS for EUDAMED?

Start here if you want a clear view of your readiness. Preparation starts by asking a few uncomfortable but necessary questions:

• Do we know exactly who owns device, certificate, and actor data?

• Can we update regulatory information quickly when something changes?

• Are post-market and vigilance activities clearly linked to devices and certificates?

• Can we demonstrate compliance continuously, not just during audits?

If any answer is “not consistently,” you’ve just found your first EUDAMED risk register item.

Turning EUDAMED preparation into control

Control comes from repeatable workflows, not last-minute clean-ups.

A digital, integrated eQMS helps move EUDAMED readiness from a reactive exercise into a controlled way of working, where regulatory obligations are executed consistently rather than managed ad hoc.

This is not about technology for its own sake. It is about reducing regulatory risk as visibility increases and expectations shift from periodic audits to continuous oversight.

EUDAMED rewards organizations that treat data like a product: versioned, owned, and maintained, not filed and forgotten.

See how Scilife supports EUDAMED compliance.