NAALA | Not An Average Legal Advisor


2022 Regulatory Agenda


Anne Sophie Dil

Co-founder of NAALA

Published on 12 January, 2022


Holidays are over, and most people are back in full swing at work. Time to look ahead and prepare for what the new year will bring. What’s to come in terms of laws and regulations on (in vitro) medical devices, information security, data exchange and personal data protection?


On May 26, 2022, the In Vitro Diagnostics Regulation (IVDR) will become applicable.

The application date of the Medical Devices Regulation (MDR) was pushed back by one year due to the COVID-19 pandemic. Although the industry expected – or clung to hope – that the same would apply to the IVDR, the European Commission chose not to push back its application date. Instead, the two-year transition phase was extended by 1 to 3 years. This should give IVD makers more time to get their products certified under the renewed legislation.

Products covered by the scope of the IVDR, but not requiring the involvement of a notified body, must comply with IVDR requirements by May 26, 2022.

On January 4th of this year, the European Commission officially recognized nine harmonized standards for medical devices, including ISO 13485 (quality management system). By recognizing these standards, the European Commission indicates that medical device manufacturers/developers can use them to implement the Medical Devices Regulation (MDR). The nine recognized harmonized standards follow an earlier set of harmonized standards recognized by the European Commission in July 2021.

The following standards are currently recognized as harmonized, and thus deemed appropriate to implement the MDR requirements:

July 2021:

  • EN ISO 10993-23:2021 Biological evaluation of medical devices – Part 23: Tests for irritation (ISO 10993-23:2021)
  • EN ISO 11135:2014 Sterilization of health care products – Ethylene oxide – Requirements for the development, validation and routine control of a sterilization process for medical devices (ISO 11135:2014)
  • EN ISO 11137-1:2015 Sterilization of health care products – Radiation – Part 1: Requirements for development, validation and routine control of a sterilization process for medical devices (ISO 11137-1:2006, including Amd 1:2013)
  • EN ISO 11737-2:2020 Sterilization of health care products – Microbiological methods – Part 2: Tests of sterility performed in the definition, validation and maintenance of a sterilization process (ISO 11737-2:2019)
  • EN ISO 25424:2019 Sterilization of health care products – Low temperature steam and formaldehyde – Requirements for development, validation and routine control of a sterilization process for medical devices (ISO 25424:2018)

January 2022:

  • EN ISO 10993-9:2021 Biological evaluation of medical devices – Part 9: Framework for identification and quantification of potential degradation products (ISO 10993-9:2019)
  • EN ISO 10993-12:2021 Biological evaluation of medical devices – Part 12: Sample preparation and reference materials (ISO 10993-12:2021)
  • EN ISO 11737-1:2018 Sterilization of health care products – Microbiological methods – Part 1: Determination of a population of microorganisms on products (ISO 11737-1:2018)
  • EN ISO 13408-6:2021 Aseptic processing of health care products – Part 6: Isolator systems (ISO 13408-6:2021)
  • EN ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485:2016)
  • EN ISO 14160:2021 Sterilization of health care products – Liquid chemical sterilizing agents for single-use medical devices utilizing animal tissues and their derivatives – Requirements for characterization, development, validation and routine control of a sterilization process for medical devices (ISO 14160:2020)
  • EN ISO 15223-1:2021 Medical devices – Symbols to be used with information to be supplied by the manufacturer – Part 1: General requirements (ISO 15223-1:2021)
  • EN ISO 17664-1:2021 Processing of health care products – Information to be provided by the medical device manufacturer for the processing of medical devices – Part 1: Critical and semi-critical medical devices (ISO 17664-1:2021)
  • EN IEC 60601-2-83:2020 Medical electrical equipment – Part 2-83: Particular requirements for the basic safety and essential performance of home light therapy equipment

Initially, the intention was to make the European medical device database EUDAMED available when the Medical Devices Regulation (MDR) and the In Vitro Diagnostics Regulation (IVDR) respectively became applicable. However, in the run-up to the application date of the MDR, it became apparent that launching EUDAMED at that point would be premature. As a result, the launch of the database was postponed until the IVDR’s application date: May 26, 2022.

Currently, some of EUDAMED’s modules are available, but a timeline has not yet been shared for the launch of other modules.

MDCG’s guidance provides further explanation of the requirements set forth in both the Medical Devices Regulation (MDR) and the In Vitro Diagnostics Regulation (IVDR). Several guidelines have already been published to date, and it appears that this trend will continue this year.

The following MDCG guidelines are expected in 2022:


  • Person Responsible for Regulatory Compliance guidance (update) – 2022
  • Incident Reporting template form (new) – Q1 2022
  • Post-Market Surveillance guidance (new) – Q2 2022
  • Vigilance Q&A document (new) – Q3 2022


  • Performance Evaluation guidance (new) – 2022
  • Summary of Safety & Performance template (new) – 2022
  • In-house Devices guidance (new) – 2022
  • ‘IVDR in context of hypothetical scenarios of an urgent response to a health crisis’ analysis (new) – 2022

Information security

‘ISO 27002 Information security, cybersecurity and privacy protection – Information security controls’ will be updated this year. The standard contains practical management controls for information security and is linked to ISO 27001 through that standard’s Annex A and its Statement of Applicability.

Every five years, ISO standards are reviewed to decide whether a revision is necessary. The current ISO 27002 standard dates from 2013 and 2018 and is currently under revision. The updated version of the standard is expected to be published in February 2022.

A proposal for a European Cyber Resilience Act is expected to be published in Q3 of 2022. The aim of this proposal is to establish a common standard for cybersecurity products. Minimum cybersecurity requirements will be set for connected devices, given the expected (exponential) growth of the Internet of Things in the coming years.

Non-personal data sharing

On November 30, 2021, the European Commission adopted a proposal for a regulation on data governance (the Data Governance Act). The aim of this Data Governance Act is to improve the availability of data – including public-sector data – while ensuring full control over and security of the data. It sets rules for data marketplaces: intermediary services where companies can voluntarily share their data.

The European Commission is expected to present the Data Act on February 23, 2022. The new data law would establish, among other things:

  • obligations about non-personal data sharing between platforms and consumers and business users,
  • data monetization (the economic value attributed to data), and
  • rules for (privately held) non-personal data access by public bodies for public interest purposes.

Personal data protection

The European Data Protection Supervisor Wojciech Wiewiórowski has proposed a June 2022 review of the effectiveness of enforcement of the European General Data Protection Regulation (GDPR). He mentioned not being sure if they would want to change the GDPR, but it could be “a good time to look at the future and what our forecast should be in the prospect of five years and 10 years.”


Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.