← CRA Compliance Checklists
HealthcareDeadline: September 2026

CRA Compliance Checklist: Dental Equipment & Devices

Excluded from CRA if classified as medical devices under MDR 2017/745 — but dental practice management software and non-MDR digital equipment are fully in CRA scope

Dental equipment falls into two CRA categories. Dental devices classified as medical devices under MDR (imaging systems, diagnostic sensors, implant-planning software as SaMD) are excluded from CRA if properly MDR-compliant. However, dental practice management software, appointment systems, patient record platforms, and non-MDR dental IT are fully in CRA scope. Manufacturers must carefully verify their product's regulatory classification.

14
checklist items
14
high priority
September 2026
deadline
Healthcare
sector
Track progress free →
CRA Classification:Excluded from CRA if classified as medical devices under MDR 2017/745 — but dental practice management software and non-MDR digital equipment are fully in CRA scope

1. Scope & Classification

Confirm whether each product is classified as a medical device under MDR 2017/745 — only MDR-compliant products benefit from the CRA exclusion

highArticle 3(2)(a), CRA

Dental imaging sensors, intraoral cameras with diagnostic software, and implant planning software may qualify as MDR medical devices or IVDs. Verify classification with a Notified Body.

Confirm that MDR exclusion only applies to products actively under MDR compliance — intention is insufficient

highArticle 3(2)(a), CRA

A dental device not yet MDR-certified does not benefit from the CRA MDR exclusion. Ensure your MDR compliance is active before claiming the exclusion.

Apply full CRA to all dental practice management software, patient scheduling, and billing systems — these are not MDR devices

highArticle 3(1), CRA

Dental practice IT — EHR, scheduling, billing, imaging viewers without diagnostic AI — is not MDR-classified and is fully in CRA scope.

Compile SBOM for non-MDR dental software products covering all application libraries, database components, and third-party integrations

highArticle 10(6)

Dental practice software often integrates with imaging systems, insurance claim systems, and patient communication platforms. Track all components.

2. Product Security (Annex I Part I)

Implement role-based access control for dental staff — separate dentist, nurse, receptionist, and administrator roles

highAnnex I, Part I(2)

Patient dental records are sensitive health data. Enforce RBAC with minimum-privilege and MFA for all access to patient data.

Encrypt all patient dental records, imaging data, and treatment histories at rest and in transit

highAnnex I, Part I(3)

Dental imaging files (DICOM) can be large but must still be encrypted. Use AES-256 for storage and TLS 1.3 for all network communications.

Provide a secure, authenticated remote support channel for software maintenance — avoid generic remote desktop credentials

highAnnex I, Part I(2)

Dental practices often rely on vendor remote support. This access must be authenticated, time-limited, and audit-logged. Generic shared credentials are prohibited.

Implement automatic security update delivery for dental practice software with minimal disruption to practice operations

highAnnex I, Part I(9)

Dental practices have limited IT staff. Security updates must be straightforward to apply, ideally automated outside clinical hours, with clear patient data backup procedures.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy and security contact for non-MDR dental software products

highArticle 13(1)

Dental practice software is increasingly targeted due to patient data value. A CVD policy enables responsible disclosure and faster remediation.

Define security support lifecycle for dental software — minimum 5 years from last version release

highAnnex I, Part II(5)

Dental practices invest in software over many years. Publish per-product security support end dates. Provide migration paths when products reach end of security support.

4. Article 14 Incident Reporting

Define Article 14 triggers for dental system incidents — focus on patient data exfiltration and system availability disruption

highArticle 14(1)

Ransomware against dental practices targeting patient records is an active threat. Define what exploitation events trigger Article 14 reporting.

Coordinate Article 14 reporting with GDPR breach notification — dental patient data breaches trigger both

highArticle 14(2), CRA / GDPR Article 33

Dental patient data is health data (GDPR special category). A breach triggers both CRA Article 14 and GDPR Article 33. Prepare coordinated response templates.

5. CE Marking & Technical Documentation

For MDR-excluded dental devices, maintain MDR technical documentation as the primary compliance evidence

highArticle 3(2)(a), CRA / MDR Article 10

For MDR-classified dental devices, your MDR technical file and Notified Body certificate are the basis for CRA exclusion. Keep these current.

For non-MDR dental software, prepare CRA technical file and issue EU Declaration of Conformity

highArticle 23, Annex V / Article 20

Dental practice management software requires a full CRA DoC and technical file. Ensure all non-MDR products have completed CRA compliance before September 2026.

Track your Dental Equipment & Devices compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our dental imaging software produces clinical reports — is it SaMD under MDR?+

Software that produces diagnostic outputs for clinical decision-making may qualify as SaMD under MDR. However, imaging viewers that only display images without diagnostic AI functions are generally not SaMD. Use the MDCG 2019-16 qualification framework and, if uncertain, obtain a formal opinion from a Notified Body. Correct classification determines whether you benefit from the CRA MDR exclusion.

We supply dental software to a distributor who rebrands it — does the CRA apply to us or the distributor?+

If you manufacture the underlying software and a distributor rebrands it, the distributor who places it on the market under their name becomes the 'manufacturer' for CRA purposes and takes on full obligations. However, you as the original developer must provide the distributor with the technical documentation, SBOM, and CVD process they need to fulfil their obligations. Contractual arrangements should clearly assign CRA responsibilities.

Do dental X-ray machines need CRA compliance?+

Dental X-ray machines are medical devices under MDR and, if properly MDR-compliant, are excluded from CRA scope. However, the X-ray machine's network-connected management software, patient scheduling integration, or remote service access system may not be MDR-classified and could be in CRA scope. Map all digital components carefully.

Related compliance checklists

Medical Devices

Healthcare

Hospital IT & Clinical Information Systems

Healthcare

Health Monitoring Wearables

Healthcare

Assistive Technologies & AAC Devices

Healthcare

Need a CVD policy for Dental Equipment & Devices?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →