Healthcare. Deadline: September 2026

CRA Compliance Checklist: Medical Devices

Excluded from CRA if covered by MDR/IVDR — but manufacturers should verify their product's regulatory classification

Medical devices regulated under the EU Medical Device Regulation (MDR) or In Vitro Diagnostic Regulation (IVDR) are generally excluded from the CRA. However, software products used in healthcare that are not classified as medical devices under MDR may fall within CRA scope. Manufacturers should carefully verify their product's regulatory classification.

11 checklist items, 9 high priority.

1. Regulatory Classification Check

Confirm your product is classified as a medical device under MDR 2017/745 or IVDR 2017/746

Priority: high. Reference: Article 2(2)(a)-(b), CRA

The MDR/IVDR exclusion from the CRA only applies to products that actually qualify as medical devices (or in vitro diagnostic devices). General wellness apps and non-medical healthcare software do not qualify and remain in CRA scope.

Verify your Notified Body has issued, or is processing, the certificate for your MDR technical documentation

Priority: high. Reference: Article 2(2)(a)-(b), CRA

The CRA exclusion covers products to which MDR/IVDR apply. A product you currently market as non-medical and merely intend to qualify as a medical device later is not excluded; treat it as in CRA scope until it is within the MDR/IVDR framework.

Identify any connected software components (hospital IT integration, remote monitoring, companion apps) that are not MDR-classified

Priority: high. Reference: Article 2(1), CRA

A medical device may interface with non-medical software that IS in scope for the CRA. Map every digital component of the product and its ecosystem and record which regime applies to each.

Review MDCG 2019-11 guidance on software qualification and classification under MDR/IVDR

Priority: medium. Reference: Article 2(2)(a)-(b), CRA

MDCG 2019-11 is the qualification and classification guidance; it helps determine whether software is a medical device (Software as a Medical Device, SaMD) or general-purpose software that falls to the CRA instead.

2. MDR Cybersecurity Requirements (also satisfy CRA where applicable)

Implement cybersecurity requirements per MDR Annex I Chapter II (Requirements regarding design and manufacture)

Priority: high. Reference: MDR Annex I, Chapter II, §17

MDR Annex I §17 (electronic programmable systems) requires software to be developed according to the state of the art, taking into account the development life cycle, risk management, information security, and verification and validation (§17.2). It also obliges manufacturers to set out minimum requirements for hardware, IT network characteristics and IT security measures, including protection against unauthorised access (§17.4).

Follow MDCG 2019-16 guidance on cybersecurity for medical devices throughout the lifecycle

Priority: high. Reference: MDR Annex I §17

MDCG 2019-16 is the reference cybersecurity guidance for medical devices. Its lifecycle expectations (secure design, vulnerability handling, security updates, post-market monitoring) closely parallel the CRA Annex I essential requirements, so evidence produced for one largely serves the other.

Implement and document a post-market surveillance (PMS) plan covering cybersecurity incidents

Priority: high. Reference: MDR Articles 83 and 84

MDR post-market surveillance (Articles 83 and 84) and vigilance reporting of serious incidents (Article 87) overlap with CRA Article 14 reporting of actively exploited vulnerabilities and severe incidents. Align both processes so a single cybersecurity event triggers both workflows from one intake.

Publish a security.txt (RFC 9116) at /.well-known/security.txt and a vulnerability disclosure contact for your device software

Priority: high. Reference: Article 13(1), CRA / MDR Annex I §17

Even MDR-covered devices benefit from a clear vulnerability disclosure channel. Security researchers increasingly target medical devices, and a findable, current contact shortens the time between discovery and your first response.
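A security.txt is only useful if it is valid and current; a missing or past Expires field and a bare e-mail address (not a URI) are the two most common mistakes. The following validator is an added example for this checklist, not code from the page's author or from CVD Portal. It checks the RFC 9116 MUST rules (Contact present and a URI, exactly one Expires with a time zone, https for web URIs, Preferred-Languages at most once) against two constructed sample files; the hostname device-vendor.example and the fixed check time are assumptions.

```python
"""Validate a security.txt body against RFC 9116 (added example, not CVD Portal code)."""
import re
from datetime import datetime, timedelta, timezone

# Fields whose value must be a URI (RFC 9116 section 2.5).
URI_FIELDS = {"acknowledgments", "canonical", "contact", "encryption", "hiring", "policy"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)

# Fixed "now" so the checks are reproducible (assumption for the example).
CHECK_TIME = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Constructed sample: a conformant file for a hypothetical device vendor.
GOOD = """\
# security.txt for device-vendor.example (constructed sample)
Contact: mailto:product-security@device-vendor.example
Contact: https://device-vendor.example/report-vulnerability
Expires: 2026-12-31T23:59:59Z
Encryption: https://device-vendor.example/pgp-key.txt
Policy: https://device-vendor.example/cvd-policy
Canonical: https://device-vendor.example/.well-known/security.txt
Preferred-Languages: en, de
"""

# Constructed sample with the usual mistakes: bare e-mail, stale and duplicated
# Expires, plain-http Policy link.
BAD = """\
Contact: security@device-vendor.example
Expires: 2025-01-01T00:00:00Z
Policy: http://device-vendor.example/vdp
Expires: 2027-01-01T00:00:00Z
"""


def parse_security_txt(text):
    """Return (field, value) pairs in file order, field names lower-cased.
    Comment lines and lines without a colon (blank lines, the base64 body of a
    PGP signature) are skipped; unknown fields are kept and ignored later."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def validate_security_txt(text, now=None):
    """Apply the RFC 9116 MUST rules; return {"errors": [...], "warnings": [...]}.
    Errors are non-conformances; warnings are RECOMMENDED items not met."""
    now = now or datetime.now(timezone.utc)
    pairs = parse_security_txt(text)
    names = [n for n, _ in pairs]
    errors, warnings = [], []

    if "contact" not in names:
        errors.append("Contact is required (at least one)")
    if names.count("expires") != 1:
        errors.append(f"Expires must appear exactly once (found {names.count('expires')})")
    if names.count("preferred-languages") > 1:
        errors.append("Preferred-Languages must not appear more than once")

    for name, value in pairs:
        if name in URI_FIELDS:
            if not SCHEME_RE.match(value):
                errors.append(f"{name.capitalize()} must be a URI with a scheme: {value!r}")
            elif value.lower().startswith("http://"):
                errors.append(f"{name.capitalize()} web URIs must use https: {value!r}")
        if name == "expires":
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                errors.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
                continue
            if exp.tzinfo is None:
                errors.append("Expires must include a time zone offset")
            elif exp <= now:
                errors.append(f"file expired on {value}; researchers will treat it as stale")
            elif exp - now > timedelta(days=366):
                warnings.append("Expires is more than a year away; RFC 9116 recommends under a year")

    if "-----BEGIN PGP SIGNED MESSAGE-----" not in text:
        warnings.append("file is not PGP clear-signed (recommended)")
    if "canonical" not in names:
        warnings.append("no Canonical field; add one pointing at https://<host>/.well-known/security.txt")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        result = validate_security_txt(body, now=CHECK_TIME)
        print(label, "errors:", result["errors"], "warnings:", result["warnings"])
```

Run this against the live file you serve (fetch https://your-host/.well-known/security.txt and pass the body in) as part of release checks, and put the Expires date in your calendar: a file that has lapsed is treated by researchers as stale, which defeats the purpose of publishing it.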

3. Non-MDR Healthcare Software — CRA Obligations

For non-MDR software, establish a coordinated vulnerability disclosure (CVD) policy per CRA Article 13 and Annex I Part II(5)

Priority: high. Reference: Article 13(1) and Annex I Part II(5), CRA

Hospital information systems, clinical decision support tools, and health IT software not classified as SaMD are likely subject to the CRA and must have a published CVD policy.

Conduct the CRA cybersecurity risk assessment for all healthcare software products not covered by MDR

Priority: high. Reference: Article 13(2), CRA

Non-MDR healthcare software often has access to sensitive patient data. The Article 13(2) risk assessment must account for this when deciding which Annex I essential requirements apply and how they are met.

Review whether hospital-deployed software falls under CRA or whether the hospital is the 'manufacturer'

Priority: medium. Reference: Articles 2 and 3, CRA

Software developed by a hospital's internal team solely for that hospital's own use may not be 'placed on the market' within the meaning of Article 3 and could be outside CRA scope. Consult legal counsel before relying on this.

Track your Medical Devices compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Frequently asked questions

My product is a Class IIa medical device under MDR. Is it exempt from the CRA?

If your product is classified and regulated as a medical device under MDR 2017/745, it is generally excluded from the CRA scope. The CRA lists medical devices regulated under MDR/IVDR as an explicit exclusion. However, you should verify that all digital components of your product are within the MDR's scope — connected companion apps or hospital integration software may not be.

We make health and fitness wearables that are not classified as medical devices. Does the CRA apply?

Yes. Wearable devices that are not classified as medical devices under MDR (e.g. general fitness trackers, step counters) are not excluded from the CRA. They fall within the standard CRA scope as products with digital elements and must comply with all CRA requirements.

How do Article 14 CRA reporting obligations relate to MDR serious incident reporting?

MDR Article 87 requires serious incidents to be reported to the competent authority immediately after the manufacturer establishes a causal relationship, and no later than 15 days (10 days in case of death or unanticipated serious deterioration in health, 2 days for a serious public health threat). CRA Article 14 separately requires actively exploited vulnerabilities and severe incidents to be reported through the single reporting platform to the designated CSIRT and ENISA: an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. These are separate obligations to different authorities with different clocks. Design one intake process that evaluates every cybersecurity event against both sets of criteria and starts both timers from the same awareness timestamp.

Need a CVD policy for Medical Devices?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.
