This article represents the final part of the series of blog posts entitled “What’s changing in 2023”, in which the experts from the Produktkanzlei team summarize the relevant topics from their respective areas of expertise in an overview format. Here, we highlight the measures taking effect in 2023 to minimize the increasing threat of supply shortages of medical devices under Regulation (EU) 2017/745 (“MDR”): An extension of the transition periods for the MDR (see A.) and the now officially propagated path of toleration of medical devices with expired old certificates according to Art. 97 MDR (see B.) are intended to remedy the situation. We also take a look at the planned European Health Data Space, for which a proposal for a regulation is available, in interaction with other European legal acts (see C.).
A. MDD certificates will be extended – New transitional provisions for legacy devices
The MDR has been in effect since 26.05.2021. While pure class I products must be MDR-compliant since that date, for all medical devices requiring a new certificate according to MDR requirements, the insufficient capacities of available notified bodies are increasingly becoming a real (albeit long foreseeable) problem. Last October, for example, only 1,990 of the more than 8,000 applications submitted by medical device manufacturers for MDR certificates could be processed. This is exacerbated by the increased effort involved in the certification of medical devices associated with the implementation of the MDR, with the result that corresponding supply bottlenecks, particularly for niche and existing products, have already been apparent for years.
Under the current version of Art. 120 para. 3 MDR, “legacy” certificates in accordance with Directives 90/385/EEC and 93/42/EEC expire no later than 27.05.2024. The so-called legacy devices affected, which still meet the requirements of the previous directive law, could no longer be placed on the market by then. A significant number of the old directive certificates expire even earlier. According to evaluations by the European Commission, more than 21,000 valid directive certificates are expected to expire between January 2023 and May 2024. To remedy this situation, the European Commission presented a proposal for a further extension of the transitional periods of the MDR on 06.01.2023. The most important changes at a glance:
Certificates issued by notified bodies in accordance with Directives 90/385/EEC and 93/42/EEC as from 25.05.2017 that were valid on 26.05.2021 and that have not been withdrawn afterwards shall remain valid after the end of the period indicated on the certificate until the dates indicated in the proposal. The end date is determined according to the risk-based approach underlying the MDR, depending on the product class.
- The validity of certificates for class III devices and for class IIb implantable devices, except sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips and connectors is extended for three years and scheduled to expire 31.12.2027.
- For the remaining class IIb devices, class IIa devices, and class Im (with measuring function) and Is (sterile) devices, a transition period will apply until 31.12.2028.
- The transition period, which has been extended to 31.12.2028, is also intended to benefit all products classified higher under the MDR that will require the involvement of a notified body for the first time; in practice, this applies in particular to reusable surgical instruments and regularly software as medical device.
- The proposal provides a special regulation for class III custom-made implantable devices. These can also be placed on the market or put into service without a certificate until 26.05.2026, provided that the manufacturer, or the authorised representative of the manufacturer, has lodged a formal application for the applicable conformity assessment no later than 26.05.2024 and the manufacturer signs no later than 26.09.2024 a written agreement with the notified body in accordance with Sec. 4.3, second subpara. of Annex VII.
- In addition, the so-called sell-off date, which is relevant for distributors by name, is omitted without replacement. The proposal provides that the time limit for medical devices that have been placed on the market in accordance with Art. 120 para. 4 MDR on the basis of a directive certificate and can continue to be made available on the market or put into service until 26.05.2025, will be completely abolished. Thus, the “sell-off” is no longer to be limited in time.
The adoption of the proposal by the European Parliament is expected to take place promptly. This is supported not only by the time pressure to prevent bottlenecks within the EU, but also by the fact that the European Commission has granted a very short deadline, namely from 11.01.2023 to 18.01.2023 for commenting on the proposal, which was initially scheduled until mid-March.
B. Application of Art. 97 MDR to „Legacy Devices“
Closely related to the new transition periods is the issue of toleration of legacy devices, which can be handled by applying Art. 97 MDR. MDCG published new guidance in December 2022 on the application of Art. 97 MDR to legacy devices for which a MDD/AIMDD certificate expires before a MDR certificate can be issued. It is important to note that the temporary toleration of products with expired certificates is not an automatism. In the context of market surveillance, the competent authority must make a case-by-case decision as to whether the expired certificate can be tolerated as „other non-compliance“ until a MDR certificate is obtained. As an aside, the case-by-case examination necessary for this will raise another capacity issue in practice, namely that of the processing capacities of the competent surveillance authorities.
The advantage of a toleration (compared to the special authorization according to Art. 59 MDR, which is only possible in very exceptional cases) is that the CE marking is formally retained and may continue to be affixed to the product. Thus, Free Sales Certificates may continue to be issued.
The central requirement of Art. 97 MDR is that the product does not present an unacceptable risk to health or safety of patients, users or other persons, or to other aspects of the protection of public health. This assessment is to be made by the competent authorities on a case-by-case basis, for example on the basis of data gathered by the manufacturer through its post-market surveillance system. Furthermore, the expiration of the product certificate and thus the “other non-compliance” of the legacy device must be due to the limited capacity of the notified bodies. However, toleration is not intended to obviate the need for certification under the MDR and, therefore, the competent authorities shall require the relevant economic operator to bring the non-compliance concerned to an end within a reasonable period that is clearly defined and communicated to the economic operator and that is proportionate to the non-compliance. It will play a role when the notified body is expected to issue an MDR certificate. It is still possible for the authority to extend the initial deadline under Art. 97 MDR in justified cases, if necessary.
If toleration is granted to the manufacturer, it should be noted that, under the provisions of Art. 120 para. 3 MDR, no significant changes may be made to the design or intended purpose of the legacy device until the non-compliance is resolved. Therefore, the solution via Art. 97 MDR may not always be feasible, especially for products that need to be continuously developed and optimized in the field.
The guideline as well as its practical implementation in each individual case is likely to lead to a large number of practical questions and risks for manufacturers this year. The market surveillance provision in Art. 97 MDR is not designed to cope with mass expirations of certificates. It is to be hoped that competent authorities – nationwide and EU-wide – will find an implementation line, which is as uniform as possible on the basis of the MDCG guidance and which will be applied with a sense of proportion.
C. Establishing the European Health Data Space in interaction with other EU legal acts
This year, the European Commission’s project to create an European Health Data Space (EHDS) is likely to take further shape. The use of health data remains a challenge, particularly for providers of digital health services and products, due to the limited options under the General Data Protection Regulation (“GDPR”). Research institutions and manufacturers also have limited access to health data for research purposes and innovation in the health sector.
Against this background, the European Commission announced 2020 in its European Data Strategy, among other things, the establishing of an European Health Data Space, which is to be of essential importance for progress in the prevention, detection and cure of diseases. On this basis, the Commission published a proposal for a Regulation on the European Health Data Space (EHDS-Regulation) last year. According to its Art. 1 para. 1, the regulation is intended to establish the European Health Data Space by providing for rules, common standards and practices, infrastructures and a governance framework for the primary and secondary use of electronic health data.
I. EHR systems as a new product category
The regulation applies, amongst others, to manufacturers and suppliers of EHR systems (electronic health record system) and wellness applications placed on the market and put into service in the Union and the users of such products (Art. 1 para. 3 EHDS-Regulation). ‘EHR system’ means any appliance or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records (Art. 2 para. 2 lit. n EHDS-Regulation). With the introduction of EHR systems as a new product category, the legislator has also imposed obligations on the manufacturers and suppliers of these systems (Art. 17 et seq. EHDS), which must be complied with before placing them on the market or putting them into service.
However, these obligations are not to be considered in isolation, but rather in interaction with the MDR and in the future also with the Artificial Intelligence Act (AIA) (cf. our blog post What’s changing in 2023 – product-related IT and AI Regulation and product liability). For example, Art. 14 EHDS-Regulation provides that manufacturers of medical devices and providers of high-risk AI systems under the AIA, who each claim interoperability with EHR systems, must meet the essential requirements according to Annex II EDHS-Regulation in the context of conformity assessment and CE marking according to MDR or the AIA. On the other hand, Art. 14 of the EDHS-Regulation does not mention Regulation (EU) 2017/746 on in vitro diagnostic medical devices, which may indicate an editorial error on the part of the EU legislature.
In any case, it remains to be seen how this interaction with the above-mentioned legal acts will be structured in detail.
II. Primary and secondary use of electronic health data
A central goal of the EHDS-Regulation is to strengthen the linking of national health systems through the secure and efficient exchange of health data for primary and secondary use. When processing electronic health data, the EHDS-Regulation distinguishes between processing for the purpose of healthcare (primary use) and further processing for other purposes (secondary use). These can be, in particular, regulatory activities, research, innovation and development of health products, training of AI algorithms or policy-making.
Although the European Commission emphasizes in its proposal that the data protection framework should not be weakened, the planned processing possibilities could open up countless research and development opportunities in the medical device sector. For example, so-called data holders must grant access to certain minimum categories of electronic data for secondary use (Art. 34 para. 1 lit. a-o EHDS-Regulation). If a so-called data user requests access to electronic health data, he receives it via a secure processing environment provided by a national access point (Art. 50 para. 1 EHDS-Regulation). Upon request, the latter checks beforehand whether a particular secondary use fulfils a legitimate purpose.
However, in view of recital 41 of the EHDS-Regulation, according to which access to the data should be granted to non-profit entities and serve the general interest of society, it remains unclear whether the secondary use of electronic health data is intended to cover commercial research and development projects, in particular of conformity assessment medical devices, as a legitimate purpose. The EHDS-Regulation is expressly intended to serve the uniform implementation of the GDPR. However, secondary use under the research privilege of the GDPR does not apply for commercial purposes, which is why the benefit of a European data space for these constellations could be doubted.
The legislative process for a European Health Data Space is still ongoing. What is certain, however, is that the regulation is to enter into force one year after its adoption. It provides for several transitional periods for the application of various elements of the proposal, in particular to the priority use of health data.
As outlined, the proposal still contains many inconsistencies that need to be clarified in the further legislative process. Both the details of the practical implementation of the regulation and the planned interaction with other European legal acts, in particular the GDPR, the MDR and the AIA, will continue to occupy the health sector well beyond 2023.
Do you have any questions about this news, or would you like to discuss it with the author? Please contact: Dr. Boris Handorn