For Class II / III Device, IVD, SaMD + Combination Product Manufacturers
Medical device companies face the densest US + EU device-quality + cybersecurity regulatory stack of any sector. FDA 21 CFR Part 820 transitions to QMSR in February 2026. EU MDR + IVDR Notified Body audit cycles. ISO 13485:2016 device QMS. ISO 14971 risk management. IEC 62304 software lifecycle. IEC 62366 usability. FDA Cybersecurity Premarket SBOM submission. 21 CFR 803 MDR + 21 CFR 830 UDI. RiskWatch handles all of it as one survey-based assessment platform sized for Regulatory + Quality + V&V teams.
Trusted by Class II / III device, IVD, SaMD, combination-product, and contract manufacturers managing FDA QMSR, EU MDR, IVDR, ISO 13485, ISO 14971, FDA Cybersecurity Premarket Guidance, post-market surveillance, and UDI across design, V&V, manufacturing, and post-market operations.
Why Regulatory + Quality + V&V Teams Pick RiskWatch
RiskWatch runs FDA 21 CFR Part 820 QSR / QMSR, EU MDR, EU IVDR, ISO 13485:2016, ISO 14971:2019, IEC 62304, IEC 62366, FDA Cybersecurity Premarket Guidance, 21 CFR 803 MDR, 21 CFR 830 UDI, and 21 CFR Part 11 as one program on one platform, scored against the same controls library, and tracked through a single Notified Body + FDA inspection-ready evidence trail. Built for device, IVD, SaMD, and combination-product manufacturers where one Regulatory + Quality team covers every regulator, every device family, and every audit cycle, without enterprise GxP-suite overhead.
21 CFR Part 820 (transitioning to QMSR in Feb 2026) + EU MDR Annexes I + II + III + ISO 13485:2016 cross-mapped. Design controls, CAPA, MDR, technical-file evidence, and Notified Body audit responses share the same vault, no parallel binders.
ISO 14971:2019 risk-management file, IEC 62366 usability files, IEC 62304 software lifecycle, and the FDA Cybersecurity Premarket Guidance 2023 (with SBOM submission) are tracked as overlays. Post-market surveillance feedback closes back into the risk-management file automatically.
VP Regulatory + Quality + V&V director + post-market lead share one platform. Pre-built libraries cut prep time. White-glove implementation in 30 days, not 6 months.
The Medical Device Regulatory Landscape
FDA's Quality Management System Regulation (QMSR) becomes effective February 2026, replacing the QSR after 28 years and incorporating ISO 13485:2016 by reference. EU MDR (Regulation 2017/745) has been in force since May 2021 with transition extensions through 2027. EU IVDR (Regulation 2017/746) is in force with staggered transition through 2028. The FDA Cybersecurity Premarket Guidance (2023) now requires SBOM submission for all cyber devices. Each regulator wants its own evidence package.
Three Domains, One Platform
RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single design-control change satisfies 21 CFR 820.30 / QMSR, ISO 13485 §7.3, EU MDR Annex II technical-file requirements, and ISO 14971 risk-management file updates simultaneously.
Survey-based risk assessment across ISO 14971 risk-management file, IEC 62366 usability, IEC 62304 software lifecycle, and FDA Cybersecurity Premarket SBOM, aligned to QMSR + EU MDR + IVDR.
FDA 21 CFR Part 820 QSR / QMSR, EU MDR (2017/745), EU IVDR (2017/746), 21 CFR 803 MDR, 21 CFR 830 UDI, and 21 CFR Part 11 in one cross-mapped library.
ISO 13485:2016 device QMS, ISO 14971:2019 risk management, IEC 62366 usability, IEC 62304 software lifecycle, and ISO 27001 manufacturer infosec across every device family.
The Coverage Gap
Device-QMS platforms cover design controls + CAPA + DHF. CSV / validation tools cover Part 11 + computer-system validation. EU MDR specialty covers technical files + Eudamed. Internal audit covers ERM. Cyber premarket covers SBOM. Each does one job. Regulatory + Quality teams still operate four parallel programs.
| Platform Category | FDA QMSR | EU MDR | IVDR | ISO 13485 | Cyber Premarket | Post-market |
|---|---|---|---|---|---|---|
| Device QMS PlatformsGreenlight Guru, Qualio, MasterControl | Yes | Partial | Partial | Yes | · | Partial |
| CSV / Validation ToolsValGenesis | Partial | · | · | Partial | · | · |
| EU MDR SpecialtyRegDesk, Eudamed-only tools | · | Yes | Partial | · | · | Partial |
| Internal Audit / ERMWorkiva, AuditBoard | Partial | Partial | Partial | Partial | · | · |
| Cybersecurity PremarketMedcrypt | · | · | · | · | Yes | · |
| Spreadsheets & Email | · | · | · | · | · | · |
| RiskWatchThe unified Notified Body + FDA inspection-ready platform | Yes | Yes | Yes | Yes | Yes | Yes |
RiskWatch is the only platform covering all six medical-device compliance domains: FDA QMSR, EU MDR, EU IVDR, ISO 13485, FDA Cybersecurity Premarket Guidance, and post-market surveillance. Device-QMS platforms cover design controls + CAPA. CSV / validation tools cover Part 11. EU MDR specialty covers technical files. Cybersecurity premarket covers SBOM. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.
How It Works
RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture design-control, manufacturing, validation, post-market, and cybersecurity posture in a consistent format, then scored against every framework you align to.
For medical-device manufacturers, that workflow runs continuously across FDA 21 CFR Part 820 QSR (transitioning to QMSR in February 2026), EU MDR Annexes I + II + III, EU IVDR, ISO 13485:2016, ISO 14971:2019, IEC 62304, IEC 62366, FDA Cybersecurity Premarket Guidance, 21 CFR 803 MDR, and 21 CFR 830 UDI. A single design-control update scores against 21 CFR 820.30, QMSR §820.30, ISO 13485 §7.3, and EU MDR Annex II technical-file requirements simultaneously.
The same platform runs all of it, surfaces gaps before Notified Body or FDA arrival, assigns remediation owners, and tracks completion. Replace the four parallel tools and the spreadsheet bridge between them.
Built For Your Role
Owns enterprise-wide RA + QA program, FDA + EU + Health Canada submissions, Notified Body relationships, and board-level quality posture.
QMSR + EU MDR + IVDR scoring continuous. ISO 13485 audit-ready. Board metrics + post-market signals surface from the same vault.Owns design-control program (21 CFR 820.30 / QMSR §820.30 / ISO 13485 §7.3), DHF, and design-history-file integrity across product lines.
Design controls scored continuously. DHF backlog visible. Design-input + design-output traceability tracked through every change.Owns process validation (IQ/OQ/PQ), software validation (IEC 62304), CSV (21 CFR Part 11), and verification + validation across device + production-equipment scope.
V&V evidence captured. CSV protocols + Part 11 audit trails ready. Validation-state visibility across every system + device.Owns 510(k) / PMA / De Novo / IDE submissions, FDA correspondence, establishment registration, and listing, including the QMSR transition.
Submission-ready packages on demand. QMSR transition checklist tracked. FDA-483 + Warning-Letter response evidence at fingertips.Owns FDA Cybersecurity Premarket Guidance compliance, SBOM submission, MDCG 2019-16 (EU), threat modeling, and post-market cyber.
FDA cyber premarket evidence captured. SBOM tracked across components. Post-market cyber feedback closes into the risk file.Owns 21 CFR 803 MDR reporting, EU MDR Article 83-86 PMS + PSUR, complaint handling, vigilance, and post-market surveillance.
MDR + PSUR cycle continuous. Complaint-to-CAPA lineage tracked. Post-market signals close the loop on the ISO 14971 risk file.Built For Your Segment
510(k) pathway moderate-risk devices under FDA 21 CFR Part 820 / QMSR + EU MDR Class IIa / IIb classification + ISO 13485 + ISO 14971 risk management.
PMA-pathway high-risk implantable + life-sustaining devices under FDA 21 CFR Part 820 / QMSR + EU MDR Class III + Notified Body audits + extended PMS.
In-vitro diagnostic device manufacturers under EU IVDR (Regulation 2017/746) + FDA CDRH IVD pathways + ISO 13485 + ISO 15189 lab-quality cross-mapping.
FDA-regulated software (mobile, cloud, AI/ML) under FDA SaMD pathway + EU MDR Rule 11 + IEC 62304 software lifecycle + cybersecurity premarket guidance.
Drug-device + biologic-device combination products under FDA 21 CFR Part 4 + 21 CFR Part 820 (device cGMPs) + 21 CFR Part 211 (drug cGMPs) cross-coordination.
Contract design + manufacturing organizations under FDA establishment registration + ISO 13485 + client-imposed quality agreements + supplier-controls cascades.
Frameworks We Cover
RiskWatch ships with pre-built libraries for every major US + EU medical-device regulation + ISO + IEC standard. Map controls once. Score against the framework that matters this audit cycle.
Trusted by 1,500+ risk and compliance teams
We had four program owners running QMSR transition, EU MDR technical files, ISO 14971 risk, and FDA cybersecurity premarket on four different tools. Now it's one platform. QSR-to-QMSR readiness, EU MDR Annex II technical files, Notified Body audit response, ISO 14971 risk-management file, and SBOM submissions all run from the same evidence vault. Our last Notified Body audit produced two minor non-conformities instead of nine.
Resources
Class II · Class III · IVD · SaMD · Combination
30-minute walkthrough of the medical-device library, your device-family + regulator inputs, and the single evidence-trail output. No slideware, no consulting upsell.
Or call US: +1 941-500-4525
