Post-market surveillance is where the EU Medical Device Regulation stops being a documentation exercise and starts being a way of operating. It is also where notified bodies keep finding the same gaps, in the same order, across manufacturers of every size. The regulation raised the bar deliberately — and a surprising number of companies are still clearing the old one.

Under the previous Medical Device Directive, surveillance was largely reactive: collect complaints, investigate adverse events, respond when something went wrong. The MDR (Regulation (EU) 2017/745) rewrote that expectation. Articles 83 through 92 describe a proactive, continuous, systematic process for gathering and acting on real-world data across a device's entire lifecycle. The word that matters is systematic.

PMS is a system, not a document

The regulation's architecture is a connected chain, not a set of independent files. A PMS plan (Article 84 and Annex III) defines what data you will collect and how. That data feeds a PMS report for Class I devices (Article 85) or a Periodic Safety Update Report, the PSUR, for Class IIa, IIb, and III devices (Article 86). Post-market clinical follow-up, PMCF (Annex XIV, Part B), generates the ongoing clinical evidence. Trend reporting (Article 88) and vigilance (Article 87) capture signals that require action. And every one of those outputs must flow back into the risk management file and the clinical evaluation report.

When a notified body opens a technical file, it is not grading each document in isolation. It is checking whether the chain is real — whether the data you collected actually changed your risk conclusions, updated your clinical evaluation, and, where warranted, drove a corrective action. Manufacturers who build the documents but not the loop are the ones who get findings.

Where notified bodies keep finding gaps

The recurring deficiencies are remarkably consistent across the industry:

  • Generic, templated PMS plans. A plan that could describe any device describes none. Notified bodies routinely reject plans that are not specific to the device, its intended purpose, its risk profile, and its actual data sources.
  • PMCF plans without measurable objectives. “We will monitor safety and performance” is not an objective. The regulation expects defined questions, defined methods, and defined, quantitative acceptance thresholds you can measure against.
  • Weak justifications for not conducting PMCF. Declaring PMCF unnecessary is permissible only with a robust, evidence-based rationale. Thin justifications are among the most common triggers for a major finding.
  • PMS treated as complaint-handling. Complaints are one input. A compliant system also mines literature, registries, similar-device data, user feedback, and trend data — proactively, on a defined cadence.
  • A broken feedback loop. Data that never updates the risk file (ISO 14971) or the clinical evaluation is a documentation dead end. The connection has to be demonstrable.
The question behind every PMS finding
  • Does the plan describe this device, or any device?
  • Can you point to the measurable threshold PMCF is testing against?
  • When the data moved, did your risk file and CER move with it?
  • Can you show a proactive source of data beyond complaints?

The PMCF problem

Post-market clinical follow-up is the single element that most often generates major findings in surveillance audits, and the reason is nearly always the same: objectives that cannot be measured. A defensible PMCF plan states the specific clinical questions it exists to answer, the method it will use, the sample and timeframe, and the quantitative thresholds that define success or trigger action. In 2026, notified bodies and competent authorities expect clinical evidence generation to be continuous, risk-based, and statistically justified — not a survey that produces reassurance without rigor.

A PMS plan that could describe any device describes none. Specificity is not a stylistic preference — it is the compliance requirement. The most common notified body finding, restated

EUDAMED is changing the operational picture

The European database on medical devices, EUDAMED, is moving from voluntary to mandatory in stages. Commission Decision (EU) 2025/2371 confirmed that the first modules became functional in late November 2025, with mandatory use from 28 May 2026. Critically, the Vigilance and Post-Market Surveillance module — the channel through which PSURs and vigilance reporting will eventually flow — is on a later track, with full functionality expected around the fourth quarter of 2026 and mandatory use roughly six months after that.

The practical message is not “wait.” It is the opposite. When the PMS module goes live, it will expect structured, submission-ready data. Manufacturers who have built their PMS outputs as clean, structured, queryable data now will simply connect them. Those still generating PMS reports as one-off narrative documents will face a conversion project under deadline pressure.

Getting it right

Building a PMS system that survives audit
  1. Write device-specific plans. Anchor every PMS and PMCF plan in the device's intended purpose, risk profile, and real data sources. Delete anything that could be copied to another product.
  2. Set measurable PMCF thresholds. Define the clinical questions, methods, and quantitative acceptance criteria before data collection starts, aligned to MDCG 2020-7 and 2020-8 templates.
  3. Close the loop explicitly. Make the path from PMS data to the risk file and clinical evaluation traceable and dated. Reviewers want to see the connection, not infer it.
  4. Structure your data for EUDAMED. Generate PSUR and vigilance outputs as structured data now, so the PMS module is a connection, not a migration.
  5. Diversify your inputs. Build proactive data sources — literature surveillance, registries, similar-device data, structured user feedback — into the plan, not just the complaint file.

The manufacturers who treat post-market surveillance as a living evidence engine — one that continuously sharpens the benefit-risk story and feeds the next submission — find that MDR compliance stops being an annual scramble. The ones who treat it as a set of documents to be produced before an audit keep meeting the same findings, because the regulation was written to detect exactly that gap.

Sources & further reading

  1. Regulation (EU) 2017/745 (Medical Device Regulation), Articles 83–92 and Annexes III and XIV. eur-lex.europa.eu
  2. MDCG 2020-7 and 2020-8, PMCF Plan and Report templates; MDCG 2022-21, PSUR guidance. European Commission.
  3. Commission Decision (EU) 2025/2371 on EUDAMED module functionality. Official Journal of the European Union.
  4. ISO 14971:2019, Application of risk management to medical devices.

This article is provided for general informational purposes and reflects the regulatory landscape as of June 2026. It is not legal or regulatory advice. EUDAMED timelines and MDCG guidance continue to evolve; confirm current requirements with your notified body or qualified counsel before acting.