CRA vs MDR: Compliance Guide for Medical-Adjacent Products and Digital Health

Understanding where CRA and MDR/IVDR overlap for medical-adjacent products. Covers wellness devices, health apps, telemedicine equipment, and hybrid products requiring both regulations.

CRA Evidence Team
Author
January 10, 2026
Updated February 25, 2026, 12:00:00 AM UTC

The boundary between consumer wellness products and regulated medical devices isn't always clear. Some connected health products fall under the CRA, some under MDR/IVDR, and some under both. Understanding which regulations apply is critical to avoid both over-compliance and non-compliance.

This guide clarifies the CRA-MDR boundary for manufacturers of health-related connected products.

Summary

  • Medical devices under MDR/IVDR are explicitly exempt from CRA
  • Wellness/lifestyle products (fitness trackers, sleep monitors) fall under CRA only
  • Some products may be borderline: medical device classification determines which rules apply
  • CRA cybersecurity requirements mirror MDR cybersecurity requirements in many ways
  • If MDR applies, focus on MDR; if not, CRA applies fully

The CRA Medical Device Exemption

What the CRA Says

CRA Article 2(2) explicitly exempts products already covered by certain regulations:

"This Regulation shall not apply to products with digital elements that are [...] medical devices as defined in Regulation (EU) 2017/745 [MDR] or Regulation (EU) 2017/746 [IVDR]..."

The exemption is clear: if a product is classified as a medical device or IVD under MDR/IVDR, the CRA does not apply to it.

Why the Exemption Exists

MDR and IVDR already contain cybersecurity requirements:

  • Annex I Section 17.2 (MDR): Software lifecycle and IT security
  • Annex I Section 17.4 (MDR): Network-connected device security
  • MDCG guidance on cybersecurity (MDCG 2019-16)

The EU avoided double regulation by exempting MDR/IVDR products from CRA.

Product Classification: The Key Question

Is It a Medical Device?

The critical question for any health-related product:

Medical device (MDR Article 2(1)):

"any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used [...] for one or more of the following specific medical purposes:

  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease
  • diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability
  • [...] "

Key factors:

  • Intended purpose (what manufacturer claims)
  • Medical claim (diagnosis, treatment, monitoring of disease/condition)
  • Target population (patients vs. general wellness)

Classification Examples

PRODUCT CLASSIFICATION EXAMPLES

MEDICAL DEVICE (MDR applies, CRA exempt):
✓ Continuous glucose monitor (diabetes management)
✓ Smart insulin pump
✓ Cardiac rhythm monitoring app
✓ Digital therapeutic for depression
✓ AI diagnostic software
✓ Connected blood pressure monitor (clinical use)
✓ Pulse oximeter (medical grade)

WELLNESS PRODUCT (CRA applies, MDR does not):
✓ Fitness tracker (step counting, general activity)
✓ Sleep quality monitor (lifestyle, non-diagnostic)
✓ Meditation/relaxation app
✓ General wellness wearable
✓ Smart scale (non-medical claims)
✓ Sports heart rate monitor

BORDERLINE (Classification determines):
? Blood pressure monitor (depends on claims)
? SpO2 measurement device (depends on intended use)
? Stress monitoring device
? Sleep apnea screening (screening vs. diagnosis)
? Period tracking app (wellness vs. fertility treatment)

Understanding the Boundary

Intended Purpose Drives Classification

The same hardware can be either a medical device or a wellness product based on intended purpose:

SAME TECHNOLOGY, DIFFERENT CLASSIFICATION

EXAMPLE: Heart Rate Monitor

AS WELLNESS PRODUCT (CRA):
"Track your fitness goals and monitor heart
rate during workouts"
→ No medical claim
→ General wellness
→ CRA applies

AS MEDICAL DEVICE (MDR):
"Monitor cardiac rhythm and detect arrhythmias
for patients with heart conditions"
→ Medical claim (diagnosis, monitoring)
→ Patient population
→ MDR applies

Be Careful with Claims

Warning: You cannot avoid MDR by simply not making medical claims if the product is obviously medical in nature.

MDCG 2019-11 provides guidance on borderline cases and classification. If your product:

  • Has obvious medical purpose
  • Is marketed alongside medical devices
  • Is purchased by healthcare providers for patient care
  • Has features only relevant for medical use

...it may be classified as a medical device regardless of marketing claims.

Hybrid Situations

Medical Device + Non-Medical Components

Some systems include both medical and non-medical components:

HYBRID SYSTEM EXAMPLE

TELEMEDICINE PLATFORM:
┌─────────────────────────────────────────┐
│ Patient Monitoring Software (MDR)       │
│ - ECG analysis algorithm                │
│ - Diagnostic decision support           │
└─────────────────────────────────────────┘
            │
            ▼
┌─────────────────────────────────────────┐
│ Communication Infrastructure (CRA?)     │
│ - Video conferencing                    │
│ - Data transmission                     │
│ - Patient portal                        │
└─────────────────────────────────────────┘
            │
            ▼
┌─────────────────────────────────────────┐
│ Consumer Wearable (CRA)                 │
│ - Fitness tracking                      │
│ - Wellness metrics                      │
└─────────────────────────────────────────┘

Approach:

  • Clearly separate medical device components
  • Apply appropriate regulation to each
  • Document boundaries and interfaces
  • Consider system-level security

Software as a Medical Device (SaMD)

Software can be a medical device independent of hardware:

SaMD CLASSIFICATION

CLASS I (Low risk):
- Administrative software
- Simple monitoring

CLASS IIa (Medium-low):
- Treatment suggestions
- Monitoring non-vital functions

CLASS IIb (Medium-high):
- Diagnosis support
- Vital function monitoring

CLASS III (High):
- Diagnostic decisions
- Life-critical functions

If software is SaMD: MDR applies, CRA does not
If software is wellness: CRA applies

Requirements Comparison

Cybersecurity Requirements: MDR vs. CRA

Both regulations require cybersecurity, with significant overlap:

Requirement              MDR (Annex I, 17)     CRA
Security by design       ✓ (17.2)
Risk management          ✓ (17.1-17.2)
Secure defaults          ✓ (17.4)
Update capability        ✓ (17.2)
Vulnerability handling   ✓ (MDCG 2019-16)
Access control           ✓ (17.4)
Data protection          ✓ (17.2, 17.4)
SBOM                     Recommended           Required
ENISA reporting          Not required          Required
CE marking               Required              Required
Support period           Expected lifetime     5 years min

Key Differences

MDR CYBERSECURITY vs. CRA

MDR-SPECIFIC:
- Part of broader safety/performance requirements
- Notified Body assessment (Class IIa+)
- Post-market surveillance for safety
- Clinical evaluation requirements
- UDI (Unique Device Identification)

CRA-SPECIFIC:
- Dedicated cybersecurity regulation
- SBOM explicitly required
- ENISA vulnerability reporting
- Harmonized standards track
- Important/Critical classification

OVERLAP:
- Security-by-design
- Vulnerability management
- Update mechanisms
- Risk assessment
- Documentation requirements

Guidance for Product Categories

Fitness Trackers and Wearables

FITNESS WEARABLES

TYPICAL FEATURES:
- Step counting
- Heart rate (exercise zones)
- Sleep tracking (duration, phases)
- Activity classification
- Calorie estimation

CLASSIFICATION: Wellness (CRA applies)

AVOID CROSSING INTO MDR:
- "Detect irregular heartbeat patterns"
- "Monitor symptoms of sleep disorders"
- "Track vital signs for health conditions"
- "Diagnose" anything

Smart Scales

SMART SCALES

WELLNESS (CRA):
- Weight tracking
- BMI calculation
- Body composition estimation
- Goal tracking

MEDICAL (MDR):
- Intended for patient monitoring
- Clinical weight management
- Linked to treatment decisions
- Healthcare provider integration

Blood Pressure Monitors

BLOOD PRESSURE MONITORS

This category is typically medical:

MOST ARE MDR:
- Measuring blood pressure is inherently clinical
- Even consumer BP monitors are usually Class IIa
- Very difficult to claim "wellness only"

EXCEPTION MIGHT BE:
- Pure trend tracking without measurements
- No numerical BP readings
- Clearly wellness-positioned

RECOMMENDATION:
- Assume MDR applies for BP monitors
- Consult Notified Body if uncertain

Sleep Monitoring Devices

SLEEP MONITORING

WELLNESS (CRA):
"Understand your sleep patterns for
better lifestyle choices"
- Sleep duration tracking
- Sleep phase estimation
- Environment monitoring (temp, noise)
- General sleep quality score

MEDICAL (MDR):
"Screen for or monitor sleep apnea"
- SpO2 monitoring during sleep
- Apnea/hypopnea detection
- Sleep disorder screening
- Prescribed sleep monitoring

Health Apps

HEALTH APPS

WELLNESS (CRA):
- Meditation and relaxation
- General fitness tracking
- Nutrition logging
- Mental wellness (non-therapeutic)
- Symptom diaries (informational)

MEDICAL (MDR):
- Digital therapeutics
- Diagnosis support
- Treatment management
- Clinical decision support
- Prescribed apps

Telemedicine Equipment

TELEMEDICINE EQUIPMENT

VIDEO CONFERENCING (Usually CRA):
- General communication
- Non-diagnostic video
- Administrative scheduling

DIAGNOSTIC EQUIPMENT (Usually MDR):
- Remote examination tools
- Diagnostic image capture
- Patient monitoring devices
- Clinical measurement devices

Decision Framework

Step-by-Step Classification

CLASSIFICATION DECISION TREE

START: Does product have digital elements?
│
├─ NO → Neither CRA nor MDR
│
└─ YES → Does manufacturer intend medical purpose?
    │
    ├─ YES → Is it regulated under MDR/IVDR?
    │   │
    │   ├─ YES → MDR/IVDR applies, CRA EXEMPT
    │   │
    │   └─ UNCLEAR → Consult competent authority/NB
    │
    └─ NO → Is there obvious medical use?
        │
        ├─ YES → Risk of reclassification
        │        Consider MDR anyway
        │
        └─ NO → CRA applies
                 Wellness product

When to Get Expert Advice

Seek regulatory expert advice when:

  • Product function is similar to medical devices
  • Uncertain about intended purpose positioning
  • Features could support medical claims
  • Healthcare providers may use the product
  • Borderline between wellness and diagnosis
  • Competitor products are MDR-regulated

Compliance Strategies

For Pure Wellness Products

If your product is clearly wellness/lifestyle:

WELLNESS PRODUCT CRA STRATEGY

1. DOCUMENT INTENDED PURPOSE:
   - Clear wellness positioning
   - No medical claims in marketing
   - User documentation avoids medical terms

2. IMPLEMENT CRA REQUIREMENTS:
   - Security by design
   - SBOM generation
   - Vulnerability handling
   - 5-year support
   - CE marking (under CRA)

3. MAINTAIN BOUNDARIES:
   - Monitor marketing for claim creep
   - Train sales team on limitations
   - User feedback for medical use → address

4. STANDARD ALIGNMENT:
   - EN 303 645 for consumer IoT
   - Relevant CRA harmonized standards

For Medical Devices

If your product is a medical device:

MEDICAL DEVICE STRATEGY (CRA EXEMPT)

1. FOLLOW MDR/IVDR:
   - Classify correctly (Rule 11 for software)
   - Conformity assessment per class
   - Notified Body involvement (if required)
   - MDCG 2019-16 cybersecurity

2. CYBERSECURITY UNDER MDR:
   - Annex I Section 17 requirements
   - IEC 62443 or equivalent
   - MDCG 2019-16 guidance
   - Post-market cybersecurity monitoring

3. DOCUMENT EXEMPTION:
   - Clear MDR classification
   - Evidence of MDR compliance
   - Cybersecurity addressed under MDR

4. NOTE FOR TECHNICAL FILE:
   "This product is classified as a medical
   device under MDR 2017/745 and is therefore
   exempt from CRA per Article 2(2)."

For Borderline Products

If classification is uncertain:

BORDERLINE PRODUCT STRATEGY

1. ASSESS CAREFULLY:
   - Review MDCG 2019-11 guidance
   - Consider intended use precisely
   - Evaluate all features

2. CONSULT IF NEEDED:
   - National competent authority
   - Notified Body (preliminary opinion)
   - Regulatory consultant

3. DOCUMENT RATIONALE:
   - Why product is/isn't medical device
   - Intended purpose statement
   - Risk-based justification

4. PREPARE FOR EITHER:
   - Have MDR pathway ready if reclassified
   - Have CRA compliance ready if wellness
   - Be prepared to adapt

Future Considerations

Convergence of Requirements

MDR and CRA cybersecurity requirements may converge:

  • Common standards development
  • Aligned vulnerability handling
  • Shared terminology
  • Potential guidance on interaction

AI and Machine Learning

AI-based health products add complexity:

  • AI Act may also apply
  • Medical AI typically MDR-regulated
  • Wellness AI typically CRA-regulated
  • Classification challenges for adaptive systems

HEALTH PRODUCT REGULATORY CHECKLIST

CLASSIFICATION:
[ ] Intended purpose documented
[ ] Medical claims reviewed (marketing, docs)
[ ] MDCG 2019-11 considered
[ ] Classification decision documented

IF MEDICAL DEVICE:
[ ] MDR classification determined
[ ] Notified Body selected (if required)
[ ] Cybersecurity per Annex I Section 17
[ ] CRA exemption documented

IF WELLNESS PRODUCT:
[ ] CRA classification determined
[ ] Security-by-design implemented
[ ] SBOM capability
[ ] Vulnerability handling
[ ] 5-year support plan
[ ] CE marking (CRA)

DOCUMENTATION:
[ ] Technical file prepared (appropriate reg)
[ ] Intended purpose statement
[ ] User documentation (no medical claims if wellness)
[ ] Risk assessment

Key Resources

REGULATORY RESOURCES

MDR/IVDR:
Regulation (EU) 2017/745 (MDR)
Regulation (EU) 2017/746 (IVDR)
https://health.ec.europa.eu/medical-devices-sector_en

MDCG Guidance:
MDCG 2019-11 (Borderline classification)
MDCG 2019-16 (Cybersecurity guidance)
MDCG 2021-5 (Software qualification)
https://health.ec.europa.eu/medical-devices-sector/new-regulations/guidance-mdcg-endorsed-documents-and-other-guidance_en

CRA:
Regulation (EU) 2024/2847
https://eur-lex.europa.eu

STANDARDS:
IEC 62443 (Cybersecurity)
IEC 82304-1 (Health software)
ISO 14971 (Medical device risk management)

Important: Medical devices under MDR/IVDR are EXCLUDED from CRA scope. However, companion software, wellness apps, and non-medical features may still fall under CRA.

Tip: If your product sits at the MDR/CRA boundary, document your classification rationale thoroughly. Authorities may challenge borderline decisions.

How CRA Evidence Helps

For wellness products under CRA, CRA Evidence provides:

  • Clear boundary documentation: Document why CRA (not MDR) applies
  • Wellness product templates: Technical file structures for health-adjacent products
  • SBOM management: Required for CRA, beneficial for MDR
  • Vulnerability tracking: Aligned with both regulatory frameworks
  • Multi-product management: Handle portfolio with different regulations

Start your CRA compliance at app.craevidence.com.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, particularly regarding medical device classification, consult with qualified regulatory counsel.
