On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) replaced the legacy Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference, aligning the U.S. regulatory framework for medical devices with the international standard used in over 55 countries. For QA/RA teams and IT/validation groups at medical device companies, this transition changes how e-signatures interact with your quality management system, but it doesn't eliminate the need for compliant electronic signatures. Meanwhile, the EU Medical Device Regulation (EU MDR 2017/745) imposes its own documentation and quality system requirements that demand strong electronic record management. This guide covers what changed, what stayed the same, and exactly where e-signatures fit across all three frameworks.
Key Takeaways
- The QMSR replaced the old Part 820 QSR effective February 2, 2026, incorporating ISO 13485:2016 by reference into U.S. federal regulation.
- 21 CFR Part 11 remains a separate, independent regulation. The QMSR doesn't replace or absorb Part 11's electronic signature and electronic records requirements.
- ISO 13485 doesn't contain explicit signature requirements, but FDA expects that where the standard says “approved,” a signature and date are implied.
- EU MDR requires a quality management system (Article 10(9)) with thorough technical documentation (Annex II/III) that benefits from validated e-signature workflows.
- Medical device companies selling in both the U.S. and EU now have a more aligned, but still dual-track, compliance obligation.
What Changed: QMSR Replaces Part 820 QSR
The old Quality System Regulation (QSR) under 21 CFR Part 820 was published in 1996 and hadn't been substantially updated in nearly three decades. It contained FDA-specific requirements for design controls, production controls, document controls, CAPA, and other quality system elements that overlapped with, but didn't mirror, ISO 13485.
The QMSR final rule was published in the Federal Register on February 2, 2024, with a compliance date two years later, on February 2, 2026, and it fundamentally restructured Part 820. Instead of maintaining parallel FDA-specific language, the QMSR incorporates ISO 13485:2016 by reference. This means that the text of ISO 13485 now carries the force of federal law for medical device manufacturers marketing products in the United States.
That said, the QMSR isn't a wholesale adoption of ISO 13485 without modification. The FDA retained several additional requirements in the new Part 820 that go beyond what ISO 13485 covers:
- Section 820.10 — Identifies “applicable FDA requirements” that manufacturers must meet alongside ISO 13485, including UDI requirements, medical device reporting (MDR), corrections and removals, and device tracking.
- Section 820.35 — Adds record control requirements beyond ISO 13485 Clause 4.2.5, including documentation for complaint activities, UDI compliance, and confidentiality of records submitted to or received from FDA.
- Section 820.45 — Retains FDA-specific labeling and packaging controls not covered by ISO 13485.
For e-signature practitioners, here's the key change: the old QSR contained explicit signature requirements in several subsections (e.g., design review approvals, CAPA approvals, production record sign-offs). The QMSR, by adopting ISO 13485, doesn't carry forward those explicit signature mandates. ISO 13485 uses the term “approved” rather than “signed”, and the FDA has stated in the final rule preamble that where ISO 13485 requires approval, the Agency expects a signature and date to be present as the mechanism demonstrating that approval.
Part 11 Still Applies — Separately
One of the most common points of confusion in the QMSR transition is the relationship between Part 820 and 21 CFR Part 11. Here's the essential distinction: Part 11 is a standalone regulation. It was published in 1997 as a separate part of Title 21, and it applies independently to any organization that uses electronic records or electronic signatures to satisfy FDA predicate rules, including the QMSR.
The QMSR doesn't incorporate, replace, or modify Part 11. If your medical device QMS uses electronic records (and virtually all modern QMS platforms do), then Part 11's requirements for audit trails, access controls, system validation, and electronic signatures continue to apply in full. The fact that ISO 13485 doesn't contain signature requirements is irrelevant to Part 11 compliance. Part 11 is triggered by the use of electronic records and signatures, not by the predicate rule's specific language about signatures.
Don't assume the QMSR eliminates e-signature obligations. While the QMSR itself doesn't contain explicit signature mandates, Part 11 applies independently whenever electronic records or electronic signatures are used to meet any FDA requirement. Medical device companies using an eQMS must comply with both the QMSR and Part 11 simultaneously. FDA inspectors will evaluate Part 11 controls during routine QMS inspections.
Key E-Signature Touch Points in a Medical Device QMS
Regardless of whether you frame your compliance obligations under the old QSR, the new QMSR, or ISO 13485, medical device quality systems require documented approvals at dozens of points. Each of these approvals is an e-signature touch point when managed electronically:
Design Controls
Design inputs, design outputs, design reviews, design verification, design validation, and design transfer all require documented approvals. Under ISO 13485 Clause 7.3, each design phase must be “approved” before proceeding, and the Design History File (DHF) must contain records of every approval decision. In an electronic system, each approval is an e-signature event subject to Part 11.
CAPA (Corrective and Preventive Action)
CAPA records under ISO 13485 Clauses 8.5.2 and 8.5.3 require documented investigation results, root cause analysis, corrective action plans, and effectiveness checks, each of which needs an approval signature. CAPA closures are among the most audit-scrutinized records in any QMS.
Production Records and Device History Records (DHR)
Device History Records document the manufacturing of each production unit or batch. ISO 13485 Clause 7.5 requires that production processes be controlled and documented. Operator sign-offs, in-process inspection approvals, and release decisions are all e-signature events in an electronic DHR system.
Complaint Handling
ISO 13485 Clause 8.2.2 mandates documented procedures for handling customer complaints, including investigation, evaluation, and determination of whether the complaint constitutes a reportable event. QMSR Section 820.35 adds record requirements for complaint data linked to FDA medical device reporting (MDR) obligations.
Management Review
ISO 13485 Clause 5.6 requires top management to review the QMS at planned intervals. The outputs of management review, including decisions and action items, must be documented and approved. These approval records carry significant weight during regulatory inspections.
Document Control
ISO 13485 Clause 4.2.4 requires approval of documents prior to issue and after revision. Every SOP, work instruction, form template, and specification in your QMS needs documented approval, making document control one of the highest-volume e-signature workflows in a device company.
EU MDR E-Signature Requirements
The European Medical Device Regulation (EU) 2017/745, commonly known as the EU MDR, has been fully applicable since May 26, 2021, replacing the Medical Devices Directive (MDD 93/42/EEC). While the EU MDR doesn't reference electronic signatures with the same specificity as FDA Part 11, its documentation requirements effectively make strong e-signature capabilities necessary for any manufacturer using electronic quality and regulatory systems.
Technical Documentation (Annex II)
EU MDR Annex II requires manufacturers to compile and maintain thorough technical documentation that enables conformity assessment. This documentation must be “presented in a clear, organised, readily searchable and unambiguous manner” and includes device descriptions, design and manufacturing information, benefit-risk analysis, product verification and validation, and general safety and performance requirements. Each section requires documented approvals that, in an electronic environment, become e-signature events.
Post-Market Surveillance Documentation (Annex III)
Annex III covers post-market surveillance technical documentation. Article 10(10) requires manufacturers to implement and maintain a post-market surveillance system as an integral part of their QMS. PMS plans, periodic safety update reports (PSURs), post-market clinical follow-up (PMCF) reports, and field safety corrective actions all require documented approvals.
Clinical Evaluation (Article 61)
Clinical evaluation reports must be updated throughout the device lifecycle and form part of the technical documentation. The evaluation, its methodology, and its conclusions require approval by qualified personnel, another e-signature touch point.
Quality Management System (Article 10(9))
Article 10(9) requires manufacturers to establish, document, implement, maintain, and continually improve a quality management system. While the EU MDR doesn't mandate ISO 13485 certification, ISO 13485 is the harmonized standard recognized by Notified Bodies for demonstrating compliance. Organizations using ISO 13485 for both FDA QMSR and EU MDR purposes can use a single QMS, and a single e-signature platform, for dual-market compliance.
Comparison: Old Part 820 QSR vs QMSR vs EU MDR
This table compares e-signature-relevant requirements across the three frameworks:
| Requirement Area | Old Part 820 QSR | QMSR (ISO 13485 + FDA) | EU MDR 2017/745 |
|---|---|---|---|
| Effective Date | October 7, 1996 | February 2, 2026 | May 26, 2021 |
| QMS Standard | FDA-specific (Part 820) | ISO 13485:2016 + FDA add-ons | ISO 13485 (harmonized, not mandated) |
| Explicit Signature Requirements | Yes (multiple subsections) | No (uses “approved”; FDA expects signature + date) | No (approvals implied in documentation requirements) |
| E-Signature Regulation | 21 CFR Part 11 (separate) | 21 CFR Part 11 (separate, still applies) | eIDAS Regulation (EU) 910/2014 |
| Audit Trail Requirement | Part 11 Section 11.10(e) | Part 11 Section 11.10(e) | Implied by traceability and QMS obligations |
| Design Control Approvals | 820.30 (explicit) | ISO 13485 Clause 7.3 | Annex II, Section 4 |
| CAPA Approvals | 820.90 (explicit) | ISO 13485 Clause 8.5.2/8.5.3 | Article 10(9)(a); ISO 13485 if used |
| Document Control | 820.40 | ISO 13485 Clause 4.2.4 + Section 820.35 | Annex II/III documentation requirements |
| Record Retention | Duration of device commercial life + 2 years | ISO 13485 Clause 4.2.5 + FDA requirements | Minimum 10 years (15 years for implantables) |
| Inspection Authority | FDA | FDA (ISO certification does not exempt) | Notified Bodies + Competent Authorities |
ISO 13485 Alignment: What the QMSR Inherits
By incorporating ISO 13485:2016, the QMSR inherits a process-based quality management framework that's already familiar to device companies selling internationally. For e-signature compliance, the most relevant ISO 13485 clauses are:
- Clause 4.2.4 (Control of Documents) — Requires approval of documents prior to issue, review and re-approval after changes, and identification of current revision status. In an eQMS, every document approval is an e-signature event.
- Clause 4.2.5 (Control of Records) — Requires records to remain legible, readily identifiable, and retrievable. The QMSR's Section 820.35 adds FDA-specific record-keeping requirements on top of this clause.
- Clause 7.3 (Design and Development) — Requires documented outputs, reviews, verification, and validation at each design phase, with records of approvals.
- Clause 7.5.1 (Control of Production and Service Provision) — Requires documented procedures, work instructions, and acceptance criteria with associated approvals.
- Clause 8.2.2 (Complaint Handling) — Requires documented investigation and evaluation of complaints with approval of conclusions and any resulting actions.
- Clause 8.5.2/8.5.3 (Corrective/Preventive Action) — Requires documented root cause investigation, action plans, and verification of effectiveness.
A key benefit of the QMSR's ISO 13485 alignment is that companies already certified to ISO 13485 for EU or other international markets now have a single quality system framework for both U.S. and global compliance. The e-signature platform you use to manage document approvals, design reviews, and CAPA closures can serve both markets, provided it meets 21 CFR Part 11 requirements for the U.S. and eIDAS requirements for the EU.
Validation Requirements for Device Companies
Whether operating under the QMSR, EU MDR, or both, medical device companies must validate the computerized systems they use to manage quality records. This includes your eQMS, e-signature platform, document management system, ERP, and any integrated laboratory or manufacturing execution systems.
FDA Expectations Under the QMSR
ISO 13485 Clause 4.1.6 requires validation of computer software used in the quality management system. The FDA's 2025 Computer Software Assurance (CSA) guidance further clarifies that validation should follow a risk-based approach, focusing testing effort on the highest-risk functions. For e-signature systems, those high-risk functions include signature authentication, audit trail integrity, access controls, and record immutability.
Part 11 Section 11.10(a) independently requires that systems used to maintain electronic records be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. This means e-signature system validation is required by both the QMSR (through ISO 13485) and Part 11, a dual obligation that reinforces the need for thorough qualification.
EU MDR Expectations
The EU MDR doesn't contain a direct equivalent to Part 11, but Notified Bodies expect that electronic systems used to generate technical documentation and quality records are validated and controlled. Where manufacturers use ISO 13485 as their QMS framework (which most do), the validation requirements of Clause 4.1.6 apply. The EU GMP Annex 11 standard for computerized systems, while technically scoped to pharmaceutical manufacturing, is often referenced as a benchmark for device company system validation in Europe.
Certivo and medical device compliance: Certivo provides FDA 21 CFR Part 11 compliant e-signatures with two-factor authentication, immutable SHA-256 hash-chained audit trails, and role-based access controls built specifically for GxP-regulated environments. Device companies can use a single platform for design control approvals, CAPA closures, document control, and management review sign-offs across both U.S. and EU markets.
Practical Validation Approach
For medical device companies transitioning to QMSR compliance, here's what your e-signature system validation strategy should cover:
- Risk assessment — Classify the system per GAMP 5 categories and identify GxP-critical functions (signature capture, audit trail, access control, record integrity).
- Installation Qualification (IQ) — Verify that the platform is deployed per vendor specifications, including infrastructure, integrations, and configuration settings.
- Operational Qualification (OQ) — Test that all Part 11 controls function as specified: two-factor authentication, signature meaning capture, audit trail completeness, role-based access, and record immutability.
- Performance Qualification (PQ) — Execute end-to-end workflows using production-representative data to confirm the system performs reliably under real-world conditions.
- Ongoing periodic review — Requalify after system updates, configuration changes, or regulatory changes. The QMSR transition itself may warrant a re-evaluation of your current validation documentation.
For a step-by-step walkthrough, see our guide on choosing an e-signature platform for life sciences.
What This Means for Dual-Market Manufacturers
Medical device companies that sell in both the United States and the European Union now have a more aligned regulatory environment than at any point in the past three decades. The QMSR's adoption of ISO 13485 means that a single quality management system can, in principle, serve both markets. But important differences remain:
- E-signature regulation: U.S. operations are governed by 21 CFR Part 11. EU operations fall under the eIDAS Regulation (EU) 910/2014. A compliant e-signature platform must satisfy both frameworks.
- Record retention: The QMSR (through ISO 13485) requires retention for the lifetime of the device plus applicable regulatory periods. EU MDR requires a minimum of 10 years (15 years for implantable devices). Your e-signature platform must support these retention obligations with tamper-evident, long-term accessible records.
- Audit trail expectations: Part 11 mandates specific audit trail capabilities (Section 11.10(e)). EU MDR expects traceability as part of QMS obligations but doesn't prescribe audit trail technical specifications to the same degree. Best practice is to implement Part 11-grade audit trails globally.
- Notified Body vs. FDA inspection: EU Notified Bodies audit your QMS for CE marking. The FDA inspects your facility independently. ISO 13485 certification doesn't exempt you from FDA inspection; the QMSR final rule explicitly states this.
The Bottom Line
The QMSR is the most significant structural change to U.S. medical device quality regulation in thirty years. By incorporating ISO 13485:2016, it aligns FDA expectations with the international standard that most global device companies already follow. But for e-signature compliance, the practical impact is more subtle than it first appears: the QMSR shifts quality system language from FDA-specific terminology to ISO terminology, while Part 11 continues to operate as the independent authority on electronic records and electronic signatures.
Medical device QA/RA teams should take three actions now:
- Confirm that your e-signature platform meets Part 11 independently of your QSR/QMSR compliance posture. Part 11 hasn't changed. Your e-signature system still needs validated audit trails, two-factor authentication, signature meaning capture, and access controls.
- Map your ISO 13485 “approval” touch points to e-signature workflows. Every clause that requires a documented approval is now an e-signature event under the QMSR. Make sure your workflows capture signature, date, and meaning at each point.
- If you sell in the EU, confirm that your platform also satisfies EU MDR documentation and eIDAS requirements. A single, purpose-built platform that addresses Part 11, ISO 13485, and EU MDR documentation needs will reduce duplication and audit risk.
The regulatory environment for medical device e-signatures has become more aligned across markets, but not simpler. Companies that invest in a compliant e-signature platform purpose-built for regulated industries will be positioned to handle QMSR, Part 11, and EU MDR requirements with a single system of record, reducing validation burden, simplifying inspections, and protecting the integrity of every approval in their quality management system.