New MDR/IVDR Standards Published + Greenlight Guru's ISO 42001

Two announcements this week signal how the compliance landscape is quietly reshaping beneath our feet. The Official Journal of the European Union just published new harmonised standard references supporting MDR and IVDR—covering everything from biological evaluation to surgical implants. Meanwhile, Greenlight Guru became the first electronic Quality Management System (eQMS) vendor to secure ISO 42001 certification for AI governance across its platform. On the surface, these stories seem unrelated. Dig deeper, and they're pointing toward the same inflection point: compliance infrastructure is no longer static. Standards are evolving faster, and the tools you use to manage them now carry their own regulatory obligations—especially when AI enters the frame.
What's New in the Harmonised Standards Update
The latest batch of harmonised standards published in the Official Journal covers substantial ground. For MDR, the update includes references for biological evaluation (ISO 10993 series), symbols (ISO 15223), medical electrical equipment (IEC 60601 series), transfusion equipment, ophthalmic optics, surgical implants, washer-disinfectors, and prosthetics. For IVDR, new references address in vitro diagnostic medical devices and their accompanying performance evaluation requirements.
Harmonised standards matter because they offer a presumption of conformity—comply with them, and you're presumed to meet the corresponding essential requirements of the regulations. But there's a catch: not all standards are harmonised, and not all harmonised standards are up to date with MDR/IVDR expectations. The notified body community has been vocal about this gap, particularly around clinical evaluation and post-market surveillance, where legacy standards don't fully reflect current regulatory thinking. This update helps close some of those gaps, but it's not comprehensive. Manufacturers still need to map their technical documentation against both the standards and the General Safety and Performance Requirements (GSPRs) directly.
The practical implication? If you're mid-conformity assessment or planning a submission, check whether your referenced standards are now formally harmonised. If they are, your technical file and Declaration of Conformity need to cite the correct Official Journal reference. If they're not, you'll need stronger justification for equivalence—and notified bodies are getting stricter about what constitutes sufficient rationale. This is especially true for novel device categories or those involving software, where older standards may not address risk management or cybersecurity adequately.
ISO 42001 and the AI Governance Question
Greenlight Guru's ISO 42001 certification is the first of its kind for an eQMS vendor, and it's not just a marketing milestone. ISO 42001 is the international standard for AI management systems—it sets out requirements for responsible development, deployment, and continuous oversight of AI. The certification covers Greenlight Guru's eQMS and electronic data capture (EDC) products, meaning the AI features baked into those platforms—whether it's automated document tagging, risk signal detection, or workflow recommendations—are now independently audited for governance, explainability, and accountability.
Why does this matter for device manufacturers? Because if you're using AI-powered compliance tools, those tools are part of your quality management system. They're making decisions—or assisting decisions—that affect product release, post-market surveillance, and regulatory submission content. When an auditor or notified body asks, 'How do you ensure the integrity of your QMS processes?', you need to be able to answer for every component in that system, including the software. If your eQMS vendor can't demonstrate robust AI governance, that's a gap in your own audit readiness.
ISO 42001 also intersects with emerging regulatory expectations around AI explainability and transparency. FDA and EU regulators are increasingly clear: if your device uses AI, you need to explain how it works, how it's validated, and how you monitor it post-market. The same logic applies to the tools you use to manage compliance. If your QMS is powered by AI you can't interrogate or validate, you're introducing risk into your compliance process—and regulators are starting to notice.
The Convergence: Standards, Tools, and Vendor Qualification
Here's where the two stories converge. The harmonised standards update reflects a regulatory environment that's maturing—slowly, but deliberately—toward more granular, evidence-based compliance. At the same time, the tools manufacturers use to demonstrate compliance are themselves becoming more complex, more automated, and more dependent on AI. That creates a new layer of vendor qualification responsibility.
Historically, vendor qualification for software tools focused on validation: does the system do what it claims to do? Can you demonstrate traceability, audit trails, and data integrity? Those requirements haven't gone away. But now, if your vendor's platform includes AI, you need to ask: Is the AI governed? Is it auditable? Can the vendor demonstrate compliance with ISO 42001 or an equivalent framework? If not, you're introducing unvalidated decision-making into your QMS—and that's a nonconformity waiting to happen.
This isn't theoretical. During notified body audits and FDA inspections, the line of questioning is shifting. Auditors are asking: 'How do you validate your document management system?' 'How do you ensure your risk management software doesn't introduce bias or omit critical data?' If your vendor can't provide independent certification—like ISO 42001—you'll need to perform that validation yourself. And for most manufacturers, that's not a scalable or cost-effective approach.
What This Means for Your Team
For regulatory affairs and quality teams, the implications are immediate. First, review your current technical files and declarations of conformity against the newly published harmonised standards. If you're citing standards that are now formally harmonised, update your references. If you're relying on non-harmonised standards, strengthen your justification and ensure your gap analysis is robust. This is particularly critical if you're in the queue for a notified body review or planning a major design change.
Second, audit your compliance tools—especially your QMS, EDC, and regulatory intelligence platforms. If they use AI, ask your vendors for evidence of governance. ISO 42001 certification is the gold standard, but at minimum, you need documentation on how the AI is trained, validated, and monitored. If your vendor can't provide that, it's time to either push for it or reassess your tooling strategy. Remember: audit readiness isn't a one-time event—it's a continuous posture, and your tools are part of that posture.
Third, if you're a startup or scaling manufacturer, factor vendor certification into your build-vs-buy decisions. The regulatory bar for compliance infrastructure is rising. Choosing a vendor with ISO 42001 or equivalent certification doesn't just reduce your validation burden—it signals to investors, notified bodies, and FDA reviewers that you're taking quality and governance seriously from the ground up. That matters when you're trying to accelerate time to market or secure funding.
Looking Ahead: Standards, AI, and the Compliance Stack
The updates to MDR and IVDR harmonised standards are welcome, but they're also a reminder: the regulatory framework is still catching up to the pace of innovation. Standards take years to develop, harmonise, and publish. Meanwhile, AI is embedding itself into every layer of the compliance stack—from device functionality to the tools used to manage submissions, post-market surveillance, and risk management.
What's emerging is a new compliance reality: you're not just responsible for your device. You're responsible for the entire ecosystem that supports it—including the software, the vendors, and the standards you rely on. That means vendor due diligence is now as critical as clinical evaluation. It means your QMS needs to account for AI governance, even if your device doesn't use AI. And it means staying on top of harmonised standard updates isn't optional—it's foundational.
For teams already stretched thin, this can feel like yet another layer of complexity. But there's an upside: as standards mature and vendors step up with certifications like ISO 42001, the compliance infrastructure is becoming more transparent, more auditable, and—ultimately—more reliable. The manufacturers who adapt fastest won't just meet regulatory expectations. They'll build competitive advantage on the back of better systems, better tools, and better governance.
Key Takeaways
- New harmonised standards for MDR and IVDR have been published, covering biological evaluation, medical electrical equipment, surgical implants, and IVD performance evaluation—update your technical files and declarations of conformity accordingly.
- Greenlight Guru is the first eQMS vendor to achieve ISO 42001 certification for AI governance, setting a new benchmark for vendor qualification in compliance tools.
- If your QMS or regulatory intelligence platform uses AI, you need documented evidence of how that AI is governed, validated, and monitored—ISO 42001 certification is the strongest signal your vendor can provide.
- Vendor due diligence is now as critical as clinical evaluation—unvalidated AI in your compliance tools introduces risk that auditors and notified bodies are actively scrutinising.
- As standards and tools evolve, the manufacturers who invest in robust, auditable compliance infrastructure will gain both regulatory confidence and competitive speed to market.

The regulatory landscape isn't slowing down—and neither is the technology powering it. Whether you're navigating MDR conformity assessments, scaling post-market surveillance, or evaluating your compliance stack, the question isn't whether to adapt. It's how fast you can move without introducing new risk. That's where expertise, systems, and the right partners make all the difference.