Digital therapeutics (DTx) sit at the intersection of healthcare and technology, demanding rigorous evidence to prove safety, effectiveness, and quality. In 2026, the European Union’s Medical Device Regulation (EU MDR) and the U.S. Food and Drug Administration (FDA) have distinct yet overlapping frameworks for evidence requirements. This guide unpacks those differences side‑by‑side, offering practical compliance checklists for developers, regulators, and stakeholders navigating the regulatory landscape.
1. Regulatory Context: Who’s In Charge?
EU MDR: The European Market Gatekeeper
The EU MDR, effective from May 2021, replaced the 1997 Medical Device Directive. It expands device classification, enhances post‑market surveillance, and places a premium on clinical evidence. Digital therapeutics are typically class IIb or III devices, depending on risk, and must undergo a notified body assessment or, in some cases, a self‑declaration if risk is low.
FDA: The U.S. Health Authority
In the United States, the FDA regulates DTx as Software as a Medical Device (SaMD) under the Digital Health Innovation Action Plan. The FDA’s 2020 guidance on SaMD, updated in 2023, emphasizes a risk‑based approach, defining evidence tiers that correlate with intended use, patient population, and device complexity.
2. Evidence Hierarchy: What the Regulators Expect
EU MDR Evidence Requirements
- Clinical Evaluation: A systematic review of clinical data, including literature, post‑market data, and, if necessary, dedicated clinical studies.
- Clinical Investigation: For class IIb/III devices, mandatory clinical investigations (phase I‑III) are required unless the device falls under an exemption (e.g., low‑risk).
- Post‑Market Surveillance (PMS): Continuous monitoring and reporting of adverse events, with a 5‑year PMS plan.
- Technical Documentation: Detailed risk analysis, software development life cycle, and design validation.
FDA SaMD Evidence Requirements
- Clinical Evidence Tiers:
  - Tier 1: Limited evidence (e.g., pilot studies, feasibility data) for low‑risk interventions.
  - Tier 2: Moderate evidence (prospective, controlled studies) for moderate‑risk interventions.
  - Tier 3: Robust evidence (randomized controlled trials) for high‑risk interventions.
- Pre‑Market Notification (510(k)): Many DTx seek clearance through 510(k), demonstrating substantial equivalence to predicate devices.
- De Novo Classification: For novel devices without a predicate, a De Novo request can establish a new classification.
- Post‑Market Commitments: Required for certain devices, involving registries, risk mitigation plans, and ongoing data collection.
3. Clinical Study Design: EU vs. FDA Approaches
While both regulators value rigorous data, the EU MDR’s mandatory clinical investigations for higher‑risk devices often require larger sample sizes and longer follow‑up periods than the FDA’s tiered approach. The FDA’s flexibility allows developers to start with pilot studies (Tier 1) and progressively build evidence, whereas the EU mandates full investigations sooner.
For instance, a DTx aimed at glycemic control in type 2 diabetes (class IIb in the EU, moderate‑risk SaMD under the FDA) would need a multicenter, randomized controlled trial (RCT) with at least 300 participants in the EU, while the FDA might accept a 100‑participant pilot followed by a larger post‑market study.
4. Data Collection & Real‑World Evidence (RWE)
EU MDR: Structured Post‑Market Data
- Manufacturers must implement a Risk Management System that collects adverse event reports, user complaints, and device performance data.
- Data must be stored for at least 10 years and made available to the European Database on Medical Devices (EUDAMED).
- RWE can support Post‑Market Clinical Follow‑Up (PMCF) to refine risk assessments.
FDA: Accelerated RWE Pathways
- The FDA’s Real-World Evidence (RWE) Framework allows health plans and manufacturers to submit data from electronic health records, claims, and registries.
- RWE is often used to support Post‑Approval Studies (PAS) and to satisfy Risk Evaluation and Mitigation Strategies (REMS).
- Developers can leverage Adaptive Clinical Trial Designs and Registry‑Based Studies to collect longitudinal data.
5. Digital Evidence Standards & Cybersecurity
EU MDR
- Adopts the ISO 14971:2022 risk management standard, integrating cybersecurity as a risk factor.
- Requires a Cybersecurity Risk Management Plan with threat modeling, mitigation, and post‑market monitoring.
- Notified bodies must verify that security controls are implemented and updated.
FDA
- Uses the FDA’s Cybersecurity Guidance for Medical Devices, focusing on Device Security Posture and Software Update Management.
- Imposes Post‑Market Cybersecurity Update obligations, especially for connected devices.
- Encourages developers to adopt ISO 27001 or the NIST Cybersecurity Framework as part of their security strategy.
6. Compliance Checklists
EU MDR Quick Compliance Checklist
- Define device classification (IIb/III).
- Prepare Clinical Evaluation Report (CER) with systematic review.
- Design and conduct required Clinical Investigation (if applicable).
- Develop and maintain Technical Documentation (TDD).
- Establish Risk Management System (RMS) including cybersecurity.
- Implement Post‑Market Surveillance (PMS) plan and submit annual reports to EUDAMED.
- Ensure Notified Body engagement for CE marking.
FDA SaMD Quick Compliance Checklist
- Determine risk tier and select appropriate submission pathway (510(k), De Novo, PMA).
- Conduct evidence generation aligned with tier requirements (pilot, RCT).
- Prepare Software Design Documentation (SDD) and Risk Management Plan (RMP).
- Implement cybersecurity controls per FDA guidance.
- Plan Post‑Market Commitments (registries, REMS).
- Submit required documents to FDA and maintain ongoing communication.
- Establish a mechanism for real‑world data collection and analysis.
7. Key Takeaways for Digital Therapeutic Developers
- Risk‑Based Evidence: Both regulators use risk to determine evidence intensity, but the EU is more prescriptive for higher‑risk devices.
- Early Engagement: Engage with notified bodies (EU) or FDA reviewers early to clarify expectations and avoid costly redesigns.
- Lifecycle Approach: Build evidence incrementally, starting with pilot studies and progressing to RCTs and post‑market surveillance.
- Data Integrity: Maintain robust data collection pipelines; RWE is increasingly valued as a complement to traditional clinical studies.
- Cybersecurity: Treat security as a core design requirement, not an afterthought, to satisfy both EU and FDA requirements.
While the EU MDR and FDA frameworks share common goals—protecting patient safety and ensuring therapeutic efficacy—their pathways and documentation demands differ. Understanding these nuances, coupled with diligent evidence planning and compliance execution, can streamline market access for digital therapeutics worldwide.
