MDR 2017 Does Not Mandate ISO 13485. Here Is What It Actually Requires.

Is ISO 13485 Mandatory Under MDR 2017? The Answer Is More Nuanced Than Most People Think

By Ankur Khare — Biomedical Engineer | Regulatory Affairs Specialist | Founder, MedReg Intel


A question comes up regularly in Indian MedTech regulatory discussions.

Is ISO 13485 mandatory under MDR 2017?

The answer you most commonly hear is one of two things.

Either — yes, ISO 13485 is mandatory for all medical device manufacturers in India.

Or — no, ISO 13485 is just recommended, not required.

Both answers are incomplete. And the incompleteness of each one creates practical problems for manufacturers who act on either without understanding what MDR 2017 actually requires.

This article gives you the complete answer — from the primary source.


What MDR 2017 Actually Says

MDR 2017 does not contain the words "ISO 13485 is mandatory" anywhere in its text.

Search the gazette notification G.S.R. 78(E) dated 31 January 2017 from beginning to end. You will not find a provision that explicitly mandates ISO 13485 certification as a condition of manufacturing licence grant.

What you will find is this.

Rule 20 of MDR 2017 — the manufacturing licence provision — requires that manufacturers comply with the Quality Management System requirements specified in the Fifth Schedule.

Rule 20(4) for Class A devices states that after licence grant, a Notified Body must verify compliance with Fifth Schedule requirements within 120 days.

Rule 20(6) for Class B devices requires that a Notified Body audit verifying Fifth Schedule compliance must occur before licence grant.

Rule 23 for Class C and D devices requires that CDSCO's inspection team verify Fifth Schedule compliance before licence grant.

The mandatory requirement under MDR 2017 is Fifth Schedule QMS compliance — not ISO 13485 certification specifically.


What the Fifth Schedule Actually Contains

This is where the distinction becomes practically important.

The Fifth Schedule of MDR 2017 is titled "Quality Management System Requirements for Medical Devices."

Its content is substantially derived from ISO 13485:2016 — the international standard for quality management systems for medical devices. The Fifth Schedule covers the same core elements — management responsibility, resource management, product realisation, measurement analysis and improvement — using a structure that closely mirrors ISO 13485.

But the Fifth Schedule is not identical to ISO 13485:2016. It is an Indian regulatory document that draws from the international standard while adapting it to the Indian regulatory context.

The critical implication: what is explicitly mandatory is compliance with the Fifth Schedule. ISO 13485 certification — the act of obtaining a certificate from an accredited certification body — is not explicitly required by MDR 2017.


The Practical Reality That Closes the Gap

Here is where the technical distinction meets operational reality.

Notified Bodies accredited under MDR 2017 — the organisations that conduct QMS audits for Class A, B, C, and D manufacturers — use ISO 13485:2016 as their primary assessment framework when auditing Fifth Schedule compliance.

Why? Because the Fifth Schedule and ISO 13485 are substantively aligned, and ISO 13485 provides the detailed interpretive guidance, audit checklists, and nonconformance categories that Notified Bodies need to conduct structured assessments. The Fifth Schedule alone does not provide this operational detail.

The practical consequence is this: a manufacturer who builds and maintains a QMS that genuinely meets Fifth Schedule requirements will, in virtually every case, also meet ISO 13485:2016 requirements — because the two frameworks are substantially equivalent in their core demands.

A manufacturer who attempts to build a Fifth Schedule compliant QMS without reference to ISO 13485 will find that their system has significant gaps — because the Fifth Schedule does not provide the implementation detail that ISO 13485 guidance and certification infrastructure provides.


The Three Conclusions That Matter

Conclusion 1 — ISO 13485 is not explicitly mandatory under MDR 2017.

The provision that is mandatory is Fifth Schedule QMS compliance. If you read MDR 2017 carefully you will not find an explicit ISO 13485 mandate. This is technically accurate and worth knowing — because it means a manufacturer who has achieved Fifth Schedule compliance through a robust internal QMS system, without a formal ISO 13485 certificate, is not in violation of MDR 2017 on that basis alone.

Conclusion 2 — Fifth Schedule compliance without ISO 13485 is practically very difficult.

The Fifth Schedule does not provide the implementation detail, interpretive guidance, or audit framework that building a compliant QMS requires. In practice, every serious QMS implementation for a medical device manufacturer in India is built on ISO 13485 — because that is where the operational detail lives. A manufacturer claiming Fifth Schedule compliance whose system does not align with ISO 13485 will almost certainly fail a Notified Body audit.

Conclusion 3 — For CDSCO audit and inspection purposes, treat ISO 13485 as effectively mandatory.

Notified Bodies conducting Fifth Schedule audits use ISO 13485 as their assessment framework. CDSCO inspection teams conducting Class C and D pre-grant inspections are familiar with ISO 13485 standards and use them as reference benchmarks. A manufacturer who has ISO 13485 certification from an accredited body has documented evidence of QMS compliance that is immediately recognisable and defensible in the audit and inspection process. A manufacturer who has only an internal claim of Fifth Schedule compliance — without the external verification that ISO 13485 certification provides — faces a significantly more difficult audit conversation.


What This Means for Specific Situations

For Class A manufacturers — post-grant Notified Body audit within 120 days:

Your QMS will be audited against Fifth Schedule requirements. Build it using ISO 13485 as your framework. You do not need to hold an ISO 13485 certificate before your licence is granted — the audit happens after grant. But you need to be audit-ready by day 120.

For Class B manufacturers — pre-grant Notified Body audit:

Your QMS must be audit-ready before your licence is granted. In practice this means your QMS must be substantially ISO 13485 compliant before you file your manufacturing licence application — because the Notified Body audit will use ISO 13485 as its assessment framework.

For Class C and D manufacturers — CDSCO pre-grant inspection:

CDSCO's inspection team will assess your manufacturing site and QMS before your licence is granted. ISO 13485 certification from an accredited body provides the most defensible evidence of QMS compliance in this context.

For importers — MD-14 application:

Importers must ensure their overseas manufacturer holds a QMS that meets Fifth Schedule equivalent requirements. In practice this means ISO 13485 certification from the overseas manufacturer is the standard document that CDSCO expects to see in an MD-14 technical dossier.


The One-Sentence Answer

ISO 13485 is not explicitly mandatory under MDR 2017 — but Fifth Schedule QMS compliance is mandatory, and achieving Fifth Schedule compliance without building your system on ISO 13485 is practically almost impossible.

Treat ISO 13485 as effectively mandatory. Not because MDR 2017 says so explicitly. Because every assessment framework used to verify Fifth Schedule compliance is built on it.


Why This Distinction Matters Beyond Compliance

Understanding the technical distinction between explicit mandate and practical requirement matters for one specific reason beyond compliance — commercial negotiation.

A manufacturer who knows that ISO 13485 certification is not explicitly required by MDR 2017 — only Fifth Schedule compliance is — has a defensible position if a Notified Body or consultant tells them they must obtain ISO 13485 certification as a precondition of anything that MDR 2017 does not actually require as a precondition.

The certification itself has value. But the certification is not the legal requirement. The Fifth Schedule compliance is.

Knowing the difference gives you the ability to have an informed conversation about what is legally required versus what is best practice — a distinction that matters when you are managing regulatory timelines and budgets.


MedReg Intel tracks regulatory developments, compliance strategy, and policy analysis relevant to India's medical device sector at medregintel.com

Ankur Khare is a Biomedical Engineer and Regulatory Affairs Specialist and the founder of MedReg Intel. This article is for informational purposes and does not constitute formal regulatory or legal advice.

Comments