Introduction
Understanding the regulatory requirements for subsidiaries and subcontracting under the In Vitro Diagnostic Regulation (IVDR) is crucial for ensuring compliance. Navigating these rules can be complex, particularly for organizations managing multiple legal entities or collaborating with external partners. The IVDR sets clear expectations regarding how responsibilities are delegated, managed, and documented throughout the supply chain.
This article provides a clear breakdown of the key IVDR provisions related to subsidiaries and subcontracting, helping manufacturers and stakeholders understand how to maintain compliance while working with affiliated entities and third parties.
What is In Vitro Diagnostic Medical Devices Regulation (IVDR)?
The In Vitro Diagnostic Medical Devices Regulation (IVDR 2017/746) establishes a robust framework to ensure the safety, performance, and reliability of in vitro diagnostic (IVD) medical devices within the European Union. It replaces the previous IVD Directive (IVDD 98/79/EC), requiring all IVD devices, including those already on the market, to comply with its updated provisions. The transition is mandatory, as the IVDR does not allow the grandfathering of existing devices.
The IVDR introduces a significantly broader and more comprehensive framework for regulating IVD medical devices within the European Union. Reflecting advancements in diagnostic technologies and the growing complexity of the market, the IVDR expands the definition of IVD medical devices to include:
- Predictive Genetic Tests – Devices that assess genetic predisposition to diseases or conditions
- Companion Diagnostics – Tests that guide treatment decisions by determining patient suitability for specific therapies
- Standalone Software – Software that performs diagnostic functions, including data analysis, interpretation, or disease risk prediction.
- Devices Sold via Distance Sales – If a company, no matter where it is located (EU or non-EU), intends to sell or offer IVD devices to users in the EU, whether online or directly, IVDR compliance is mandatory
This expanded scope is grounded in IVDR Article 2 (Definitions) and further supported by Article 6 (Distance Sales). It ensures that all relevant diagnostic products, including those enabled by digital health and personalized medicine, fall under the purview of the regulation.
In addition to broadening the scope, the IVDR introduces a fundamental shift from the previous list-based classification system to a risk-based classification framework, detailed in Annex VIII. Devices are now classified into four risk categories—Classes A, B, C, and D—with regulatory requirements scaling according to the potential risk to patients and public health:
- Class A: Low-risk devices (e.g., laboratory instruments, specimen containers)
- Class B: Moderate-risk devices (e.g., some self-testing devices)
- Class C: High-risk devices (e.g., infectious disease tests, companion diagnostics, cancer diagnosis and screening)
- Class D: Highest-risk devices (e.g., blood screening for HIV, hepatitis, and other critical infectious diseases)
Higher-risk classes (C and D) are subject to stricter regulatory scrutiny, including increased involvement of Notified Bodies, more rigorous clinical evidence requirements, and enhanced quality management systems. This risk-based approach aligns with international best practices and ensures that the level of oversight is proportional to the device’s impact on patient and public health.
Together, the expanded scope and the risk-based classification system represent a major evolution in EU regulatory oversight for IVDs. This framework ensures that both traditional and emerging diagnostic technologies meet robust standards for safety, performance, and reliability across the European market.
The IVDR also emphasizes a lifecycle approach to IVD compliance. Manufacturers have to conduct continuous evaluations of devices during both pre-market and post-market phases. This approach imposes more comprehensive requirements than the IVDD, ensuring that devices remain safe and effective throughout their lifecycle.
Definitions: Subsidiaries, Subcontractors, and Critical Suppliers under IVDR
- Critical supplier
A critical supplier is a party that provides materials, components, or services that are essential to the conformity of the IVD device and may directly impact its safety or performance.
While IVDR does not define the term explicitly, the commonly accepted definition is found in the NBOG_BPG_2010_1, section 2.2: “A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device.”
This definition is widely used by Notified Bodies during conformity assessments under IVDR.
- Subcontractor
A subcontractor is a third party that performs regulated activities on behalf of the manufacturer, such as design, manufacturing steps, sterilization, testing, or packaging. While not formally defined in IVDR, the regulation refers to subcontracting in multiple sections. Notably, Annex VII, 3.4, and Annex IX, Section 2.3, require manufacturers to provide access to and oversight of subcontractors involved in production and final verification.
Subcontractors must be evaluated, qualified, and included in the manufacturer’s quality management system (QMS).
- Subsidiary
A subsidiary refers to a legal entity controlled by a parent organization, usually through majority ownership or governance. Though the IVDR does not define “subsidiary,” the commonly accepted legal definition is taken from Directive 2013/34/EU, Article 2(10):
“‘subsidiary undertaking’ means an undertaking controlled by a parent undertaking, including any subsidiary undertaking of an ultimate parent undertaking”.
If a subsidiary is involved in the manufacture, design, or quality-related functions of an IVD device, it must be included in the scope of the manufacturer’s QMS and subject to Notified Body audit under IVDR.
Strengthened Supply Chain Accountability Under IVDR
The IVDR significantly reinforces supply chain accountability by clearly defining the responsibilities of all economic operators involved in placing IVD devices on the EU market. This includes manufacturers, authorized representatives, importers, and distributors, each of whom is legally obligated to ensure compliance with applicable regulatory requirements (Articles 10–14, IVDR).
A key requirement introduced under the IVDR is the mandatory appointment of a Person Responsible for Regulatory Compliance (PRRC) by manufacturers and authorized representatives (Article 15, IVDR). The PRRC is responsible for ensuring that devices meet IVDR requirements, overseeing technical documentation, conformity assessments, post-market surveillance, and vigilance activities.
Impact on Supplier and OEM Relationships
To comply with IVDR requirements, manufacturers must:
- Review and update quality agreements with critical suppliers and subcontractors, ensuring that responsibilities for compliance, documentation, and traceability are clearly defined (Annex IX, Section 2.2; Annex XI, IVDR).
- Perform thorough evaluations of Original Equipment Manufacturers (OEMs) and private-label partners. While the IVDR does not explicitly use the term “OEM,” it requires manufacturers to demonstrate full control over outsourced processes within their quality management systems (QMS) (Annex IX, Section 2.2, IVDR) and to ensure that all components and services meet the General Safety and Performance Requirements (GSPR) in Annex I, IVDR.
These measures ensure that every actor in the supply chain—from component suppliers to final distributors—is held to the same high standards of quality and compliance as the manufacturer.
Critical Supplier Oversight at Euformatics: Managing OCI and AWS for Compliance and Performance
In the context of IVDR compliance and the development of regulated Software as a Medical Device (SaMD), Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS) are designated as critical suppliers for Euformatics GenomicsHub. These suppliers are essential to the operation, availability, security, and compliance of the GenomicsHub platform, which provides genomic assay validation, quality control, and variant interpretation for diagnostic and clinical applications.
Role of OCI and AWS in GenomicsHub and their evaluation by Euformatics
OCI and AWS provide the cloud infrastructure and services upon which GenomicsHub is hosted, deployed, and operated. OCI and AWS are evaluated against a standardized set of criteria maintained within Euformatics’ QMS, in alignment with ISO 13485 and IVDR Annex IX. The key evaluation areas include:
- Performance and Availability
- Service Level Agreements (SLAs)
- Technology stack
- Security and Compliance
- Cost
Management in the QMS
Euformatics has integrated OCI and AWS into its QMS through the following measures:
- Supplier Qualification: OCI and AWS have undergone a formal qualification process, including risk assessment, due diligence, and approval by management representatives
- Quality Agreements: Although both OCI and AWS operate under standard Terms of Service, Euformatics maintains documented expectations and internal procedures to ensure regulatory alignment
- Supplier Risk Management: Risks associated with cloud infrastructure providers (e.g., service disruption, compliance breach, data residency violation) are recorded in the risk register
- Periodic Review: The performance and compliance status of OCI and AWS are re-evaluated at least annually or after any significant change (e.g., major service update, pricing structure changes, or reported incidents).
- Technical Documentation Inclusion: The service details of OCI and AWS are fully documented in the Technical Documentation as required under IVDR Annex II.
Importance of Compliance for Manufacturers and Notified Bodies
Compliance with IVDR regulations is critical for manufacturers and notified bodies, as it directly influences both patient safety and product integrity. The regulation prioritizes data security and product quality, aligning with broader frameworks like the General Data Protection Regulation (GDPR) and international standards such as ISO 13485. These standards ensure that medical devices meet strict safety and performance criteria throughout their lifecycle.
For manufacturers, compliance demands robust systems to protect sensitive patient data and prevent breaches. Devices have to not only function safely but also adhere to data protection laws. This dual focus means you need to integrate data security protocols into both product design and operational workflows, ensuring compliance with overlapping regulatory frameworks.
Notified bodies play a critical role in this ecosystem. Their responsibility is to verify that manufacturers meet IVDR requirements, particularly in areas like risk management, product safety, performance, and supply chain oversight. This includes evaluating adherence to ISO 13485, a standard that governs quality management systems for medical devices. Failing to meet these expectations can compromise the safety of diagnostic devices and expose entities to significant legal and financial risks.
Understanding Subsidiaries and Subcontracting in IVDR
Subsidiaries and subcontractors play a critical role in the implementation of the IVDR because these entities are often important for manufacturing, testing, distribution, or other operational components. However, their involvement introduces additional layers of responsibility for ensuring compliance with IVDR and ISO 13485 standards.
Manufacturers are required to establish clear oversight mechanisms to manage subsidiaries and subcontractors. This includes ensuring that any processes or services they provide align with the strict quality, safety, and performance requirements set by the regulation. Without proper oversight, non-compliance risks escalate, potentially leading to penalties, product recalls, or market access issues.
Key responsibilities for oversight include:
- Verification of compliance: Manufacturers must ensure that their subsidiaries and subcontractors adhere to all applicable IVDR requirements, including but not limited to compliance with relevant standards and regulations such as data protection (e.g., GDPR), cybersecurity, and software lifecycle requirements where applicable
- Regulatory audits: Notified bodies are granted authority under IVDR to audit subcontractors and suppliers, making it important to ensure that these entities are consistently prepared for such evaluations. These audits can be announced or unannounced. Manufacturers must ensure that their partners are fully audit-ready and cooperate with Notified Bodies
- Quality agreements: Manufacturers need to establish formal agreements that define roles, responsibilities, and expectations for compliance, ensuring accountability across all parties involved
- Documentation and traceability: IVDR requires complete traceability of all critical suppliers and subcontractors (Annex II). Manufacturers must maintain:
  - Technical documentation
  - Records of audits
  - Evidence of contractual and QMS compliance
Effective management of these relationships requires a proactive approach. By carefully monitoring and engaging with subsidiaries and subcontractors, manufacturers can better safeguard compliance and reduce risks associated with regulatory breaches.
Regulatory Requirements for Notified Bodies
Notified Bodies play a central role in ensuring that IVDs comply with the stringent regulatory framework set by IVDR. Their responsibilities extend beyond assessing manufacturers—they must also evaluate and monitor subcontractors, subsidiaries, and critical suppliers involved in any stage of the device’s lifecycle. This broader oversight ensures uniform compliance with IVDR standards throughout the supply chain.
1. Oversight of Subcontractors and Subsidiaries
Under Annex VII of the IVDR, Notified Bodies are required to operate competently, impartially, and consistently when carrying out conformity assessments. To fulfill these obligations, they must assess whether entities performing subcontracted activities—such as manufacturing steps, testing, or data analysis—maintain compliance with regulatory requirements.
Key areas of assessment include:
- Quality Management Systems, especially ISO 13485 certification
- Technical competence and training
- Documented procedures and traceability mechanisms
This evaluation ensures that subcontracted work does not compromise the safety, performance, or conformity of the IVD device.
2. Conformity Assessment Obligations (Annex IX)
During the conformity assessment process (e.g., under Annex IX or XI), Notified Bodies must:
- Review technical documentation covering any outsourced activities
- Verify that manufacturer agreements with subcontractors clearly define responsibilities
- Conduct audits of critical subcontractors when necessary (including unannounced audits under Article 88)
Notified Bodies are also permitted to inspect subsidiaries if they perform regulated functions such as design, production, or post-market surveillance.
3. External Quality Assessment Participation
When subcontractors are responsible for diagnostic testing or laboratory analysis, Notified Bodies are expected to verify participation in programs such as External Quality Assessment (EQA) schemes. Leading organizations providing these schemes include:
Participation in these schemes helps demonstrate the technical competence and analytical performance of laboratories, ensuring consistent reliability and mitigating risk across the diagnostic process.
4. Emphasis on Risk-Based Oversight
The IVDR encourages a risk-based approach to oversight. Notified Bodies must tailor their assessments based on the classification of the device, the criticality of outsourced activities, and the performance history of subcontractors. For Class D IVDs, the scrutiny is especially high, often including independent lab testing and batch verification.
Manufacturer Obligations Regarding Subcontracting
Under the IVDR, manufacturers are ultimately responsible for the compliance, safety, and performance of their devices, regardless of whether certain processes are outsourced. This includes any subcontracted activities related to design, manufacturing, testing, distribution, or post-market surveillance. To maintain compliance, manufacturers must implement robust and proactive systems to manage subcontracting arrangements effectively. These responsibilities are integral to maintaining compliance and ensuring the safety, performance, and quality of in vitro diagnostic devices.
Manufacturers are required to integrate the management of subcontractors into their quality management system (QMS). This ensures that all subcontracted activities align with IVDR standards. A robust QMS allows manufacturers to establish clear oversight mechanisms for subcontractors, including procedures for assessing their qualifications and monitoring their ongoing compliance. In the context of genetic testing, where precision and data integrity are critical, automation tools such as omnomicsQ can significantly enhance the QMS and support compliance with the IVDR. omnomicsQ can streamline workflows by monitoring sample quality in real time, flagging issues before they progress further. By automating quality control processes, manufacturers reduce the risk of oversight errors and improve efficiency in managing regulatory requirements.
Quality contracts between manufacturers and subcontractors must also be reviewed and updated regularly. These contracts should clearly define roles, responsibilities, and expectations to ensure adherence to IVDR requirements.
Quality Management and Compliance
A robust QMS is foundational for ensuring compliance with the IVDR. These systems are critical not only for maintaining the integrity of processes and products, but also for managing external partnerships within the IVD supply chain, particularly those involving subsidiaries and subcontractors.
By integrating robust quality assurance measures, you can systematically address compliance risks while meeting the strict standards set by the IVDR framework. One effective measure is the use of automated validation systems. In the context of genetic testing, tools like omnomicsV streamline the validation of diagnostic systems by minimizing manual errors and providing consistent, reproducible results. These systems are particularly valuable for ensuring that complex processes meet the strict requirements of the IVDR. Automation not only improves accuracy but also reduces time spent on repetitive tasks, allowing you to focus on higher-level quality control activities.
Regular inter-laboratory benchmarking is another critical component of a strong quality management system. By comparing performance metrics across multiple laboratories, you can identify discrepancies, standardize practices, and ensure uniformity in diagnostic outcomes. This process also fosters continuous improvement, as benchmarking highlights areas requiring refinement, ensuring your operations remain aligned with IVDR standards. Both automated validation systems and benchmarking are essential tools, but their effectiveness depends on proper implementation and monitoring. A well-structured quality management system integrates these tools seamlessly into daily operations, ensuring compliance is not just a goal but an ongoing practice.
Implications of Non-Compliance
Failing to comply with IVDR regulations in the context of subsidiaries and subcontracting carries significant risks that can disrupt operations and compromise trust. Regulatory penalties are among the most immediate consequences. These might include fines, suspension of certifications, or even prohibition from marketing products within the EU. Such outcomes not only damage manufacturers' financial standing but also erode credibility with regulators and clients. Additionally, non-compliance can result in the loss of device certification.
Without valid certification, manufacturers cannot legally sell or distribute their products, potentially leading to considerable revenue loss and market share decline. Beyond financial and operational penalties, non-compliance can jeopardize patient safety. Inadequate oversight of subcontractors or subsidiaries might lead to errors in manufacturing or testing processes, increasing the risk of faulty or inaccurate diagnostic results. This can have serious health implications for patients, underlining the critical need for strict controls. Tools like omnomicsNGS, which support accurate variant interpretation, can play a key role in maintaining compliance and ensuring patient safety by providing reliable data analysis.
Best Practices for Managing Subsidiaries and Subcontractors
1. Establish Clear Agreements and Communication
To effectively manage subsidiaries and subcontractors under the IVDR framework, establishing clear agreements and fostering precise communication is important. This ensures that all parties involved operate in alignment with regulatory expectations and international quality standards. A structured approach not only minimizes compliance risks but also helps maintain consistent oversight throughout the supply chain.
In the context of genetic testing and variant interpretation, an important aspect of the process involves standardizing variant interpretation procedures and ensuring alignment with established international guidelines such as those from the ACMG (American College of Medical Genetics and Genomics) and CAP (College of American Pathologists). Standardized processes clarify roles and responsibilities, reducing ambiguity in operational workflows.
By referencing these globally recognized benchmarks, you can ensure that both subsidiaries and subcontractors comply with strict regulatory and quality requirements. This alignment also facilitates smoother audits and inspections, as it demonstrates adherence to widely accepted standards. Additionally, formalizing agreements in the form of detailed contracts is necessary. These agreements should clearly outline performance expectations, compliance obligations, and accountability measures. Contracts have to specify responsibilities regarding data management, reporting requirements, and adherence to IVDR mandates.
By explicitly defining these aspects, you establish a foundation for accountability and create a framework for resolving potential disputes or non-compliance issues effectively. Regular and structured communication channels with subsidiaries or subcontractors play an essential role in ensuring transparency and alignment. This includes scheduled meetings, timely updates on regulatory changes, and clear escalation paths for addressing compliance concerns. Miscommunication or lack of clarity can lead to critical compliance gaps, so prioritizing precise and consistent communication is indispensable.
2. Regular Performance Evaluations and Audits
To maintain compliance with the IVDR, conducting regular performance evaluations and audits is important. These processes help ensure that both subsidiaries and subcontractors consistently meet regulatory requirements and maintain high-quality standards in their operations.
Performance monitoring tools play a key role in this effort. By utilizing software or systems designed for ongoing performance tracking, you can identify potential compliance gaps early and address them before they escalate into significant issues. These tools often provide real-time insights into key performance indicators, enabling a proactive approach to managing compliance risks.
3. Performance Monitoring Tools for IVDR Compliance
Performance monitoring, document creation and maintenance platforms help to manage QMS documents, processes, audits, CAPAs (Corrective and Preventive Actions), supplier management, and training—all critical for IVDR compliance. Examples:
4. Importance of External Quality Assessments
In addition to internal audits, external quality assessments play a critical role in maintaining compliance. These independent audits, conducted by third-party experts, provide an unbiased evaluation of whether subsidiaries and subcontractors meet the requirements of the IVDR. External audits can:
- Uncover hidden inefficiencies or non-compliance issues that internal audits might miss
- Provide manufacturers with greater assurance of supply chain integrity
- Strengthen readiness for Notified Body assessments and regulatory inspections.
5. Continuous Improvement and Training Initiatives
To maintain compliance with IVDR, adopting continuous improvement practices and implementing targeted training initiatives is critical. These measures ensure that your organization stays aligned with evolving regulatory requirements while fostering a culture of quality and accountability. Adapting to new regulatory updates requires systems that support proactive responses.
Automated re-evaluation tools can play a key role in this process. By integrating these tools into their quality management system, manufacturers can systematically assess changes in IVDR requirements and their impact on operations. This allows manufacturers to address compliance gaps immediately and prevent delays in meeting new standards. Additionally, automated systems reduce the risk of human error during regulatory assessments, improving the reliability of compliance efforts.
Training modules designed to address regulatory updates are equally important. Regularly updating and delivering focused training ensures that your team understands the implications of new IVDR requirements and how to apply them in practice. This includes training for personnel involved in subcontractor and subsidiary management, as their roles are directly tied to compliance. Providing clear, role-specific guidance helps your team implement processes that align with IVDR’s strict expectations, reducing the likelihood of oversight or errors.
Conclusion
Effective compliance with IVDR regulations requires a balanced focus on both regulatory understanding and proactive management of subsidiaries and subcontractors. These rules are not just administrative obligations—they are critical safeguards for quality and accountability in the diagnostic field. By prioritizing transparency, strict oversight, and ongoing improvement, organizations can safeguard both compliance and trust, building a foundation for sustainable success in a highly regulated industry.
Euformatics offers practical solutions designed to help diagnostic laboratories navigate the complexities of IVDR compliance. From tools like omnomicsQ for quality control to omnomicsNGS for variant interpretation, we support accurate and efficient genomic analysis. Our Genomics Hub price configurator provides a transparent and customizable way to budget for your compliance and analysis needs. Ready to enhance your lab’s compliance and efficiency? Book a demo today to see how Euformatics can empower your success.
FAQ
What Are the Key Differences Between IVDR and IVDD?
The IVDR introduces stricter requirements, including reclassification of devices by risk, enhanced clinical evidence, mandatory unique identification, and greater involvement of notified bodies, focusing on safety and performance.
How Do the New Classification Rules Under IVDR Impact My Devices?
Devices are reclassified into higher-risk categories, requiring stricter assessments, more clinical evidence, and closer oversight. Previously self-certified devices may now need notified body evaluation.
What Are the Requirements for Performance Evaluation and Clinical Evidence Under IVDR?
Performance evaluation includes scientific validity, analytical performance, and clinical performance. Clinical evidence must show safety and effectiveness through studies, peer-reviewed data, or literature.
When Do the IVDR Regulations Apply to My Specific Devices?
The timeline for IVDR compliance depends on your device’s risk classification and intended use. For most new IVDs, compliance has been mandatory since May 26, 2022. However, certain devices previously certified (legacy devices) under the In Vitro Diagnostic Directive (IVDD) may benefit from transitional provisions.
These extensions allow continued market access until 2027, 2028, or 2029, depending on the device’s risk class and whether it requires notified body involvement under the IVDR. After these deadlines, all devices must fully comply with IVDR requirements, including updated conformity assessments, quality systems, and performance evaluations.
The transition timeframes for legacy IVDs are as follows:
- Legacy IVDs Class D (IVDR) must be compliant by December 2027
- Legacy IVDs Class C (IVDR) must be compliant by December 2028
- Legacy IVDs Class B and Class A sterile (IVDR) must be compliant by December 2029
What Are the Key Responsibilities of Economic Operators (Manufacturers, Importers, Distributors, Etc.) Under IVDR?
Manufacturers, importers, distributors, and authorized representatives must ensure safety, maintain documentation, verify compliance, and address post-market surveillance to meet IVDR standards.