COMMISSION IMPLEMENTING REGULATION (EU) 2021/2078
of 26 November 2021
laying down rules for the application of Regulation (EU) 2017/745 of the European Parliament and of the Council as regards the European Database on Medical Devices (Eudamed)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (1), in particular Article 33(8) thereof:
Whereas:
(1) Regulation (EU) 2017/745 requires the Commission to lay down the detailed arrangements necessary for the setting up and maintenance of the European database on medical devices (‘Eudamed’).
(2) Regulation (EU) 2017/746 of the European Parliament and of the Council (2) requires the Commission to set up, maintain and manage Eudamed, in accordance with the conditions and detailed arrangements established by Regulation (EU) 2017/745.
(3) As provided for in Regulations (EU) 2017/745 and (EU) No 2017/746, the Commission, competent authorities, authorities responsible for notified bodies, notified bodies, manufacturers, authorised representatives, importers, natural or legal persons referred to in Article 22(1) of Regulation (EU) 2017/745 (system or procedure pack producers) and sponsors of clinical investigations and performance studies should have access to and use Eudamed for the purpose of complying with their obligations and carrying out their tasks under those Regulations. It is, therefore, necessary to provide for the accessibility of Eudamed via a restricted website. In addition, Eudamed should provide the public with adequate information about devices placed on the market, the corresponding certificates issued by notified bodies, the relevant economic operators and clinical investigations. It is, therefore, also necessary to make Eudamed accessible via a public website. Moreover, in order to allow for the exchange of data between Eudamed and national databases, it is necessary to make Eudamed accessible through machine-to-machine data exchange services.
(4) As regards natural and legal persons that need to be able to access Eudamed via the restricted website, it is necessary to specify the conditions and the procedure for granting such access.
(5) The Commission has established the European Medical Device Nomenclature (EMDN) as provided for in Regulations (EU) 2017/745 and (EU) No 2017/746. The EMDN should therefore be made available in Eudamed free of charge and used for providing information on medical devices in Eudamed.
(6) In order to ensure that users of Eudamed receive the support needed when using the database, the Commission should provide them with timely technical and administrative assistance on Eudamed.
(7) In case of technical unavailability or malfunction of Eudamed, authorised users should still be able to fulfil their obligations. It is therefore necessary to specify alternative mechanisms to be used to exchange data in such events and to lay down contingency rules for such mechanisms.
(8) Rules on IT security set out in Commission Decision (EU, Euratom) 2017/46 (3) apply to Eudamed. In order for Eudamed to function in a secure manner, protected against threats to the availability, integrity and confidentiality of its functions and data, additional security rules should be laid down.
(9) In order to mitigate risks and address potential fraudulent use of Eudamed, specific provisions on fraudulent user activity in Eudamed should be laid down.
(10) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (4) and delivered an opinion on 9 July 2021.
(11) The measures provided for in this Regulation are in accordance with the opinion of the Committee on Medical Devices,
HAS ADOPTED THIS REGULATION:
Article 1
Definitions
For the purposes of this Regulation, the following definitions apply:
(1) ‘actor’ means the Commission, a competent authority, an authority responsible for notified bodies, a notified body, a manufacturer, an authorised representative, an importer, a system or procedure pack producer or a sponsor, who has been registered in Eudamed in accordance with Article 3 of this Regulation in order to fulfil its obligations set out in Regulations (EU) 2017/745 and (EU) No 2017/746;
(2) ‘authorised user’ means a natural person who has been granted access to Eudamed via the restricted website to act on behalf of an actor;
(3) ‘local actor administrator’ (LAA) means an authorised user who has the right to manage certain information regarding the details of the actor and to grant access to Eudamed via the restricted website to other natural persons to act on behalf of that actor;
(4) ‘local user administrator’ (LUA) means an authorised user who has the right to grant access to Eudamed via the restricted website to other natural persons to act on behalf of an actor;
(5) ‘malfunction’ means a significant failure of the functioning of Eudamed, including any failure caused by unforeseeable circumstances or by force majeure, that could adversely affect the IT security or hinder the availability of any of the functionalities of Eudamed’s electronic systems referred to in Article 33(2) of Regulation (EU) 2017/745.
Article 2
Modes of access
1. Eudamed shall be accessible for authorised users via a restricted website (‘the restricted website’) and for non-identified users via a public website (‘the public website’).
2. Eudamed shall be accessible through machine-to-machine data exchange services to competent authorities as referred to in Article 101 of Regulation (EU) 2017/745 and Article 96 of Regulation EU 2017/746 (‘competent authorities’) and notified bodies registered in Eudamed in accordance with Article 3 of this Regulation. The Commission shall provide each Member State and notified body with data exchange access points enabling them to use such data exchange services upon their request.
Eudamed shall be accessible through machine-to-machine data exchange services to actors other than the competent authorities and notified bodies, provided that the LAA of the actor concerned submits a request for such access as referred to in Article 3(8), first subparagraph. The Commission shall approve that request under the condition set out in Article 3(8), second subparagraph.
Article 3
Registration in Eudamed and access to Eudamed via the restricted website
1. In order to be granted access to Eudamed via the restricted website, a natural person shall create an account on the Commission authentication service website.
2. The Commission shall register the competent authorities and the authorities responsible for the notified bodies and shall grant access to the restricted website to a first natural person to act on their behalf. For that purpose, the Member States shall provide to the Commission information on their competent authorities, the authorities responsible for notified bodies and the natural persons to become the first authorised users of those authorities.
3. The Commission shall register the notified bodies in Eudamed on the basis of the information in the database of notified bodies developed and managed by the Commission (NANDO).
In order to be granted access to Eudamed via the restricted website, the first natural person acting on behalf of an actor that is a notified body shall submit an access request via the restricted website. The authority responsible for the notified body shall approve the request.
4. In order for other entities than the ones mentioned in paragraphs 2 and 3 to be registered in Eudamed, a natural person acting on behalf of the prospective actor shall submit an actor registration request, via the restricted website. The actor registration request shall include the signed declaration on information security responsibilities referred to in Article 10(1). A national competent authority shall approve the actor registration request, except when the request concerns a sponsor of a clinical investigation or a performance study.
Upon approval of the actor registration request or, in case of a sponsor, when the actor registration request has been submitted, the natural person who submitted that request as referred to in the first subparagraph shall be automatically granted access to the restricted website and become the first authorised user, provided that the conditions in paragraph 6 are fulfilled.
For the purposes of this paragraph, the national competent authority shall be the authority of the place of establishment of the prospective actor. As regards manufacturers established outside of the Union, the national competent authority shall be the authority responsible for the authorised representative mentioned in the actor registration request. As regards system or procedure pack producers established outside of the Union, the national competent authority shall be the authority of the Member State, where the first system or procedure pack of that producer is to be placed on the market.
5. In order for a natural person to be granted access to the restricted website to act on behalf of an actor, he or she shall submit an access request via the restricted website. A LAA or LUA of that actor shall approve the access request.
6. In order to become authorised users, natural persons shall accept the user rights and obligations as set out in the document referred to in Article 10(1), point (a), and consult the privacy statement referred to in point (c) of that Article.
7. The first authorised user of an actor shall automatically be the first LAA of that actor.
8. A LAA may via the restricted website make a request to the Commission for a machine-to-machine connection for performing data exchanges between the actor’s database and Eudamed.
The Commission may approve the request referred to in the first subparagraph provided that the LAA has confirmed that the actor complies with the information security requirements for data exchange referred to in Article 10(1).
Article 4
Nomenclature
Authorised users shall use the open access codes of the European Medical Device Nomenclature (EMDN) when providing information on medical devices in Eudamed.
The Commission shall make the EMDN available in Eudamed free of charge.
Article 5
Technical and administrative support
1. The Commission shall set up an application support team to provide timely assistance to users of Eudamed, reachable via a dedicated functional mailbox.
2. The Commission shall make available to the users of Eudamed the relevant technical documentation on Eudamed, Frequently Asked Questions regarding Eudamed and the documentation in support of machine-to-machine data exchange services.
Article 6
Ownership and processing of personal data
1. The Commission shall be the owner of Eudamed and shall have full administration rights.
2. Personal data shall be processed in Eudamed for the purpose of complying with the obligations set out in Regulations (EU) 2017/745 and (EU) No 2017/746.
3. The following categories of personal data shall be processed:
(a) names of actors and authorised users;
(b) contact details of actors and authorised users;
(c) identification and contact details, and data on professional qualifications of other natural or legal persons, which shall be reported in Eudamed for the purpose of complying with the obligations set out in Regulations (EU) 2017/745 and (EU) No 2017/746.
Article 7
Functioning rules
1. The submission of data in Eudamed shall be deemed executed at the date and time when the data is successfully registered in Eudamed. The date and time of submission shall be determined based on Central European Time (CET) or Central European Summer Time (CEST), as applicable.
2. Eudamed shall be accessible at all times, except during necessary and previously announced downtime periods due to maintenance activities, including new releases. The Commission shall display in advance a notice to that regard on the restricted website or the public website, as applicable.
Article 8
Malfunction
1. The Commission shall take all necessary measures to prevent any malfunction and to identify it, without undue delay, when it occurs.
2. Where an actor or an authorised user suspects a malfunction, it shall immediately inform the Commission thereof.
3. Where the Commission identifies a malfunction, it shall take the following measures:
(a) display, without delay, a notice to that regard (‘malfunction notice’) on the restricted website or the public website, as applicable, unless the nature of the malfunction prevents the Commission from doing so, in which case it shall, to the extent possible, display the notice on the Commission’s dedicated website for medical devices;
(b) suspend the periods for submission of data in Eudamed set out in Regulations (EU) 2017/745 and (EU) No 2017/746, where the malfunction hinders entering of the relevant data.
Where the Commission suspends the periods for submission of data to Eudamed as provided for in the first subparagraph, point (b), the malfunction notice shall specify the time of the display of that notice and the likely duration of the suspension.
4. In addition to the suspension of periods referred to in paragraph 3, first subparagraph, point (b), of this Article, where a malfunction hinders compliance with any of the obligations referred to in Article 80, Article 87(1), Article 89(5), (7), (8) and (9), Article 95(2), (4) and (6), or Article 98(2) of Regulation (EU) 2017/745, or in Article 76, Article 82(1), Article 84(5), (7), (8) and (9), Article 90(2), (4) and (6) or Article 93(2) of Regulation (EU) 2017/746, either of the following procedure shall apply:
(a) where the malfunction lasts more than 12 hours following the display of the malfunction notice, the actor shall without delay provide general information about the relevant data and an indication that the submission of data is pending due to the malfunction to the Commission, to the national competent authorities concerned and to the notified body that issued the certificate of conformity referred to in Article 56 of Regulation (EU) 2017/745 or Article 51 of Regulation (EU) 2017/746, as applicable;
(b) where the malfunction lasts more than 24 hours following the display of the malfunction notice, or where the malfunction lasts less than 24 hours and it is requested by the national competent authorities concerned after receiving the information referred to in point (a) of this paragraph, the actor shall without delay provide the relevant data to those authorities, in the manner prescribed by them.
5. In addition to the suspension of periods referred to in paragraph 3, first subparagraph, point (b) of this Article, in the event of a malfunction that hinders compliance with one of the obligations set out in Regulation (EU) 2017/745 or Regulation (EU) 2017/746 other than the obligations referred to in paragraph 4 of this Article, the following procedure shall apply:
(a) where the malfunction lasts more than 36 hours following the display of the malfunction notice, the actor shall without delay provide general information about those data and an indication that the submission of data is pending due to the malfunction to the Commission, to the national competent authorities concerned and to the notified body that issued the certificate of conformity referred to in Article 56 of Regulation (EU) 2017/745 or Article 51 of Regulation (EU) 2017/746, as applicable;
(b) where the malfunction lasts more than five days following the display of the malfunction notice, the actor shall inform the national competent authorities concerned thereof and shall, if they so request, provide them with the relevant data, in the manner prescribed by them.
6. When the Commission has established that the malfunction has ceased, it shall communicate that information to the competent authorities. In addition, the Commission shall display a notice to that regard on the restricted website and/or the public website, as applicable. Both the communication and the notice shall indicate the duration of the malfunction and of the suspension of periods referred to in paragraph 3, point (b).
7. When the Commission has displayed the notice referred to in paragraph (6), actors shall without delay enter the data that they were hindered to submit during the malfunction in Eudamed.
Article 9
Websites for testing and training purposes
1. The Commission shall make available to the actors websites for the purposes of testing and training with regard to using Eudamed (‘websites for testing and training’).
Data entered in the websites for testing and training shall be considered fictitious and shall not be made available to the public.
2. Before using for the first time machine-to-machine data exchange services, an actor shall make at least one successful attempt of submission of data through machine-to-machine using a website for testing and training.
3. Any changes that the Commission intends to introduce to the Eudamed machine-to-machine data exchange services shall first be introduced by it in the websites for testing and training and shall be available on those websites for a period to be defined in advance by the Commission in collaboration with the Medical Device Coordination Group established under Article 103 of Regulation (EU) 2017/745.
The Commission shall inform the concerned actors via Eudamed in advance of the envisaged changes and of the period of their availability on the websites for testing and training.
Article 10
IT Security
1. The Commission shall make the following documents available on the restricted website:
(a) a document on user rights and obligations;
(b) the declaration on information security responsibilities;
(c) the privacy statement;
(d) the information security requirements for data exchange.
2. Actors shall comply with the terms and conditions set out in the documents referred to in paragraph 1, point (b), and, where applicable, point (d) of that paragraph.
3. Where the Commission suspects that an IT security incident, IT security risk or IT security threat, as defined in Article 2, points (15), (22) and (25), of Decision (EU, Euratom) 2017/46, which it considers as potentially harmful for Eudamed, its data or their confidentiality (‘IT security incident, IT security threat or IT security risk’) has occurred or is present, the Commission may suspend all access to Eudamed.
4. The Commission may suspend all or part of the functionalities of Eudamed’s electronic systems, where it identifies an IT security incident, IT security threat or IT security risk.
If the suspension referred to in the first subparagraph hinders the entering of data in Eudamed, Article 8(3), (4) and (5) shall apply mutatis mutandis.
5. Any actor or authorised user who becomes aware of or suspects an IT security incident, IT security threat or IT security risk, shall immediately inform the Commission and the concerned Member States thereof.
Article 11
Fraudulent user activity within Eudamed
1. Where a competent authority, an LAA or an LUA suspects a fraudulent request for access to Eudamed, they shall refuse the request and immediately inform the Commission of such refusal via the application support team referred to in Article 5(1), specifying that it concerns a suspected fraudulent access request.
2. Where the Commission has a reasonable suspicion of fraudulent activity by an authorised user affecting the IT security of Eudamed, it shall temporarily suspend that authorised user’s access to Eudamed. In that case, the Commission shall without delay inform all Member States and the concerned actors of the suspension and its justification.
3. Any actor or authorised user who suspects a fraudulent activity by an authorised user shall without delay inform the Commission and the Member States of the suspected fraudulent activity via the application support team referred to in Article 5(1).
4. Where the Commission establishes a fraudulent activity in Eudamed, it shall immediately terminate the relevant authorised users’ access to Eudamed and take the necessary measures, including, where appropriate, preventing any future access to Eudamed from the related accounts created on the Commission authentication service website. The Commission shall without delay inform the relevant national competent authorities and the concerned actors of any measures taken pursuant to this paragraph.
Article 12
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 26 November 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 117, 5.5.2017, p. 1.
(2) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
(3) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (OJ L 6, 11.1.2017, p. 40).
(4) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).