What is the primary objective of ISO 13485?

ISO 13485:2016 specifies requirements for a quality management system (QMS) where organizations demonstrate ability to consistently provide medical devices and related services that meet customer and applicable regulatory requirements. This standard, structured in Clauses 4–8, emphasizes documented processes, risk-based controls, validation, traceability, and post-market surveillance across the device lifecycle—from design through decommissioning. It functions as a regulatory-ready framework, requiring objective evidence of established, implemented, and maintained processes.

Who is legally or professionally required to comply with ISO 13485?

ISO 13485 applies to organizations involved in one or more stages of the medical device lifecycle, including manufacturers, production, storage, distribution, installation, servicing, and suppliers of related services. Target entities encompass medical device manufacturers (design/manufacture), contract manufacturers, importers, distributors, sterilization/calibration providers, and software developers for Software as a Medical Device (SaMD). Organizations must identify their regulatory roles and incorporate applicable requirements into the QMS.

Does ISO 13485 require an external audit or third-party certification?

ISO 13485 certification is performed by accredited certification bodies through a two-stage process: Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance and triennial recertification. While the standard itself mandates internal audits (Clause 8.2.4), third-party certification provides formal recognition, often required for market access by regulators and customers, demonstrating QMS conformity.

How often should an assessment for ISO 13485 be performed?

Internal audits for ISO 13485 must be conducted at planned intervals per Clause 8.2.4, with management reviews at planned intervals per Clause 5.6. Certifications involve annual surveillance audits and full recertification every three years. Frequency aligns with risk-based planning, considering process performance, nonconformities, and regulatory changes.

What are the consequences of non-compliance with ISO 13485?

Non-compliance with ISO 13485 risks regulatory enforcement, including product holds, recalls, fines, market withdrawal, and loss of certification. Audits reveal gaps in documentation, CAPA, or validation, leading to corrective actions; persistent issues trigger major nonconformities, enforcement by notified bodies, or FDA observations under aligned regimes like QMSR (effective February 2, 2026). Record retention failures (minimum two years post-release or device lifetime) exacerbate traceability issues.

Can ISO 13485 be mapped to other international frameworks?

Yes, ISO 13485 Annex B provides explicit correspondence to ISO 9001:2015, though conformity to ISO 13485 does not imply ISO 9001 compliance. It integrates with ISO 14971 (risk management), IEC 62366-1 (usability), and supports regulatory alignments like EU MDR QMS expectations and FDA QMSR (incorporating ISO 13485 by February 2, 2026), enabling harmonized implementation without claiming dual certification.

What is the first step to begin implementing ISO 13485?

The first step is establishing and documenting the QMS scope per Clause 4.1, including process identification, risk-based controls, exclusions justification, and outsourced process oversight. Develop the quality manual (Clause 4.2.2) detailing scope, procedures, and interactions, followed by medical device files for each device type/family.

What is the primary objective of EU AI Act?

The primary objective of the EU AI Act is to establish a risk-based regulatory framework that prohibits unacceptable-risk AI practices, imposes strict obligations on high-risk AI systems, mandates transparency for limited-risk systems, and fosters trustworthy AI while ensuring safety, fundamental rights protection, and innovation across the EU market. Regulation (EU) 2024/1689, effective from 1 August 2024, classifies AI into unacceptable, high, limited, and minimal risk tiers per Articles 5-6 and Annexes I-III, operationalizing safety through lifecycle controls like risk management (Article 9) and conformity assessments (Article 43).

Who is legally or professionally required to comply with EU AI Act?

Providers, deployers, importers, distributors, and authorized representatives of AI systems whose outputs are used in the EU must comply with the EU AI Act, regardless of location. Providers (Article 3(3)) develop or place high-risk systems on the market; deployers (Article 3(4)) are professional users ensuring oversight and monitoring. Scope captures third-country entities via the "EU output nexus" (Article 2), with GPAI providers facing Chapter V duties (Articles 51-56).

Does EU AI Act require an external audit or third-party certification?

High-risk AI systems require conformity assessment, which may involve third-party notified bodies and external audits, but internal assessments suffice in some cases. Article 43 mandates assessments per Annexes VI-VII; Annex III systems like biometrics often need notified bodies (Articles 28-39). CE marking (Article 48) and EU database registration (Article 49) follow successful assessment; harmonized standards (Article 40) presume conformity.

How often should an assessment for EU AI Act be performed?

Conformity assessments for high-risk AI must occur before market placement or service, with ongoing post-market monitoring and reassessment for substantial modifications. Article 61 requires evaluation upon changes (Article 3(23)); post-market monitoring (Article 72) is continuous, with serious incident reporting (Article 73) without undue delay and logs retained per Article 19 (minimum 6 months).

What are the consequences of non-compliance with EU AI Act?

Non-compliance with the EU AI Act incurs tiered administrative fines up to 7% of worldwide annual turnover or €35 million for prohibited practices, plus market bans and corrective actions. Article 99 sets fines: up to 7% (€35M) for Article 5 bans; 3% (€15M) for other Chapter III obligations; 1.5% (€7.5M) for supplying incorrect information. Enforcement by national authorities (Article 70) includes suspensions, recalls, and AI Office oversight for GPAI (Article 101).

Can EU AI Act be mapped to other international frameworks?

No, the EU AI Act cannot be directly mapped to other international frameworks in this standalone FAQ.

What is the first step to begin implementing EU AI Act?

The first step to implement the EU AI Act is to conduct an AI inventory and classify all systems by risk tier against Article 5 prohibitions and Annexes I-III. Document classification rationale (Article 6(4)); prioritize ceasing prohibited practices (effective 2 February 2025) and preparing high-risk conformity (from 2 August 2026).

Standards Comparison

ISO 13485 vs EU AI Act

ISO 13485

Mandatory

2016

International standard for medical device quality management systems

EU AI Act

Mandatory

2024

EU regulation for risk-based AI safety and governance

Quick Verdict

ISO 13485 provides QMS certification for medical devices globally, enabling market access and risk control. EU AI Act mandates risk-based compliance for AI systems in EU, prohibiting harms and requiring conformity assessments to ensure safety.

Quality Management

ISO 13485

ISO 13485:2016 Medical devices Quality management systems

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based controls for device safety and compliance
Full medical device lifecycle coverage
Mandatory medical device files for traceability
Process and software validation requirements
Post-market surveillance and complaint handling

Artificial Intelligence

EU AI Act

Regulation (EU) 2024/1689 Artificial Intelligence Act

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based four-tier AI classification framework
Prohibitions on unacceptable-risk AI practices
High-risk conformity assessment and CE marking
GPAI model systemic risk obligations
Lifecycle post-market monitoring and fines

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 13485 Details

What It Is

ISO 13485:2016 is an international certification standard titled Medical devices — Quality management systems — Requirements for regulatory purposes. It provides a risk-based framework for organizations to demonstrate consistent provision of safe medical devices across the lifecycle, from design to disposal, integrating customer and regulatory requirements.

Key Components

Organized into Clauses 4–8: QMS/documentation, management responsibility, resources, product realization, measurement/improvement.
Emphasizes documented procedures, medical device files, process validation, traceability, and post-market surveillance.
Built on process approach with ISO 9001 compatibility but enhanced for regulatory needs.
Third-party certification via accredited bodies with stage audits and surveillance.

Why Organizations Use It

Enables market access (EU MDR, FDA QMSR alignment by 2026).
Mitigates risks of recalls, liabilities via robust controls.
Builds stakeholder trust, supplier partnerships, operational efficiency.
Strategic for scaling, international expansion, regulatory convergence.

Implementation Overview

Phased: gap analysis, process design, validation, audits (9–18 months typical).
Applies to manufacturers, suppliers, distributors globally.
Requires eQMS, training, CAPA; certification every 3 years.

EU AI Act Details

What It Is

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is a comprehensive EU regulation and the world's first horizontal AI framework. It ensures safe, transparent AI respecting fundamental rights across sectors. Employing a risk-based approach, it tiers systems as unacceptable (prohibited), high-risk, limited-risk (transparency), or minimal-risk.

Key Components

Prohibitions (Art. 5), high-risk obligations (Arts. 9-15: risk management, data governance, documentation, oversight, cybersecurity), GPAI rules (Chapter V)
Lifecycle controls via conformity assessment, CE marking, EU registration
Aligned with GDPR, product safety laws; presumption via harmonized standards
Enforced by AI Office, national authorities with fines to 7% global turnover

Why Organizations Use It

Mandatory EU market access, avoiding severe penalties
Mitigates safety, rights risks; builds deployer/provider accountability
Enhances trust, competitiveness in regulated sectors like HR, biometrics
Enables innovation sandboxes, global compliance leadership

Implementation Overview

Phased (6-36 months): inventory, classify, build QMS/RMS, conformity
Cross-functional governance, documentation-heavy; audits/notified bodies
Applies to providers/deployers in EU scope, all sizes/industries

Key Differences

Aspect	ISO 13485	EU AI Act
Scope	Medical device QMS lifecycle	Risk-based AI systems lifecycle
Industry	Medical devices globally	All sectors in EU
Nature	Voluntary certification standard	Mandatory EU regulation
Testing	Process validation, audits	Conformity assessment, notified bodies
Penalties	Loss of certification	Up to 7% global turnover fines

Scope

ISO 13485

Medical device QMS lifecycle

EU AI Act

Risk-based AI systems lifecycle

Industry

ISO 13485

Medical devices globally

EU AI Act

All sectors in EU

Nature

ISO 13485

Voluntary certification standard

EU AI Act

Mandatory EU regulation

Testing

ISO 13485

Process validation, audits

EU AI Act

Conformity assessment, notified bodies

Penalties

ISO 13485

Loss of certification

EU AI Act

Up to 7% global turnover fines

Frequently Asked Questions

Common questions about ISO 13485 and EU AI Act

ISO 13485 FAQ

EU AI Act FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

CMMC Scoping Mastery for Defense Supply Chains: Enclave Mapping, Subcontractor Flow-Down, and CUI Inventory Blueprint

Master CMMC scoping for DIB: delineate FCI/CUI boundaries, segment enclaves, manage subcontractor flow-down. Prevent 80% assessment failures with SSP templates,

Breaking Down NIST CSF 2.0 Structure: Core, Tiers, Profiles, and Real-World Application

Master NIST CSF 2.0 structure: Govern + 5 Core functions, Tiers (Partial-Adaptive), Profiles for gaps, and real-world apps. Build effective cyber risk strategie

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 13485 and EU AI Act compare against other standards

Other ISO 13485 Comparisons

Other EU AI Act Comparisons

What It Is

Key Components

Organized into Clauses 4–8: QMS/documentation, management responsibility, resources, product realization, measurement/improvement.

Emphasizes documented procedures, medical device files, process validation, traceability, and post-market surveillance.

Built on process approach with ISO 9001 compatibility but enhanced for regulatory needs.

Third-party certification via accredited bodies with stage audits and surveillance.

What It Is

Key Components

Prohibitions (Art. 5), high-risk obligations (Arts. 9-15: risk management, data governance, documentation, oversight, cybersecurity), GPAI rules (Chapter V)

Lifecycle controls via conformity assessment, CE marking, EU registration

Aligned with GDPR, product safety laws; presumption via harmonized standards

Enforced by AI Office, national authorities with fines to 7% global turnover

Aspect

ISO 13485

EU AI Act

Scope

Medical device QMS lifecycle

Risk-based AI systems lifecycle

Industry

Medical devices globally

All sectors in EU

Nature

Voluntary certification standard

Mandatory EU regulation

Testing

Process validation, audits

Conformity assessment, notified bodies

Penalties

Loss of certification

Up to 7% global turnover fines