The Regulatory Decisions Most Likely to Trigger Audit Findings

  • Writer: Team Hoodin
  • Jun 8
  • 3 min read

Updated: 4 days ago

If a notified body challenged your current list of applicable regulatory requirements and standards tomorrow, how confident are you that your organisation could explain every decision behind it?

Not just why MDR applies. Not just why GDPR appears on the list. But why one regulation was included while another was excluded. Why a requirement was considered relevant. Why a local implementation was deemed equivalent to the European version. Why a regulatory update was assessed as having no impact.


Most regulatory professionals instinctively answer that question with confidence.


After all, the organisation has been operating under those assumptions for years. Products have been certified. Audits have been completed. Regulatory submissions have been accepted.


The regulatory position feels established.

But there is an uncomfortable difference between having a regulatory position and being able to defend it.


That distinction is becoming increasingly important.


Over the past decade, regulatory affairs has quietly undergone a fundamental shift. The profession was once primarily concerned with understanding regulations and implementing requirements. Today, regulatory teams are increasingly expected to demonstrate how decisions were reached, how they were maintained over time and how they continue to remain valid as regulations, products and markets evolve.


In other words, regulators, notified bodies and auditors are no longer interested only in the answer.


They are interested in the reasoning.

Consider a relatively common situation.


In 2021, a manufacturer launches a software medical device in Europe. The regulatory team performs an assessment under MDR Rule 11 and concludes that the software should be classified as Class IIa. The assessment is reviewed internally, accepted by the notified body and incorporated into the technical documentation.


The decision is made.


The product moves forward.


The company grows.


People leave.


New people arrive.


Three years later, during a surveillance audit, the classification is reviewed again.


Nothing about the product has fundamentally changed. The original conclusion may still be entirely correct.


The problem is that nobody involved in the original assessment remains within the organisation.


What remains is the classification itself. What has disappeared is the reasoning.

Which MDCG guidance was considered?


Which alternative interpretations were evaluated?


What assumptions were made regarding intended purpose and clinical decision-making?


Why was Class IIa selected rather than Class IIb?



At this point, the discussion is no longer about classification. It is about governance.

And that is where many organisations become vulnerable.


One of the biggest misconceptions in regulatory affairs is that audit findings are primarily caused by missing regulations, incomplete procedures or documentation gaps. Those issues certainly occur, but they are often symptoms rather than root causes.


A more fundamental problem is that organisations gradually lose the ability to explain their own regulatory decisions.

The process usually happens slowly.


An applicability assessment is performed during product development.


A market-specific interpretation is agreed during a project meeting.


A regulatory update is reviewed and considered non-impacting.


A local requirement is judged to be equivalent to an existing obligation.


Each decision makes perfect sense at the time.


The people involved understand the context. The reasoning is obvious. Nobody sees an immediate need to preserve the discussion because everyone assumes the logic will remain self-evident.


It rarely does.


As organisations grow, regulatory reasoning becomes fragmented across emails, meetings, spreadsheets, personal notes and institutional memory. Eventually the conclusion survives while the rationale disappears.


That creates a governance risk that many organisations do not recognise until someone external starts asking questions.


This is one reason why MDR Article 10 is so significant. Although much attention is given to specific regulatory requirements, the broader expectation is that manufacturers establish and maintain systems capable of ensuring continued compliance. Implicit within that expectation is the ability to demonstrate how regulatory decisions are made, maintained and reassessed over time.


ISO 13485 reinforces the same principle through its emphasis on objective evidence, traceability and controlled processes.


Neither framework is really asking whether an organisation can make regulatory decisions.


Every organisation does that.


The real question is whether the organisation can still explain those decisions years later.


That is a much higher standard.


And it is becoming the standard that matters.


The regulatory decisions most likely to trigger difficult audit findings are not necessarily the wrong ones.


In many cases they are decisions that were perfectly reasonable when they were made.


The problem is that the organisation can no longer demonstrate why they were reasonable.

The regulation is known.


The conclusion exists.


The product remains on the market.


But the reasoning has vanished.

When that happens, organisations often discover that a compliant regulatory position and a defensible regulatory position are not the same thing.


Start governing live regulatory positions with Vertical AI

Experience how Compliance Studio combines governed regulatory requirements, continuous regulatory awareness, and Vertical AI to maintain defensible regulatory positions across products and markets.
