22 August 2025, by Milena Sprysz
Compliance à trois – When SaMD, MDR and C5 have to work together
A drama in three acts – featuring the cloud, classification and control authorities.
In the world of medtech compliance, there is a love triangle of a special kind – and no, we're not talking about the love triangle between medical staff, development teams and the coffee machine in the break room. We're talking about SaMD, MDR and C5. Three abbreviations that regularly cause awkward silences in meetings – and, when combined, provide real food for discussion.
But it is precisely this trio that medtech companies must orchestrate today if they want their cloud-based software solutions to not only revolutionise patient care, but also overcome regulatory hurdles.
Act I: SaMD – When software suddenly becomes medicine
‘Imagine if your app could diagnose you!’ Sounds cool, right? Welcome to the world of ‘Software as a Medical Device’ (SaMD). Under the MDR, what counts is the intended purpose: as soon as your application does more than record your pulse or send reminders, for example analysing symptoms or suggesting a therapy, it is no longer a ‘nice to have’ but software with a medical purpose in the sense of Article 2(1). Then things get serious: you're entering the regulatory arena. And it rarely stays a class I device, because classification Rule 11 in Annex VIII puts software that informs diagnostic or therapeutic decisions in class IIa at least, and higher the more serious the consequences of a wrong decision could be.
And that means: MDR ahoy.
Act II: MDR – The regulator with a deluxe questionnaire
The Medical Device Regulation (MDR, Regulation (EU) 2017/745) is the European rulebook for patient safety. It doesn't just ask, ‘Does it work?’ but above all, ‘Is it safe, traceable and documented?’ And it does so on an epic scale.
For SaMD, this means, among other things:
- Clinical evaluation and benefit-risk assessment (Article 61 and Annex XIV).
- Risk management throughout the entire software lifecycle, in practice according to ISO 14971.
- Validated usability (yes, even the UI has to play along; IEC 62366-1 is the usual reference).
- Technical documentation according to Annexes II and III (spoiler: not a weekend project).
- And: IT security as a design requirement, not just an ‘understanding’ of it. Annex I, section 17.2 requires software to be developed in line with the state of the art, explicitly including information security, and section 17.4 obliges the manufacturer to specify the minimum IT security measures needed to operate the device as intended. MDCG 2019-16 describes what notified bodies expect to see as evidence. A product that lives in the cloud, where nobody can say who has access to what, does not meet that bar.
And this is where it gets exciting. Because with the cloud, a new player is entering the stage: the BSI, Germany's Federal Office for Information Security, with its C5 catalogue.
Act III: C5 – The cloud wants to have a say (and it wants to be heard)
C5 sounds like a passive component on a circuit board. It is in fact the BSI's Cloud Computing Compliance Criteria Catalogue and one of the most important references when it comes to cloud security in Germany.
In short, C5 is an attestation framework rather than a certificate: an independent auditor examines the cloud provider's controls against the criteria of the catalogue and issues a report that customers can read, either a Type 1 report on the design of the controls at a point in time or a Type 2 report on their operating effectiveness over a period. The catalogue also contains corresponding criteria for cloud customers, so the customer's own configuration, identity management and logging are in scope too. It is about far more than backups.
It covers:
- secure storage and traceable data flows,
- strict access controls,
- comprehensive logging and monitoring,
- incident management, emergency plans and physical security.
C5 is not a MedTech standard, but it is a must when processing health data: in Germany, § 393 SGB V makes a current C5 attestation a prerequisite for cloud services that process health and social data on behalf of healthcare providers and insurers. And, as we all know, SaMD has no shortage of such data.
The problem: Compliance in silos = drama waiting to happen
Many medtech teams still work separately: Regulatory manages the MDR, IT takes care of the cloud – and in the end, the project team wonders why the notified body is having a panic attack.
The bottom line:
- C5 alone does not constitute MDR approval.
- MDR without IT security is not patient safety.
SaMD in the cloud only works if MDR compliance and C5 conformity are considered together from the outset – not just when the launch is imminent.
The solution: integration instead of parallel processes
Anyone building cloud-based medical devices needs more than a few cross-links in the dossier. What is needed:
- Select cloud providers according to C5 criteria. Ask for the current C5 attestation report (Type 2 rather than Type 1 where available) and check that the services and regions you actually use are within its scope, that the reported deviations are acceptable for you, and that the corresponding customer criteria are implemented on your side. A report you can audit against is a must; a marketing badge is not.
- Expand the technical documentation to include the security concept, the logging and monitoring strategy and every access path to patient data, including administrative and support access, so that the evidence for Annex I, section 17 lives in the Annex II file and not only on an internal IT wiki.
- Integrate IT security into the risk analysis. A threat to the confidentiality or integrity of patient data is a hazard in the ISO 14971 sense and is assessed and controlled like any other risk, not as a footnote.
- Promote cross-functional working. IT, QA, regulatory and product development must understand each other – ideally on a regular basis over coffee and concept papers.
Bonus insight: C5 as a business booster
C5 is more than just a compliance stamp. In a world full of cyber attacks, data protection lawsuits and IT uncertainties, practised cloud security is a real competitive advantage.
Those who can prove that they process sensitive health data in a structured, secure and transparent manner not only score points with auditors, but also with:
- Hospitals
- Health insurance companies
- Patients and
- Investors
Because trust is not claimed – it is documented.
Conclusion: Compliance à trois – not a fling, but a strategic marriage
Yes, the combination of SaMD + MDR + C5 is challenging. But it is also the future: cloud-ready. Regulatorily sound. Secure. Marketable. Those who think as a team instead of working in silos will not only make the notified body happy – but also the users.
Because as in any good relationship, the following applies: communication, trust and clear responsibilities.
We support you!
Are you planning a cloud-based medical device and wondering how to efficiently combine MDR and C5 requirements? Our experts support you in the secure, regulatory-compliant and marketable implementation of your solution – from cloud strategy to audit preparation.