June 2025 — Are Your Legacy Assumptions Defensible?

Closing Legacy Gaps Starts with a Traceable, Auditable Applicable List

Most RA/QA teams are now in the middle of Article 120-based legacy assessments, evaluating whether their past assumptions still hold under MDR or IVDR. Notified Bodies are increasingly rejecting vague references, static lists, or outdated checklists. They now expect traceable, version-controlled evidence of regulatory control — aligned with Article 10.9, Annex II Section 4, and ISO 13485 §4.1.3.

If your Applicable List of Regulations is static, undocumented, or unclear, you will not be able to defend your legacy position — nor demonstrate that you have system-level regulatory control.

This is the moment to move beyond “gap spotting” and start building an operational control system.

You may use AI-enhanced regulatory tools such as Hoodin to structure, monitor, and maintain a versioned Applicable List — fully traceable and audit-ready.

Operational Focus

Build a structured Applicable List of Regulations — per product, per selected markets — with justification, traceability, and version control

This Applicable List is no longer just a table in your technical files. It is now the core of your regulatory control system — and must document:– Which markets you distribute in– Which regulations apply (EU, national, cross-domain)– Why each regulation is included or excluded– How it is monitored and versioned — ready for NB review

Step-by-Step Execution

1. Define your product configurationIdentify product name, MDR/IVDR classification, and technical scope, including:– Intended purpose– Risk class– Current distribution markets (EU, UK, CH, etc.) — limit to current distribution– Product-specific regulatory attributes (e.g. manages patient data, contains hazardous substances, software/AI functionality, blood-contacting materials)
   

2. Generate the Applicable List of RegulationsUse AI-enhanced regulatory tools such as Hoodin to generate a tailored list based on your product and selected markets. The list should include:– EU-level regulations (MDR/IVDR, delegated acts, implementing acts, CS)– National/local counterparts (e.g. UK MDR 2002, Swiss MedDO, national IVDR laws)– Cross-domain acts (GDPR, REACH, RoHS, cybersecurity)– Deviation flags — where national regulations add new requirements or differ in enforcement
   

3. Map each regulation to technical documentationFor example: link GDPR to Annex II §4 for data-related claims, or REACH to GSPR 10 for chemical safety. Document traceability paths.
   

4. Justify inclusion or exclusion of each regulationProvide a clear rationale for each item — especially if a regulation is excluded but may be expected by an auditor.
   

5. Apply version control and live monitoringYour list must be:– Dated and versioned– Linked to change history in both regulatory sources and product design– Reviewed at defined intervals within your QMS

How Hoodin Helps

Hoodin’s Smart Compliance List allows you to:

• Define each product using classification, attributes, and markets

• Automatically generate a tailored Applicable List of Regulations, with deviations clearly flagged

• Monitor 1,500+ European regulations, including national counterparts

• Track and justify updates, removals, and additions over time

• Maintain a fully version-controlled, traceable Applicable List, audit-ready for notified body review. Start you 14-day free trial here