Why overlapping regulatory requirements create scope gaps

Most Applicable Lists are built around a single primary framework. For medical device manufacturers, that framework is often MDR or IVDR. The structure reflects the regulation: articles, annexes, essential requirements. Applicability decisions are made within that defined scope, documented, and maintained accordingly.

This model works as long as regulatory obligations are treated as largely self-contained. Increasingly, they are not.

When scope no longer fits inside one regulation

Today’s regulatory landscape extends well beyond a single domain. Data protection requirements intersect with product data flows. Cybersecurity expectations influence risk management and post-market activities. AI-related obligations begin to shape documentation and oversight structures. Environmental and sustainability regulations introduce reporting and lifecycle considerations that sit alongside product compliance.

Each of these domains carries its own logic, terminology, and supervisory expectations. Yet in many organisations, applicability is still managed as if regulatory scope can be cleanly separated by regulation.

How cross-domain pressure exposes structural limits

The Applicable List remains structured around one primary framework. Cross-domain requirements are then handled separately: in parallel documents, specialised assessments, or by different teams. The result is fragmentation.

A requirement under MDR may depend on data handling practices governed by GDPR. Cybersecurity guidance may influence how risk controls are interpreted under Annex I. AI-related oversight may reshape post-market surveillance expectations. But when these connections are not reflected in a shared applicability structure, traceability becomes partial.

Each requirement is addressed somewhere. But when an auditor asks how GDPR-driven data handling assumptions influenced your MDR Annex I risk controls, the reasoning cannot be reconstructed without manual cross-document interpretation.

The Applicable List still exists, but it no longer represents the full regulatory reality the organisation operates within. It captures a single-domain interpretation in a multi-domain environment.

When applicability is structured per regulation rather than per product and market context across domains, the Applicable List ceases to represent the true regulatory baseline.

When applicability decisions start to conflict

As cross-domain interactions increase, inconsistencies begin to surface. A requirement marked as non-applicable in one context becomes indirectly relevant through another domain. Similar products are assessed differently depending on which regulatory lens was applied first. Teams interpret overlapping obligations in isolation, without visibility into how decisions interact.

The Applicable List still exists, but it no longer represents the full regulatory reality the organisation operates within. It captures a single-domain interpretation in a multi-domain environment.

Why this becomes visible under pressure

Cross-domain breakdown rarely surfaces during routine work. It becomes visible when decisions need to be defended holistically: during audits, inspections, regulatory questions, or major product changes.

At that point, authorities do not assess compliance one regulation at a time. They look at how obligations intersect. If applicability decisions have been documented in isolation, the organisation struggles to show how cross-domain requirements were considered together.

The issue is not lack of effort. It is structural misalignment between how regulatory scope is documented and how it is enforced.

Why this matters now

Regulatory expectations increasingly assume that organisations understand and manage the interaction between domains, not just individual regulations in isolation. Under MDR and IVDR, manufacturers are responsible for maintaining compliance throughout the product lifecycle — a responsibility that now intersects with data protection, cybersecurity, AI governance, and environmental obligations.

Quality system requirements reinforce this by placing responsibility on organisations to maintain control over regulatory scope as it evolves. In practice, this means that applicability decisions must remain coherent not only within a single framework, but across domains that influence one another.

As more organisations encounter cross-domain scrutiny, the limitations of single-domain applicability structures become visible. The challenge is no longer identifying requirements, but maintaining a defensible, cross-domain view of regulatory scope over time.

As part of exploring how this challenge can be addressed in practice, we are preparing early access to Hoodin Compliance Studio — a workspace focused on maintaining defensible regulatory scope and applicability reasoning across domains — for organisations already experiencing pressure in multi-domain regulatory environments.

Early Access may be relevant if this situation feels familiar and you want early insight into how the product takes shape, or the opportunity to contribute perspectives grounded in real RA/QA workflows.