As of February 2, 2026, the medical device industry officially entered a new regulatory era. The long-anticipated transition is complete: the Quality Management System Regulation (QMSR) has modernized 21 CFR Part 820 by integrating ISO 13485:2016. But for manufacturers, this is more than a paperwork update. It represents a fundamental shift in how the FDA conducts inspections, moving from a checklist-driven audit to a dynamic, risk-based investigation.
For those expecting a simple “ISO 13485 conformance check,” the reality will be a surprise. FDA investigators are not notified body auditors. Their mandate is to enforce the Food, Drug, and Cosmetic Act, and their new playbook, outlined in the Compliance Program (CP) 7382.850, reflects a hybrid approach that is both process-based and enforcement-driven. There is no grace period. Inspections under this new framework are happening now.
The Core Mindset Shift: From Conformance to Compliance
The most significant change is the philosophical pivot. The FDA investigator’s mindset is not to verify conformance to a standard; it is to ensure compliance with public health laws. The new inspection framework is centered on the patient, with the manufacturer’s own risk management documentation acting as the roadmap for the investigation.
Investigators are now trained to:
1. Identify Product Risks: Using pre-market reviews, complaints, MDRs, and recalls.
2. Review Your Risk Files: Your own documentation will guide their focus.
3. Select Elements to Evaluate: Based on the identified risks.
4. Follow the Connections: A single finding in one area, like a complaint, will lead them to interconnected areas like Design & Development, Production, and MDR reporting.
This interconnected approach is organized in the “Six QMS Areas” model:
- Change Control,
- Design & Development,
- Management Oversight,
- Measurement/Analysis/Improvement,
- Outsourcing/Purchasing, and
- Production/Service Provision.
Significantly, “Other Applicable FDA Requirements” (OAFRs) such as:
- 21 CFR Part 803, Medical Device Reporting (MDR)
- 21 CFR Part 806, Corrections and Removals (Recalls)
- 21 CFR Part 807, Registration and Listing
- 21 CFR Part 830, Unique Device Identification (UDI)
- Section 524B of the FD&C Act, Cybersecurity
are now explicitly integrated into these areas, not treated as separate “satellite” reviews.
The Top Critical Gaps: Where Manufacturers Will Be Tested
The transition from QSR to QMSR has exposed several critical gaps that will be a primary focus during inspections. Here are the key areas where manufacturers must be ready to provide more than just a procedure.
1. Complaint Handling & MDR Integration
Under the old QSR, complaint handling was often reactive. The new QMSR demands a proactive feedback loop. Investigators will ask, “Show me how this complaint updated your risk file.” Every complaint, service report, and piece of returned product must be evaluated not just for MDR criteria, but for its impact on your overall risk analysis. Your decision not to file an MDR must be risk-justified and documented.
2. Supplier Management Transparency
The days of labeling supplier audit reports as “confidential” are over. The QMSR now requires that you provide these reports to the FDA upon request. Expect investigators to scrutinize your control over sub-tier suppliers based on risk and to ask tough questions about why findings from previous audits remained open.
3. Training vs. Competency Evidence
A signed training log is no longer sufficient. The QMSR requires objective evidence of competency. For critical processes, be prepared to answer: “How do you know this operator is competent?” This means showing evidence of effectiveness, periodic re-evaluation, and verification that the employee truly understands the procedure.
4. Management Responsibility & Visibility
Management review is no longer a private, internal affair. Investigators will request these records and expect to see active, documented oversight. They will look for evidence that management acted on previous audit findings, allocated resources to address quality trends, and reviewed the effectiveness of CAPAs. Full transparency is now the expectation.
5. Risk Management Integration
Risk management is now more than a design-phase activity. The risk file is a living document, updated with real-world data from production, service, and complaints. When a service report notes an unexpected failure mode, investigators will want to see how that information flowed back into the risk management file and whether it changed the risk acceptability.
6. The New Frontier: Cybersecurity
For applicable “cyber devices,” cybersecurity is now a core compliance element under Section 524B of the FD&C Act. It must be integrated into Design & Development, Risk Management, and Postmarket Surveillance. Investigators will ask to see how recent cybersecurity threats were assessed in your risk file and what actions were taken, from patching to customer communication.
Conclusion: Preparing for the New Reality
For manufacturers, the path forward requires a definite shift. Siloed systems will be problematic. The focus should be on process integration, ensuring that data flows seamlessly from post-market feedback back into design and risk management.
The QMSR isn’t just a new regulation; it’s a new partnership based on risk and transparency. By embracing this mindset, manufacturers can move beyond mere compliance and build a culture of quality that stands up to the FDA’s new, more dynamic playbook.
NOTE: This blog is based on key insights from a one-hour webinar I recently presented on this topic. The response was overwhelming, and given the February 2, 2026 effective date, the time to act is now. If your team needs to get up to speed, I am happy to discuss bringing this training to your organization. Contact us at contact@QLeaRAdvisors.com or 1-833-QLaRity (1-833-752-7489).
