A Cyber Alchemy × Mantra Systems Perspective.
This article is published in partnership with Cyber Alchemy. Their focus is on cybersecurity, helping teams develop and evidence security for software-enabled and connected medical devices. Together, we’re producing a practical series for MedTech teams: what to build, what to defer, and how to avoid avoidable rework when moving between UK, NHS procurement, and EU routes.
For early-stage MedTech companies, choosing a first target market is not only a commercial decision, but also a regulatory one. The first market often shapes the initial regulatory pathway, the structure of the technical documentation, the evidence strategy, and the internal resources required to reach market readiness.
For manufacturers planning international expansion, the question is often whether to start with the UK, the EU, or the US. While all three markets are important, they operate under different regulatory systems and place different demands on manufacturers.
- In the EU, market access is governed by Regulation (EU) 2017/745 (MDR), with software-specific implications under Rule 11 and significant reliance on Notified Body assessment for many devices.
- In the UK, devices are currently regulated under the UK MDR 2002 (which resembles the legacy EU MDD framework), with MHRA oversight.
- In the US, market entry depends on FDA device classification and the applicable premarket route, such as 510(k), De Novo, or PMA.
A practical first-market decision should therefore begin with regulatory fit rather than assumption. There is no universal answer to which market is “easier” or “faster.” The more useful question is which market best aligns with the product’s intended purpose, likely classification, available evidence, and current regulatory maturity. For software and AI-enabled products, that analysis may also need to account for parallel obligations relating to data privacy, cybersecurity, and, in the EU, AI-specific regulation (EU AI Act).
A High-Level Overview of the Three Regulatory Systems
In the EU, under the MDR, many devices above Class I require conformity assessment by a Notified Body before CE marking can be achieved. For software, Rule 11 can significantly affect classification and may result in Class IIa, IIb or III depending on the impact of the software on clinical decisions and patient management. The MDR also places strong emphasis on clinical evaluation and post-market obligations.
In the UK, devices placed on the UK market must be registered with the MHRA. Although UKCA remains the domestic conformity marking route, CE-marked devices continue to be accepted under current transitional arrangements, with the latest applicable deadline extending to 30 June 2030 depending on device type and the legislation under which the CE mark was obtained. The MHRA has recently launched a consultation on the indefinite recognition of CE-marked medical devices. That means CE-mark availability remains a practical factor in first-market planning for companies considering Great Britain alongside the EU.
In the US, FDA regulatory framework is more risk-based. Depending on the device and its classification, market entry may proceed through a 510(k) premarket notification, a De Novo request for novel devices without a predicate, or PMA for higher-risk devices. The FDA also maintains dedicated resources for AI-enabled and software-based devices through its Digital Health and device software programmes.
AI-Enabled Medical Devices: Where the Comparison Becomes More Complex
For AI-enabled products, the first-market question becomes more complex because manufacturers may need to consider not only medical device rules, but also wider AI, data protection, and cybersecurity requirements.
Across all three markets, the starting point is the same: if an AI product meets the definition of a medical device, it is first assessed under the applicable medical device framework. The presence of AI does not, by itself, create a separate medical device category.
That said, the regulatory context around AI is no longer limited to regulations surrounding medical devices alone. In the EU, the AI Act adds a horizontal layer for certain AI systems, including some AI-enabled medical devices. The MDCG has explained that the AI Act complements, rather than replaces, the MDR/IVDR by introducing requirements aimed at AI-specific risks; it does not itself change device qualification or MDR/IVDR classification. In parallel, where personal data is processed, GDPR obligations may also apply.
In the UK, AI developers need to consider UK GDPR and broader data protection requirements where personal data is processed.
In the US, AI-enabled products that meet the device definition remain within the FDA device framework, and the FDA continues to expand guidance and oversight tools for AI-enabled device software functions. For software-based products, cybersecurity and lifecycle management expectations are also increasingly important in premarket planning. Unlike the EU, the US does not currently apply a single cross-sector AI act equivalent to the EU AI Act, so the comparison is not symmetrical.
For manufacturers, the practical point is that AI products often require a dual-lens assessment: first, whether the product is a medical device at all; and second, whether additional AI, privacy, or cybersecurity frameworks apply in parallel.
Five Regulatory Questions Founders Should Ask Before Choosing a First Market
1. Is the product clearly within medical device scope in all three markets?
Start with intended purpose, claims, functionality, user type, and the degree to which the product influences diagnosis, treatment, or patient management. This is especially important for software and AI-enabled products, where qualification can differ across jurisdictions.
This point is particularly important for software, generative AI, and clinical workflow tools. Not all healthcare-related software is medical device software. Qualification depends on intended purpose and the actual function being performed. In the EU, MDCG (2019-11) software guidance remains central to that analysis, and in the UK the MHRA likewise ties software qualification to whether the product meets the legal definition of a medical device.
For AI-enabled products, this boundary question is even more important because the product may sit at the edge of medical device regulation while also raising separate questions around model governance, data protection, and cybersecurity.
2. What is the likely classification, review route, and timeline?
Manufacturers should assess not only likely classification, but also the practical route to market and expected review timeline.
In the EU, software may be upclassified under MDR Rule 11, which can trigger Notified Body involvement and significantly extend timelines. Industry sources indicate MDR conformity assessment often takes around 12 to 18 months, depending on device complexity, evidence readiness, and Notified Body capacity. This is particularly relevant for some AI-enabled products: AI does not automatically increase classification, but AI-driven functionality may contribute to a higher-risk classification where the software informs or drives diagnosis, treatment decisions, or patient management.
In the UK, the position can be different. Because the current UK framework still largely reflects legacy MDD rules rather than the EU MDR software regime, some stand-alone software products that may be Class IIa or above in the EU can remain self-certified as Class I in the UK in some cases. That can create a materially faster route to market, provided the classification rationale is robust.
For some early-stage software companies, this difference can shape sequencing strategy. Where early market entry, initial revenue generation, and real-world or clinical data collection are priorities, a UK-first approach may in some cases be a practical step before pursuing a higher-class EU submission. The key point is that classification, reviewer involvement, and timeline should be mapped early, because the most practical first market is not always the same as the long-term target market.
3. Is the evidence package sufficient?
Evidence readiness is one of the most common reasons early-stage companies stall after choosing a market. Having a plausible regulatory route is not the same as being ready to walk it.
Under the EU MDR, clinical evaluation sits at the heart of the technical documentation. Manufacturers must demonstrate a favourable benefit-risk profile through a Clinical Evaluation that is substantiated by clinical data, whether generated through clinical investigations, post-market clinical follow-up, or a robust equivalence argument supported by sufficient clinical, biological, and technical similarity to an equivalent device. For software and AI products, equivalence arguments are often harder to sustain because the nature of the product, its training data, and its intended outputs make genuine equivalence to a legacy device difficult to establish. Regulators and Notified Bodies are increasingly scrutinising equivalence claims for software, and founders should not assume that equivalence is a shortcut available to them.
The state of the evidence should be mapped against the likely classification at an early stage. A Class IIa software product heading toward a Notified Body review needs a materially more developed evidence package than a Class I product relying on self-declaration. If the evidence is thin, early feasibility data, limited clinical datasets, or surrogate endpoints that do not directly measure patient outcomes, that should factor directly into the choice of first market, not just the submission timeline.
In Great Britain, the current framework gives manufacturers somewhat more flexibility in how clinical evidence is structured and presented, particularly for lower-classification products. While the MHRA expects a proportionate and credible benefit-risk justification, the prescriptive requirements around CER format and PMCF planning that apply under EU MDR are not currently replicated in the GB regime. For companies with limited but promising early-stage clinical data, this can make a GB-first submission more viable in the near term, provided the evidence is genuinely sufficient to support the claims being made and the intended use.
For the US, the FDA’s evidentiary expectations depend on the pathway. A 510(k) requires a substantial equivalence argument supported by performance testing and, where relevant, clinical data. A De Novo requires a more developed benefit-risk analysis. For AI and software-based products, the FDA has published increasingly detailed guidance on performance testing expectations, transparency, and real-world performance monitoring. Founders targeting the US should engage early with what the FDA expects for their specific product type, rather than assuming that evidence generated for the EU or UK will map directly.
The practical question is not just whether the evidence exists, but whether it is the right kind of evidence for the market you are entering first, and whether it will also serve the markets you intend to enter next.
4. Is the company operationally ready?
The right route on paper may still be the wrong first market in practice. Companies need to look honestly at how ready they are: is the documentation mature enough, is the quality system in place, and can the team handle regulator or reviewer questions without slowing the project down?
In the EU, the technical documentation required under MDR Annexes II and III is extensive. For software products, this includes the software lifecycle documentation expected under IEC 62304, usability engineering records under IEC 62366, cybersecurity documentation, and where AI or machine learning functionality is present, an increasing expectation around transparency, algorithm governance, and change management. The quality management system must be MDR-compliant and, for most Class IIa and above devices, certified under ISO 13485 by a Notified Body. Companies should also ensure they have a PRRC (Person Responsible for Regulatory Compliance) in place. This is a legal requirement under MDR Article 15, and the PRRC must hold documented qualifications in the relevant regulatory field. Many early-stage companies underestimate the practical burden of having an appropriately qualified PRRC, particularly where the team is small and wearing multiple hats.
In the UK, the operational requirements are somewhat lighter in some respects but should not be treated as negligible. MHRA registration is required, and manufacturers established outside the UK must appoint a UK Responsible Person, a UK-based entity that takes on defined legal responsibilities in relation to the device’s compliance and registration. For EU-based or US-based companies targeting the UK market, identifying and formally appointing a UK Responsible Person should be treated as an early operational task, not an afterthought. The quality system requirements under the current UK framework also broadly align with ISO 13485, though the full implementation of the future UK MDR regime, which is expected to introduce closer alignment with MDR-style requirements, will increase the operational burden over time.
5. Will the first market support the next one?
First-market strategy should always be designed with the second and third markets in mind. This is especially important for medical device companies, where the cost and time of generating clinical evidence and building technical documentation is substantial, and where poor upfront planning can mean that work done for one jurisdiction needs to be substantially repeated for another.
The most significant area of leverage is intended use and claims. The way a product’s intended purpose is framed, the patient population, the clinical context, the specific function being performed, shapes both the regulatory classification and the evidence requirements across all three major markets. A claims strategy that is drafted purely to navigate the first market can create real problems when the same product is presented to a different regulator with different expectations. Founders should work with regulatory counsel to develop an intended use statement that is not only appropriate for the first submission but that is defensible and reasonably portable across the UK, EU, and US.
Core technical documentation is another area where upfront investment pays dividends. The EU MDR technical file structure, clinical evaluation, risk management documentation under ISO 14971, software lifecycle records, post-market surveillance planning, and usability evidence, represents a high documentation standard. Companies that build documentation to MDR standards from the outset will generally find that adapting it for a Great Britain submission or a US FDA submission involves incremental work rather than starting from scratch. The reverse is not always true: companies that take shortcuts to meet the minimum requirements of an easier first market often find that the documentation they have produced is not sufficient as a foundation for subsequent submissions.
For AI and software products specifically, the post-market obligations embedded in the EU MDR, PMCF planning, post-market surveillance reports, and the evolving expectations under the EU AI Act for high-risk AI systems, mean that companies should be collecting and structuring real-world performance data from the earliest point of market entry. Data collected in the GB market, if structured correctly, can contribute to PMCF evidence for a subsequent EU submission. That opportunity is often missed when first-market entry is treated as a standalone exercise rather than the first phase of an integrated evidence strategy.
The practical recommendation is to treat the first submission not as a minimum viable compliance exercise, but as the foundation of a regulatory programme. The investment required to do this well is modest relative to the cost of rebuilding documentation from scratch for each subsequent market, and the value of having a coherent, credible regulatory story across jurisdictions should not be underestimated when engaging with Notified Bodies, the MHRA, or the FDA at a later stage.
Conclusion
There is no one-size-fits-all answer to the question of whether the UK, EU, or US should come first. The right decision depends on the product, the pathway, the evidence, and the company’s readiness to support it.
What matters most is making that decision early and on the right regulatory basis. A structured first-market assessment and regulatory strategy can help identify the most practical route, reduce avoidable rework, and build a stronger foundation for future expansion across multiple markets.
Regulatory strategy and cybersecurity readiness are two sides of the same coin, and your choice of first market shapes both.
Book a Joint Review
Choosing your first market is one of the most consequential decisions you’ll make as a medical device founder. Getting the regulatory sequencing, evidence strategy, and documentation right from the start can mean the difference between a smooth path to commercialisation and years of costly rework.
Mantra Systems and Cyber Alchemy are offering a free 30-minute joint review for early-stage founders and innovation teams. In that session we will:
- Map your most practical route to market based on your product, classification, and evidence readiness
- Identify the key regulatory and cybersecurity challenges on your path, and how to address them
- Advise on what to build now versus what to defer, so you invest your resources in the right things at the right time
