If you want to know where regulatory expectations are headed, you don’t always need a new guidance document. Sometimes you just need to listen to what regulatory pros keep arguing about.

Across recent discussions, three themes keep surfacing again and again:

• How long to keep records in a world of longer device life and constant PMS?
• How far “downstream” a manufacturer’s responsibility really goes in the EU supply chain?
• How to build a modern regulatory mindset for AI/ML and emerging markets without repeating 70 years of FDA/EMA history?

Taken together, they point to one simple truth: regulatory maturity is less about new rules and more about how you think.

Record retention: the floor is 10–15 years, but vigilance is effectively indefinite

Many device manufacturers are asking the same question:

“If the regulation says 10 years, can we purge earlier, or exactly at 10 years, to reduce legal exposure?”

On paper, record retention sounds straightforward. Typical patterns:

• EU MDR: Technical documentation and declaration of conformity retained 10 years after the last device covered by the declaration is placed on the market (15 years for implantables).
• US FDA / QMSR: The “DHR” label may be going away in the text, but the underlying requirement to maintain manufacturing history, distribution records, and complaint files is very much alive via ISO 13485.

The tension comes from two competing logics:

• Legal risk mitigation: “Purge as soon as legally allowed so there’s less discoverable material in a lawsuit.”
• Regulatory risk mitigation: “Keep enough history to investigate complaints, support vigilance, and defend your QMS, especially in cases where when devices live longer than the ‘expected life’ you put in the IFU.”

For long-lived devices, those two perspectives collide. If an adverse event or field safety corrective action pops up in year 12 or 15 and you’ve purged the DHR at year 10, you’ve just created a regulatory problem to fix a legal concern.

What mature organizations are doing:

• Treating 10–15 years as a minimum, not a target purge date.
• Aligning retention with real-world device use, not just the theoretical expected life.
• Writing QMS procedures that:
  • Make the retention logic explicit (legal + regulatory + business).
  • Clarify how complaints, vigilance, and recalls are handled after the minimum retention period expires.
• Educating management that “fewer records” ≠ “less liability” if you cannot investigate safety signals.

MDR supply chain: traceability is mandatory, full contractual control is not

Another recurring pain point is downstream traceability between distributors under EU MDR.

Two key principles:

1. Traceability is non-negotiable.
   Each economic operator must be able to identify, for the competent authority, who they supplied devices to (and who supplied devices to them). That clearly covers a distributor-to-distributor handoff.

2. Regulatory responsibility does not equal total contractual control.
   A manufacturer must control its suppliers and subcontractors through an appropriate QMS, but the regulation does not literally require:

• • A formal “quality agreement” with every entity in the chain, or
  • A signed contract between every distributor and every downstream distributor.

Over-interpreting those obligations leads to real business friction: thin-margin distributors being asked to sign heavy legal agreements that go far beyond what the regulation actually says.

Practical, defensible approaches we see working:

• Make sure your QMS clearly defines:
  • How you approve and monitor distributors/suppliers (risk-based).
  • How you ensure they can identify their direct customers and support recalls.
• Use proportionate, documented controls:
  • Sometimes that’s a full contract.
  • Sometimes it’s standard terms & conditions, audit evidence, or documented verification activities.
• Avoid “invented requirements” that turn into unnecessary commercial roadblocks while adding little real safety benefit.

The sweet spot is a traceable, auditable distribution chain without turning every commercial relationship into an over-engineered legal construct.

Regulatory mindset for AI/ML and emerging markets: leapfrogging, not copy-pasting

At the same time, there’s a noticeable surge in two areas:

• Requests for consultants who can handle AI/ML in 510(k)s and SaMD/SiMD.
• Questions from emerging markets trying to build a regulatory culture quickly, without replaying decades of FDA/EMA trial-and-error.

For AI/ML, regulators are increasingly distinguishing between:

• Locked / passive algorithms – parameters fixed, changes handled like traditional software.
• Adaptive / continually learning algorithms – models that update in the field, where the real regulatory “product” is the process you use to control change (e.g., Predetermined Change Control Plans) across the total product lifecycle.

That shift means regulators are no longer just approving “a file”; they’re assessing your ability to govern data, model evolution, and real-world performance under a robust QMS/QMSR.

For emerging markets looking to mature quickly, the question isn’t “How do we copy FDA?” It’s:

• How do we internalize the mindset behind good regulatory systems (risk–benefit reasoning, evidence-based decisions, post-market learning) without recreating every historical detour?
• How do we build capacity in regulatory intelligence, classification logic, and PMS so we can leapfrog straight to modern best practices?

And layered on top of all of this is a new concern: regulatory professionals relying on generative AI outputs without going back to the source text. The risk isn’t the tool itself; it’s treating a plausible-sounding paragraph as equivalent to reading the regulation, guidance, or standard.

If your organization is wrestling with any of these questions: how long to keep which records, how far your MDR obligations really extend, or how to build a modern regulatory culture, we’d be happy to help you turn those debates into clear, defensible processes.