Welcome to my Digital Health Regulatory Pathways Master Class series. This series breaks down the core concepts every founder should understand about US and EU regulatory pathways, from what qualifies as a medical device to how risk classification affects your timeline, cost, and market strategy.

You’ve landed on #4 of this series, where I break down all you need to know about risk classes in the US and the EU.  It is the most important thing in determining which regulatory pathways are open to you.  

How to Figure Out Your Device’s Risk Class (and Why It’s Step One)

Before you start building out documentation or budgeting for regulatory costs, there’s one foundational question every digital health founder needs to answer:

What’s the risk class of your medical device?

Whether you’re pursuing FDA clearance in the U.S. or MDR certification in Europe, this single classification drives nearly every regulatory decision you’ll make.

And if you’re developing a Software as a Medical Device (SaMD) or AI-enabled tool, your classification may not be as obvious as you think.

In this post, we’ll walk you through what “risk class” means in regulatory terms, how the FDA and MDR define and categorize risk, what this classification determines for your startup, and why it’s often more nuanced for SaMD and AI/ML products

What Is a “Risk Class” and Why Does It Matter?

Risk class refers to how regulators assess the potential harm your product could cause if it malfunctions or is used incorrectly. It’s not about your product’s quality—it’s about patient safety.

Your risk class determines:

  • What regulatory pathway you must follow

  • Whether you’ll need FDA or Notified Body review

  • What level of technical documentation and clinical evidence is required

  • How long and expensive your regulatory process will be

In short: no risk class = no roadmap.

FDA Risk Classification (United States)

The FDA classifies devices into three categories based on intended use, indications for use, and the risk to patients if the device fails.

FDA Class

Description

Examples

Class I

Low risk

Bandages, exam gloves, tongue depressors

Class II

Moderate risk

Infusion pumps, pregnancy tests, wheelchairs

Class III

High risk

Pacemakers, implantable defibrillators

Two ways to determine your FDA risk class:

  1. Find a predicate — Look for a similar product already on the market.

  2. Use a risk-based approach — Evaluate what happens if your product fails.

For SaMD/AI tools: There may not be many good predicates—so expect to rely on the risk-based approach more often than not.

MDR Risk Classification (European Union)

The MDR has 4 risk classes:

MDR Class

Description

Examples

Class I

Low risk

Stethoscopes, surgical scissors

Class IIa

Low to moderate risk

Dental fillings, contact lenses

Class IIb

Moderate to high risk

Ventilators, long-term infusion pumps

Class III

High risk

Heart valves, implantable neurostimulators

The MDR uses 23 classification rules (Annex VIII), based on:

  • Duration of use

  • Invasiveness

  • Interaction with the body

  • Special risk factors (like being an active device or software)

Unlike the FDA, the MDR does not use predicates. You must apply the rules directly—especially tricky for software, which tends to get up-classified even when risk seems low.

Want a deeper dive on that? Check out my post: Where Have All the Risk Class I Medical Devices Gone?

A Special Note on SaMD and AI Tools

Whether you’re working with the FDA or MDR, SaMD and AI tools often don’t fit neatly into risk categories.

Why? Because these tools:

  • Are often non-invasive, which makes them look low-risk

  • Still play a role in diagnosis or treatment decisions

  • Use logic that may be opaque, dynamic, or difficult to validate

To address this, regulators have issued specific frameworks:

  • FDA: Software as a Medical Device (SaMD): Clinical Evaluation

  • EU: MDCG 2019-11 and the IMDRF SaMD risk framework (adopted into MDR)

Key tip: If your SaMD tool supports clinical decision-making, assume it’s moderate or higher risk, especially in the EU.

Why Classifying Your Risk Early Helps You Win

Determining your risk class early means you can:

  • Choose the right regulatory pathway (e.g., FDA 510(k), De Novo, PMA, or NB review under MDR)
  • Plan for trials or special controls (more on these later) before you’re too far into development
  • Align product design and data strategy to the right burden
  • Avoid wasting time building something that doesn’t qualify for your intended pathway

Founder’s takeaway: Risk class = time, money, and scope. Treat it as a strategic decision, not just a regulatory label.

Up Next: What Your Risk Class Means in Practice

In the next post, we’ll turn classification into operational planning and walk you through the documentation required for each risk level, if you need a clinical trial, and how much time and budget should you plan for.

This is where regulatory strategy meets startup execution—don’t miss it.

Ask me anything.

Really.  If you have a question, submit it through this form. I will try my best to respond within a business day. Good questions will get featured on my FAQs list. 

Still have questions after exploring? Set up a quick meeting with me here.