The MedTech snapshot: Six months on — what held, what shifted, and what got harder

In December, the argument was that MedTech’s new competitive surface area is assurance: the ability to operationalise trust at scale across procurement, regulation, cybersecurity, data governance, and AI governance. Buyers were institutionalising risk control, and the organisations winning disproportionately were building what that piece called a “procurement-aligned assurance stack” — a single, buyer-consumable system of proof mapped directly to procurement’s decision points.

Six months is long enough to check the thesis against what actually happened. The short version: the core argument held. But the terrain shifted in ways worth examining closely — some of which make the assurance argument stronger, some of which add important nuance, and one of which opens a genuinely new commercial angle that wasn’t visible in December.

What held up

The most important validation is that “governed AI” has become a standard framing in the sector, not a forward-looking one. The question is no longer whether AI governance is a commercial requirement. It is. What’s changed is the organisational infrastructure being built around it.

Deloitte’s January 2026 analysis of MedTech trends put it plainly: AI capability is rapidly becoming the primary competitive differentiator in MedTech. But the way that differentiator is playing out tracks exactly what December’s piece argued — the advantage isn’t in having AI, it’s in governing it credibly. Leading organisations are building AI playbooks, centres of excellence, and standardised data-management practices as the prerequisite layer before AI can deliver value at scale. The distinction between “AI excitement” and “AI operationalisation” is now being enforced by market outcomes, not just predicted by analysts.

The FDA’s PCCP trajectory continued to sharpen. What was a guidance document in August 2025 is now an enforcement posture: industry analyses point to more data-driven inspections, more warning letters, and an explicit expectation of traceable data lineage and audit trails across the total product lifecycle. The “define change in advance” logic of the PCCP framework has become the reference architecture for AI-enabled device software. Manufacturers who treated it as a documentation exercise are discovering it’s actually a quality-system design requirement — which is exactly what the December piece argued.

The procurement hardening story is also intact. The NHS Value Based Procurement push and the IPI measure restricting Chinese participation in EU medical device procurement above €5 million were real signals. Both reflected a deeper structural shift: procurement is becoming a strategic function, not just a cost-control function. Deal eligibility is increasingly determined by vendor posture — on supply chain provenance, security response capability, and the quality of compliance evidence — before commercial terms are even reached.

What shifted

1) The AI governance architecture in Europe got substantially more complicated

The EU AI Act’s timeline looked relatively settled in December. It isn’t. Two significant structural changes emerged in the first half of 2026, and together they make the European AI compliance picture harder to navigate, not easier.

The first is the Digital Omnibus. The European Commission proposed delaying the AI Act’s high-risk requirements, citing a concrete problem: many of the harmonised standards and common specifications needed to operationalise those requirements don’t exist yet. For manufacturers, this sounds like relief. In practice, it creates a compliance planning problem: the timeline has moved, but the direction hasn’t, and building governance infrastructure against a moving deadline is harder than building it against a firm one.

The second is more structurally significant. Following lobbying from MedTech Europe and others, the EU Parliament agreed by a large majority in March 2026 to move medical devices from Annex I Section A to Section B of the AI Act — which effectively means that AI requirements for medical devices will be implemented primarily through MDR/IVDR, not as a parallel AI Act obligation. The goal is to eliminate duplicative conformity assessment and create a single governance framework.

This is the right direction. Dual compliance was always an unreasonable burden. But the transition period will be, in one legal observer’s framing, “disorderly.” The proposal could be finalised by summer 2026 or 2027. In the meantime, manufacturers building AI governance frameworks don’t have a clean single reference point.

The practical consequence for commercial teams is that the “governed change” story told to procurement, RA, and contracting counterparts will need to acknowledge this ambiguity explicitly — buyers with sophisticated legal and compliance functions will know about it, and vague confidence will lose credibility faster than honest uncertainty paired with clear internal governance.

2) The MDR/IVDR revision became a parallel structural story

This wasn’t on the radar in December, or at least not as an active legislative track. The European Commission published its formal MDR/IVDR revision proposals in December 2025, and by May 2026 MedTech Europe had published a detailed 40-page position paper responding to them. The MedTech Forum in Stockholm last month had MDR/IVDR revision as the central backdrop.

The ambition of the revision is to streamline regulatory processes, reduce administrative burden, and improve predictability — while maintaining patient safety standards. MedTech Europe broadly supports the direction while calling for targeted changes, particularly around governance fragmentation (the proposal doesn’t establish a single accountable governance structure), and IVDR transition deadlines that are creating acute pressure for Class C IVD manufacturers.

For the assurance argument, this creates something interesting. The MDR/IVDR revision is partly motivated by a well-founded concern that compliance burden is driving manufacturers to de-prioritise or exit the European market. The framing at the MedTech Forum reflected this: MedTech Europe’s CEO argued that the answer to European healthcare resilience isn’t “buying European,” it’s “buying better,” and that price-only procurement undermines innovation, outcomes, and competitiveness. This is a different kind of regulatory story than December’s piece told. That frame was compliance as tightening vice. The emerging frame is compliance as negotiated operating model — regulators and industry in active dialogue about what’s workable. That changes the tone, though not the underlying commercial requirement.

3) The UK opened as a distinct regulatory track

The December piece didn’t touch the UK, which made sense given the EU focus. It now warrants explicit attention. The UK published draft Medical Devices (Amendment) Regulations 2026 — described as the most significant overhaul of Great Britain’s pre-market device framework in years. The draft proposes a new standalone regulatory framework aligned with international standards (ISO 13485:2016), following post-market surveillance amendments made in June 2025.

For suppliers and manufacturers operating across both markets, this is now a live track requiring distinct attention. The GB framework is diverging deliberately from EU MDR/IVDR, not simply lagging behind it. The commercial implication is that “pan-European assurance” is increasingly a multi-regime proposition — the evidence library, change governance documentation, and procurement-ready narratives need to be structured so they can be adapted by market, not produced once and distributed wholesale.

What got harder

The FDA’s Quality Management System Regulation

In 2026, the FDA is updating its baseline quality requirements under the Quality Management System Regulation (QMSR), aligning US oversight with ISO 13485:2016. This sounds like harmonisation — and it is — but it’s also an operational transformation for any manufacturer whose quality system was built against the legacy Quality System Regulation. The combination of QMSR implementation, PCCP obligations for AI-enabled device software functions, and tighter inspection posture creates a convergent pressure point that many mid-sized manufacturers are not well-positioned for.

Commercially, this matters because quality-system readiness is increasingly a procurement signal. Buyers — especially large health systems and sophisticated OEM partners — are developing the capability to read a manufacturer’s compliance posture as a proxy for delivery risk. A QMSR gap is no longer just a regulatory exposure; it’s a deal-velocity problem.

Supply chain provenance hardened further

The supply chain resilience theme has become louder and more specific since December. The MedTech Forum’s headline theme was healthcare supply continuity during crises. The IPI measure on Chinese participation was an early signal; the follow-on is a broader expectation that every bidder in a significant tender can evidence supply chain provenance and subcontracting composition with precision.

This is harder than it sounds for most suppliers. The provenance documentation that procurement now expects — origin content, subcontracting chains, component-level traceability — wasn’t historically maintained at the granularity now required. Building it retrospectively while also managing current business is genuinely difficult. The organisations that treated this as a near-term priority in early 2025 are meaningfully ahead. Those that didn’t are discovering that supply chain provenance is now a slow-moving eligibility constraint, not a future consideration.

The new angle: regulatory pragmatism as commercial opportunity

This is the development that wasn’t visible in December and deserves attention now.

The EU’s regulatory direction isn’t just about adding requirements. It’s also about preventing market exit. The MDR/IVDR revision, the AI Act integration into MDR/IVDR, the QMSR harmonisation — all of these reflect a recognition at the policy level that compliance burden has real costs for market availability and patient access. Regulators are signalling, more clearly than before, that they want manufacturers to succeed in navigating the framework, not just survive it.

For commercially sophisticated suppliers, this creates a new kind of positioning. The conversation is no longer only “we can help you meet the requirement.” It’s “we understand where the framework is going, and we can help you build toward it in a way that’s durable across revision cycles.” That’s a meaningfully different value proposition — one that requires genuine regulatory intelligence, not just compliance execution capability.

The organisations that will convert this into commercial advantage are those that can translate regulatory fluency into buyer-ready language. Not regulatory briefings dressed up as sales documents, but genuine articulation of how governance architecture choices made today reduce re-work, accelerate submission timelines, and protect pricing power across future regulatory transitions.

The unifying pattern, updated

December’s unifying pattern was: buyers are institutionalising risk control, and the winners are building a procurement-aligned assurance stack.

That’s still right. But the picture is more layered now. Regulatory frameworks are themselves in active negotiation — the MDR/IVDR revision, the AI Act MedTech carve-out, the UK standalone regime, and the QMSR update are all moving simultaneously. The implication is that the assurance stack needs to be designed for adaptability, not just for the current state.

The organisations that will compound their advantage in the second half of 2026 are those that have done two things: built a version-controlled evidence library that can be updated efficiently as frameworks evolve, and developed the cross-functional fluency — RA/QA, Legal, Commercial, Product — to translate that library into different buyer languages simultaneously. The internal assurance infrastructure is necessary but not sufficient. The commercial translation capability is what turns it into deal velocity.

One practical observation from the market: the cross-functional alignment step is still the bottleneck. Manufacturers with strong RA/QA functions and weak commercial translation capability are leaving value on the table in procurement conversations. Manufacturers with strong commercial teams and thin compliance evidence are losing on security review and contracting. The gap between those two profiles is where the competitive moment currently lives.

Conclusion: the framework is moving, the requirement isn’t

If December’s message was “assurance is the new growth strategy,” the June update is this: assurance against a moving framework, with the organisational resilience to adapt, is the durable version of that strategy.

The regulatory environment in MedTech is in genuine flux. Not in a way that reduces the compliance requirement — if anything it intensifies it in certain areas — but in a way that rewards organisations capable of navigating ambiguity without losing commercial momentum. The evidence library, the change governance mechanism, the security response capability, the procurement-native narrative: all of these remain the right investments. The additional requirement is that they’re built to evolve, not locked to a single regulatory moment that will have moved by the time the next procurement cycle opens.

The 2026 winners won’t be those who got compliance right once. They’ll be those who built the organisational capability to get it right continuously — and can demonstrate that capability to buyers before the contract is signed.