Regulation & Compliance (ISO 13485, MHRA, CE Marking) – Insurance Implications
Introduction
If you manufacture or place medical devices on the UK market, regulation and compliance aren’t just “paperwork”. They shape your risk profile, your contractual obligations, and—crucially—how insurers view your business.
In this guide we’ll cover three common compliance pillars—ISO 13485, MHRA requirements, and CE marking (plus the UKCA reality)—and explain the insurance implications in plain English. The goal is not to scare you, but to help you avoid gaps that can become expensive at the worst possible time.
The compliance landscape (in one page)
Medical device compliance is a system, not a single certificate.
- ISO 13485 is a quality management system (QMS) standard for medical devices.
- MHRA (the Medicines and Healthcare products Regulatory Agency) is the UK regulator. It oversees device registration, post-market surveillance and vigilance reporting, and enforcement.
- CE marking (and UKCA) relates to conformity assessment and placing devices on the market.
Even if you outsource key steps (design, sterilisation, software development, packaging, distribution), you still carry responsibilities. Insurers know this. They will often ask who does what, and how you control suppliers.
ISO 13485: what it signals to insurers
ISO 13485 is not a legal requirement in itself, but it is widely used as evidence that you have a controlled, auditable QMS. From an insurance perspective, it can influence both underwriting appetite and claims outcomes.
Why insurers care
A solid QMS reduces the chance of:
- Nonconforming product reaching the market
- Documentation gaps that weaken your defence
- Supplier issues (materials, components, sterilisation failures)
- Poor complaint handling and slow escalation
In other words: fewer incidents, and stronger evidence if something goes wrong.
Common insurance touchpoints
Insurers may ask about:
- Scope of certification (which sites, which activities)
- Audit results and nonconformities (major/minor)
- CAPA process maturity
- Supplier qualification and change control
- Traceability and batch/lot controls
- Complaint handling and vigilance reporting
What ISO 13485 does not do
ISO 13485 does not automatically prevent claims. A business can be certified and still face:
- Product liability claims (injury, property damage)
- Recall costs
- Contract disputes
- Cyber incidents impacting connected devices
The key insurance implication: don’t assume certification replaces cover. It can support your risk story, but you still need the right policies and limits.
MHRA: regulatory duties and the “real-world” claim triggers
The MHRA’s role is often most visible when something goes wrong: a complaint escalates, a field safety corrective action (FSCA) is needed, or a competitor/customer reports a concern.
Typical MHRA-driven triggers
From an insurance standpoint, the following events can quickly become costly:
- Adverse incident investigations and reporting
- Corrective actions (software patches, labelling changes, component replacement)
- Suspension of sales or forced withdrawal
- Inspection findings leading to urgent remediation
- Supply chain disruption (e.g., sterilisation provider issues)
These are not always “lawsuit” events. They can be operational crises—exactly where insurance can help, if structured properly.
Insurance implication: claims aren’t always third-party injury
Many manufacturers only think about product liability as “someone sues us”. In practice, big costs can arise before any claim is filed:
- Investigation and expert costs
- Customer notification and logistics
- Disposal and replacement stock
- Lost gross profit from halted production
Some of these sit under specialist covers (recall, business interruption, crisis management), not standard liability.
CE marking, UKCA and market access risk
CE marking remains the route to the EU market (and to Northern Ireland, which follows EU device rules), so it still matters for many UK businesses selling into Europe. UKCA is the marking regime for Great Britain, but CE-marked devices continue to be accepted in Great Britain under transitional arrangements whose end dates depend on the device type and the legislation it was certified under, so the position for your products should be checked rather than assumed.
From an insurance angle, the key issue is market access and representation:
- Are you selling in the UK only, EU only, or both?
- Who is the “manufacturer” in legal terms?
- Do you have an authorised representative (EU/UK where required)?
- Are you importing, distributing, or rebranding devices?
Why this matters to insurers
Territory, regulatory status and contractual role affect:
- Where claims can be brought
- Which laws apply
- Defence costs and legal complexity
- Recall scope (one country vs multi-country)
If you sell into multiple territories, you may need:
- Worldwide or specified-territory liability
- Higher limits
- Local admitted policies (in some cases)
The insurance policies most affected by compliance
Compliance doesn’t just “reduce risk”—it changes what you should insure, and how policies respond.
1) Product Liability (and Public Liability)
For medical device manufacturers, product liability is often the core.
What it can cover:
- Third-party injury or property damage caused by your product
- Legal defence costs
- Settlements/judgments (subject to policy terms)
Compliance implications:
- Underwriters may require evidence of QMS and traceability
- Exclusions may apply for known defects, intentional non-compliance, or contractual liabilities beyond common law
- Claims can hinge on documentation: design history file, risk management file, IFU/labelling, change control records
Practical tip: Make sure your policy definition of “product” includes software/firmware where relevant, and doesn’t unintentionally exclude clinical/diagnostic outputs.
2) Product Recall / Contaminated Product / FSCA support
Recall cover can be critical when you need to remove, repair, or replace products.
What it can help with:
- Notification and communication costs
- Shipping, warehousing, disposal
- Replacement/repair costs (depending on wording)
- Crisis management and PR support
Compliance implications:
- Policies may require you to follow regulatory guidance and have a documented recall plan
- Some covers respond only to “accidental contamination” or “imminent danger” triggers—too narrow for many device scenarios
Practical tip: Ask specifically whether the policy responds to regulatory action and field safety corrective actions, not just classic “contamination”.
3) Professional Indemnity (PI) / Errors & Omissions (E&O)
If you provide design services, consultancy, software development, validation, or advice—even to your own customers—PI/E&O can matter alongside product liability.
What it can cover:
- Financial loss claims from errors, omissions, or negligent advice
- Breach of professional duty
Compliance implications:
- Claims may arise from documentation errors, incorrect regulatory advice, or validation failures
- Contracts may impose fitness-for-purpose obligations; insurers may treat these as higher risk
Practical tip: If you sell a device plus implementation/training, check whether your activities are treated as “professional services” and whether PI is required.
4) Cyber Insurance (especially for connected devices)
If your device is software-enabled, connected, or relies on cloud services, cyber risk becomes a compliance and safety issue.
What it can cover:
- Incident response, forensics, legal support
- Notification and credit monitoring (where relevant)
- Business interruption from cyber events
- Liability arising from data breaches
Compliance implications:
- Security controls, patching, and vulnerability management can be scrutinised
- A cyber incident that affects device safety or performance can be a reportable adverse incident to the MHRA and may require a field safety corrective action (for example, a security patch pushed to devices in the field)
Practical tip: Ensure your cyber policy aligns with your device ecosystem (manufacturing systems, remote monitoring apps, customer portals, suppliers).
5) Employers’ Liability (EL) and Directors’ & Officers’ (D&O)
Compliance failures can lead to management decisions being questioned.
- EL is mandatory in most UK cases and can be relevant if staff are exposed to hazardous substances, cleanroom processes, or manufacturing risks.
- D&O can be relevant where investors, regulators, or stakeholders allege mismanagement, misleading statements, or failure to oversee compliance.
Underwriting questions you should be ready for
When you approach insurers (or renew), expect questions like:
- What device classes do you manufacture and where are they sold?
- Do you hold ISO 13485 certification? What’s the scope?
- Who are your critical suppliers and how are they controlled?
- What is your complaint rate and how do you trend/act on it?
- Have you had any recalls, FSCAs, or MHRA investigations?
- How do you manage software updates and cybersecurity?
- What contracts do you sign (indemnities, warranties, limitation of liability)?
Being prepared with clear answers can improve terms and reduce delays.
Common coverage gaps (and how to avoid them)
These are issues we see regularly when manufacturers rely on “standard” business insurance.
- Recall not included (or included only for narrow triggers)
- Territory mismatch (UK-only cover while selling into EU/US)
- Software excluded (or not clearly included)
- Contractual liability exclusions clashing with customer contracts
- Inadequate limits for worst-case scenarios (multi-patient claims, multi-territory actions)
A quick policy review against your regulatory and sales footprint can prevent nasty surprises.
Practical steps: align compliance and insurance
A good approach is to treat insurance as part of your risk management system.
- Map your regulatory role for each product and market (legal manufacturer, contract manufacturer, importer, distributor, UK Responsible Person or EU authorised representative).
- List markets and territories you sell into now and next 12–24 months.
- Document your controls: QMS scope, supplier oversight, traceability, complaint handling.
- Review contracts for indemnities, warranties, and liability caps.
- Stress-test scenarios: FSCA, software vulnerability, sterilisation failure, labelling error.
- Match policies: product liability + recall/FSCA + PI/E&O + cyber + BI.
When to speak to a broker
If any of the following apply, it’s worth getting specialist advice:
- You’re moving into higher-risk device classes or new territories
- You’re launching a connected device or SaaS-enabled device ecosystem
- You’re signing customer contracts with heavy indemnities
- You’ve had an MHRA reportable incident, near-miss, or complaint trend
- You’re scaling manufacturing or changing critical suppliers
Call to action
If you’re a UK medical device manufacturer and want to sanity-check whether your insurance matches your compliance reality, we can help.
We’ll review your activities, territories and regulatory responsibilities, then recommend a clear insurance structure—so you’re not relying on assumptions when it matters.
Call Insure24 on 0330 127 2333 or visit insure24.co.uk to discuss your cover.