Is a GSPR checklist mandatory under EU MDR?

The regulation never uses the word checklist. But Annex II, Section 4 requires your technical documentation to state which GSPRs apply, justify the ones that don't, name the methods and standards used to demonstrate conformity, and give the precise identity of the evidence documents. A matrix is the only sane format for that information, and notified bodies expect to see one.

Do Class I devices need a GSPR checklist?

Yes. Technical documentation per Annexes II and III is required for every device class, including self-certified Class I. No notified body reviews it before you place the device on the market, but a competent authority can ask for it at any time, and your Declaration of Conformity asserts that it exists.

Can I claim conformity using a standard that is not harmonised under MDR?

Yes. Only harmonised standards cited in the Official Journal give a formal presumption of conformity, and the MDR list is short. Standards like IEC 62304 are routinely applied as state of the art instead — you cite the edition, apply it fully, and your conformity argument rests on the evidence rather than on a presumption.

GSPR Checklist: How to Build Your EU MDR Annex I Matrix

Q: How many GSPRs are there?

Annex I of EU MDR 2017/745 contains 23 numbered requirements in three chapters: general requirements (1–9), design and manufacture (10–22), and information supplied with the device (23). Many break into lettered and numbered sub-clauses, so a fully expanded checklist typically runs to well over a hundred rows.

Q: Does the same checklist work for IVDR?

The approach is the same but the content is not. IVDR 2017/746 has its own Annex I with its own GSPRs, weighted toward performance characteristics, metrological traceability and performance evaluation. Don't reuse an MDR checklist for an IVD — build it from the IVDR text.

What the GSPRs are

Twenty-three requirements. Three chapters. No exemptions.

The General Safety and Performance Requirements live in Annex I of EU MDR 2017/745. They are the regulation's actual demands on your device — everything else in the MDR is largely about proving you meet them. They replaced the old MDD "Essential Requirements," and they apply to every device placed on the EU market, from a Class III implant down to a self-certified Class I app.

Annex I is organised in three chapters:

CHAPTER I · GSPR 1–9

General requirements

The device achieves its intended performance and is safe; risks are reduced as far as possible; you run a documented risk management system; use error, device lifetime, transport and the overall benefit-risk determination are all addressed.

CHAPTER II · GSPR 10–22

Design & manufacture

The technical chapters: chemical and biological properties, infection control, radiation, electronic programmable systems and software, active devices, mechanical and thermal risks, devices for lay users. Most of your N/A judgements happen here.

CHAPTER III · GSPR 23

Information supplied

One requirement, many sub-clauses: the label, the packaging, and the instructions for use. Everything the user reads is regulated content, and it must stay consistent with your claims and your risk file.

Twenty-three numbered requirements sounds manageable. But most break into lettered and numbered sub-clauses — GSPR 23 alone runs for pages — so a fully expanded checklist typically has well over a hundred rows that each need an answer.

The GSPR matrix is the one document where your entire technical file converges. If it's vague, the whole file reads as vague.

What the MDR requires

Annex II, Section 4 — the four things you must show.

The MDR never says "checklist." What it says, in Annex II Section 4, is that your technical documentation must contain the information needed to demonstrate conformity with the GSPRs, including:

Which GSPRs apply to your device — and an explanation of why the others do not. Silence on a requirement is not an option; every line gets either evidence or a justification.
The method used to demonstrate conformity with each applicable GSPR — testing against a standard, your risk management process, a usability study, a clinical evaluation, a benefit-risk analysis.
The harmonised standards, common specifications or other solutions applied. With editions. "ISO 14971" without a year is an incomplete citation.
The precise identity of the controlled documents offering evidence — document ID, version, and where to find it in the technical documentation.

A matrix with one row per requirement is simply the only sane format for that information, which is why every notified body expects one and why most provide their own preferred template. If yours does, use theirs — the content below is the same either way.

The five columns

The anatomy of a row that survives review.

Column	What goes in it	What reviewers check
1 · Requirement	The GSPR reference and its full text (or a faithful condensation). Sub-clauses get their own rows.	That nothing from Annex I is missing — including the sub-clauses.
2 · Applicability	Applicable / Not applicable, plus a device-specific justification for every N/A.	That "N/A" is argued, not asserted. "Software-only device, no patient-contacting materials" works; a bare "N/A" does not.
3 · Method	How conformity is demonstrated: testing, risk management, usability engineering, clinical evaluation.	That the method actually answers the requirement — a bench test can't demonstrate a labeling clause.
4 · Standards applied	EN ISO 14971:2019/A11:2021, IEC 62304:2006/AMD1:2015, …	Current editions; harmonised where possible; the standard genuinely covers the clause it's cited against.
5 · Evidence	Doc ID + version + section, e.g. RMF-001 v3.2 §6.4	That the reference resolves: the document exists, at that version, and the cited section says what the row claims.

Here is what a single completed row looks like for a software device, against GSPR 17.2 — the requirement that software be developed in accordance with the state of the art, taking into account the development lifecycle and risk management:

Example row · GSPR 17.2

Applicability

Applicable — device incorporates software (software as a medical device).

Method

Software lifecycle process covering development planning, requirements, architecture, verification and release; software risk management integrated with the ISO 14971 process.

Standards

IEC 62304:2006/AMD1:2015 (state of the art), EN ISO 14971:2019/A11:2021

Evidence

Software Development Plan SDP-001 v2.0; Software System Test Report STR-014 v1.3; Risk Management File RMF-001 v3.2 §7

Notice what the row does not say: "complies." Compliance is the conclusion the reviewer draws from the evidence — it isn't itself evidence.

Choosing standards

Harmonised, state of the art, and the order to reach for them.

Column four has a hierarchy. Work down it:

Common specifications first. Where the Commission has adopted a common specification (Article 9), you comply with it — or you carry the burden of justifying that your solution is at least equivalent.
Harmonised standards next. Standards cited in the Official Journal under the MDR (the EN editions, with their Z-annexes mapping clauses to GSPRs) give you a formal presumption of conformity (Article 8) for the requirements they cover. EN ISO 14971:2019/A11:2021 and EN ISO 13485:2016/A11:2021 are the workhorses.
State of the art for everything else. The MDR's harmonised list is far shorter than the old MDD list, so widely used standards — IEC 62304 among them — are typically applied as state of the art. You get no presumption, but a recognised standard, applied in full and cited by edition, is exactly the conformity argument reviewers expect.
In-house methods last. Legitimate where no standard exists, but expect to defend the method itself, not just the results.

Whatever you cite, cite the edition you actually used — and check it's still current when the file is reviewed, because a superseded edition in your matrix invites a finding even when the work itself was sound.

What gets flagged

The five deficiencies reviewers see constantly.

"Complies" with nothing behind it. A row that says the device complies with GSPR 10 — no standard, no test report, no document reference — is the single most common finding. Every applicable row needs a resolvable evidence pointer.
Unjustified N/As. "Not applicable" without a device-specific rationale is read as "didn't look." The justification can be one sentence; it has to exist and it has to be defensible.
Stale or wrong standard editions. Citing the MDD-era harmonised edition, an undated standard, or a standard that doesn't actually cover the clause it sits next to.
A matrix that disagrees with the rest of the file. Claims in the IFU that the clinical evaluation doesn't support; risks in the matrix the risk file doesn't contain; document versions that don't match the documents. Reviewers cross-read — under MDR they cross-read more than ever.
A matrix written the month before submission. The GSPR checklist is a gap-analysis tool. Started early in design, it tells you which testing and documentation you still owe while you can still plan for it. Written last, it can only report the gaps you no longer have time to close.

Keeping it alive

A living document, not a submission artefact.

The matrix decays the moment anything it points at changes: a design change makes a row's evidence stale, a new standard edition lands in the Official Journal, a post-market finding rewrites part of the risk file. Whoever owns the technical file needs a routine — at design changes and at a fixed review interval — for re-checking that every evidence pointer still resolves to a current document.

This is the part teams underestimate. Building the matrix once is a few weeks of focused work. Keeping a hundred-plus rows synchronised with a moving technical file, by hand, in a spreadsheet, is the part that quietly eats your quality engineer's quarter — and it's exactly the kind of bookkeeping that should be done by construction, with each row linked to the live document it cites rather than to a copy-pasted reference.

FAQ

Common questions.

Is a GSPR checklist actually mandatory?

The regulation never uses the word "checklist." But Annex II, Section 4 requires your technical documentation to state which GSPRs apply, justify the ones that don't, name the methods and standards used, and give the precise identity of the evidence documents. A matrix is the only sane format for that — and notified bodies expect one.

How many GSPRs are there, really?

Twenty-three numbered requirements in three chapters: general (1–9), design and manufacture (10–22), and information supplied with the device (23). Expanded into their sub-clauses, a complete checklist typically runs to well over a hundred rows.

We're a self-certified Class I manufacturer. Do we need one?

Yes. Technical documentation per Annexes II and III is required for every class. Nobody reviews it before you affix the CE mark — but your Declaration of Conformity asserts it exists, and a competent authority can request it at any time. Self-certified means self-evidenced.

Can we cite a standard that isn't harmonised under the MDR?

Yes, and for many clauses you'll have to — the MDR's harmonised list is short. A non-harmonised standard gives no formal presumption of conformity, but applying a recognised standard in full, cited by edition, is the accepted way to demonstrate state of the art. IEC 62304 for software lifecycle is the classic example.

Does the same checklist work for IVDR?

Same approach, different content. IVDR 2017/746 has its own Annex I, weighted toward performance characteristics and performance evaluation. Build the IVD checklist from the IVDR text — don't adapt an MDR matrix and hope.

The GSPR checklist: your Annex I matrix, done properly.