1.   Eudamed shall be accessible for authorised users via a restricted website (‘the restricted website’) and for non-identified users via a public website (‘the public website’).

2.   Eudamed shall be accessible through machine-to-machine data exchange services to competent authorities as referred to in Article 101 of Regulation (EU) 2017/745 and Article 96 of Regulation EU 2017/746 (‘competent authorities’) and notified bodies registered in Eudamed in accordance with Article 3 of this Regulation. The Commission shall provide each Member State and notified body with data exchange access points enabling them to use such data exchange services upon their request.

Eudamed shall be accessible through machine-to-machine data exchange services to actors other than the competent authorities and notified bodies, provided that the LAA of the actor concerned submits a request for such access as referred to in Article 3(8), first subparagraph. The Commission shall approve that request under the condition set out in Article 3(8), second subparagraph.

1.   In order to be granted access to Eudamed via the restricted website, a natural person shall create an account on the Commission authentication service website.

2.   The Commission shall register the competent authorities and the authorities responsible for the notified bodies and shall grant access to the restricted website to a first natural person to act on their behalf. For that purpose, the Member States shall provide to the Commission information on their competent authorities, the authorities responsible for notified bodies and the natural persons to become the first authorised users of those authorities.

3.   The Commission shall register the notified bodies in Eudamed on the basis of the information in the database of notified bodies developed and managed by the Commission (NANDO).

In order to be granted access to Eudamed via the restricted website, the first natural person acting on behalf of an actor that is a notified body shall submit an access request via the restricted website. The authority responsible for the notified body shall approve the request.

4.   In order for other entities than the ones mentioned in paragraphs 2 and 3 to be registered in Eudamed, a natural person acting on behalf of the prospective actor shall submit an actor registration request, via the restricted website. The actor registration request shall include the signed declaration on information security responsibilities referred to in Article 10(1). A national competent authority shall approve the actor registration request, except when the request concerns a sponsor of a clinical investigation or a performance study.

Upon approval of the actor registration request or, in case of a sponsor, when the actor registration request has been submitted, the natural person who submitted that request as referred to in the first subparagraph shall be automatically granted access to the restricted website and become the first authorised user, provided that the conditions in paragraph 6 are fulfilled.

For the purposes of this paragraph, the national competent authority shall be the authority of the place of establishment of the prospective actor. As regards manufacturers established outside of the Union, the national competent authority shall be the authority responsible for the authorised representative mentioned in the actor registration request. As regards system or procedure pack producers established outside of the Union, the national competent authority shall be the authority of the Member State, where the first system or procedure pack of that producer is to be placed on the market.

5.   In order for a natural person to be granted access to the restricted website to act on behalf of an actor, he or she shall submit an access request via the restricted website. A LAA or LUA of that actor shall approve the access request.

6.   In order to become authorised users, natural persons shall accept the user rights and obligations as set out in the document referred to in Article 10(1), point (a), and consult the privacy statement referred to in point (c) of that Article.

7.   The first authorised user of an actor shall automatically be the first LAA of that actor.

8.   A LAA may via the restricted website make a request to the Commission for a machine-to-machine connection for performing data exchanges between the actor’s database and Eudamed.

The Commission may approve the request referred to in the first subparagraph provided that the LAA has confirmed that the actor complies with the information security requirements for data exchange referred to in Article 10(1).

1.   The Commission shall set up an application support team to provide timely assistance to users of Eudamed, reachable via a dedicated functional mailbox.

2.   The Commission shall make available to the users of Eudamed the relevant technical documentation on Eudamed, Frequently Asked Questions regarding Eudamed and the documentation in support of machine-to-machine data exchange services.

1.   The Commission shall be the owner of Eudamed and shall have full administration rights.

2.   Personal data shall be processed in Eudamed for the purpose of complying with the obligations set out in Regulations (EU) 2017/745 and (EU) No 2017/746.

3.   The following categories of personal data shall be processed:

1.   The submission of data in Eudamed shall be deemed executed at the date and time when the data is successfully registered in Eudamed. The date and time of submission shall be determined based on Central European Time (CET) or Central European Summer Time (CEST), as applicable.

2.   Eudamed shall be accessible at all times, except during necessary and previously announced downtime periods due to maintenance activities, including new releases. The Commission shall display in advance a notice to that regard on the restricted website or the public website, as applicable.

1.   The Commission shall take all necessary measures to prevent any malfunction and to identify it, without undue delay, when it occurs.

2.   Where an actor or an authorised user suspects a malfunction, it shall immediately inform the Commission thereof.

3.   Where the Commission identifies a malfunction, it shall take the following measures:

Where the Commission suspends the periods for submission of data to Eudamed as provided for in the first subparagraph, point (b), the malfunction notice shall specify the time of the display of that notice and the likely duration of the suspension.

4.   In addition to the suspension of periods referred to in paragraph 3, first subparagraph, point (b), of this Article, where a malfunction hinders compliance with any of the obligations referred to in Article 80, Article 87(1), Article 89(5), (7), (8) and (9), Article 95(2), (4) and (6), or Article 98(2) of Regulation (EU) 2017/745, or in Article 76, Article 82(1), Article 84(5), (7), (8) and (9), Article 90(2), (4) and (6) or Article 93(2) of Regulation (EU) 2017/746, either of the following procedure shall apply:

5.   In addition to the suspension of periods referred to in paragraph 3, first subparagraph, point (b) of this Article, in the event of a malfunction that hinders compliance with one of the obligations set out in Regulation (EU) 2017/745 or Regulation (EU) 2017/746 other than the obligations referred to in paragraph 4 of this Article, the following procedure shall apply:

6.   When the Commission has established that the malfunction has ceased, it shall communicate that information to the competent authorities. In addition, the Commission shall display a notice to that regard on the restricted website and/or the public website, as applicable. Both the communication and the notice shall indicate the duration of the malfunction and of the suspension of periods referred to in paragraph 3, point (b).

7.   When the Commission has displayed the notice referred to in paragraph (6), actors shall without delay enter the data that they were hindered to submit during the malfunction in Eudamed.

1.   The Commission shall make available to the actors websites for the purposes of testing and training with regard to using Eudamed (‘websites for testing and training’).

Data entered in the websites for testing and training shall be considered fictitious and shall not be made available to the public.

2.   Before using for the first time machine-to-machine data exchange services, an actor shall make at least one successful attempt of submission of data through machine-to-machine using a website for testing and training.

3.   Any changes that the Commission intends to introduce to the Eudamed machine-to-machine data exchange services shall first be introduced by it in the websites for testing and training and shall be available on those websites for a period to be defined in advance by the Commission in collaboration with the Medical Device Coordination Group established under Article 103 of Regulation (EU) 2017/745.

The Commission shall inform the concerned actors via Eudamed in advance of the envisaged changes and of the period of their availability on the websites for testing and training.

1.   The Commission shall make the following documents available on the restricted website:

2.   Actors shall comply with the terms and conditions set out in the documents referred to in paragraph 1, point (b), and, where applicable, point (d) of that paragraph.

3.   Where the Commission suspects that an IT security incident, IT security risk or IT security threat, as defined in Article 2, points (15), (22) and (25), of Decision (EU, Euratom) 2017/46, which it considers as potentially harmful for Eudamed, its data or their confidentiality (‘IT security incident, IT security threat or IT security risk’) has occurred or is present, the Commission may suspend all access to Eudamed.

4.   The Commission may suspend all or part of the functionalities of Eudamed’s electronic systems, where it identifies an IT security incident, IT security threat or IT security risk.

If the suspension referred to in the first subparagraph hinders the entering of data in Eudamed, Article 8(3), (4) and (5) shall apply mutatis mutandis.

5.   Any actor or authorised user who becomes aware of or suspects an IT security incident, IT security threat or IT security risk, shall immediately inform the Commission and the concerned Member States thereof.

1.   Where a competent authority, an LAA or an LUA suspects a fraudulent request for access to Eudamed, they shall refuse the request and immediately inform the Commission of such refusal via the application support team referred to in Article 5(1), specifying that it concerns a suspected fraudulent access request.

2.   Where the Commission has a reasonable suspicion of fraudulent activity by an authorised user affecting the IT security of Eudamed, it shall temporarily suspend that authorised user’s access to Eudamed. In that case, the Commission shall without delay inform all Member States and the concerned actors of the suspension and its justification.

3.   Any actor or authorised user who suspects a fraudulent activity by an authorised user shall without delay inform the Commission and the Member States of the suspected fraudulent activity via the application support team referred to in Article 5(1).

4.   Where the Commission establishes a fraudulent activity in Eudamed, it shall immediately terminate the relevant authorised users’ access to Eudamed and take the necessary measures, including, where appropriate, preventing any future access to Eudamed from the related accounts created on the Commission authentication service website. The Commission shall without delay inform the relevant national competent authorities and the concerned actors of any measures taken pursuant to this paragraph.