TLDR
The FDA's Quality Management System Regulation (QMSR) became effective on February 2, 2026, replacing the decades-old Quality System Regulation (QSR) under 21 CFR Part 820. The QMSR incorporates ISO 13485:2016 by reference, making international quality standards the legal foundation for U.S. medical device compliance. There is no grace period. Full compliance is required now. Key changes include the elimination of QSR's QSIT inspection framework, mandatory separation of corrective and preventive actions, expanded FDA access to internal audits and supplier records, and the requirement for risk-based thinking across every element of your quality system — not just design controls.
FDA QMSR 2026: The Complete Guide to the Quality Management System Regulation
Medical device manufacturers operating in the United States have just crossed one of the most significant regulatory thresholds in decades. On February 2, 2026, the FDA's new Quality Management System Regulation (QMSR) replaced the Quality System Regulation (QSR) that governed device manufacturing practices since 1996.
This is not a name change. It is a structural overhaul of how the FDA defines, inspects, and enforces quality management for medical devices. If your QMS was built around the legacy QSR framework, key elements of your documentation, CAPA processes, design controls, and supplier management are likely non-compliant today.
This guide covers exactly what changed, who is affected, what the new requirements demand, and how to build a QMSR-ready quality system that stands up to FDA inspection.
What Is the FDA QMSR?
The Quality Management System Regulation is the FDA's updated regulatory framework for medical device quality systems. It amends 21 CFR Part 820 by incorporating ISO 13485:2016 — the international standard for medical device quality management systems — directly by reference. The QMSR also incorporates Clause 3 of ISO 9000:2015 to align terminology across U.S. and international regulatory requirements.
Where the legacy QSR spelled out individual requirements across Subparts A through O of Part 820, the QMSR takes a different approach: Part 820 now functions as a regulatory overlay that points directly to ISO 13485:2016 clauses. A small number of FDA-specific provisions are retained or added where ISO 13485 does not fully address U.S. statutory requirements, such as definitions, recordkeeping expectations, and complaint-handling standards.
The QMSR final rule was published by the FDA on February 2, 2024, with a two-year transition period. That period ended on February 2, 2026. Enforcement is now active. Source: FDA
Why Did the FDA Replace the QSR?
The QSR served as the foundation for U.S. medical device quality regulation for nearly 30 years. By the time the FDA began its rulemaking, it had become structurally misaligned with the global standard — ISO 13485:2016 — that most international regulatory bodies, including the European Union, Canada, Australia, and Japan, already used to evaluate device quality systems.
This misalignment created a real compliance burden. A manufacturer selling into multiple markets had to maintain two separate quality frameworks: one for FDA under the QSR, and one for international regulators under ISO 13485. Audit preparation, documentation structures, and inspection readiness all had to be managed twice.
The QMSR eliminates that duplication. By harmonizing 21 CFR Part 820 with ISO 13485:2016, the FDA allows manufacturers who already hold ISO 13485 certification to operate under a unified quality framework. It also brings U.S. inspections into alignment with the internationally recognized compliance model, making FDA's expectations more transparent and consistent with what device companies already practice in global markets. Source: NSF
Who Must Comply with QMSR?
QMSR applies to the same scope of entities previously covered by the QSR: manufacturers, specification developers, repackagers, relabelers, and importers of finished medical devices intended for commercial distribution in the United States.
Any organization subject to 21 CFR Part 820 under the legacy QSR is subject to QMSR today. If your organization held FDA Registration under the QSR framework, full QMSR compliance is now mandatory — effective February 2, 2026, with no phase-in period.
Contract manufacturers, component suppliers, and sterilization providers who perform activities under a device manufacturer's quality system are also affected. The QMSR's strengthened supplier qualification requirements mean that device manufacturers must ensure their supply chain partners meet the standard's supplier control expectations. Source: FDA QMSR FAQ
QMSR vs QSR: Key Differences
Understanding the shift from QSR to QMSR requires looking at both structure and substance. The two frameworks share many underlying principles, but the way those principles are codified, inspected, and enforced has changed significantly.
Structure: From Self-Contained Rules to ISO by Reference
Under the QSR, every requirement was written directly into Part 820 subparts. Quality managers could read the regulation and know exactly what the FDA required. Under QMSR, Part 820 is now a much shorter document. Most requirements are satisfied by pointing to the corresponding ISO 13485:2016 clause.
This means quality professionals must work from two documents simultaneously: the updated 21 CFR Part 820 and the ISO 13485:2016 standard. The ISO standard is not freely available — it requires purchase from ISO or AAMI. This has practical implications for training, SOPs, and documentation.
Terminology: Legacy Terms Retired
The FDA has retired several QSR-era terms that many quality systems still use. The Device History File (DHF), Device Master Record (DMR), and Device History Record (DHR) are no longer the operative framework. Under QMSR, these concepts are consolidated under the Medical Device File (MDF) concept from ISO 13485. Organizations that built their entire documentation structure around DHF/DMR/DHR silos must restructure their approach.
Similarly, the QMSR aligns terminology with ISO 9000:2015 Clause 3, which introduces definitions that differ in some cases from legacy QSR language. Quality teams need to audit their documentation for terminology conflicts.
CAPA: Mandatory Separation
Under the QSR, corrective and preventive actions were often combined in a single CAPA procedure. Under QMSR, Deviation CAPA management must be split: corrective actions and preventive actions must be managed as distinct processes. Organizations that still handle both in a unified CAPA SOP are now out of compliance. An FDA Form 483 observation citing a combined CAPA procedure is now a realistic inspection finding.
Internal Audits and Supplier Records: Now Inspectable
This is one of the most significant operational changes under QMSR. Under the QSR, the FDA's Quality System Inspection Technique (QSIT) focused on four main subsystems and generally did not review internal audit reports or supplier audits. Under QMSR, the new Compliance Program 7382.850 gives FDA investigators the authority to review internal audit findings and supplier audit records as part of a standard inspection.
If your internal audit reports contain unresolved observations, insufficient root cause analysis, or a pattern of repeat findings, those records are now visible to FDA during an inspection. The same applies to supplier qualification records and supplier audit outcomes.
Risk-Based Thinking: Expanded Scope
The QSR addressed risk primarily within design controls. ISO 13485:2016 — and by extension QMSR — requires risk-based thinking to be embedded throughout the entire QMS: in document control, purchasing, production, measurement, and management review. Risk management is no longer a design-phase activity. It is a system-wide discipline. Source: ComplianceQuest
Core Requirements Under QMSR
Management Responsibility
QMSR strengthens management review requirements relative to the QSR. Under ISO 13485:2016 Clause 5, top management must establish quality policy, ensure adequate resources, and conduct formal management reviews that include specific inputs — customer feedback, process performance data, audit results, and corrective action status. Management review records are now subject to FDA inspection scrutiny. Vague or incomplete management review minutes create direct inspection risk.
Document and Record Control
The QMSR maintains strong document control and audit trail requirements. All records must be legible, identifiable, and retrievable. Electronic records systems must ensure integrity, and organizations subject to 21 CFR Part 11 must maintain those controls in parallel.
A key practical change: organizations must maintain documented procedures for records that ISO 13485 designates as "quality records." The list of required quality records under ISO 13485 is longer than what the QSR explicitly required, so many organizations will need to create or formalize documentation they previously handled informally.
Design and Development Controls
The QMSR aligns design controls with ISO 13485:2016 Clause 7.3. The underlying requirements are substantially similar to what the QSR required under 820.30. However, terminology changes and the Medical Device File consolidation mean that legacy design control documentation structures must be reviewed.
Traceability between design inputs and design outputs, design verification and validation evidence, and design transfer documentation remain mandatory — and FDA inspectors can now apply ISO 13485 clause-by-clause expectations rather than the older QSIT design control subsystem checklist.
Supplier and Purchasing Controls
Supplier Quality Management (SQM) requirements under QMSR are more explicit than under the QSR. ISO 13485:2016 Clause 7.4 requires manufacturers to evaluate and select suppliers based on their ability to meet requirements, maintain records of those evaluations, and re-evaluate suppliers at defined intervals.
Critically, supplier audit records are now accessible to FDA during inspections. Manufacturers who relied on questionnaires or certifications alone — without documented process audit activity — need to strengthen their supplier qualification programs immediately.
CAPA and Nonconformance Management
As noted above, corrective and preventive actions must now be managed as separate processes. ISO 13485:2016 Clause 8.5 provides the framework. Each process requires defined procedures, documented root cause investigation for corrective actions, effectiveness verification steps, and escalation mechanisms for systemic issues.
Organizations must also ensure their nonconforming product controls, customer complaint handling, and internal audit finding disposition processes feed into the CAPA system in a traceable, documented way.
How QMSR Changes FDA Inspections
The inspection change under QMSR is as significant as the regulatory text change. On February 2, 2026, the FDA officially retired the QSIT and replaced it with the updated Compliance Program for Inspection of Medical Device Manufacturers (7382.850).
Under the old QSIT, FDA investigators followed a structured four-subsystem approach and specific limitations on what records they could request. The new compliance program gives investigators broader latitude to follow audit trails wherever the evidence leads — including into internal audit files, supplier qualification records, and management review documentation.
What this means operationally:
Your internal audit reports must reflect a mature, functioning audit program. Repeat findings without effective corrective actions create significant inspection risk.
Your management review records must be thorough, dated, and show that leadership is actively engaging with quality data — not just signing off on templated agendas.
Your supplier qualification records must demonstrate documented evaluation and ongoing monitoring, not just a signed supplier agreement.
Your risk register must be current, cross-referenced with your QMS processes, and show evidence of ongoing risk assessment activity.
5 Steps to QMSR Compliance
1. Conduct a Gap Analysis Against ISO 13485:2016
Map your current QMS procedures, records, and documentation structures against ISO 13485:2016 clause by clause. Identify where your existing QSR-based system does not satisfy the ISO standard's explicit requirements. Pay particular attention to Clauses 5 (management responsibility), 7.4 (purchasing), 7.5 (production controls), 8.2 (monitoring), and 8.5 (CAPA).
2. Restructure Your CAPA System
If your organization still uses a combined CAPA procedure, splitting it is your highest-priority compliance action. Create separate SOPs for corrective actions and preventive actions. Ensure each process includes root cause investigation requirements, effectiveness verification steps, and escalation triggers for systemic issues.
3. Prepare Internal Audit and Supplier Records for Inspection
Audit your audit program. Review the last two years of internal audit reports and identify any unresolved findings, repeat observations, or inadequate closure documentation. Build a remediation plan before an FDA investigator does it for you. Apply the same review to supplier qualification files.
4. Update Terminology and Documentation Structures
Replace DHF/DMR/DHR references in your SOPs, work instructions, and templates with the Medical Device File structure. Align terminology throughout your QMS with ISO 9000:2015 Clause 3 definitions. Train your quality team on the terminology changes before the next audit cycle.
5. Embed Risk-Based Thinking System-Wide
Risk management can no longer live only in design controls. Conduct a formal review of how risk-based decision-making is documented across purchasing, production, monitoring, measurement, and CAPA. Update your quality manual, SOPs, and process documentation to reflect risk-based rationale across the full QMS scope.
How Cloudtheapp Supports QMSR Compliance
Achieving QMSR compliance requires a QMS platform that can support the expanded documentation demands, the separated CAPA workflow, the risk-based process requirements, and the deeper audit traceability that FDA investigators now expect to see.
Cloudtheapp is an FDA-validated, AI-powered eQMS platform built for regulated industries including medical devices, life sciences, and pharmaceuticals. The platform supports 21 CFR Part 11 compliant electronic records and signatures, full audit trail controls, and configurable workflows for CAPA, design controls, supplier management, document control, and risk assessments — all within a single, cloud-native system validated to FDA and ISO 13485 standards.
For manufacturers transitioning from legacy QSR-era systems to QMSR, Cloudtheapp provides the structural flexibility to rebuild documentation processes, separate CAPA workflows, and configure supplier qualification programs without requiring IT development resources. The platform's built-in analytics give quality leadership the real-time visibility into process performance data that QMSR's management review requirements demand.
With over 45 configurable applications available through the Cloudtheapp Store — including Corrective and Preventive Actions, Supplier Qualification Management, Audits, Risk Assessments, Design Controls, and Document Control — medical device manufacturers can deploy a QMSR-ready quality system and configure it to match their specific processes in days, not months.
Ready to see how Cloudtheapp can support your QMSR transition? Request a demo or start a 30-day trial today.
Conclusion
The FDA QMSR 2026 marks the end of a 30-year regulatory era and the beginning of a globally harmonized compliance framework for U.S. medical device manufacturers. The regulation is active, enforcement has begun, and there is no grace period.
The organizations that will navigate QMSR inspections successfully are those that understand the structural differences from the QSR, have restructured their CAPA systems, and have made their internal audit and supplier records inspection-ready. Risk-based thinking must now run through every layer of the quality system — not just design controls.
For quality professionals, this is both a compliance obligation and an operational opportunity. A QMSR-aligned QMS — one built on ISO 13485:2016 principles and supported by a validated, configurable eQMS platform — puts your organization in a stronger compliance position across every market where ISO 13485 is the accepted standard.
The regulatory clock has already started. The question now is whether your QMS is built to meet the standard it sets.