There’s a certain type of regulatory section that looks like administrative housekeeping but is actually load-bearing. Section 820.7 of the new QMSR is exactly that. It’s three short paragraphs about where you can find certain standards. And it is, quietly, one of the most consequential provisions in the entire rule.
If you’re working through this series in order, you’ve now seen how the QMSR defines who it covers, how its definitions work, and what it means to document a compliant QMS. Section 820.7 is the mechanism that ties all of it together. It’s the provision that legally grafts an international standard onto a federal regulation — and it has real, practical implications for every manufacturer subject to Part 820.
What Incorporation by Reference Actually Means
“Incorporation by reference” (IBR) is a specific legal technique used in federal rulemaking. When an agency incorporates an external document by reference, that document’s content has the full force and effect of law — exactly as if the text had been printed directly in the Code of Federal Regulations. You’re required to comply with it. An inspector can cite you on it. It counts.
This is not the same as saying a regulation is “consistent with” or “aligned to” a standard. It’s stronger than that. Under §820.7, compliance with ISO 13485:2016 isn’t just good practice or a useful framework. For the sections where it’s incorporated, it’s a legal requirement.
The Office of the Federal Register has formal procedures for IBR — 1 CFR Part 51, if you enjoy reading regulations about how regulations are made — and those procedures require that the IBR material be reasonably available to the public. Which brings us to the practical part.
What §820.7 Incorporates (and Where)
Section 820.7 incorporates two documents:
ISO 9000:2015(E), Clause 3 — Terms and definitions. This is the vocabulary standard, incorporated specifically for use in §820.3 (Definitions). When §820.3 refers you to the definitions in ISO 13485 and ISO 9000, this is the legal basis for that reference.
ISO 13485:2016(E) — Medical devices: Quality management systems — Requirements for regulatory purposes. This is the big one. It’s incorporated by reference for five specific sections: §820.1 (Scope), §820.3 (Definitions), §820.10 (General QMS requirements), §820.35 (Control of records), and §820.45 (Device labeling and packaging controls).
Those five sections represent the substantive core of the QMSR. Everywhere those sections say “as required by ISO 13485” or “in accordance with ISO 13485” — that’s not a suggestion. That’s the IBR doing its work.
What Changed from the Old QSR
This is where the structural shift becomes very clear. The old Quality System Regulation — in place from 1996 until February 2, 2026 — was a standalone document. You could read it cover to cover without consulting anything else and know exactly what was required of you. It had 15 subparts, spelled out in the CFR, covering everything from management responsibility to complaint files to statistical techniques.
The old QSR acknowledged ISO 9001 and ISO 13485 in its preambles and guidance documents, and many manufacturers pursued ISO 13485 certification in addition to QSR compliance. But the two frameworks were legally separate. ISO 13485 was a private standard. The QSR was federal law. They lived in different houses.
Under the QMSR, they’ve moved in together. ISO 13485:2016 is now incorporated by reference, which means it carries the legal weight of regulation. The CFR itself has shrunk dramatically — from 15 subparts to two (Subparts A and B, with Subparts C through O reserved). The rest of your quality system requirements are in ISO 13485, which you are now legally required to follow.
If you were running a QSR-only compliance program without ISO 13485, this was not a small change. You had to obtain the standard, understand how it’s structured (it reads quite differently from the CFR), map your existing procedures against it, and close any gaps. For manufacturers already certified to ISO 13485:2016, the transition was more manageable — though not frictionless, because the QMSR still has FDA-specific additions in Subpart B that ISO 13485 doesn’t fully cover.
The Practical Problem: ISO 13485 Is Not Free
Here’s the part that tends to frustrate people. The regulation requires you to comply with ISO 13485. ISO 13485 is a copyrighted document published by the International Organization for Standardization. It is not freely available online. You have to buy it.
The IBR rules require that incorporated documents be reasonably available to the public, and FDA has satisfied this by making ISO 13485 available for inspection at FDA’s Dockets Management Staff in Rockville, Maryland, and at the National Archives. This is technically public access. It is also not particularly useful for the person who needs to run a gap assessment against their existing procedures on a Tuesday afternoon.
In practice, manufacturers need to purchase a copy of ISO 13485:2016 from ISO, from ANSI (the American National Standards Institute), or from another authorized distributor. If you don’t have it, you are missing part of the regulation you’re required to comply with. That’s a strange place to be in federal compliance, but here we are.
An Important Caveat: ISO Certification ≠ QMSR Compliance
While ISO 13485 is now law (where incorporated), it’s worth being explicit about what that doesn’t mean. Being certified to ISO 13485:2016 by a Notified Body or accredited certification body does not automatically mean you’re in compliance with the QMSR. It’s a meaningful indicator, and it demonstrates alignment with the core QMS requirements. But it doesn’t cover the FDA-specific supplemental provisions in Subpart B — the record-keeping details in §820.35 or the labeling controls in §820.45, which we’ll cover in future posts.
FDA has also been clear that ISO 13485 certificates will not exempt manufacturers from FDA inspections. The agency will assess QMSR compliance on its own terms.
What Manufacturers Should Actually Do
If you haven’t already: make sure you have a licensed, current copy of ISO 13485:2016 in your quality system documentation. It should be controlled, accessible to relevant staff, and treated as part of your regulatory library alongside Part 820. It’s not optional reference material anymore — it’s the regulation.
If your organization went through a QMSR transition in 2025 and you’re revisiting your gap assessment, pay attention to which clauses of ISO 13485 are now legally operative through the IBR mechanism. Your FDA investigator will be looking at ISO 13485 compliance as part of inspecting your QMS — not instead of Part 820, but through it.
Section 820.7 is the kind of provision that gets three lines in a regulation summary and then a year’s worth of implementation work in the real world. The legal mechanism is simple. The implications are not.
Next up: we’ll get into the supplemental provisions of Subpart B, starting with §820.35’s very specific requirements for complaint and servicing records. That’s where FDA added detail beyond what ISO 13485 requires — and where some manufacturers have found gaps they didn’t expect.