Customer Focus: One Sentence, One Big Responsibility, Zero Excuses for Ignoring It

Here is a thought experiment for you. Imagine your top management — the CEO, the VP of Quality, the person who signs off on your QMS — sitting down to answer this question: “Do you actually know what your customers require? And do you know what the regulations require? And are those requirements being met?”

If the answer involves a lot of throat-clearing, the phrase “well, it’s complicated,” or a sudden interest in checking their phone, then §5.2 of ISO 13485:2016 has something to say to them.

What §5.2 Actually Says

Section 5.2 is refreshingly brief. In its entirety, it says that top management shall ensure that customer requirements and applicable regulatory requirements are determined and met, with the aim of enhancing customer satisfaction.

One sentence. Twelve words of obligation. But don’t let the brevity fool you — this is not a throwaway clause. It’s the standard putting top management on notice that the entire QMS exists for a reason, and that reason has a face: your customer, and the regulator standing behind them.

Breaking It Down

There are three obligations packed into this one sentence:

1. Customer requirements must be determined. Your organization needs a systematic way of figuring out what customers actually need — not what you assume they need, not what’s easiest for you to provide, and not what you sold them five years ago before the product changed. This connects directly to §7.2, which covers the specifics of capturing and reviewing those requirements. But §5.2 puts the responsibility at the top — not just in the sales team or the customer service inbox.

2. Applicable regulatory requirements must also be determined. Medical devices are regulated products. Whether you’re operating under FDA requirements, EU MDR, Health Canada, or a patchwork of global regulations depending on where your device is sold, those requirements are part of what you’re obligated to meet. “We didn’t know that requirement applied to us” is not an answer auditors find satisfying.

3. Both sets of requirements must be met. Knowing your requirements and meeting them are, it turns out, two different things. §5.2 requires both. It’s not a research exercise — it’s a commitment to action.

What “Top Management” Has to Do With It

Notice that §5.2 puts this squarely on top management. Not quality. Not regulatory affairs. Not the project manager who’s been here longest and somehow ended up responsible for everything. Top management.

This matters because one of the most common failure modes in a QMS is the one where quality is treated as a department rather than a culture. The quality team knows exactly what customers need and what the regulations require, and they’ve documented all of it beautifully, and nobody else in the organization looks at it or acts on it because leadership hasn’t made it a priority.

§5.2 exists to close that gap. Top management must ensure requirements are determined and met. That word — ensure — is doing a lot of work. It means leadership needs to set the conditions, allocate the resources, and follow through, not just sign off on a policy statement and move on.

What This Looks Like in Practice

In real life, §5.2 compliance tends to show up in a few specific places:

Your customer requirements process has teeth. Customer requirements should flow from actual customer input — complaints, feedback, specification reviews, post-market data — and be traceable into your design, production, and service processes. If “customer requirements” in your QMS is a document that was written at implementation and hasn’t been touched since, that’s a gap.

Regulatory requirements are identified and tracked. Many companies maintain a regulatory requirements matrix or a similar document that lists applicable regulations, standards, and directives by market and device type. This isn’t just paperwork — it’s the mechanism that turns “we need to comply with regulations” into “here are the specific regulations, here is where they’re addressed in our QMS, and here is the evidence.”

Management review addresses customer satisfaction. §5.6 (Management Review) requires review of customer feedback and satisfaction data. This is §5.2’s accountability mechanism — the moment where top management actually looks at whether the requirements are being met, not just whether the policy says they should be.

The Audit Reality

Auditors looking at §5.2 aren’t usually hunting for a document titled “Customer Focus Policy.” They’re looking for evidence that customer and regulatory requirements have actually been determined, documented, and flowed into the organization’s processes. They’ll look at how requirements are captured in contracts and design inputs. They’ll look at whether regulatory requirements are identified for each market. They’ll look at management review records to see if satisfaction data is being reviewed and acted upon.

Where §5.2 tends to generate findings is in organizations that have never systematically identified which regulatory requirements apply to their devices, or where customer feedback exists but there’s no evidence it influences anything, or where management review notes show customer satisfaction data being reported but no actions taken in response to problems.

One Sentence, Fully Unpacked

Section 5.2 is a single sentence that carries the entire premise of the standard: medical device manufacturers exist to make safe, effective products that meet the needs of customers and the requirements of regulators, and leadership is responsible for making sure that actually happens.

Everything else in ISO 13485 — the document control, the design controls, the corrective actions, all of it — is in service of that premise. §5.2 just makes sure the people at the top of the organization haven’t forgotten it.

Put it on a poster if you have to. Leadership needs to hear it more often than you’d think.


Work with Red Hen Admin

Ready to put this into practice?

Whether you need an independent quality system audit or hands-on QMS consulting, Red Hen Admin can help — remote and on-site in Southern California.
