Medical device post-market surveillance (PMS) and vigilance reporting are minimum requirements to maintain regulatory compliance in most markets. In Mexico, this requirement is called technovigilance and it is mandatory to maintain your sanitary registration from COFEPRIS (The Federal Commission for Protection against Health Risks), Mexico’s medical device regulator. If you’re in the post-market phase in other markets, Mexico’s technovigilance requirements will feel familiar to you. However, some terminology and processes are unique to Mexico. Let’s take a look.
Mexico’s Technovigilance Framework and Standards
The goal of technovigilance is to ensure devices remain safe and perform as intended throughout the device life cycle. Technovigilance activities include monitoring device performance and reporting, assessing, and responding appropriately to any adverse events with corrective and preventive actions. NOM-240-SSAl-2012 “Norma Oficial Mexicana NOM-240-SSAl-2012, Instalación y operación de la tecnovigilancia” is the Mexican Official Standard (NOM) that outlines the technovigilance ecosystem and requirements in Mexico and aligns with Global Harmonization Task Force (GHTF) standards on post-market surveillance and vigilance. A draft of the NOM, PROY-NOM-240-SSA1-2024, was published in 2024 that will introduce numerous modifications, including bringing software as a medical device (SaMD) into the standard’s scope, expanding reporting criteria, and implementing mandatory reporting requirements for distributors. As of this writing, PROY-NOM-240-SSA1-2024 has not been published in the Official Gazette of the Federation, which would launch the transition to the updated version. However, significant changes from the published draft are not expected.
Technovigilance requirements also intersect with Mexico’s Good Manufacturing Practice (GMP) standard. Good Manufacturing Practices for Medical Devices: NOM-241-SSA1-2025 (link in Spanish) and Medical Device labeling: NOM-137-SSA1-2008 (link in Spanish), and which also has an open draft version NOM-137-SSA1-2024.
Key Players in the Technovigilance System in Mexico
Direct oversight of technovigilance requirements in Mexico including activities and device safety is managed by the National Center for Pharmacovigilance (CNFV), a division within COFEPRIS. Adverse event reports are submitted to CNFV for assessment, along with follow-up reports and details of Field Safety Corrective Actions (FSCAs). Users and providers can also submit a notification to CNFV about your device, in which case, CNFV will contact you or your legal representative.
Under NOM-240-SSAl-2012, the sanitary registration holder is responsible for implementing a technovigilance system (also called a technovigilance unit). If your company is based outside Mexico, you will need a legal representative, called a Mexico Registration Holder (MRH), to represent you to COFEPRIS and CNFV. In this case, your MRH “owns” the sanitary registration of your product and will be primarily responsible for maintaining technovigilance activities. Your MRH will submit notifications to CNFV on your behalf and will need an established technovigilance unit. Under the draft standard, distributors are also obligated to report incidents to the MRH. Technovigilance responsibilities of your MRH and distributor should be addressed in your Technical Agreement with each supplier, in accordance with NOM-241-SSA1-2025.
Technovigilance unit refers to your established technovigilance processes and procedures, and the personnel within your organization responsible for implementing them. All key players in Mexico’s healthcare ecosystem and supply chain are required to establish a technovigilance unit, including at the state and national levels. The units maintained by the manufacturer and/or MRH should employ someone with the appropriate education and training to evaluate adverse events and have systems and procedures in place to collect, analyze, and document adverse event information. You must inform CNFV in writing of the person responsible for overseeing your technovigilance unit and that person will be solely responsible for reporting to CNFV. Other technovigilance personnel require training that should be documented as part of your technovigilance and quality systems.
Criteria of Reportable Adverse Events
An adverse incident must be reported to CNFV when it meets three criteria:
Serious public health threats should be handled with highest priority. Incidents that could have led to any of these outcomes but were prevented by intervention must still be reported. Under the draft standard, adverse events occurring during clinical trials must be reported even if the device involved is not yet registered in Mexico.
Examples of reportable adverse events include a device malfunction or failure during intended use, unforeseen adverse events (i.e., adverse events that were not identified in the pre-market risk assessment), inaccurate labeling or instructions for use (IFU), interactions with other substances, patient-specific reactions, or incorrect test results from an IVD device.
A trend report should be filed when there is an increase in reportable adverse incidents, exempt incidents that start occurring more frequently, or events previously scheduled for periodic reporting. Even when incidents are normally exempt from reporting, a sudden rise may indicate shifts in how the device functions or is being used. Manufacturers should track these developments and are expected to flag significant deviations in device performance.
The draft version of the updated technovigilance requirement standard in Mexico will expand reporting obligations beyond adverse events. It requires notifying the CNFV of any developments that could affect a device’s safety monitoring. These developments include the transfer of registration rights to a new MRH, cancellation or withdrawal of a device’s sanitary registration, and incidents involving theft, falsification, or loss of the device. Updates to clinical trial protocols must also be reported. The draft also mandates that national and international security alerts related to the device be communicated to the authority and actively monitored by all technovigilance units.
Incidents that Do Not Require Reporting to CNVF
If a device malfunction is identified by the user before use, or if the cause is clearly linked to a pre-existing medical condition and not the device itself, reporting is not required, provided there is sufficient evidence to conclude that the device functioned as intended and did not contribute to harm.
Other exceptions include adverse events involving expired devices, cases where built-in safety mechanisms prevented harm, and incidents with minimal risk and/or frequency that have been evaluated and deemed acceptable following a risk assessment. Known and anticipated adverse events do not need to be reported if they are described in the device’s IFU, labels, or scientific literature, and/or have been deemed clinically acceptable. Incidents already addressed in warning notices also do not require separate reporting, nor do cases covered by specific exceptions granted by the CNFV.
What About use Errors and Abnormal Use?
Use errors involving medical devices must be assessed, and the results must be made available to the CNFV upon request. Use errors must be reported when they meet the three main criteria for reportable adverse events or when they lead or could lead to the death or deterioration of health of a user or present a serious public health threat.
Abnormal use (i.e., where a device is used in a way that is clearly outside its intended purpose) does not need to be reported to CNFV. However, these incidents resulting from abnormal use must still be investigated by the manufacturer or MRH.
When and How to Submit an Adverse Event Report to CNFV
Notifications of reportable adverse must be sent in writing to CNVF in order to stay compliant with Technovigilance Requirements in Mexico. The initial report should include the submitter’s name and contact information, company information, and essential details of the device and the incident, including relevant patient information, device description and location, and any preventive, corrective, or FSCAs implemented prior to the notification. Under the draft NOM, the quality and completeness of the information submitted with your report should be classified as Level 1, 2, 3 (Level 3 being the highest quality).
The timing of the submission depends on the severity of the adverse event. If the incident poses a serious threat to public health, it must be reported within two working days of confirmation (the revised standard may revise this period to three calendar days). If the event involves a death or a serious health deterioration, the notification must be submitted no later than 10 calendar days after confirmation. For other reportable events, the deadline is 30 calendar days.
A follow-up report and final report must be submitted within at least six months of the first notification, though extensions may be granted. The follow-up report should include updates on the progress of the investigation, any preliminary findings, details of similar incidents that may have occurred, and a risk assessment. The final report presents the complete investigation of the incident including root causes, corrective measures, preventive measures, FSCAs, and final conclusions to close the investigation. FSCAs can include device recalls or withdrawals, device design or materials modifications, changes to labeling or IFUs, etc. A detailed list of information required with the notification and follow-up report can be found in section 6.7.13 of NOM-240-SSAl-2012.
Technovigilance Report Requirements in Mexico
The Technovigilance Report is an inventory of all technovigilance activities and is submitted to COFEPRIS as part of the registration renewal process, which occurs every five years. The report should be submitted at least three months before the intended renewal date for consideration pending your renewal.
The report should include key product details, such as the generic name, model or catalog number, risk classification, registration number, manufacturer and distributor information, software version (if applicable), and clinical characteristics. You must include a detailed section covering all adverse incidents reported to CNFV during the past five years. This includes counts and descriptions of both serious and unanticipated incidents, the number of units sold annually, estimated patient exposure, market duration, and any safety alerts or corrective actions taken.
Ready to Learn More About Technovigilance Requirements in Mexico?
COFEPRIS expects registration holders to be proactive about safety monitoring, maintain transparent communication among all stakeholders in the medical device supply chain, and FSCA handling. As your Mexico Registration Holder, MedEnvoy will ensure that your technovigilance processes are efficient, effective, and comply with Mexico’s regulations and standards. Partnering with MedEnvoy gives you full control of your COFEPRIS sanitary registration with the strategic advantage of local regulatory expertise. Learn more about our Mexico Registration Holder service.
Related Resources
Related Guidance
We share our expertise because we believe in removing barriers to global commercialization.
EU Classification Guidance Updated: Borderline Manual and MDCG 2021-24
The European Commission published two closely related guidance updates that directly affect how medical devices and in vitro diagnostic medical devices are qualified…
The Business Impact of EUDAMED on Market Access
The European Database on Medical Devices (EUDAMED) is often viewed by manufacturers purely as a compliance burden when…
MedEnvoy at RAPS Euro Convergence 2026
We are excited to share that MedEnvoy will be participating in RAPS Euro Convergence 2026 as an exhibitor! This year’s…