Medical devices are treated differently based on which class they are in. The MDR (EU) and the FDA have different systems of classifying medical devices. We mostly focus on the EU MDR side of things.
This is a complicated topic with many ambiguities (you’ll get used to those in regulatory work), so I’ll only touch upon it briefly and simplify it ridiculously. Under the MDR, there are three different classes: I, II and III. What’s the typical class of software?
Under MDR, most mobile apps will be class II devices (IIa, to be specific). Radiology software mostly remains class II (IIa or IIb).
Why is this relevant? Because this decides how you will certify your software. Ironically, the requirements are the same, but the procedure is slightly different. Typically, you need an external auditor (e.g. from an institution like TÜV SÜD or Berlin Cert) to “check” your Quality Management System (of your company) and Technical Documentation (of your product).
But the large difference is that for class I devices, you don’t need an external auditor: You can self-certify yourself. That sounds ridiculous at first, but it simply means that you still have to do the same work but don’t have to involve someone else to check on you. At the very least, this makes the process faster because you don’t have to wait for an external company to schedule an audit date and send you your certificate (which can take months). You may however be surprise-audited.
Speaking from experience, the amount of work for class I certifications is also significantly lower. This pretty much a business decision - how many “gaps” do you want to have in your Quality Management System and Technical Documentation, at the risk of being shut down when you’re surprise-audited?
By the way, if hardware is connected to software, things get more tricky. Don’t get into the business of medical hardware.
Once you’ve found out your device class and determined whether you need to be audited by a Notified Body, you need to find one. But first, you need to found your company.