For the first time ever, based on anonymized EU documents we’ve received, we’re exposing the true state of EUDAMED. At the center of it: A gigantic €9M/year budget, €317k hosting costs, and a staff member who switched sides and started selling his internal knowledge.
(In case you didn’t know: EUDAMED is the European Database on Medical Devices – here’s another article with some context and its technical problems.)
But let’s take a step back first. How did all of this happen?
In October 2024, we shipped BEUDAMED, a better EUDAMED. What initially started out as a just-for-fun coding project nudged us to dive deeper into EUDAMED’s technical design. Sure, we didn’t have access to internal data or code, but we did have to wrestle with the public data when integrating it into BEUDAMED – all 500k+ medical devices, a ton of data.
And what we saw.. it wasn’t pretty, which is a huge understatement. It was a mess: Missing certificates, duplicate entities, inconsistencies – to an outsider, it might seem like EUDAMED was a one-week coding project of a high school student.
Except that it wasn’t. This was serious software, developed by the EU and funded by our money as taxpayers.
But besides the messiness, one much bigger elephant stood in the room: We had built BEUDAMED in 19 person-days. And, in many aspects, it already was a much better product than EUDAMED: Searches would complete in milliseconds (not 10-20 seconds), you only had to use one search field instead of 15, and, best of all, you could right-click on search results and open them in new tabs. We didn’t even have to deploy cutting-edge software wizardry to achieve this – it was simply enough to write code slightly better than a high school student.
EUDAMED, however, has been in continuous development since around 2017. So, in comparison to our 19 person-days, we estimated EUDAMED to have taken 5,900 person-days, a 300x increase (we turned out to be wrong – read on).
This left us scratching our heads: With 300x the resources, how is it possible to ship a product which is worse? And why the hell is it still not possible to right click on search results, two months after we reported it? Is anyone working on EUDAMED at all?
No one really knew the answer. But maybe we were able to find out?
The European Commission allows people to request Commission documents – the procedure is called EASE, which stands for “Electronic AccesS to Commission DocumEnts”. Yes, as you can see, the acronym makes absolutely zero sense and poses the bigger question of what the hell is going on in those people’s heads.
Regardless, I’ll try not to get caught up in another rant and move on!
(Oh wait, credit where credit is due: I had no idea about the EASE system, but a friendly dude named Stephen pointed me towards it. Thanks, Stephen!)
So we requested documents from the EU. We started with the basics: Who was behind the development of EUDAMED? How many people were working on it? And what does it cost?
And what we found was nothing short of crazy.
But before I tell you what we found, here’s what we got first: A promising automated message from the EASE system (highlights added):
You have a new_rec message concerning your request for access to the European Commission documents registered under case number 2024/[…].
So let me get this straight: While we were trying to do research on why EUDAMED is terrible software, we are confronted with another piece of terrible software which has obvious, glaring bugs in its email logic – what the hell is a “new_rec” message?
And don’t get me started on the new EU multi-factor authentication which requires you to re-enter your phone number (!?) when logging in. Yes, you have to re-enter your phone number, even though you’ve (obviously) already stored it in your profile. No other website on the entire internet requires you to do so – with good reason, because it makes zero rational sense. Crazy. Maybe the system was developed by the same people who came up with the EASE acronym.
Anyway. I’ll try to not get caught up in another rant here, and will try to move on, again.
Because what we found is way more crazy than anything in my preceding rants. Those juicy “new_rec” documents contained not one, but multiple bombshells, and we’re the first to report them. Get ready!
The Hosting Costs
How much does it cost to host a web application nowadays?
Let’s take a look at Hetzner – a renowned, reliable provider, located in central Germany, with perfect connectivity to other European countries. We’re not affiliated with them, but I personally think they’re tremendously cool: They offer great products at competitive prices and are single-handedly propping up the German cloud ecosystem which, besides them, doesn’t really exist.
So, at Hetzner, for €840 / year, you get an extremely powerful server: A CPU with 8 cores, 16 threads and 64GB of memory. Incidentally, this is the exact server which already is running BEUDAMED! And guess what, it’s completely overpowered for it. That’s why it also runs Digital Health Jobs and two more applications. And it’s still overpowered! (It’s in the left box below)
So this is a powerful server and it can run BEUDAMED. But you might now say “EUDAMED has way more traffic, not comparable, yadda yadda” to which I counter sure, EUDAMED has way more traffic, but all of that is solvable (caching etc.), and this server would still be able to run EUDAMED. At least that’s my opinion.
Okay, so €840 / year would work.
But maybe you might now say “we need even more performance!!11”, for no rational reason whatsoever, because we’ve seen above that this server already is sufficient. Maybe you have an incompetent, pointy-haired boss who secretly wields a corporate credit card with a fishy bonus points scheme, and he simply orders you to purchase the most powerful thing ™ you can find. Sure.
And even then Hetzner has you covered – you could choose the server in the right box below, for €2,800 / year. This buys you 48 CPU cores (!), 96 threads (!!) and 256GB of RAM. To say that this is a powerful server is an epyc (get it?) understatement. This is a godzilla of servers available to normal humans who don’t have access to a sales rep at Dell. It’s a beast. And yes, it could obviously also run EUDAMED.
It could probably run all other EU databases, too, in parallel.
So let’s summarize:
- You can very likely run EUDAMED on a €840 / year server.
- You can definitely run EUDAMED on a €2,800 / year server.
So now we’ve established how much money would suffice to procure adequate hosting infrastructure for EUDAMED.
What do you think the EU is currently paying for EUDAMED hosting?
€840?
€2,800?
Something in between?
No.
€317,333.14.
For 2023 alone.
Yes. That’s three hundred seventeen thousand, three hundred thirty-three Euros and fourteen cents. And that only covers the hosting costs for one year, specifically for 2023.
Here’s a screenshot of the budget document:
The columns are not easy to understand (what’s “Baseline ITCB”?), but my reading of them is that “baseline” costs were ~€227k, and in addition to that there was an “overconsumption”, costing an additional ~€90k, leading to ~€317k in total.
That’s completely, utterly crazy. It’s.. beyond crazy.
It’s such a crazy number that I literally don’t have any viable rational explanation for which services the EU might be purchasing here.
Let’s put things into perspective again: The most powerful Hetzner server, as we’ve seen above, costs €2,800 per year. With the EUDAMED hosting costs of €317k, you could purchase 110 of those servers.
110 servers!
That literally makes you a small cloud provider already!
The irony, of course, is that Europe still doesn’t have a viable cloud provider, even though the hosting costs of EUDAMED alone would be sufficient to fund a small one.
So. 110 servers. And, again, just one of those servers is way more than sufficient to run EUDAMED – indeed, it’s probably sufficient to run all EU databases. And now you’ve got not one, but 110 of them. That makes no rational sense.
Talking about rational sense. I see three possible explanations:
- The EU has indeed purchased ~110 servers, which are sitting in a data center and doing not very much, because the EU purchased 110x of what it actually needed.
- The EU has indeed purchased ~110 servers, which are actually being used because the software code is so terrible that it needs 110x more resources than it should.
- The EU only purchased what it actually needed (1 huge server, or 2-4 small ones), but is overpaying for those services by a factor of ~110x.
Regardless of how you spin it, it sounds terrible.
Personally, I think the overpayment scenario is the most likely. One data point for that would be the ~€90k “overconsumption” charge we saw in the document above. In that case, we’re witnessing highway robbery by whoever is the EU’s cloud provider – absurdly inflated prices, completely decoupled from the economic reality of the outside world.
Who in the EU signed off on this? Isn’t this the exact thing which the highly complex public procurement process aims to avoid?
I would really be interested to see which provider delivers these services, and into which pockets that money ultimately disappears.
So those are the hosting costs.
But there’s more.
The Team
In our other article, we estimated the EUDAMED development team to consist of three full-time people working on it since 2017. I was a bit hesitant to make this estimate, because I thought we might be over-estimating: Maybe it’s only one or two people working on EUDAMED, and we shouldn’t be too hard on them, as it might be a lot of work on just a few shoulders?
But boy, were we wrong. “Just a few shoulders” turned out to be completely the wrong gut feeling.
Before we dive into the crazy numbers, let’s quickly do a reality check here again. How many people does a typical software team need? At Amazon, there famously was the idea of “two-pizza” teams – teams small enough to feed with two (large) pizzas, i.e. 6-8 people. This is in line with our experiences:
- At OpenRegulatory, we’re running an eQMS software, a consulting business and more cool stuff (like the website you’re looking at!) with 5 people.
- At my prior job, we built the first version of fancy AI radiology software with 6 people.
Are you ready for the number of people on EUDAMED?
57 people.
Fifty-seven people.
That’s the number of people on the EUDAMED timesheet for 2023.
Yes, I have the same question as you right now: What are all those people doing? Luckily, EUDAMED seems to be doing some quality management, because they have an org chart! And as we’ve learned in regulatory compliance, an org chart is always very useful. Not sure for what, but at least it’ll help us understand the EUDAMED team. Here’s what we have:
- “Phoenix Team Squad”: 7 People
- Dev Team Leads: 5 People
- Full Stack Developers: 8 People
- Manual Testers: 4 People
- Automated Test Developers: 4 People
- Technical Writers: 6 People
- Support Team: 4 People
- Front End Developers: 5 People
- Back End Developers: 6 People
- Regression Testers: 5 People
- Accessibility Testers: 2 People
Funnily enough, if you sum up all of those numbers, you end up with 56 people, not 57. So there’s a discrepancy: at least one person is listed on the timesheet, yet mysteriously missing from the org chart.
Hold on, people submitting hours, yet not being on the org chart? I know what you’re thinking (😂). Anyway, moving on.
Given that you’d realistically only need 5-8 people as we’ve seen above, we’re looking at an over-provisioning by a factor of 10x here.
Only 10x more resources than required? Hold on, the EU actually sounds pretty efficient here.
Unfortunately, this is also not true if you think more about it. It doesn’t take the time into account.
We built the current version of BEUDAMED in around 30 person-days. In contrast, EUDAMED has been going on for 7 years already. Assuming the team always consisted of around 57 people, that results in ~145k person-days (57 people × 7 years × 365 days; if you count only the ~250 working days per year, as person-days usually do, it is still ~100k person-days).
So we’re no longer looking at a difference of 10x in efficiency. Instead that’s a difference of ~4,833x (or ~3,300x on the working-day basis).
By that calculation, the EUDAMED team is operating three to four thousand times less efficiently than a normal software development team.
Interesting. Moving on.
The org chart raises so many more questions:
- Why do you need 5 frontend plus 6 backend developers if you already have 8 full-stack developers? By definition, full-stack developers cover both frontend and backend already.
- What are those 6 technical writers doing all day long, given that hardly any public documentation on EUDAMED exists?
- And what about those 4 manual testers? If you already have 4 automated testers, why would any sane person additionally hire 4 manual testers?
- Most interestingly: What’s up with the “Phoenix Team Squad”? Were they parachuted in to help salvage the timeline? (Success so far has been limited)
Screenshots of everything at the end of this post.
But now, I’ll move on to our next finding: The budget.
The Budget
What do you think – what’s the budget of EUDAMED? Well, we already know the hosting costs (😂) and the team size (57 😅), so you already might guess that we’re not looking at a small number.
Here it is:
€9.226 million.
For 2023 alone.
Yes, that’s more than nine million Euros, for 2023 alone.
According to the budget document, the budget for 2023 was originally planned to be ~€5.8 million. That’s already a crazy amount of money for building a simple database (which, remember, we built in 30 person-days).
But it gets even worse.
Turns out, the budget was overrun by 58%, leading to an actual budget of ~€9.2 million.
This number is also hard to imagine, so let’s put things into perspective, yet again: Our yearly payroll is around €400k. Over the last few years, we’ve been able to provide a complete set of free medical device compliance templates, an eQMS software and tons of other cool stuff, lots of it available for free!
So let’s say €400k is equivalent to one “OpenRegulatory Company”.
With €9M, you could fund around 22 (!) OpenRegulatory Companies. Each one could create free templates for a specific industry. Imagine that! One company would go off and create free templates for information security (ISO 27001). Another one would fix the shadiness of clinical studies (CROs etc.), and provide templates for those. And then you’d still have 20 OpenRegulatory companies to assign to industries! The value for startups (and others!) would be huge.
So €9M, in the right hands, could deliver a lot of value.
€9M, in the wrong hands, well.. that’ll deliver an unfinished database with terrible usability and performance: EUDAMED.
So it’s a ton of money, and the team is not even achieving its goal.
But where is all this money going? Let’s do some calculations.
First, we have to deduct the €300k hosting costs (😂) from the total budget of €9.2M, leaving us with €8.9M.
Assuming there’s a mix of junior and senior developers and the average salary is €60k, we’re looking at a payroll of 57 people * €60k = €3.4M / year.
So, we have:
- €0.3M hosting costs
- €3.4M payroll costs
- = €3.7M in total costs
So our estimated total costs are €3.7M. Yet the total costs are €9.2M. What? We’re still “missing” a difference of €5.5M.
The “new_rec” documents I received unfortunately don’t explain this gap. My best guess would be that it’s for freelancers and consultants. But given that the product is so dysfunctional and the team already so bloated, you might not be too far off describing it as a Universal Basic Income scheme for a select group of consultants.
Still, I won’t dive overly deep into speculation here. This might be solvable by requesting more “new_rec” documents via the EASE system (after re-entering my phone number in the handy new multi-factor authentication).
Let’s move on to something really crazy, and some might say controversial.
The Staff Member Who Switched Sides
A while ago, a notified body auditor told me a story which sounded too crazy to be true: Allegedly, a high-profile EUDAMED staff member had left the EUDAMED team and was now providing “EUDAMED services” which consisted of essentially selling his internal EUDAMED knowledge by providing “EUDAMED submission software” and consulting.
Now, you see.. this is a crazy story. But the regulatory industry is so broken (and sometimes toxic) that I hear many similarly crazy stories quite often. So a story of someone “walking through the revolving door” from the EU to the industry actually sounded like just another day at the office to me.
Accordingly, I didn’t follow up on this at the time. But, somewhat ironically, when I posted on LinkedIn about the dire state of (duplicated) data in EUDAMED a while ago, that person commented on it, arguing that the EUDAMED team really cares about data.
Besides the fact that the line of argument sounds rather questionable (the team cares about data – cool – but shouldn’t they care about software competency?), this now rekindled my interest in the story. So I checked out the person’s website and LinkedIn profile, and.. wow. It seems to be true.
I confronted the person with these allegations by responding to his LinkedIn comment. Instead of responding to me, he blocked me.
Hm.
So yeah, the regulatory bubble is a dark space sometimes.
But maybe it’s just me, not him? I’ll therefore pause for a second and present you with the facts first so that you can form your own opinion:
- He was part of the EUDAMED team until around 2019.
- Then, he left the team and registered the domain eudamed.com.
- On eudamed.com, he offers a “unique EUDAMED Submission Software, Consultancy, & Training”.
Okay, got an opinion?
Here’s mine:
Purchasing the domain eudamed.com instead of letting the EU have it is a highly unethical move. It actively confuses people on where to find the real EUDAMED. Hell, even I remember being confused by this when I got into the medical device industry in 2020 or so.
His EUDAMED submission software and consultancy are most likely based on internal knowledge of the EUDAMED data structures which he gained while working on it. Now selling this internal knowledge in this way means actively choosing personal profit over collective progress – maximizing consulting revenue while leaving EUDAMED behind, broken as it is.
So those are my opinions.
What do you think?
If this makes you feel sad, let me cheer you up with another thought experiment: Let’s assume everyone on the EUDAMED team acted this way – i.e. they quit the team, register an ambiguous domain (eudamed.app, eudamed.berlin, eudamed.porn (😂), etc.) and start providing “EUDAMED submission software” and consulting.
Would that be good?
No, that would be terrible. The EUDAMED project would essentially fail, while its people choose to personally profit from this failure by selling out their internal knowledge.
But this thought experiment actually becomes quite funny, albeit in a tragic way:
- Given that the EUDAMED team is huge at 57 people, does the web even have 57 unique domain endings, so that each ex-EUDAMED person can register their own eudamed dot whatever domain?
(The answer is yes – the web has around 1.5k domain endings.)
- From an economic perspective, will the influx of 57 new EUDAMED consultants lead to a deflation in EUDAMED consulting prices? Imagine if EUDAMED consulting became so cheap that it’d be cheaper to hire an EUDAMED consultant to fix your plumbing than an actual plumber.
(The answer is “I don’t know” – economics are hard to predict.)
Haha.. so that was fun. But back to the real world. This is actually quite serious.
Here’s a final thought experiment: Imagine you’ve founded a software company. A few years in, one of your key employees leaves, registers a domain with the same name as your company (!) and starts offering software and consulting services based on the internal knowledge he gained while working for you (!!). Would that be okay?
No. In the real world, this would be where the lawyers enter the stage.
But, as we’ve learned today, the EU and EUDAMED don’t seem to be connected to the real world – neither when it comes to ethical standards, nor when it comes to budgets.
But maybe it’s just me again, and maybe I’m missing something here. Maybe it’s ethically acceptable what this guy is doing, and it’s simply me whose moral compass is wrong. Maybe €9M / year is a reasonable budget to develop a database, and it’s simply us who are so smart that we develop things four thousand times faster than other humans. And maybe €300k / year are normal hosting costs, and you do indeed need a data center full of 110 servers to run one web application.
What do I know. I just run a small software company.
1 comment
Aykaz
Bonkers