Managing Medical Device Supplier Contracts: Key Risks Under Czech Law

Contractual relationships with suppliers of medical devices and technologies are a key matter for every healthcare provider in the Czech Republic. This article will give you a practical overview of the risks hidden in these contracts and show you how to properly protect your organisation’s interests under Czech law. You will learn which clauses the contract must include, how to avoid common mistakes, and where the greatest financial and legal penalties may arise.

Quick summary

• Contracts with medical device suppliers require specific legal drafting under Czech law : A standard purchase or service agreement is not enough. Medical devices are subject to a strict regime under Act No. 89/2021 Coll. and EU regulations (MDR/IVDR), covering certification, training, servicing and liability. These aspects must be clearly addressed in the contract.
• Allocation of liability and risks is critical : The healthcare provider bears primary responsibility towards patients for the quality of care and the safety of the technologies used in the Czech Republic. Even if the defect is on the supplier’s side, the patient will pursue claims against you. Without a properly structured recourse/indemnity claim in the contract, you may lose the ability to recover damages from the supplier.
• Service obligations and technical specifications have legal consequences : The supplier (or a person authorised by the supplier) must carry out professional maintenance and periodic safety and technical inspections (PBTK). The contract must clearly define deadlines, technician availability and responsibility for meeting statutory time limits under Czech legislation.
• Supervisory authorities pay close attention to contracts and documentation : The State Institute for Drug Control (SÚKL – the Czech medical devices regulator), regional authorities and health insurance companies assess during inspections whether you are fulfilling obligations related to operating medical devices. A poorly drafted contract or missing documentation automatically results in a finding of non-compliance and the risk of significant fines.
• Contracts with medical device suppliers require specific legal drafting under Czech law : A standard purchase or service agreement is not enough. Medical devices are subject to a strict regime under Act No. 89/2021 Coll. and EU regulations (MDR/IVDR), covering certification, training, servicing and liability. These aspects must be clearly addressed in the contract.

Why contracts with medical device suppliers are different from ordinary purchases

When a company orders computers or office furniture, it is a standard commercial relationship. With medical devices, the situation is fundamentally different. A medical device, instrument or software directly affects patients’ health and safety. For this reason, the area is regulated in the Czech Republic by Act No. 89/2021 Coll., on Medical Devices, and directly applicable EU regulations (MDR and IVDR).

This means that your contract with the supplier must reflect the specific obligations arising from these regulations. It is not sufficient to accept the supplier’s standard terms and conditions, which often do not cover the specifics of Czech medical device law. The attorneys at ARROWS, a Prague-based law firm, regularly deal with situations where clients only realise after an incident or an inspection that their contracts did not include the guarantees required by law.

Healthcare providers are in a position where Czech law penalises them directly for breaches of obligations. SÚKL inspectors focus on whether you have ensured servicing (PBTK), whether staff have undergone training, and whether you have instructions for use and declarations of conformity available. If the contract with the supplier does not clearly transfer these obligations or address cooperation, you face fines in the hundreds of thousands to millions of Czech crowns.

Basic legal framework for medical devices

Before signing the contract, it is necessary to understand the legal framework applicable in 2026. In the Czech Republic, the key regulation is Act No. 89/2021 Coll., on Medical Devices, which is complemented by the EU regulations MDR (2017/745) and IVDR (2017/746).

Medical devices are divided into risk classes (I, IIa, IIb, III). The higher the class, the stricter the requirements for clinical evaluation, certification and servicing. The supplier must guarantee that the device bears the CE marking, confirming compliance with EU requirements. Without this marking, the device (subject to exceptions such as custom-made devices) may not be placed on the market or used.

The contract must include a written guarantee that the delivered devices meet all regulatory requirements applicable in the Czech Republic, have valid certificates, and that the supplier is liable for any defects in the legal or technical documentation. Using a device without a valid CE marking may lead to a fine imposed by SÚKL and establishes the provider’s liability for any harm to a patient’s health.

Consumables and supplier “lock-in” (Vendor Lock-in)

With equipment technology, a common issue is dependence on consumables (reagents, kits, tubing). In public procurement as well as day-to-day operations, it is necessary to consider so-called life cycle costs (Life Cycle Costing).

If you are purchasing a device, the contract must clearly address the prices and availability of these consumables for the entire expected service life of the device. Otherwise, you expose yourself to the risk of “Vendor Lock-in”, where the supplier unilaterally increases the prices of consumables after the device is purchased, and those consumables cannot be sourced elsewhere. The contract must include price fixing (e.g., with an inflation clause) and an availability guarantee.

Related issues – Classes and categories of medical devices

1. What is ZUM and why is it important for the contract?

Separately billable material (ZUM) is a category of items reimbursed by health insurance companies beyond the flat-rate payment for a procedure in the Czech Republic. The supplier must guarantee that the material will meet the reimbursement conditions (e.g., inclusion in the relevant reimbursement list/catalogue). If the material is removed from reimbursement due to the supplier’s error, the contract should address compensation.

2. Can I use non-original accessories?

From a legal perspective, this is possible if the manufacturer of the alternative accessory declares compatibility and conformity (CE). However, device manufacturers often argue that using non-original material voids the warranty. The contract should clearly set out under what conditions alternative material may be used without losing the warranty for the main device.

3. What role does CE certification play?

It is a basic condition for placing products on the market. The contract must include the supplier’s obligation to provide an EU declaration of conformity for all delivered items.

Liability – who is responsible for what?

This is a critical point of any contract. Under the Czech Civil Code and the Act on Health Services, the healthcare provider is liable for harm caused to a patient, even if it was caused by a defect in the device used. The patient sues you, not a manufacturer in China or a distributor in Germany.

The attorneys of ARROWS, a Prague-based law firm, therefore strongly recommend including a so-called recourse clause in contracts. This ensures that if you have to compensate a patient for damage due to a defect in the supplied device, you have the right to recover that amount from the supplier.

Suppliers often try to limit their liability in contracts (e.g., up to the purchase price of the goods). However, such a limitation is highly risky for healthcare providers in the Czech Republic. Personal injury damages can reach millions of Czech crowns, while the price of the device may be in the tens of thousands. The contract should therefore not include liability caps for personal injury or for damage caused intentionally or by gross negligence, which is in any event contrary to Section 2898 of the Czech Civil Code.

Related questions – Liability

1. Do I have to pay the patient even if the defect is on the manufacturer’s side?

Yes. If harm occurs in the course of providing healthcare services due to a defective device, you are primarily liable (Section 2936 et seq. of the Czech Civil Code). You must then seek recovery from the supplier.

2. Can I be fully released from liability?

Towards the patient, it is not possible to waive in advance liability for harm to natural rights (health) under Czech law.

3. What if the supplier goes bankrupt?

This is a real risk. We therefore recommend requiring in the contract that the supplier maintains product liability insurance for damage caused by a product defect with a sufficiently high indemnity limit, and keeps this insurance in place for the entire service life of the device.

Service, maintenance and periodic safety and technical inspections (PBTK)

Act No. 89/2021 Coll. imposes on the provider an obligation to carry out maintenance and periodic safety and technical inspections (PBTK) at intervals set by the manufacturer.

The supplier contract must address:

1. A guarantee of performing PBTK. The supplier should undertake to carry out the prescribed inspections within the statutory deadlines. If it fails to do so and you are fined by SÚKL (the Czech State Institute for Drug Control) (which for legal entities can be up to CZK 500,000 or even more depending on the severity), the supplier should reimburse the fine.
2. Professional competence. Service may only be performed by a registered person with the relevant manufacturer training. The contract must guarantee that the supplier’s technicians have this qualification.
3. Response time (SLA) and a replacement device. For critical devices (CT, MRI, ventilators), the contract must include a guaranteed time to commence repairs (e.g., within 24 hours) and a time to remedy the fault. In the event of a longer repair, it is advisable to contractually stipulate an obligation to provide a replacement device free of charge.
4. Post-warranty service. It is advisable to contractually regulate service terms (labour and parts pricing) also for the period after the warranty expires, to avoid sudden price increases.

Related questions – Service

1. Who monitors PBTK deadlines?

The provider is responsible. However, in a well-drafted service agreement, the supplier takes over this administration and deadline tracking.

2. Can I arrange servicing through a third party?

Yes, provided that this third party has the manufacturer’s authorization and training. However, beware of warranty terms—intervention by an unauthorized service provider during the warranty period usually results in the warranty becoming void.

Certification, training and documentation

Upon delivery of a medical device, administrative obligations must be fulfilled; omissions are a frequent target of inspections in the Czech Republic.

1. Staff training. Under Act No. 89/2021 Coll., a medical device may only be operated by a person who has completed training. This training is provided by the supplier (or a person authorized by the manufacturer). The contract must stipulate that the supplier will provide initial training free of charge and also ensure any additional training for new employees (e.g., for a flat fee).
2. Instructions for use. The supplier is obliged to provide instructions in the Czech language.
3. Technical documentation. For servicing and inspections, it is necessary to have the relevant documentation available.

Penalties for failing to provide training or failing to keep documentation of it can reach hundreds of thousands of Czech crowns. The contract should clearly state that delivery of the device is deemed completed only after the training has been carried out and all documentation has been handed over.

Responsibility for legal compliance and cybersecurity

With the rise of digitalisation and the effectiveness of the new Cybersecurity Act (implementing the NIS2 Directive) in 2026, the cybersecurity of medical devices is coming to the forefront in the Czech Republic.

If the device is connected to a network or processes patient data:

1. GDPR compliance. The supplier must guarantee that the software enables data processing in compliance with  (encryption, access logging, ability to erase).
2. Cybersecurity (NIS2). If you fall under regulation as a provider of an essential or important service, you must manage risks in the supply chain. The contract must oblige the supplier to comply with security standards, report security incidents, and provide updates (patches) throughout the entire service life of the device.
3. Software updates. The supplier must guarantee the availability of security updates. Outdated software is a risk to the entire hospital network.

Related questions – Legislation and IT

1. Who is responsible for a data leak from the device?

Primarily you, as the personal data controller under Czech and EU law. However, if the leak is caused by a security vulnerability that the supplier failed to fix, you may assert recourse—if the contract allows it.

2. What if the supplier stops supporting the software?

The contract should include a guarantee of support for a specified period (e.g., 10 years).

Risks and sanctions	How ARROWS can help (office@arws.cz)
No right of recourse: The healthcare provider pays damages to the patient but cannot recover them from the supplier of the defective device.	Drafting contractual clauses: We will set up an effective recourse mechanism and ensure the supplier cannot avoid liability.
Breach of the PBTK obligation: A fine from SÚKL (the Czech State Institute for Drug Control) of up to CZK 1,000,000 (Section 94 of Act No. 89/2021 Coll.) for failing to carry out inspections.	Setting up the service agreement: We will contractually transfer responsibility for monitoring deadlines and performing inspections to the supplier, backed by contractual penalties.
Unfavourable “lock-in”: Dependence on the supplier’s overpriced consumables with no ability to switch.	Protection against dependency: We will incorporate price fixing for consumables and conditions for using alternatives into the agreement.
Insufficient documentation and training: A fine of up to CZK 500,000 for missing records of staff training.	Process setup: We will ensure the handover protocol includes confirmation that statutory training has been provided under Czech law.
Cybersecurity risks (NIS2/GDPR): Patient data leakage or operational paralysis due to an attack via an unsecured device.	Security clauses: We will implement the requirements of the new Czech Cybersecurity Act into contracts with technology suppliers.

Public procurement and the specifics of purchasing medical devices

For public contracting authorities (state hospitals and regional and municipal facilities) in the Czech Republic, Act No. 134/2016 Coll., on Public Procurement, applies. When purchasing, correctly determining the estimated contract value is crucial. It must include not only the price of the device, but also related services (maintenance/service) and consumables for the usual period (e.g., 4 years). Splitting a contract in order to reduce its value below statutory thresholds is prohibited.

A specific rule is the prohibition on stating specific brands in the tender documentation unless it is technically necessary. Requirements must be defined by technical and medical parameters. ARROWS’ Czech legal team regularly helps set qualification requirements and evaluation criteria so that the contracting authority obtains a high-quality device, not merely the cheapest one that meets minimum requirements.

Beware of so-called “disproportionate requirements”, which could be challenged before the Office for the Protection of Competition (ÚOHS), the Czech competition authority. Fines for errors in the procurement procedure can reach up to 10% of the contract price or CZK 20 million.

Supply chain, subcontractors and GDPR

The relationship between the supplier and the healthcare provider in the GDPR context is usually that of controller (the provider) and processor (the supplier, if it has access to data during servicing), or, alternatively, independent controllers.

The contract must include a data processing clause under Article 28 GDPR if the supplier has access to patients’ personal data (e.g., during remote administration of a diagnostic device). The absence of this agreement is a common shortcoming sanctioned by the Office for Personal Data Protection (ÚOOÚ), the Czech data protection authority.

It is also necessary to address contractually whether the supplier uses additional subcontractors (e.g., external cloud services for storing images). The controller (you) must have an overview of the subcontractors involved and the right to object to changes to them.

Practical steps when entering into or reviewing a contract

• Step 1: Audit existing contracts. Check whether you have valid service agreements (PBTK) for all devices and whether they cover the statutory requirements applicable in 2026 under Czech law.
• Step 2: Verify the supplier. Before signing, request evidence of the manufacturer’s authorisation to service, ISO certificates, and proof of insurance.
• Step 3: Define the scope of performance. Be specific. “Delivery of an X-ray” is not enough. Specify accessories, software, PACS connectivity, training, and documentation.
• Step 4: Set penalties. A contract without penalties has no teeth. Set contractual penalties for late delivery, failure to meet service deadlines, or loss of functionality/uptime.
• Step 5: Prepare for inspections. Keep a file for each contract containing the EU Declaration of Conformity, instructions for use, staff training records, and PBTK reports.

Conclusion

Contracts with medical device suppliers are not just a formality. They are a fundamental risk-management tool for a healthcare facility in the Czech Republic. A well-drafted contract will protect you from fines imposed by SÚKL, ensure operational continuity, and provide certainty in the event of a dispute over damages.

Attorneys at ARROWS, a Prague-based law firm, deal with these issues on a daily basis. We have experience with dozens of healthcare facilities, public procurement procedures, and damages disputes. Our firm carries professional liability insurance with high limits, giving you the assurance of strong professional backing.

If you are unsure about the quality of your contracts or are planning to purchase new technology, contact ARROWS, a Prague-based law firm. Send us your documents to office@arws.cz for a consultation. In healthcare law, prevention is always cheaper than dealing with the consequences.

FAQ – Most common legal questions on contracts with medical device suppliers

1. If a contract is concluded for a fixed term and is automatically extended, can I terminate it?

Answer: It depends on the wording of the contract. Automatic extension is common, but the contract should include an option to refuse the extension within a certain window before the anniversary date. If the supplier fails to perform its obligations (e.g., does not carry out servicing properly), you have the statutory right under Czech law to withdraw from the contract due to a material breach. Contact us to assess your specific situation.

2. What documents must I have for the device in 2026?

Answer: At a minimum: (a) the EU Declaration of Conformity, (b) instructions for use in Czech, (c) a record of staff training having been carried out, (d) an operating log (if required), (e) PBTK reports.

3. Can the supplier increase the service price by inflation even if it is not in the contract?

Answer: Without an indexation (inflation) clause in the contract, the supplier cannot unilaterally increase the price unless the parties reach a new agreement. If you do not agree to the increase, the contract remains in force under the original terms (unless the supplier terminates it, if it has that option).

4. What should I do if I find out I am using a device without a valid PBTK?

Answer: Immediately take the device out of operation and order an inspection. Using a device without a valid PBTK is an administrative offence subject to a high fine in the Czech Republic and, if a patient is harmed, it establishes your liability. It is not possible to “paper” an inspection retroactively, and doing so would be fraud.

5. Do I have to tender the servicing if the device is under warranty?

Answer: Warranty servicing is usually tied to the supplier. Post-warranty servicing in public procurement should be tendered; however, a negotiated procedure without prior publication (JŘBU) is often used by reference to technical exclusivity if servicing can only be performed by an authorised representative. This approach must be thoroughly justified under Czech public procurement rules.

6. Is liability insurance also required for an outpatient clinic?

Answer: Yes, the Act on Health Services (Section 45) imposes an obligation on all providers to have liability insurance in place for damage caused in connection with the provision of healthcare services in the Czech Republic.

Notice: The information contained in this article is of a general informational nature only and is intended to provide basic guidance on the topic. Although we strive for maximum accuracy, legal regulations and their interpretation evolve over time. To verify the current wording of the relevant regulations and their application to your specific situation, it is therefore necessary to contact ARROWS, a Prague-based law firm, directly (office@arws.cz). 

Read also:

• Public Procurement of Medical Devices and Services in the Czech Republic:
• Legal Liability and Statutory Duties of Healthcare Management in Czechia:
• Protecting Healthcare Know-How and IP in the Czech Republic: Key Steps:
• Cybersecurity, Drone Hijacking, and Liability for Damage:
• Legal Validity and Risks of Simple Electronic Signatures in Czech Law: