The effectiveness of the risk management systems established by medical device manufacturers and health-care facilities is clearly reduced by European and national legal provisions. Laws, regulations and authorities prevent the systematic exchange of much safety-relevant information. The obligation to report adverse events is suspended for many relevant risks associated with medical device use. Reporting to the vigilance system is of little benefit to users. Reporting may even endanger the information provider. The federal fragmentation of the German vigilance system poses a risk for patients. Risk management in health-care facilities without a risk policy is dangerously incomplete.