FDA + DEA + DSCSA compliance on Magento — is it actually feasible?

Yes. Magento is a commerce platform — compliance is a wiring problem, not a platform-fit problem. Three separate regulators, three workstreams:

  • FDA — product registration (NDC code per drug + strength + package size), structured product labeling (SPL) for the PDP, MedWatch adverse-event reporting integration. Magento custom product attributes hold NDC + SPL XML reference; an admin observer pushes adverse-event reports to FDA’s SafetyReport API.
  • DEA — only relevant if you handle Schedule II–V controlled substances. Custom Magento checkout step for DEA Form-222 (Schedule II) or CSOS electronic ordering, biennial inventory tracking, suspicious-order monitoring (SOM) reports auto-flagged via a Magento cron + report module. DEA registrant validation per buyer-account at signup.
  • DSCSA (Drug Supply Chain Security Act, fully effective 27 Nov 2023, with stabilisation period) — unit-level GS1 DataMatrix serialization (GTIN + serial + lot + expiry), AS2 / EPCIS exchange with trading partners, transaction information / history / statement (TI / TH / TS) at every handoff. Magento talks to a serialization middleware (TraceLink, rfxcel, SAP ATTP, Tag-It) for the actual serial-record exchange — nobody builds DSCSA middleware from scratch.

I’ve shipped this stack for a regional pharma distributor and a specialty Rx pharmacy. Two things matter: middleware pick (TraceLink is the safe default at $80M+ GMV; rfxcel cheaper for mid-market; Tag-It is good for small pharmacies) and regulatory pre-audit before any live release. Don’t skip the pre-audit.
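An added example (not from the original page or from any middleware vendor): validating a scanned GS1 DataMatrix payload into the GTIN, serial, lot and expiry elements named in the DSCSA bullet before the record is handed to serialization middleware. The sample scan is constructed; the function names and the fixed 20xx century are assumptions.

```python
import calendar
import re
from datetime import date

GS = "\x1d"  # scanners transmit the FNC1 separator as ASCII group separator
# AI -> (field, fixed length; None = variable, up to 20 chars, GS-terminated)
AIS = {"01": ("gtin", 14), "17": ("expiry", 6), "10": ("lot", None), "21": ("serial", None)}
CSET82 = re.compile(r'[!"%-/0-9:-?A-Z_a-z]{1,20}')  # GS1 character set 82

def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10: weights 3,1,3,... from the digit left of the check digit."""
    if not (len(gtin) == 14 and gtin.isascii() and gtin.isdigit()):
        return False
    total = sum(int(d) * (3, 1)[i % 2] for i, d in enumerate(reversed(gtin[:-1])))
    return (10 - total % 10) % 10 == int(gtin[-1])

def parse_expiry(yymmdd: str) -> date:
    """AI (17) is YYMMDD; DD == 00 means the last day of the month."""
    if not (len(yymmdd) == 6 and yymmdd.isascii() and yymmdd.isdigit()):
        raise ValueError("expiry must be 6 digits")
    year, month, day = 2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])  # assumes 20xx
    if day == 0:
        day = calendar.monthrange(year, month)[1]
    return date(year, month, day)

def parse_gs1(payload: str) -> dict:
    """Return gtin, serial, lot, expiry from a scan, or raise ValueError."""
    payload = payload.removeprefix("]d2")  # symbology identifier for GS1 DataMatrix
    out, pos = {}, 0
    while pos < len(payload):
        ai = payload[pos:pos + 2]
        if ai not in AIS or AIS[ai][0] in out:
            raise ValueError(f"unsupported or duplicate AI {ai!r} at offset {pos}")
        (name, fixed), pos = AIS[ai], pos + 2
        end = pos + fixed if fixed else (payload + GS).index(GS, pos)
        out[name], pos = payload[pos:end], end
        if payload.startswith(GS, pos):
            pos += 1  # consume the separator after a variable-length element
    if set(out) != {"gtin", "serial", "lot", "expiry"}:
        raise ValueError(f"incomplete identifier, got {sorted(out)}")
    if not gtin_check_digit_ok(out["gtin"]):
        raise ValueError("GTIN check digit mismatch")
    if not (CSET82.fullmatch(out["lot"]) and CSET82.fullmatch(out["serial"])):
        raise ValueError("lot/serial must be 1-20 characters from GS1 set 82")
    out["expiry"] = parse_expiry(out["expiry"])
    return out

# Constructed sample scan: GTIN, expiry June 2026 (day 00), lot, GS, serial
SAMPLE = "]d2" + "01" + "00312345678906" + "17" + "260600" + "10" + "LOT42A" + GS + "21" + "SN0000123456"
```

A scan that drops the separator after the lot is rejected rather than silently merging lot and serial, which is the failure worth catching before a record reaches a trading partner.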
