---
title: The Both-Sides Perspective: Auditor and MedTech Entrepreneur
description: What does MDR look like from both sides of the audit table? Tibor Zechmeister has spent 15 years as a founder and as a lead auditor. Here is what that dual view teaches.
authors: Tibor Zechmeister, Felix Lenhard
category: MDR Fundamentals & Regulatory Strategy
primary_keyword: both-sides perspective MDR auditor entrepreneur
canonical_url: https://zechmeister-solutions.com/en/blog/both-sides-perspective-auditor-entrepreneur
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# The Both-Sides Perspective: Auditor and MedTech Entrepreneur

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Most people who write about MDR have sat in one chair. Tibor Zechmeister has sat in two. Fifteen years as a MedTech founder. Four companies, including Flinn.ai. And simultaneously a Notified Body lead auditor operating under the framework of Annex VII of Regulation (EU) 2017/745. The both-sides perspective is not a branding line. It is what happens to your judgment when you have been the one sweating through an audit and the one sitting on the other side of the table asking the questions. Each chair teaches things the other chair cannot. This post walks through what each side sees, and what only becomes visible when you have sat in both.**

**Last updated 10 April 2026.**

---

## TL;DR

- Tibor Zechmeister has spent fifteen years in MedTech regulatory affairs, founded four companies including Flinn.ai, and works as a Notified Body lead auditor under the framework of Annex VII of Regulation (EU) 2017/745.
- The founder chair teaches what the regulation costs in cash, sleep, and team morale, things an auditor who has never built a company cannot fully understand.
- The auditor chair teaches what good and bad files actually look like across dozens of companies, the patterns a single founder will never see because they only go through certification once or twice.
- The combination produces a specific kind of judgment: knowing which corners are safe to round and which ones are load-bearing, and being able to defend that judgment to a Notified Body because you have been on the other side.
- The honest limit: nobody knows every corner of the MDR. "If someone says they do, they're not even scratching the surface." The book and this blog are written in that spirit.

---

## "How hard could it be?": The origin story

A brief framing note from Felix. Felix met Tibor at FH Kärnten somewhere around fifteen to twenty years ago. Tibor was running a startup called Tremitas. Felix was doing what Felix does: building a strategic roadmap for the company. That roadmap is where Tibor ran into the Medical Device Directive, which is what the MDR was called back then. It was his first real encounter with European medical device regulation.

He says it cleanly: "How hard could it be to certify a medical device? Fifteen years later, I know that wasn't the smartest question."

That sentence is the whole origin story. Tibor did not start out as a regulatory expert. He started as a founder who thought the regulatory side of MedTech was a task to finish rather than a world to learn. The fifteen years since are what happens when a founder who thought it would be easy refuses to quit until it actually is easy, or at least until it is defensible, predictable, and survivable on a startup budget.

Tibor takes it from here.

## What the founder chair teaches

Tibor spent the first ten years as a manufacturer. He made so many mistakes he would never make again.

The founder chair teaches things you cannot learn any other way. Here is what that means in practice.

**It teaches you what the regulation actually costs.** Not in euros on a consultant's invoice. In runway, in team meetings that do not happen because half the team is writing procedures, in product decisions that get delayed because nobody is sure which way the classification will land. The cash cost of MDR is visible in spreadsheets. The other costs are not. You only see them when you are the person approving the spend, looking at the calendar, and watching the roadmap slip.

**It teaches you what fear feels like.** Not the fear of failing an audit in the abstract. The specific fear of an investor call where you have to explain why certification slipped another quarter. The fear of a team member resigning because they are tired of writing the same procedure for the third time. The fear that you will have done everything right and still be killed by a Notified Body queue. An auditor who has never built a company can understand these fears intellectually. A founder who has been there understands them in their body.

**It teaches you what actually gets used.** Sitting inside a company, you see which procedures are followed and which ones are theater. You see which risk controls actually change behavior and which ones are paragraphs in a binder. You develop a nose for the difference between documentation that represents reality and documentation that is written to pass an audit. That nose is impossible to develop from the outside.

**It teaches you the specific loneliness of regulatory work in a small company.** There is nobody to escalate to. There is nobody who has seen this exact edge case before. You are making decisions that will define the next two years of the company, and you are making them with a fraction of the information a regulatory affairs team at a large MedTech would have. Tibor knows that chair. He has been in it.

## What the auditor chair teaches

The auditor chair teaches a completely different set of things. Notified Body lead auditors operate under Annex VII of the MDR, which defines the requirements Notified Bodies themselves must meet, including the competence and independence of their auditors. That framework is the one Tibor audits under.

**It teaches you pattern recognition across companies.** A single founder goes through certification once or twice in a career. An auditor sees dozens of files in a year. You start to see the same patterns over and over: the same shortcuts, the same misunderstandings, the same places where the file looks clean but is actually hollow. You develop a statistical sense of where things go wrong that no single founder can develop.

**It teaches you what "good" actually looks like.** Founders often ask Tibor, "Is this good enough?" Before he sat in the auditor chair, he had an opinion. After he sat in the auditor chair, he had a reference set. He has seen the three-person company in Lower Austria that finished an audit with zero non-conformities. He has seen the Berlin outfit that bought templates online and replaced the placeholder company name. The gap between those two files is everything, and you only see the full gap when you have read a lot of files.

**It teaches you that auditors are not trying to catch you.** "Audits are not policing. They're about working together to produce safer medical devices." That is not a PR line. That is what the job actually feels like from the auditor's seat. The auditor wants the device to be safe. The auditor wants the company to pass. The auditor is not looking for a reason to fail you. The auditor is looking for evidence that you have done the work. When founders approach the audit as a fight, they make it harder on themselves for no good reason.

**It teaches you where the regulation is sharp and where it is soft.** Some MDR requirements are absolute. Some require judgment. An auditor learns, through repetition, which is which, and learns to defend the distinction. This is the single most valuable thing the chair teaches, and it is not written down anywhere. It lives in the accumulated experience of having applied the same articles to dozens of different devices.

## What you only learn from sitting in both

Here is the part that matters. There are things you only learn when you have occupied both chairs, and they are the things that most shape how Tibor works with founders now.

**You learn which corners are safe to round and which ones are load-bearing.** As a pure founder, everything feels load-bearing because you cannot afford to be wrong. As a pure auditor, you can recommend the full program because you are not paying for it. In both chairs, you learn which requirements have real compliance weight and which are habits the industry has built up around the regulation without the regulation actually demanding them. That judgment is the difference between a startup that ships in eighteen months and one that is still writing procedures in year four.

**You learn how to defend a lean decision to a Notified Body.** A founder on their own might make the right lean call and still fail the audit because they cannot explain the reasoning in the language the auditor expects. Having sat in the auditor chair, Tibor knows exactly what the auditor needs to hear to accept a lean decision: which article it traces to, which evidence supports it, which alternative was considered and rejected and why. Lean is not just about doing less. It is about being able to justify less with more precision than the standard approach justifies more.

**You learn to separate "the regulation requires it" from "my consultant recommends it."** Most of the work that drowns startups is in the second category, not the first. You only see this clearly when you have watched the regulation be applied from both sides: as a manufacturer trying to meet the obligation and as an auditor checking whether the obligation has been met. The space between those two things is where waste lives, and it is large.

**You learn honest respect for the regulation, even when you disagree with it.** "I don't love the MDR. It's a terrible overkill. But I love the challenge of overcoming it efficiently." That is Tibor's honest position. He is not a regulation fanboy. He thinks the MDR is disproportionate to the safety benefit in many places. But the regulation exists, it is law, and patients depend on it being applied seriously. The both-sides perspective is what keeps the critique honest: neither cheerleading nor dismissing, but working through it as it is.

## The sparring partner concept

Tibor is not a consultant. He is a sparring partner. Consultants give you PowerPoint slides. A sparring partner sits next to you and fixes things.

The distinction matters because it comes out of the both-sides experience. A consultant, the kind who has only sat in one chair, tends to produce artifacts. Reports. Roadmaps. Gap analyses. All of that has its place, but none of it gets you certified on its own. A sparring partner gets in the ring with you. Disagrees with you when you are wrong. Runs the argument you will need to run with the Notified Body before you run it with them. Points at the specific paragraph of your file that will cause trouble and rewrites it with you, not for you.

Tibor works this way because he knows from the founder chair how useless a PowerPoint slide feels when your runway is six months and you do not know whether your classification is going to hold. And he knows from the auditor chair what an auditor is actually going to ask when they open your file. Putting those two things together is the entire job.

## The honest limit: "I don't know everything"

Here is the part every founder should hear clearly. "I don't know everything about the MDR. If someone says they do, they're not even scratching the surface."

The regulation is vast. It touches hundreds of edge cases. New guidance documents come out. Standards get revised. Case law develops. Notified Body positions shift. Anybody who tells you they have mastered all of it is either lying or does not understand how large the domain actually is. Tibor has fifteen years in this, four companies, a lead auditor role, and still finds corners he has not seen before.

This is why the book and this blog give everything away. There is no knowledge monopoly to protect. The complexity of the regulation itself creates the need for expert partners, not because the book holds anything back, but because every device is different and every company has edge cases the book cannot cover. If a reader walks away from this post thinking Tibor has special knowledge they cannot access, they have misunderstood. What he has is fifteen years of making mistakes and learning from both chairs. The mistakes are in these posts. The learning is in these posts. The edge cases for their specific device are not in these posts, because nobody can write them in advance.

## The Subtract to Ship angle

The Subtract to Ship framework, the methodology this whole blog and the companion book are built on, only works if whoever is running it has the both-sides perspective. You cannot subtract safely from outside. If you have only been a founder, you do not know which cuts are safe. If you have only been an auditor, you do not feel the cost of keeping everything. The framework requires someone who has lived both experiences and can defend each cut to the auditor because they know what the auditor will ask.

That is the reason the framework exists. And it is the reason the both-sides perspective is not a marketing line. It is the working condition that makes lean MDR compliance possible without cutting into safety.

## Reality Check: Where do you stand?

1. Is the person advising you on MDR someone who has actually built a MedTech company, or only someone who has written about building one?
2. Has that person ever sat on the other side of an audit table, in any capacity? Do they know what an auditor actually asks?
3. When you ask them a question they do not know the answer to, do they admit it, or do they make something up?
4. Can they defend a lean decision to a Notified Body, or do they default to "do everything" because it is safer for them if you do?
5. Are you paying for artifacts (slides, reports, gap analyses) or for someone who will sit next to you and fix things?
6. Have you read anything from the Notified Body side of MDR, or is everything you know about audits coming from companies preparing for them?

## Frequently Asked Questions

**Can the same person be a Notified Body lead auditor and a MedTech entrepreneur?**
Yes, within the independence rules set out in Annex VII of Regulation (EU) 2017/745, which governs Notified Body requirements including the independence and competence of auditors. A lead auditor cannot audit a company they have a conflict of interest with, but there is no prohibition on auditors also running or founding MedTech companies in general. The combination is uncommon but valuable. It produces judgment that neither pure auditors nor pure entrepreneurs develop.

**What does the both-sides perspective actually change in practice?**
It changes the ability to defend lean decisions to a Notified Body. A founder who has only been a founder may make the right call and still fail the audit because they cannot frame the decision in the language the auditor expects. A person who has sat in both chairs knows what the auditor will ask and can prepare the file accordingly. It also changes the ability to tell the difference between real compliance requirements and industry habits that have accreted around the regulation without the regulation demanding them.

**Is the both-sides perspective a substitute for reading the regulation yourself?**
No. The regulation is the only authoritative source. The MDR (EU) 2017/745 consolidated text is the single point of truth for everything. A sparring partner with the both-sides perspective helps you apply the regulation, but they do not replace it. Founders who outsource their regulatory understanding entirely end up at the mercy of whoever they hired. The both-sides perspective should be additive to your own reading, not a substitute for it.

**How do I tell if a regulatory advisor has real both-sides experience?**
Ask specific questions. "What company did you build? What class was the device? What Notified Body did you certify with? What are you auditing now, and for whom?" Real experience produces specific, concrete answers. Vague answers mean vague experience. Also ask what they do not know. Anyone who claims to know everything about the MDR is signaling that they have not seen enough of it to know how large it is.

**Why does this post not try to sell me something?**
Because the domain sells itself. MDR is vast, the stakes are high, and the gap between knowing what to do and doing it safely is where expert partners add value naturally. The book and the blog give everything away because we can. The consulting demand comes from the complexity of specific situations, not from anything we hold back in the writing.

## Related reading

- [What Is the EU MDR? The Complete Guide](/blog/what-is-eu-mdr) – the hub post for everything in MDR Fundamentals and the place to start if you are new to the Regulation.
- [Notified Body Auditor Perspective on MDR](/blog/notified-body-auditor-perspective) – more on what the audit actually looks like from the other side of the table.
- [How to Prepare for Your First Notified Body Audit](/blog/prepare-for-first-notified-body-audit) – the practical preparation guide, written with both-sides input.
- [DIY vs. Hiring an MDR Consultant](/blog/diy-vs-mdr-consultant) – how to evaluate any advisor you are thinking of hiring.
- [The Subtract to Ship Framework for MDR Compliance](/blog/subtract-to-ship-framework-mdr) – the methodology the both-sides perspective makes possible.
- [How to Choose the Right Notified Body](/blog/choose-right-notified-body) – the strategic decision behind the audit relationship.
- [The No-Bullshit MDR Guide for First-Time Founders](/blog/no-bullshit-mdr-guide-first-time-founders) – the founder-chair companion post.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (Medical Device Regulation), consolidated text. Official Journal of the European Union, L 117, 5.5.2017.
2. Regulation (EU) 2017/745, Annex VII. Requirements to be met by Notified Bodies (including requirements for the competence, independence, and impartiality of auditors).

---

*This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The both-sides perspective is the working condition behind everything in this blog and the companion book. The book gives everything away because the regulation itself, not any withheld knowledge, is what creates the need for expert partners.*

