Some MDR work can be done in-house by a disciplined founder with good reading skills and enough runway to be slow. Some MDR work should never be done without expert input because the cost of getting it wrong — in euros, in months, or in patient harm — is an order of magnitude larger than the cost of getting help. The decision is not "consultant or no consultant." It is a list of specific activities, each one scored against your team's actual competence, the stakes of the decision, and the cost of the mistake. This post gives you that list, and it gives you a way to tell competent external help from expensive noise.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- DIY is viable for parts of MDR work. It is not viable for all of it. The question is which parts, for which team, at which stage.
- The activities that almost always benefit from expert input are the ones where a wrong decision is hard to reverse: intended purpose definition, classification, clinical evidence strategy, Notified Body selection, and PRRC arrangements under Article 15.
- The activities that a disciplined founding team can often handle in-house are the ones where the work is mostly reading, drafting, and maintaining: procedural QMS documents, training records, internal audit planning, vendor files, basic risk management documentation under supervision.
- There is a charlatan problem in MDR consulting. "We have a dedicated expert handling regulatory" is one of the most dangerous sentences in MedTech, because the person behind the sentence is often not an expert at all.
- The test that separates a regulatory sparring partner from a regulatory vendor is simple. A vendor gives you slides and invoices. A sparring partner sits next to you and fixes things. You want the second one.
- Every euro you try to save on the wrong decision at the start costs hundreds or thousands later. Every euro you overspend on work you could have done yourself is runway you do not get back. Both mistakes are common. Both are avoidable with a framework.
Why this matters for your startup
There is an Austrian company we came across where the founders told every investor, every partner, and every incoming auditor the same sentence: "We have a dedicated expert handling regulatory." The sentence did its job. Investors relaxed. Partners relaxed. The board relaxed. Everyone assumed the hard part was covered.
The "dedicated expert" turned out to be beginner-level. Not a fraud in the criminal sense — just someone who had learned the vocabulary without learning the regulation. The QMS documents looked right. The filenames matched what you would expect to see. The structure of the technical file looked plausible from the outside. Under the surface, almost every significant decision had been made incorrectly. Intended purpose was inconsistent between documents. Classification rationale pointed at the wrong Annex VIII rule. The clinical evaluation strategy would not have survived a serious Notified Body review. The risk file was cosmetic.
Nobody noticed until a real audit hit. By then, the company had been operating for years on a regulatory foundation that looked competent and was not. Rebuilding it cost a multiple of what getting it right the first time would have cost, and they were lucky they discovered the gap before it reached a patient.
"We have a dedicated expert handling regulatory" became, in our experience, one of the most dangerous sentences in MedTech. Not because the sentence is always wrong — sometimes the expert really is competent. Because the sentence ends the conversation when it should start one.
Felix has a sharper version of the same point from the startup coaching side: there are a lot of people who claim to have expertise and really do not have it. Regulatory consulting attracts them because the vocabulary is learnable, the invoices are large, and the customers are often too junior in the domain to tell the difference between fluency and competence.
This post is written to give you the tools to tell the difference — whether you are evaluating us, a competitor of ours, or a regulatory hire on your own team.
What DIY can credibly cover
Some regulatory work is readable, repeatable, and mostly about discipline. A founder with enough time, a willingness to read primary sources, and a minimum of prior exposure to quality management can handle more than most regulatory consultants will admit. The activities where DIY works best share three properties: the rules are written down clearly, the work is maintenance-heavy rather than decision-heavy, and the cost of a small error is a correction rather than a catastrophe.
Work that a disciplined founding team can often do in-house:
- Procedural QMS documents once a competent baseline structure exists. Writing a document control SOP, a training SOP, or a supplier evaluation SOP is not witchcraft. It is careful reading of EN ISO 13485:2016+A11:2021 and honest description of what your team actually does.
- Training records and internal training delivery. Nobody outside your company knows your processes better than you do. A consultant writing your training materials will often produce something generic that your team ignores.
- Internal audit planning and execution at the level of checking whether your own processes are being followed. External internal audits (yes, that phrase is correct) are useful at certain milestones, but the regular discipline of "are we doing what we said we would do?" is an in-house job.
- Vendor files, purchasing records, and supplier assessments for routine suppliers. The judgment calls on critical suppliers are harder and sometimes worth expert input.
- Basic risk management documentation under competent supervision — populating the risk file with identified hazards, running through the analysis, recording mitigations. The structure is learnable. The judgment on which hazards matter most is where expert input earns its keep.
- Literature searches and the first drafts of literature-based clinical evaluation input, provided someone with clinical evaluation experience reviews the strategy before you commit to it.
- Post-market surveillance data collection infrastructure, once the PMS plan is correctly designed.
DIY here does not mean "do it alone, once, and never revisit." It means "the work lives inside the company and is done by people who will still be here in two years." That is the correct long-term shape for a competent MedTech organisation. No consultant can run your QMS for you forever, and if one tries to, that is a sign to walk away.
What should almost always involve expert input
Some MDR work is the opposite. The rules are written down, but reading them correctly requires judgment developed across many devices, many audits, and many failure modes. The work is decision-heavy rather than maintenance-heavy. A small error at the start compounds into a large one at the end. These are the activities where DIY is a false economy in almost every startup we have worked with.
- Intended purpose definition. The single most leveraged sentence in your entire regulatory file. The definition drives classification, clinical evidence strategy, labelling, and whether you are a medical device at all. Getting this wrong at the start means every downstream document is built on a faulty foundation.
- Classification under MDR Annex VIII. The classification rules are not a lookup table. They involve interpretation, and the interpretation depends on experience with how Notified Bodies actually read the rules. A classification one step too high is months of unnecessary work. A classification one step too low is a conformity assessment that will not hold up.
- Clinical evidence strategy under Article 61 and Annex XIV. The difference between a literature-based pathway, an equivalence-based pathway, and a full clinical investigation is hundreds of thousands of euros and one to two years of development time. The decision should be made once, with expert input, and documented.
- Notified Body selection and first engagement. There are too few Notified Bodies for MDR and too many devices. Choosing the wrong one costs months of queue time. The first interaction with them sets the tone for the entire certification. See How to Choose the Right Notified Body.
- PRRC under MDR Article 15. The Person Responsible for Regulatory Compliance is a legal role with specific qualification requirements. Micro and small enterprises can use an external PRRC arrangement under Article 15(2), and for many startups this is the right structure — see PRRC Options for Startups and PRRC and MDR Article 15. Getting the PRRC setup wrong is a legal exposure, not just a regulatory one.
- Technical file architecture. Annex II tells you what must be in the file. It does not tell you how to organise a file that a specific Notified Body will read in a specific way. Experience with how files are actually reviewed is the difference between a first submission that proceeds and a first submission that comes back with a long list of deficiencies.
The underlying pattern: if the decision is hard to reverse, get expert input before you make it. If the work is repeatable once the decision is made, do it yourself.
The sparring partner vs. vendor test
The most useful distinction we have for evaluating external regulatory support is the difference between a sparring partner and a vendor.
A vendor sells you deliverables. PowerPoint slides. Gap analyses. Template packages. Beautifully formatted documents that arrive in your inbox with an invoice. The vendor relationship is transactional: you describe what you want, they produce it, you pay, they leave. The vendor never has to defend the work in front of a Notified Body, because by the time the Notified Body shows up, the vendor has moved on to the next customer.
A sparring partner sits next to you and fixes things. They work inside your problem, not across from it. They argue with you when you are wrong. They change their mind when you are right. They answer the phone at 9pm before an audit because the audit is also their problem. When something breaks, they are still there, and they help fix it, and they learn from it alongside you.
Tibor's self-description: "I'm not a consultant. I'm a sparring partner. Consultants give you PowerPoint slides. I sit next to you and fix things." That is a self-description, not a brand line. And it is a test you can apply to any person or firm you are considering, including us. If the pitch is a menu of deliverables with fixed prices and fixed scope, you are looking at a vendor. If the pitch is an honest conversation about where you are, what is hard, and how they would engage with the problem over time, you are looking at something closer to a sparring partner.
Both have their place. For a one-off document review, a vendor can be fine. For the core regulatory strategy of a startup, you want the sparring partner shape, and you want them to still be around in two years.
How to evaluate any regulatory consultant
A practical list of questions for a first conversation with any regulatory consultant, ours or anyone else's. The answers tell you more than any credentials list.
- "Tell me about a device you got wrong." A consultant who has done 50 certifications has failed at some point. Someone who has not is either lying or has not done the work. Real practitioners have scars and can describe them without drama.
- "Walk me through a classification decision you argued with a Notified Body about." Listen for specifics — the rule, the argument, the evidence, the outcome. Vague answers mean the person has watched this happen, not done it.
- "What is the intended purpose of my device, as you understand it right now?" A competent consultant will try to answer and will ask clarifying questions. An incompetent one will skip this and talk about next steps.
- "What don't you know about MDR?" This is Tibor's favourite question, applied in reverse. If a consultant claims total expertise — "I know everything about MDR" — that is a warning sign. The regulation is vast. MDCG guidance evolves. Harmonised standards change. An honest answer starts with the areas where they defer to specialists: notified-body-specific politics, niche device categories, particular member state nuances. A consultant who cannot name a single area of regulatory weakness is not self-aware enough to trust with your file.
- "Who actually does the work?" Some firms sell you a senior name and hand the work to juniors. That can be fine if the juniors are supervised. It is not fine if the senior never appears again.
- "What happens if the Notified Body rejects part of the file?" The answer you want is: "I help you fix it." The answer you do not want is: "That would be a change order."
- "Can I call three of your previous clients?" Real sparring partners have references who are still happy to talk years later. Vendors have references who barely remember them.
- "What would you refuse to do for a client?" An honest consultant has red lines — no illegal testing, no grey-area exports, no help obscuring information from the Notified Body, no fake documentation. A consultant without red lines will sell you the mistake that ends your company.
The answers do not need to be polished. They need to be specific, honest, and rooted in real experience.
Red flags
- "We have a dedicated expert handling regulatory" — said without a name, a CV, a specific track record, or an independent way to verify.
- Promises that certification will be easy, fast, or guaranteed. It will not be easy. It can be fast relative to peers who are wasting runway. It will never be guaranteed.
- Pricing that is strikingly below market for the scope described. Either the scope is not what you think it is, or the work will be done by someone under-qualified.
- Pricing that is strikingly above market without a clear explanation of what the premium buys.
- No clarifying questions in the first conversation. A consultant who is ready to quote before understanding your intended purpose is not listening.
- Only template-based deliverables. Templates have a place — as a starting point. As the final product, they are the Berlin template disaster waiting to happen.
- Refusal to show you previous work at any level. Confidentiality is real; blanket refusal is a signal that the previous work is not defensible.
- A single-person practice with no backup plan if the person gets sick, goes on holiday, or decides to wind down. Your regulatory partner should not be a single point of failure.
When cheaper (or internal) is the right answer
Cheaper is not always wrong. There are real cases where a lighter engagement, or no external engagement, is the correct choice.
- You have a founder or co-founder with genuine MDR experience from a previous company, not just a regulatory course.
- Your device is clearly Class I, the intended purpose is stable, and you are not in a borderline case.
- You have a competent external PRRC under an Article 15(2) arrangement, and that person is engaged enough to catch errors.
- You are in Phase 1 feasibility work — the design is not frozen, and the manufacturer obligations under Article 10 have not fully attached yet.
- You have strong technical writing culture and a team used to producing real documentation, not performative documentation.
In these cases, an expensive consultant adds cost without adding safety, and you should push back against anyone telling you otherwise.
When cheaper is a trap
- You have no MDR-experienced person on the team, and the one regulatory hire you made is a junior whose CV is shorter than the regulation.
- Your device is in a classification grey zone, or the intended purpose is still moving.
- Your clinical evidence strategy is unclear, and you are improvising on whether to go literature, equivalence, or investigation.
- You are approaching first Notified Body engagement with no prior experience of how that conversation actually runs.
- Your runway depends on certification landing within a specific window, and a wrong first submission pushes you past that window.
In these cases, the cheapest decision is the most expensive one. Every euro you try to save on the wrong decision at the start costs hundreds or thousands later — and sometimes the thing that gets lost is not money but the company itself.
The Subtract to Ship angle
The Subtract to Ship framework applies to consulting engagements the same way it applies to the technical file. Strip everything that does not trace to a specific MDR obligation or a specific unresolved decision. If a consultant is offering you work that does not map to an article, an annex, a harmonised standard, or a decision you genuinely need help making, cut it.
Subtraction is also how you decide whether to engage at all. Write down the full list of decisions and deliverables between here and your next milestone. For each one, ask two questions: does our team have the competence to do this correctly, and what is the cost of getting it wrong? The items where the answer is "no" to the first question and "large" to the second are the items where external expertise pays for itself. The items where the answer is "yes" to the first question or "small" to the second are the items where DIY is fine. Everything in between is a judgement call, and that is where a both-sides perspective — someone who has been on both the auditor side and the entrepreneur side — earns its keep.
Reality Check — Where do you stand?
- For each major regulatory deliverable in your plan, can you name the person responsible, the hours budgeted, and the competence rationale for assigning it to that person?
- If you have regulatory work outsourced, can you describe, in specific terms, what the consultant is actually doing — not what the proposal says, what the work is?
- If your "dedicated regulatory expert" is an internal hire, who independently verified that person's competence? Their CV is not verification.
- Do you have a PRRC arrangement that is either a competent internal hire or a properly structured external arrangement under Article 15(2)?
- If your current consultant disappeared tomorrow, would you know what work they had done, what decisions they had made, and why?
- Has anyone on your team read the actual text of MDR Article 10, Article 15, Annex II, and Annex VIII — not a summary, the text?
- When a consultant gives you advice you disagree with, does the conversation end with a better answer, or with an invoice?
Frequently Asked Questions
Can a MedTech startup really do MDR certification without a consultant?
For a clearly Class I device with a disciplined team and at least one person with prior regulatory experience, yes. For anything more complex than that, the question is not whether you can — the question is whether the time and risk cost of learning on the job is cheaper than the fee of an experienced partner. Usually it is not.
How much should I budget for external MDR support?
There is no single number. The honest ranges depend on device class, scope of engagement, whether the consultant is doing the work or sparring with your team, and your geography. Be suspicious of both very low and very high quotes. Ask for the scope broken down by activity and by hours, not just a lump sum.
What is a PRRC and do I need an external one?
The Person Responsible for Regulatory Compliance is a role defined in MDR Article 15 with specific qualification requirements. Micro and small enterprises can use an external PRRC arrangement under Article 15(2). Whether you should depends on whether you have an internal candidate who meets the Article 15(1) qualification criteria and has enough time to do the role properly. See PRRC Options for Startups.
How do I tell a good regulatory consultant from a bad one in a single conversation?
Ask them what they do not know. A good one will answer honestly, naming specific areas of weakness. A bad one will deflect. Then ask them to tell you about a device they got wrong. Good ones have scars and can describe them. Bad ones claim perfection.
What if I cannot afford expert input on the decisions that need it most?
Then you cannot afford to make the decisions yet. This is uncomfortable to hear, but the Subtract to Ship discipline applies: do not start irreversible work until the reversible preparation is done. Read the primary sources. Use the Subtract to Ship framework to remove work you do not need. And if you still cannot afford help on the decisions that remain, that is a signal about your funding plan, not about your regulatory strategy.
Is this post an ad for Zechmeister Strategic Solutions?
It is not meant to be. Our project rule is to give away everything we know and let the complexity of the domain create demand naturally. Use this framework to evaluate us, to evaluate our competitors, and to evaluate regulatory hires on your own team. If the right answer for your specific situation is a different consultant or no consultant at all, we would rather you make that choice well than hire us badly.
Related reading
- What is the EU MDR? — the foundation this post builds on.
- 15 MDR Myths That Waste Startup Time and Money — a companion post on the false assumptions that drive over-spending.
- PRRC and MDR Article 15 — the legal foundation of the PRRC role.
- PRRC Options for Startups — how micro and small enterprises structure the PRRC role under Article 15(2).
- How to Choose the Right Notified Body — one of the decisions where expert input is almost always worth it.
- The Both-Sides Perspective: Auditor and Entrepreneur — why having seen both sides of an audit matters more than any single credential.
- The Subtract to Ship Framework for MDR — the methodology behind the DIY vs. consultant decision.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), Article 15 (person responsible for regulatory compliance), Article 15(2) (external PRRC arrangements for micro and small enterprises), Annex I (general safety and performance requirements), Annex II (technical documentation), Annex VIII (classification rules), Annex XIV (clinical evaluation). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The framework in this post is meant to be used against any regulatory partner, including us. If it helps you hire someone else and feel good about the choice, it has done its job.