A market surveillance inspection by a Competent Authority is a statutory enforcement action, not a commercial audit. Handle it in seven steps: acknowledge first contact within the deadline the authority sets, assemble the requested documentation exactly as scoped, prepare for a site visit if one is announced, answer questions factually and narrowly, deliver a written post-inspection response on time, run a real CAPA on every finding, and avoid the small number of mistakes that turn a manageable inspection into an enforcement cascade under MDR Articles 94, 95, and 97. The legal basis is MDR Article 93 and the manufacturer obligations in Article 10. Cooperation is mandatory. Volunteering beyond what was asked is not, and should not be the default.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- A Competent Authority inspection under MDR Article 93 is legally distinct from a Notified Body audit. The CA enforces; the NB certifies. The playbooks are not interchangeable.
- The single highest-leverage move in the first 48 hours is acknowledging the inspection in writing, confirming the scope in your own words, and asking the authority to put its deadline and requested artefacts in writing.
- Produce exactly what was requested, in the structure the authority asked for. Extra volume is not helpful and sometimes harmful.
- Answer only the question on the table. Do not speculate. Do not extrapolate. Do not volunteer parallel issues that were not part of the scope.
- Every finding produces a CAPA under your QMS. Root cause, corrective action, preventive action, effectiveness check, evidence. Article 95 and Article 97 timelines run against this.
Why this is not an NB audit
Founders who have been through a Notified Body audit sometimes assume a Competent Authority inspection will feel similar. It does not. The NB is a designated conformity assessment body operating under a contract with the manufacturer. The CA is a public enforcement body operating under the national law that implements MDR Chapter VII, Section 3. The NB writes findings that feed a certificate. The CA writes findings that can feed a restriction, a withdrawal, or a recall.
The consequence for day-to-day handling is that the tone, the pacing, and the decision rights are different. An NB auditor can be pushed back on, negotiated with, and occasionally overruled on interpretation. A CA inspector has a statutory mandate under MDR Article 93(3) that entitles them to documentation and samples, and the manufacturer's obligation is cooperation, not debate. That does not mean rolling over. It means knowing the difference between cooperating on the evidence and litigating the regulation. Post 191 on market surveillance by competent authorities covers the legal architecture in full. This post is the operational companion.
Step 1 — Handle the first contact
The inspection almost always starts with a letter or an email. It will name the Competent Authority, cite the legal basis (typically MDR Article 93 and the national transposition), describe the scope of the inquiry, list the documents requested, and set a response deadline.
The first move is to acknowledge receipt in writing, to the named inspector, within one working day. The acknowledgement does three things: it confirms the authority has reached the correct legal entity, it restates the scope as the manufacturer understands it, and it asks any clarifying questions about the requested artefacts or the deadline. If the deadline is unrealistic for the scope requested, this is the moment to say so and to propose an alternative, with reasons. Authorities will usually accept a reasonable extension request made early. They rarely accept one made on the day the package was due.
The second move is to notify the PRRC under MDR Article 15, the authorised representative if one is involved, and — where the inquiry touches a device under certificate — the Notified Body. The NB is entitled to know, and will find out eventually through the coordinated mechanisms the Regulation provides. Telling them first is a relationship choice that pays off later.
The third move is to open an inspection file. Not a folder on someone's laptop. A versioned, QMS-controlled file that captures every piece of correspondence, every artefact produced, every internal decision, and every interaction with the authority. Everything that happens during the inspection becomes part of the record. If it is not in the file, it did not happen.
Step 2 — Gather the requested documents
Read the scope twice. The most common error in this step is producing either too much or too little. Too little leaves the authority with unanswered questions and extends the inspection. Too much volunteers material outside the scope of the inquiry and can widen it in ways that were never required.
Produce exactly what was requested, in the format requested. If the authority asked for the current technical documentation package in the Annex II structure, deliver it in the Annex II structure. If the authority asked for the vigilance log for the last twenty-four months, deliver twenty-four months — not twelve, not thirty-six. If the authority asked for the PMS report under Article 85 or the PSUR under Article 86, deliver the one that applies to the device's class.
Every artefact produced goes through a short pre-release check. Is it the current version? Is it the version actually in use? Are the cross-references inside the document still valid? Is the file name clear? Is there a cover memo that states what the document is, what version it is, what date it was last updated, and what MDR article or annex it maps to? The cover memo is the single cheapest thing a startup can do to make an inspector's life easier, and it is almost never done.
A small number of artefacts are requested in almost every inspection, regardless of scope: the EU Declaration of Conformity, the current technical documentation, the PMS plan and the most recent PMS report or PSUR, the risk management file, the QMS scope and manual, the evidence of PRRC designation under Article 15, and the vigilance and complaint logs. If any of these cannot be retrieved within two working days, that retrieval gap is itself the first finding. Post 54 on preparing for the first Notified Body audit covers the document discipline that makes this retrieval possible.
Step 3 — Prepare for the site visit if one is announced
Not every market surveillance inspection involves a site visit. Many are resolved on documentation alone. When a visit is announced, the scope usually widens from documents-on-file to processes-in-action, and the preparation changes accordingly.
Confirm the visit date, the duration, the expected attendees from the authority, the rooms required, and any equipment they have asked to see. Name a single internal point of contact — typically the PRRC or the QMS manager — who owns the visit from the manufacturer's side. Brief every person who might be interviewed on the single rule that matters: answer the question on the table honestly, in your own words, without speculation and without volunteering adjacent topics. If you do not know the answer, say so and commit to finding it within the visit.
Do not clean up the QMS in the week before the visit. Rewrites in the final days introduce version control problems and are visible to an experienced inspector. If something is wrong in the QMS on Monday, it is still wrong on the Friday of the visit. Fix it through the CAPA system, on the same timeline the CAPA system would normally apply, and document the fix as a finding the manufacturer surfaced and is already remediating. Authorities respect active CAPA far more than they respect last-minute cosmetics.
Run one short internal walk-through. Not a full mock inspection — the inspection is days away and the time is better spent ensuring the requested artefacts are current. A walk-through covers the physical route the inspector will take, the rooms they will see, the documents they will ask for in each location, and the people they will talk to. Thirty minutes of walk-through saves hours of confusion on the day.
Step 4 — Answer questions during the inspection
The interview discipline is the single most undertrained skill in startup regulatory teams, and the single most consequential during a CA inspection.
Answer the exact question asked. If the inspector asks when the last management review was held, the answer is the date of the last management review — not a tour of the QMS, not an explanation of why the previous one was delayed, not a narrative about the company's growth. Short, factual, accurate. If a follow-up question is warranted, the inspector will ask it.
If you do not know the answer, say so. "I will need to check the record" is a professional answer. "I believe it was around July" is not — it introduces an imprecise fact into the record that will be cross-checked against documents and will create a discrepancy if the document says June. Guesses create findings. Admissions of uncertainty do not.
Do not volunteer information outside the question. Inspectors sometimes ask an open question specifically to see what the team surfaces unprompted. A well-meaning founder can open an entirely new line of investigation by answering "do you have anything else to add?" with a five-minute tour of every open CAPA in the system. The correct answer is "nothing relevant to the current scope." If there is a significant issue the authority genuinely needs to know about, that is a vigilance decision under Article 87, not an off-the-cuff disclosure during an interview.
Do not argue the regulation in the room. If there is a substantive disagreement on interpretation — and there will sometimes be — note it, cooperate on the evidence the authority is requesting, and reserve the substantive argument for the written post-inspection response, where it can be made carefully, with citations, and on the record.
Step 5 — Deliver the written post-inspection response
After the inspection, the authority produces a written communication. Depending on the Member State and the scope, this can be a preliminary findings letter, a formal decision under Article 95 or Article 97, a request for corrective measures, or a follow-up question list. Whatever the format, the response deadline is binding.
The written response is the single document that most determines the outcome. It should contain, at minimum, a restatement of each finding in the manufacturer's own words (to confirm understanding), the manufacturer's position on each finding (agree, partially agree, disagree with reasons), the corrective actions already taken, the corrective actions planned with target dates, the preventive actions to avoid recurrence, the evidence already available, and the evidence that will be produced by which date.
Where the manufacturer disagrees with a finding, the disagreement is stated cleanly, cited to the specific MDR article, annex, or harmonised standard being interpreted, and supported by evidence. Disagreement is legitimate. Silent non-compliance is not. Authorities treat a well-argued disagreement very differently from a dismissive one, and very differently from a missed response.
The response is signed by the PRRC and the person in the organisation who has authority to commit to the corrective actions. For a small startup, this is often the founder, and the founder's signature has legal weight under MDR Article 10. Treat it accordingly.
Step 6 — Run the CAPA properly
Every accepted finding becomes a CAPA under the QMS. Not a note. Not a promise. A formal corrective and preventive action with the discipline EN ISO 13485:2016 + A11:2021 requires: problem statement, root cause analysis, immediate correction, corrective action, preventive action, effectiveness verification, closure.
Short-circuiting the CAPA process is the fastest way to turn a single finding into an Article 95 enforcement action. Article 95 empowers the authority to require corrective measures within a defined period and, where the manufacturer fails to act adequately, to take measures itself. "Failed to act adequately" includes CAPA responses that were formally filed but technically empty — no root cause, no effectiveness check, no evidence that the same problem cannot recur. An experienced inspector sees through an empty CAPA in minutes.
Article 97 addresses non-compliance that does not rise to unacceptable risk, and uses the same cascade: the authority requires the manufacturer to end the non-compliance within a reasonable period; if the manufacturer does not, the authority takes its own measures. For either article, the CAPA record is the manufacturer's evidence that the period was used well.
For the CAPA discipline itself and the specific shape a regulator expects to see, see post 174 on CAPA for post-market findings and post 175 on closing non-conformities under MDR.
Step 7 — Avoid the common mistakes
The mistakes that turn a manageable inspection into a bad one are not exotic. They are the same mistakes, repeated.
- Missing the first deadline. A missed deadline on the acknowledgement letter or on the first document request sets the tone for the rest of the inspection and is itself a finding.
- Producing the wrong scope of documents. Too much and too little are both errors. Produce exactly what was asked for.
- Letting the founder speak without preparation. Founders who enjoy talking about their product sometimes volunteer claims during an inspection that the QMS cannot support. The interview discipline applies to everyone, including the CEO.
- Running last-minute document rewrites. Version control errors introduced in the final week are visible and are themselves a finding.
- Arguing regulation in the room. Argue on paper, after the inspection. Cooperate on evidence in the room.
- Filing an empty CAPA. A CAPA with no root cause, no effectiveness check, and no evidence is worse than no CAPA — it signals that the manufacturer believes the process can be faked.
- Not telling the Notified Body. Where a certificate is involved, the NB will be informed through the authorities' coordinated mechanisms. Letting them hear it from the authority instead of from the manufacturer damages the relationship and often the certificate.
- Hiding documents the inspector asks for. Under MDR Article 93(3), the authority is entitled to the documentation it asks for. Withholding it is a separate offence on top of whatever triggered the inspection.
The Subtract to Ship angle
The Subtract to Ship framework applied to inspection handling produces a small number of rules that are easy to state and difficult to maintain under pressure. Produce exactly what was asked. Answer exactly what was asked. Record exactly what happened. Close each finding with a real CAPA traced to a specific MDR article. Everything else — the panic, the rewrites, the volunteer disclosures, the defensive debates — is waste, and under inspection conditions waste is expensive.
The framework's final test applies here without modification. For every action the team takes during the inspection, ask: does this trace to a specific obligation in Article 10, Article 93, or the article being investigated? If yes, do it. If no, cut it. Subtraction during an inspection is discipline, not laziness — it is the refusal to let adrenaline expand the scope of the interaction beyond what the Regulation requires.
Reality Check — Where do you stand?
- If a Competent Authority letter arrived tomorrow citing Article 93 and requesting the current technical file, the last twenty-four months of vigilance records, and the latest PMS report, could you acknowledge within one working day and deliver within the typical two-to-four-week window?
- Is there a single named person — with a named backup — who owns the inspection file and the inspector interface from the manufacturer's side?
- Have your process owners been trained on the interview discipline described in Step 4, or would they volunteer adjacent information under open questioning?
- Is every finding from your last internal audit closed through a real CAPA with root cause, effectiveness check, and evidence, or are some of them filed as empty closure records?
- Do you know the name and contact route of the Competent Authority in the Member State where your device was first placed on the market?
- Does the PRRC under Article 15 have a named backup who could step in during an inspection if the primary PRRC is unavailable?
- If the inspection triggered a finding under Article 97, could you close it within the typical reasonable period the authority would set, and produce the evidence chain to prove it?
Frequently Asked Questions
Can I refuse to let a Competent Authority inspector on site? No. Under MDR Article 93(3) the authority is entitled to perform appropriate checks, which include on-site inspection where justified. Refusing access is itself a compliance failure and will escalate the inspection. The correct response to an on-site visit is cooperation, not obstruction.
Should I tell my Notified Body that a Competent Authority is inspecting me? Yes, especially where the device is under certificate. The authorities and the NB exchange information under the coordinated mechanisms in Articles 95 and 97, and the NB will find out. Telling them first is a relationship choice that pays off and avoids the appearance of concealment.
How is this different from a Notified Body surveillance audit? The NB audits against your contract and the conformity assessment annex that applies to your device. The Competent Authority inspects against the Regulation itself, under a statutory mandate in Chapter VII Section 3. The NB writes findings against a certificate. The CA writes findings that can trigger restrictions, withdrawals, or recalls under Articles 94, 95, and 97.
What if I disagree with a finding? State the disagreement in writing, in the post-inspection response, with the specific article, annex, or standard you are interpreting and the evidence supporting your position. Disagreement is legitimate when it is substantive and well-argued. Do not argue in the room during the inspection itself — argue on paper, on the record, where the reasoning can be read by reviewers.
Does Article 10 apply to a three-person startup during an inspection? Yes. MDR Article 10 sets the general obligations of manufacturers and applies to every manufacturer placing a device on the Union market, regardless of company size. The obligations are proportionate to the device's risk class, but the obligations themselves — including cooperation with Competent Authorities — are not waived for small teams.
Related reading
- Market Surveillance by Competent Authorities: What Startups Should Expect — the legal architecture that sits behind the operational steps in this post.
- How to Prepare for Your First Notified Body Audit as a Startup — the document discipline that makes Step 2 of this post possible.
- The Auditor's Perspective: What Notified Body Auditors Actually Look For — the interview discipline described here applies equally to NB audits.
- PMS Plan Under MDR Article 84 — the PMS document the inspector will most often ask for.
- CAPA for Post-Market Findings — the CAPA discipline that Step 6 depends on.
- Closing Non-Conformities Under MDR — the evidence standard an authority expects to see when a finding is closed.
- Field Safety Corrective Actions Under MDR — the FSCA framework that Article 95 enforcement often intersects with.
- What the PRRC Does Under MDR Article 15 — the role that owns the manufacturer's interface during the inspection.
- The Subtract to Ship Framework for MDR — the methodology behind the lean inspection handling described here.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), Article 93 (market surveillance activities), Article 94 (evaluation of devices suspected of presenting an unacceptable risk or other non-compliance), Article 95 (procedure for dealing with devices presenting an unacceptable risk to health and safety), Article 96 (other provisions on market surveillance), Article 97 (other non-compliance). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
This post is part of the Post-Market Surveillance & Vigilance series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. A Competent Authority inspection is one of the few moments in a startup's regulatory life when the cost of preparation and the cost of improvisation diverge by an order of magnitude — the seven steps in this post are how that gap is closed before the first letter arrives.