---
title: Hiring for Regulatory Affairs in a Startup: What to Look For and What to Avoid
description: Hiring your first regulatory affairs person is a high-leverage decision. Here is how to evaluate candidates, the red flags to avoid, and what the right hire looks like.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: hiring regulatory affairs startup
canonical_url: https://zechmeister-solutions.com/en/blog/hiring-regulatory-affairs-startup
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Hiring for Regulatory Affairs in a Startup: What to Look For and What to Avoid

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **The first regulatory affairs hire in a MedTech startup is one of the highest-leverage decisions on the cap-table-adjacent org chart, and it is the decision most often made on the wrong criteria. The right hire is a person who has actually read the MDR end to end, who has been in a room with a Notified Body auditor, who can defend a classification argument from first principles, and who will say no to the CEO when saying no is the correct answer. The wrong hire is a person with the vocabulary and the CV but without the substance — and that hire is disturbingly common because the vocabulary is learnable and the substance is not. This post gives you the interview framework, the red flags, the honest compensation picture, and the separation of roles that keeps a small team legally and operationally sound.**

**Last updated 10 April 2026.**

---

## TL;DR

- The first RA hire is high-leverage because every downstream decision — classification, clinical strategy, technical file architecture, Notified Body relationship — is shaped by whoever sits in that seat.
- The most dangerous failure mode is hiring someone who is fluent in the vocabulary but has never defended a decision in front of an auditor. It is common, it is hard to detect on a CV, and it ends companies.
- Seniority expectations collide with startup reality. A genuine senior RA hire usually costs more than a pre-seed startup can carry full-time, which is why fractional, external, and hybrid arrangements exist and are legitimate.
- The interview questions that actually reveal competence are the ones that ask the candidate to reason about a specific device, cite specific MDR articles from memory, and describe a decision they got wrong.
- RA, QA, and the PRRC role under MDR Article 15 are three distinct functions. Collapsing them into one hire is sometimes necessary at small scale, but only if the competence is genuinely present on every side.
- The hire-versus-outsource-versus-contract decision is not about cost. It is about where the work actually has to live and whether the competence can be verified.
- The charlatan problem is real. Regulatory affairs attracts people who have learned the words without doing the work, because the words are learnable and the customers are often too junior to tell the difference.

---

## The Austrian fake-expert story — the pattern this post exists to prevent

There is an Austrian company we came across where the founders had a sentence they used to close every difficult conversation. "We have a dedicated expert handling regulatory." The sentence worked. Investors relaxed. The board relaxed. Partners relaxed. Auditors, initially, also relaxed. Everyone around the company assumed the hard part was covered because someone with a title was sitting in the seat.

The "dedicated expert" turned out to be beginner-level. Not a criminal fraud — just a person who had learned the vocabulary of regulatory affairs without learning the regulation behind it. The QMS documents looked right at a glance. The filenames matched what an outsider would expect. The structure of the technical file was plausible from a distance. Under the surface, almost every significant decision had been made wrongly. Intended purpose was inconsistent between documents. Classification rationale pointed at the wrong Annex VIII rule. The clinical evaluation strategy would not have survived a serious Notified Body review. The risk file was cosmetic.

Nobody noticed until a real audit hit. By then, the company had been operating for years on a foundation that looked competent and was not. The cost of rebuilding was a multiple of the cost of hiring correctly the first time, and they were lucky the gap surfaced in an audit room rather than in a patient harm event.

This post exists to stop that story happening in your company. The defence is a specific, boring discipline: know what the seat is for, know what real competence looks like, and test for it explicitly in the hiring process instead of trusting titles and CVs.

Felix has a sharper version of the same point from the coaching side. There are a lot of people who claim expertise and really do not have it. Regulatory affairs is one of the domains where that claim is easiest to make, because the vocabulary is learnable, the invoices are large, and the customers are often too new to the field to tell the difference between fluency and competence. The same warning applies whether you are hiring an employee, engaging a consultant, or evaluating an existing team member who has drifted into an RA title by accident.

## What a regulatory affairs person actually does

Before you can hire one well, you have to be honest about what the seat is for. RA is the interpreter role. The person in this seat reads the MDR, the harmonised standards, and the relevant MDCG guidance, and they turn those texts into decisions about your specific device.

The core deliverables, in rough order of leverage:

- **Intended purpose.** The single highest-leverage sentence in the regulatory file. RA writes it, defends it against drift, and updates it when the device evolves.
- **Classification.** Which Annex VIII rule applies, what the class is, and what the conformity assessment route is under MDR Article 52. Not a lookup — a reasoned argument with supporting evidence that a Notified Body will either accept or challenge.
- **Regulatory strategy.** The sequence of decisions and deliverables between where the company is today and CE marking, mapped to real calendar time and real budget.
- **Technical file architecture.** How the Annex II requirements are structured so that a reviewer can find what they need without a treasure hunt.
- **Clinical evaluation strategy.** Whether the clinical pathway is literature-based, equivalence-based, or a full clinical investigation under MDR Article 61 and Annex XIV — and the defence of that choice.
- **Notified Body relationship.** Selection, first engagement, ongoing correspondence, response management, and the discipline of not poisoning the relationship by missing a deadline.
- **Change control from a regulatory perspective.** Every design change, scope change, or market change triggers an RA analysis of the regulatory impact.
- **Interaction with authorities and vigilance reporting.** Incident and field safety corrective action reporting when things go wrong.

What RA is not: document control, training record maintenance, internal audit scheduling, supplier file administration. Those are QA — see [Building a QA/RA Quality Team in a Startup](/blog/building-qa-ra-quality-team-startup). The confusion between the two is one of the most common sources of a bad hire, because a company needs both and often looks for the wrong profile for the seat that is vacant.

## Seniority expectations versus startup reality

The first collision you will hit in the market is the gap between what a genuine senior RA hire costs and what a pre-seed or seed-stage MedTech startup can afford.

A genuinely senior RA manager — someone with 10–15 years of MedTech experience, multiple CE marks behind them, direct experience being in the room with Notified Body auditors, and the judgment to make a classification argument under pressure — is not a junior salary. In Western Europe, fully loaded, this profile typically runs in the upper half of the RA salary range (see the compensation section below). That is a real cost for a company with 18 months of runway.

The honest options for a startup that cannot carry a senior hire full-time:

- **Fractional senior.** An experienced RA professional working part-time across two or three companies. Expensive per hour, but the hours are concentrated on the decisions that matter. Best for the first 6–12 months of serious regulatory work.
- **External Article 15(2) PRRC plus internal junior.** A qualified external PRRC under MDR Article 15(2) covers the legal role and provides senior judgment on big decisions, while a junior internal hire handles the daily work under supervision. This is the pattern we cover in detail in [The PRRC Role in Startups: Hiring, Outsourcing, or Training Someone Internal](/blog/prrc-startup-hiring-outsourcing-training).
- **Mid-level internal hire with sparring-partner support.** A 3–5 year RA professional as the full-time internal owner, backed by an external sparring partner for the decisions that exceed their experience. This shape tends to work from Series A onwards.
- **Senior co-founder.** If one of the founders has the regulatory background, the problem dissolves. This is rare but when it exists it is the cheapest route to real competence.

What almost never works: hiring a cheap "RA Manager" with a life-sciences degree and no MDR experience, handing them the title, and assuming the title will mature into competence without supervision. Competence does not grow that way. It grows under experienced mentorship on real decisions with real consequences. A junior without a mentor is a junior running a regulatory project alone, which is the profile that produced the Austrian story.

## Red flags in candidates

The CV and the interview will both lie to you if you are not looking for specific signals. The red flags below are the ones we see repeatedly in candidates who should not be hired into an RA seat.

- **Cannot cite a specific MDR article from memory.** A competent RA candidate will name Article 10, Article 15, Article 52, Annex II, Annex VIII, Annex XIV, and the handful of articles relevant to their past devices without looking them up. Someone who waves vaguely at "MDR requirements" has not internalised the text.
- **Talks in process vocabulary instead of regulatory content.** Listen for the difference between "we ran a CAPA" and "we had a non-conformity against clause 8.5.2 of ISO 13485 and the corrective action changed the supplier qualification procedure in the following specific way." The first is a sentence anyone can learn. The second is a sentence only someone who did the work can produce.
- **No direct Notified Body contact.** Ask who they personally spoke to at the Notified Body, what the conversation was about, and how it ended. A candidate who has only seen Notified Body correspondence through a manager has watched this work happen, not done it.
- **Perfect career narrative.** A candidate who has never failed at anything in regulatory work is either early in their career or not telling the truth. Real practitioners have scars and can describe them. Ask directly: "Tell me about a device you got wrong." Silence or deflection is a signal.
- **Fluent in every domain.** An RA candidate who claims deep expertise in every device class, every standard, every therapeutic area, and every geography is not self-aware enough to trust with your file. The honest answer names areas of weakness. Tibor's favourite question in reverse: "What don't you know about MDR?" A candidate who cannot answer specifically is a candidate who has not been humbled by the regulation yet.
- **No opinion about your device.** A strong candidate will have read your website and the public description of your product before the interview and will come in with at least a provisional view on intended purpose and classification. A candidate who arrives with no opinion is either not interested or not capable of forming one.
- **Title escalation without scope growth.** A CV where the titles have moved up faster than the scope suggests is a title-inflation candidate. Look at what the person actually did at each stage, not what they were called.

## Questions that reveal real competence

The interview questions below are the ones we use — and recommend using — to separate a real RA candidate from a fluent impostor. None of them are gotchas. All of them reward candidates who have done the work and embarrass candidates who have not.

1. **"Walk me through the intended purpose of our device, as you understand it from our public materials."** A competent candidate will answer, will admit the limits of their public knowledge, and will ask clarifying questions. A weak candidate will skip this and talk about process.
2. **"Which Annex VIII rule would govern the classification of our device, and what is your reasoning?"** The answer does not have to be correct — your device may be in a grey zone — but the reasoning has to be specific, rule-referenced, and defensible.
3. **"Tell me about a classification argument you had with a Notified Body. What was the rule, what was the evidence, how did it end?"** Listen for specifics. Vague answers mean the person was adjacent to this, not in it.
4. **"Describe a device you worked on that you would classify differently today with the benefit of hindsight."** Real practitioners have this story. It costs them nothing to tell it honestly because the mistake is in the past.
5. **"What are the qualification criteria for a PRRC under MDR Article 15(1), and which route do you meet?"** Anyone interviewing for an RA seat in a MedTech startup should be able to answer this in one sentence. If they cannot, they have not read the article they might be appointed under.
6. **"What is the difference between literature-based clinical evaluation and equivalence-based clinical evaluation under MDR Article 61 and Annex XIV?"** A real candidate can distinguish the two, name MDCG 2020-5 as the relevant guidance, and describe when each pathway is appropriate.
7. **"When have you told a CEO 'we are not ready to release this device' and what happened?"** The Article 15(6) protection exists because this moment is real. A candidate who has never been in that moment has never been trusted with a release decision.
8. **"Which parts of the MDR do you not yet know well enough to decide alone?"** Self-awareness is the single strongest competence signal. A candidate who names specific weaknesses is far more trustworthy than one who claims total expertise.

The answers do not need to be polished. They need to be specific, honest, and rooted in first-hand experience.

## RA versus QA versus PRRC — keep the separation clean

A common mistake in startup hiring is collapsing RA, QA, and the PRRC role under MDR Article 15 into a single job description because the company only has budget for one seat. At the smallest scale, one person can genuinely hold more than one of these functions, but the functions themselves do not merge. Treating them as interchangeable in the job description produces a hire who is good at one and pretending at the others.

**RA** interprets the regulation and drives the decisions described above. **QA** operates the QMS — document control, training, internal audits, CAPA, management review, supplier controls — under EN ISO 13485:2016+A11:2021. **PRRC** is a legally defined role under MDR Article 15 with specific qualification criteria in Article 15(1) and specific tasks in Article 15(3), protected by Article 15(6). For the deeper walk-through of the PRRC decision, see [The PRRC Role in Startups: Hiring, Outsourcing, or Training Someone Internal](/blog/prrc-startup-hiring-outsourcing-training) and [PRRC and MDR Article 15](/blog/prrc-mdr-article-15).

Practical rule when writing the job description: name the RA scope explicitly, name the QA scope explicitly, and name whether the hire will also serve as PRRC and under which Article 15(1) qualification path. If the answer is "yes, also PRRC," the competence requirements narrow sharply — you are now hiring for a legal role, not an operational one. If the PRRC is covered separately under an Article 15(2) external arrangement for a micro or small enterprise, say so in the job description. Vagueness here produces a bad hire.

## Hire versus outsource versus contract

Not every RA need has to be met by a full-time hire. The honest decision framework:

- **Hire when** the work is continuous, embedded in daily operations, requires deep device-specific context carried across months and years, and the company has crossed the threshold where external support alone cannot keep up with the volume of decisions.
- **Contract (fractional or consulting sparring-partner) when** the decisions are high-stakes but episodic, the company is pre-seed or seed with limited runway, and senior experience is more important than availability at 9am every morning.
- **Outsource (Article 15(2) external PRRC) when** the company qualifies as a micro or small enterprise under Commission Recommendation 2003/361/EC, the legal role needs to be covered, and the internal RA capacity is being built separately. Outsourcing the PRRC role is a legitimate, regulation-defined route — not a workaround — provided the external person is genuinely "permanently and continuously at the disposal of" the company.

The trap is mixing these up. Hiring a junior full-time instead of contracting a senior fractional because the junior is cheaper per month. Outsourcing the entire RA function with no internal owner and then discovering that the external provider has no accountability when a deadline slips. Contracting a sparring partner but failing to build any internal capacity, so the company is permanently dependent on someone outside the walls.

We cover the full framework in [DIY vs Hiring an MDR Consultant](/blog/diy-vs-mdr-consultant) — the same test applies to any external regulatory support.

## The honest compensation picture

Compensation for regulatory affairs in MedTech varies by country, by seniority, and by the scale of the employer. What follows is an honest range for Western European markets as of the writing of this post. Treat the numbers as observed ranges, not quotes, and verify against local data for your specific geography.

- **Junior RA associate** (0–3 years, typically a science or engineering degree, limited direct MDR experience): roughly EUR 45,000–65,000 fully loaded. This profile needs supervision and is not a substitute for a senior presence on high-stakes decisions.
- **Mid-level RA specialist / manager** (3–7 years, at least one CE mark behind them, direct Notified Body experience): roughly EUR 65,000–95,000 fully loaded. This is the most common startup hire once the company is past seed.
- **Senior RA manager / Head of RA** (7–15 years, multiple CE marks, judgment to run the function independently): roughly EUR 90,000–140,000 fully loaded, with the upper end at large employers and experienced hires.
- **Fractional senior / consulting sparring partner** (episodic engagement, senior experience): typically billed in the range of EUR 120–250 per hour or on retainer, depending on scope and relationship shape.
- **External PRRC under Article 15(2)**: commonly in the range of EUR 500–3,000 per month, depending on device complexity, involvement level, and provider seniority. The lowest rates typically do not satisfy "permanently and continuously at their disposal" in a meaningful sense.

Two warnings about the numbers. First, paying significantly below the range for a claimed seniority level is a red flag — the claim is probably thinner than the CV suggests. Second, paying significantly above the range without a clear explanation of what the premium buys is also a warning — either the scope is different from what you think, or the hire is a brand without matching substance. Both errors are common. Both are avoidable with the interview framework above.

## The charlatans problem

Felix has a line he uses with founders who are evaluating regulatory support: there are a lot of people on the planet who claim to have expertise and do not. Regulatory affairs is one of the domains where the claim is easiest to make. The vocabulary is learnable from a handful of articles, a public version of the MDR, and a few days of reading MDCG guidance. The CV polish is straightforward. The interview performance is achievable with preparation. None of these are equivalent to having done the work.

The defence is the discipline this post describes. Do not hire on fluency. Do not hire on titles. Do not hire on the strength of a CV that you cannot reference-check in depth. Do hire on specific answers to specific questions about your specific device, on direct stories about real mistakes and real recoveries, on willingness to name weaknesses, and on the willingness to say no to the CEO when saying no is the right answer.

The charlatans are not usually malicious. They are usually people who drifted into the title, liked it, and discovered that the rewards for fluency were high enough that learning the substance felt optional. The company that hires them pays the cost of the missing substance later, and the cost is always larger than the cost of hiring carefully would have been.

## The Subtract to Ship angle

The [Subtract to Ship framework](/blog/subtract-to-ship-framework-mdr) applies to RA hiring the same way it applies to the technical file. Strip the org-chart template. Forget what the RA function "should" look like in a 500-person MedTech employer. Name the actual work that has to happen in the next 12 months, name the person who will own each piece, and verify that the competence behind the name is real. If a piece of work has no named owner, the seat is empty and needs to be filled. If a seat exists without a piece of work attached, the seat is decoration and needs to be cut.

Subtraction in hiring also means refusing to hire a junior full-time when the right answer is a fractional senior. It means refusing to hire a senior full-time when the right answer is a contract sparring partner plus an internal mid-level. It means refusing to collapse RA, QA, and PRRC into one seat when the competence is not genuinely present on all three. And it means refusing to keep a seat filled when the person in it has been shown, honestly, not to be carrying the work.

What you keep is a small number of honest seats with real people and real competence behind them, and a hiring plan that grows the function in the direction the work is actually heading — not the direction the investor deck says.

## Reality Check — Where do you stand?

1. For the RA work that has to happen in your company in the next 12 months, do you have a named owner for every significant deliverable, or are you relying on "the team"?
2. If your first RA hire is already in the seat, can you describe — in specific terms — three MDR articles they can cite from memory and one decision they have made that a weaker candidate would have made differently?
3. Have you verified that your RA hire has direct Notified Body experience, or only second-hand exposure through a previous manager?
4. When you interviewed your current RA hire, did you ask them to reason out loud about your specific device, or did you rely on their CV and references?
5. If your RA hire is also named as PRRC, do they meet the Article 15(1) qualification criteria by a documented path (degree plus one year, or four years of experience)?
6. If your RA hire is not the PRRC, is the PRRC arrangement separate, documented, and real — whether internal or under Article 15(2)?
7. Has your RA hire ever told your CEO "we are not ready to release this" or "we need to change this decision before we go further"? If not, is that because the moment has not arisen, or because they do not feel they have the authority under Article 15(6)?
8. If the person in your RA seat left tomorrow, how long would it take to carry the work forward without losing context? More than eight weeks is a warning.

## Frequently Asked Questions

**When should a MedTech startup hire its first regulatory affairs person?**
Usually at the transition from 3–5 people to 10 people, or earlier if the device is in a classification grey zone, the clinical evidence strategy is unclear, or the Notified Body engagement is approaching. Before the first dedicated internal hire, the function can be covered by a fractional consultant or an external sparring partner, but the work still needs a named internal owner at co-founder or CEO level.

**What qualifications should a first RA hire have?**
At a minimum, a relevant degree (engineering, life sciences, law, pharmacy, medicine) and direct hands-on experience with medical devices under MDR — not just general quality or life-sciences experience. If the hire will also serve as PRRC, they must meet the MDR Article 15(1) criteria: either the relevant degree plus at least one year of regulatory affairs or QMS experience relating to medical devices, or four years of such experience without the formal qualification.

**Can one person cover RA, QA, and PRRC in a small startup?**
Yes, at small scale, provided the competence is genuinely present on all three sides and the PRRC qualification criteria under MDR Article 15(1) are met. As the company grows past 10 employees, the functions usually start to separate because the depth of work in each diverges. See [Building a QA/RA Quality Team in a Startup](/blog/building-qa-ra-quality-team-startup).

**How do I tell a real RA candidate from a fluent impostor?**
Ask them to cite specific MDR articles from memory, to reason about your specific device in real time, to describe a decision they got wrong, and to name the parts of MDR they do not yet know well enough to decide alone. Specific answers and honest self-awareness are far more reliable than polished CVs or references.

**How much does a regulatory affairs hire cost in a European MedTech startup?**
Observed ranges for Western European markets: junior RA associate roughly EUR 45,000–65,000 fully loaded; mid-level RA specialist or manager roughly EUR 65,000–95,000 fully loaded; senior RA manager or Head of RA roughly EUR 90,000–140,000. Fractional senior engagements commonly bill at EUR 120–250 per hour. External PRRC arrangements under Article 15(2) commonly run EUR 500–3,000 per month. All numbers are ranges to verify for your geography, not quotes.

**Should a startup outsource regulatory affairs entirely?**
No. Specific high-expertise tasks can legitimately be contracted or outsourced, and the PRRC role can be covered externally under Article 15(2) for micro and small enterprises. But the RA function as a whole needs an internal owner — someone inside the company who holds context, coordinates external support, and is accountable when something slips. An RA function without an internal owner is a function without accountability. See [DIY vs Hiring an MDR Consultant](/blog/diy-vs-mdr-consultant).

**What is the biggest mistake founders make when hiring RA?**
Hiring on fluency instead of substance. The vocabulary of regulatory affairs is learnable, and a candidate who has learned the words can sound competent in an interview without having done the work. The defence is specific, device-level questions that force the candidate to reason from first principles — and the willingness to refuse the hire when the reasoning is thin, even when the CV is not.

## Related reading

- [The MedTech Startup Team: Key Roles You Need Before and After CE Marking](/blog/medtech-startup-team-key-roles) — the hub post for the team building category.
- [PRRC and MDR Article 15](/blog/prrc-mdr-article-15) — the legal foundation of the PRRC role.
- [PRRC Options for Startups](/blog/prrc-options-startups) — practical options for small companies under Article 15(2).
- [DIY vs Hiring an MDR Consultant](/blog/diy-vs-mdr-consultant) — the companion framework for evaluating any external regulatory support.
- [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the methodology behind every hiring decision in this post.
- [The CMO Question in a MedTech Startup](/blog/cmo-question-medtech-startup) — hiring the clinical voice alongside the regulatory function.
- [The PRRC Role in Startups: Hiring, Outsourcing, or Training Someone Internal](/blog/prrc-startup-hiring-outsourcing-training) — the companion PRRC decision framework.
- [Building a QA/RA Quality Team in a Startup](/blog/building-qa-ra-quality-team-startup) — how the quality function splits and grows as the company scales.
- [Evaluating Regulatory Consultants Honestly](/blog/evaluating-regulatory-consultants) — deeper evaluation framework for external providers.
- [How to Evaluate a Regulatory Hire](/blog/evaluate-regulatory-hire) — the competence test framework for quality and regulatory candidates.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 15 (person responsible for regulatory compliance), Article 15(1) (qualification criteria — either a relevant degree in law, medicine, pharmacy, engineering, or another relevant scientific discipline plus at least one year of professional experience in regulatory affairs or QMS relating to medical devices; or four years of such experience), Article 15(2) (micro and small enterprise derogation allowing an external PRRC permanently and continuously at the disposal of the company), Article 15(3) (tasks of the PRRC), Article 15(6) (protection of the PRRC from disadvantage within the organisation). Official Journal L 117, 5.5.2017.
2. Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal L 124, 20.5.2003.
3. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 6.2 (human resources — competence based on education, training, skills, and experience, with documented evidence).

---

*This post is part of the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog, under the Regulatory Hiring subcategory. Authored by Felix Lenhard and Tibor Zechmeister. If you are about to make your first RA hire, run the interview framework in this post before the offer goes out — and if you already have someone in the seat, run the Reality Check against the work they are actually doing, not the title on the door.*

