---
title: MedTech Investor Due Diligence: Regulatory and QMS
description: What MedTech investors check in regulatory and QMS due diligence: red flags that kill rounds, the evidence pack to assemble, who gets interrogated. 
authors: Tibor Zechmeister, Felix Lenhard
category: Funding, Business Models & Reimbursement
primary_keyword: MedTech investor due diligence regulatory QMS
canonical_url: https://zechmeister-solutions.com/en/blog/investor-due-diligence-regulatory-qms
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# MedTech Investor Due Diligence: Regulatory and QMS

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Investor due diligence on regulatory and QMS is not a paperwork exercise. It is a structured interrogation of whether your Article 10 manufacturer obligations are real, whether your QMS can survive a notified body audit, and whether the CE mark in your pitch deck is defensible. Founders who prepare the evidence pack before the term sheet close rounds faster and at better valuations.**

## TL;DR
- Experienced MedTech investors run regulatory DD in parallel with commercial and financial DD, and they use external regulatory counsel for anything Class IIa and above.
- The questions hit Article 10 manufacturer obligations hard: QMS, risk management, clinical evaluation, PMS, PRRC, technical documentation, Eudamed registration.
- The red flags that kill rounds: PRRC gap, clinical evidence gap, QMS theatre, untracked design changes, overbroad intended purpose, missing supplier qualification.
- The evidence pack is finite and can be assembled in 2 to 4 weeks if the underlying work is actually done.
- The people investors interrogate: CEO on strategy, CTO on design controls, Head of QA/RA or PRRC on QMS and Technical Documentation, clinical lead on evidence.

## Why this matters

MedTech fundraising rounds do not usually collapse on valuation. They collapse on regulatory due diligence findings that surface in week three of the process, after the founders thought the hard part was over. By then the momentum is gone, the lead investor is quietly talking to their partners about walking, and the bridge conversation starts.

This is avoidable. Regulatory DD asks a finite number of questions. You can prepare the answers and the evidence in advance. What you cannot do is fake the underlying work. The DD process is designed to detect exactly that.

Tibor has sat on both sides of this table: as a founder raising rounds, as a notified body auditor, and as the regulatory DD expert investors call in to interrogate target companies. Felix has coached founders through the data room preparation side. The patterns below are consistent across rounds from seed to Series B.

## What MDR actually says

Investors anchor their DD questions in manufacturer obligations, which MDR defines clearly.

**Article 10** sets out manufacturer obligations. The key paragraphs from a DD standpoint:

- **Article 10(1)-(3)** — manufacturers shall ensure devices comply with GSPRs (Annex I), taking into account intended purpose, classification, and the state of the art.
- **Article 10(2)** — manufacturers shall establish, document, implement and maintain a risk management system. In practice this means an EN ISO 14971:2019+A11:2021-aligned risk file.
- **Article 10(3)** — manufacturers shall conduct clinical evaluation in accordance with Article 61 and Annex XIV, including post-market clinical follow-up.
- **Article 10(4)** — manufacturers shall draw up and keep up to date technical documentation per Annex II and Annex III.
- **Article 10(6)** — where applicable, manufacturers shall obtain CE marking in accordance with Article 20 and conformity assessment procedures.
- **Article 10(9)** — manufacturers shall have a quality management system in place. For notified-body-involved routes this translates into EN ISO 13485:2016+A11:2021 plus MDR-specific elements assessed under Annex IX.
- **Article 10(10)** — manufacturers shall implement and keep up to date a post-market surveillance system per Articles 83 to 86 and Annex III.
- **Article 10(12)-(14)** — registration of manufacturers and devices in Eudamed, and maintenance of the declaration of conformity.

**Article 15** requires a Person Responsible for Regulatory Compliance (PRRC) with the qualifications specified in paragraphs (1) and (6). For micro and small enterprises, the PRRC may be permanently and continuously at disposal rather than employed, but the obligation is not waivable.

**Annex IX** governs QMS-based conformity assessment including the notified body's audit of the QMS and assessment of Technical Documentation on a sampling basis.

**Annex II** defines the Technical Documentation structure. **Annex III** defines the PMS-related Technical Documentation including PMS plan, PSUR/PMS report, and PMCF plan and report.

Investors do not quote these articles at you. They ask questions whose answers are the evidence that these articles have been implemented. The difference between a clean DD and a failed DD is whether the evidence exists.

## A worked example

A Series A lead investor runs regulatory DD on a Class IIa software-as-a-medical-device company with a CE mark already in hand. They hire external regulatory counsel. Here is the sequence, compressed.

**Week 1: Data room request.** The investor sends a 40-item request list covering: QMS certificate and scope, MDR certificate and scope, Technical Documentation index, clinical evaluation report, PMS plan and latest PMS report, PMCF plan and evaluation report, risk management file, PRRC appointment and qualifications, supplier list with qualification status, design history summary, nonconformity and CAPA log, internal audit reports for the last 24 months, management review minutes, list of reported incidents and vigilance, Eudamed registrations, declaration of conformity.

**Week 2: Evidence pack review.** Regulatory counsel reads everything. They flag anomalies: the PMS plan references a PMCF study that has not actually started; the CER was last updated 14 months ago and does not incorporate the most recent literature; the PRRC is a part-time external who signed off on items during a period when they were demonstrably unavailable; the supplier list includes a critical cloud provider with no qualification record.

**Week 3: Interviews.** Counsel interviews the CEO on strategy, the Head of QA/RA on QMS operation, the PRRC on actual engagement, the clinical lead on evidence strategy. The PRRC interview goes badly. The PRRC does not know the current version of the CER and cannot explain the PMCF gap.

**Week 4: DD report to investor.** Finding summary: six majors, eleven minors. Two of the majors are structural: the PRRC arrangement is not compliant with Article 15 in substance (present on paper, absent in practice), and the clinical evaluation is not being updated in line with Annex XIV Part B. The investor asks for a remediation plan and an escrow against regulatory risk. The valuation takes a haircut. The round still closes, but on worse terms and six weeks later than planned.

This is a realistic composite. Every one of the six major findings was preventable with two to four weeks of preparation before the DD started.

## The Subtract to Ship playbook

The playbook is to assemble the evidence pack before you open the round and to fix the findings yourself so the investor's counsel finds nothing.

**Build the evidence pack index as a living document.** Not for the investor. For you. It should list every Article 10 obligation, the current location of the evidence, the owner, and the last-updated date. If you cannot produce this index in an afternoon, you do not know your own compliance state.

**Fix the PRRC situation first.** Article 15 compliance is a common DD failure point. The PRRC must have the qualifications (paragraph 1), must actually be available and engaged, and must be able to demonstrate they exercise the function described in paragraph 3. If your PRRC is a part-time external who signs documents without reviewing them, fix it before DD starts. A compliant PRRC arrangement survives interrogation. A non-compliant one does not.

**Update the clinical evaluation report on schedule.** Annex XIV Part B and Part A together require periodic updates to the CER based on PMS and PMCF data. An out-of-date CER is one of the single most common DD findings.

**Reconcile the PMS plan to what is actually happening.** If your PMS plan says you run a PMCF study, the study should be running. If your PMS plan says you collect certain data sources, those data sources should be collecting data. Paper-only PMS is QMS theatre and counsel will find it.

**Qualify your critical suppliers under clause 7.4 of EN ISO 13485.** Cloud providers, contract manufacturers, test labs, clinical investigators, SOUP component providers. If it is on the critical path, it should be qualified.

**Keep design change control current.** Every significant change to the device since certification should have a documented impact assessment, a risk file update, and where applicable a notified body notification. An untracked change is a red flag that implies every other change might be untracked too.

**Write an intended purpose statement that matches what you sell.** If your marketing expanded beyond the certified intended purpose, Article 7 violations are a DD finding and a potential notified body issue. Investors notice this immediately.

**Prepare the PRRC, the Head of QA/RA, and the clinical lead for interviews.** They should know the current state of their files cold. A weak interview can overturn a clean data room.

**Budget 2 to 4 weeks of internal prep time before opening the round.** The evidence pack preparation is itself a useful diagnostic. If the preparation surfaces real problems, better to find them now than in week three of DD.

**Ask the investor early who will run their regulatory DD.** If it is a named external counsel known in the industry, plan accordingly. These people know what to look for. Treat the DD as adversarial from the start.

The subtraction move is to stop treating DD as a project that starts when the investor sends the request list. Treat it as an always-on state. Compliance you can prove today is compliance you can raise on today.

## Reality Check

- Can you produce a current Article 10 evidence index in one afternoon, with owners and last-updated dates?
- Is your PRRC actually engaged, or on paper only? Could they pass an unscheduled interview?
- When was your CER last updated? Does it incorporate current literature and PMS data?
- Does your PMS plan match what your team is actually doing, or is it aspirational?
- Are all critical suppliers qualified under clause 7.4, with records to prove it?
- Has every significant design change since certification been impact-assessed and documented?
- Does your marketing stay within the certified intended purpose, or has it drifted?
- Can your Head of QA/RA walk an auditor or investor counsel through the Technical Documentation without preparation?

## Frequently Asked Questions

**Do all MedTech investors run regulatory DD?**
Specialist MedTech investors and lead investors in priced rounds almost always do. Generalist or syndicate investors may rely on the lead's DD. Strategic investors (corporate VCs with MedTech portfolios) run the most thorough regulatory DD.

**When should we start preparing for regulatory DD?**
The day you start your MDR work. The evidence pack should exist from day one and grow as the company grows. Backfilling it under time pressure is where mistakes happen.

**Will an external PRRC arrangement pass DD?**
Yes, if the arrangement is compliant with Article 15 in substance. The PRRC must be qualified, available, and actually exercising the function. Part-time external PRRCs are common and can be fine. Ghost PRRCs are not.

**What is the single biggest regulatory DD red flag?**
Mismatch between what documents say and what the team actually does. Paper-only QMS, paper-only PMS, paper-only PRRC. Counsel will test for it in interviews and usually find it quickly.

**Can a CE mark alone survive DD?**
No. The CE mark is a starting point. DD looks at whether the obligations the CE mark depends on (QMS, PMS, clinical evaluation updates, change control) are being maintained. A certificate issued 18 months ago with no maintenance activity since is a red flag.

**How much does bad regulatory DD cost us in valuation?**
In practice, 10 to 30 percent haircut for fixable findings, round collapse for structural findings. The delay cost is often larger than the valuation cost because momentum matters.

## Related reading
- [Venture capital for MedTech in Europe 2026](/blog/venture-capital-medtech-europe-2026) — the investor landscape this DD happens in.
- [The regulatory slide in your MedTech pitch deck](/blog/pitch-medtech-regulatory-slide) — how to front-run DD questions.
- [MedTech startup valuation and regulatory milestones](/blog/medtech-startup-valuation-regulatory-milestones) — how regulatory state maps to valuation.
- [Preparing for a MedTech acquisition: regulatory DD](/blog/prepare-medtech-acquisition-regulatory-due-diligence) — the higher-intensity version of this process at exit.
- [PRRC under MDR Article 15](/blog/prrc-mdr-article-15) — the single most common DD failure point.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 7, 10, 15, 20, 61, 83-86, Annex II, Annex III, Annex IX, Annex XIV Parts A and B.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
3. EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices.
4. MDCG 2025-10 (December 2025) — Post-market surveillance guidance.

