An ISO 13485 certification body is an accredited organisation that audits your quality management system against EN ISO 13485:2016+A11:2021 and issues a certificate. An MDR Notified Body is an organisation designated under Regulation (EU) 2017/745 Article 42 to perform conformity assessment for specific device classes and codes. The two roles are often held by the same parent organisation under different scopes, but they are not interchangeable. If your MDR path runs through Annex IX, the QMS audit has to be done by a Notified Body designated for your device codes, not by a pure ISO 13485 certification body. Choose once, and choose so that a single audit serves both purposes wherever the Regulation allows it.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • An accredited ISO 13485 certification body can issue an EN ISO 13485:2016+A11:2021 certificate; only an MDR Notified Body designated under Article 42 can perform the Annex IX QMS assessment required for CE marking of most devices.
  • The two roles are frequently offered by the same parent organisation under separate accreditation and designation scopes, which is why founders confuse them.
  • IAF MD 9 is the IAF mandatory document that governs how accredited bodies apply ISO/IEC 17021-1 to medical device QMS certification against ISO 13485.
  • For any Class IIa, IIb, III or Class I sterile, measuring, or reusable surgical device, a standalone ISO 13485 certificate from a non-designated certification body does not satisfy the MDR; the audit has to come from a Notified Body.
  • The efficient path for most startups is a single dual-purpose audit where the QMS is assessed once against EN ISO 13485:2016+A11:2021 and against the MDR Annex IX requirements in the same visit.
  • Selection criteria that actually matter are designation scope, queue time, technical competence in your device area, audit team language, and whether the body will do a dual-purpose audit; price variance matters less than founders expect.

Why the certification body choice is not a commodity decision

A first-time founder looks at the ISO 13485 certification market and sees what looks like a commodity. Dozens of bodies issue certificates. Prices cluster in a narrow range. Websites say similar things. The temptation is to pick the cheapest, fastest, or nearest body and move on.

That move fails at the moment the Regulation enters the picture. MDR Article 10(9) obliges every manufacturer to run a QMS. MDR Annex IX, for devices that need conformity assessment through the QMS route, obliges the QMS audit to be performed by a Notified Body designated under Article 42 for the exact device codes that apply to the product. A certificate from a body that cannot legally perform the Annex IX assessment is a quality credential at best and a procurement mistake at worst.

The decision is not "which body issues ISO 13485 certificates." The decision is "which body can carry my QMS audit from ISO 13485 conformity all the way through to the MDR Annex IX output I actually need to CE-mark the device." For the full step-by-step path this audit fits into, see post 320.

ISO 13485 certification body vs MDR Notified Body. The distinction

An accredited ISO 13485 certification body is an organisation accredited under ISO/IEC 17021-1 (with the medical-device sectoral rules of IAF MD 9) by a national accreditation body that is a signatory of the IAF MLA. Its scope is to audit management systems against ISO 13485 and issue certificates that are recognised across the IAF MLA network. That certificate says nothing about MDR conformity on its own. It says the QMS meets the standard.

An MDR Notified Body is an organisation designated by a Member State authority under MDR Article 42 and listed on the NANDO database. Its designation specifies which device codes (MDA and MDN codes under the MDR nomenclature) and which horizontal and vertical technical competences it is authorised to cover. A Notified Body performs conformity assessment procedures under the MDR annexes that apply, including the Annex IX QMS assessment and the Annex IX technical documentation assessment.

The confusion exists because most MDR Notified Bodies are also accredited as ISO 13485 certification bodies, often through the same legal entity. So when you sign a contract with a Notified Body, you are often signing with an organisation that wears two hats. One accredited for ISO 13485 under IAF MD 9, one designated for MDR conformity assessment under Article 42. The hats cover different scopes. A good contract is explicit about which hat is being worn for which output.

The practical rule: if the device needs a Notified Body at all under the MDR classification rules, the QMS audit should be done by that Notified Body, not by a separate certification body. If the device is a Class I self-declaration device with no Notified Body involvement required, a standalone ISO 13485 certificate from any accredited body can still be useful as a quality credential but is not a Regulation requirement. For the relationship between Article 10(9) and Annex IX, see post 278.

IAF MD 9. The sectoral rulebook for ISO 13485 audits

IAF MD 9 is the International Accreditation Forum mandatory document titled "Application of ISO/IEC 17021-1 in the field of Medical Device Quality Management Systems (ISO 13485)." It is the rulebook that tells accreditation bodies and certification bodies how to apply the generic management systems certification standard (ISO/IEC 17021-1) to the specific case of medical device QMS certification against ISO 13485.

IAF MD 9 covers auditor qualifications, audit time calculation rules, technical codes for different medical device sectors, and the principles that separate a competent medical device audit from a generic management system audit. It is not itself the audit standard, but a body that does not apply IAF MD 9 correctly is not running a defensible ISO 13485 certification programme.

For the founder choosing a certification body, IAF MD 9 matters because it defines the technical codes the body must cover to audit your device type, and because it sets the minimum auditor competence requirements. A body whose auditors do not meet the IAF MD 9 competence criteria for your device area will either decline the audit or run it badly. Ask the question explicitly: "Under IAF MD 9, what technical codes does your accreditation cover, and does my device fall inside them?" A competent body answers this without hesitation.

The dual-purpose audit strategy

The most efficient move for a startup on the MDR Annex IX path is a single dual-purpose audit. The Notified Body audits the QMS once, against EN ISO 13485:2016+A11:2021 under its ISO 13485 accreditation scope, and against the MDR Annex IX Section 2 QMS requirements under its MDR designation scope, in the same site visit with the same audit team.

The output is two certificates from one audit. An ISO 13485 certificate and, eventually, the Annex IX QMS certificate that feeds the MDR CE certificate issued under Annex IX. The alternative. Audit once for ISO 13485 with one body, then audit again for MDR with a Notified Body. Doubles the disruption, doubles the preparation, doubles the cost, and creates two sets of findings to close.

Splitting the audits is only defensible in one narrow case. If a company needs ISO 13485 certification urgently for commercial reasons. A customer contract, a supplier qualification. And the MDR Notified Body has a queue time of twelve months or more, an interim ISO 13485 certificate from an accredited body that is not the chosen Notified Body can be used as a bridge. The downside is that the interim certificate does not count toward MDR conformity and the full audit still has to happen later. For the full dual-audit playbook, see the efficient approach to combining ISO 13485 and MDR Annex IX audits in the deeper-dive post.

A worked selection walk-through

A Class IIb device startup with a wearable diagnostic is choosing between three candidates for its QMS certification body.

Candidate A is an accredited ISO 13485 certification body with fast turnaround and a competitive price. Queue time is three months. On checking the NANDO database, the founder finds the body is not designated as an MDR Notified Body. The certificate from this body would be valid as an ISO 13485 credential but would not count toward Annex IX conformity. For a Class IIb device that needs a Notified Body under MDR, this candidate is a dead end for the CE path. Eliminated.

Candidate B is an MDR Notified Body with a strong reputation in active devices and software. NANDO shows it is designated for the MDA and MDN codes that cover the device. Its ISO 13485 accreditation is held by the same legal entity under IAF MD 9. Queue time for a new manufacturer is fourteen months. Price is at the high end of the range. Audit team speaks the founder's language. The body will run a dual-purpose audit.

Candidate C is another MDR Notified Body with relevant designation scope. Queue time is six months. Audit team is competent in the device area. Price is mid-range. The body has confirmed willingness to do a dual-purpose audit in writing. Reference calls with two other startups come back positive on the audit team's technical depth.

The correct move is Candidate C. Candidate A is eliminated by the designation gap. Candidate B is slower and more expensive without enough added competence to justify the delta. Candidate C wins on queue time, competence, dual-purpose willingness, and reference quality. The decision is not price; the decision is the combination of scope, time, and competence that lets the startup run one audit that serves both outputs.

The selection playbook

Selecting an ISO 13485 certification body in an MDR context comes down to six checks, applied in order.

Check 1. Designation scope. Pull the body's entry on the NANDO database. Confirm it is designated under the MDR for the MDA and MDN codes that apply to your device. If it is not, the body cannot serve as your MDR Notified Body and should only be used for a pure ISO 13485 certificate if that is genuinely what you need.

Check 2. Accreditation scope. Confirm the body holds ISO 13485 certification accreditation under IAF MD 9 covering the technical codes that match your device. This is the ISO 13485 side of the same organisation. A competent Notified Body holds both scopes; a few hold only one.

Check 3. Queue time. Ask for the realistic time from contract signature to Stage 1, and from Stage 1 to certificate. Ask for recent examples. Queue time variance between bodies is the largest cost variance in the whole selection.

Check 4. Technical competence. Ask who will be on the audit team and what their experience is with devices like yours. Ask for two reference calls with recent clients in your device category. A body that refuses reference calls is telling you something.

Check 5. Audit logistics. Language of the audit team, geography of the audit sites, willingness to do Stage 1 remotely, and willingness to run a dual-purpose audit against ISO 13485 and MDR Annex IX in the same visit.

Check 6. Contract clarity. The contract should name both scopes explicitly. The ISO 13485 certification scope under IAF MD 9 accreditation and the MDR Annex IX assessment scope under Article 42 designation. And specify which outputs are produced from which audit. Ambiguity here shows up later as scope disputes at certificate renewal.

Price is a tiebreaker, not a primary criterion. The variance between competent bodies on price is smaller than the variance in audit team quality, and a bad audit team costs more than a price difference ever saves. For a deeper dive on the selection trade-offs in the Notified Body context, see post 321 in the Notified Body cluster and the efficient combined-audit playbook.

Reality Check. Where do you stand?

  1. Have you pulled your candidate body's NANDO entry and confirmed its MDR designation covers your device codes?
  2. Have you confirmed the same body's ISO 13485 certification accreditation under IAF MD 9 covers your technical codes?
  3. Have you asked for realistic queue time from contract to certificate, with recent examples?
  4. Have you asked for the audit team's experience in your device area and done at least two reference calls?
  5. Have you confirmed in writing that the body will run a dual-purpose audit against EN ISO 13485:2016+A11:2021 and MDR Annex IX in a single site visit?
  6. Is the contract explicit about which scope produces which output and which certificate?
  7. If you are choosing a pure ISO 13485 certification body because you only need the credential, have you documented why a standalone certificate is sufficient for your MDR path?

Any "not yet" is where the work is.

Frequently Asked Questions

Is an ISO 13485 certification body the same as an MDR Notified Body? No. An ISO 13485 certification body is accredited under ISO/IEC 17021-1 with the sectoral rules of IAF MD 9 to audit QMSs against ISO 13485 and issue certificates. An MDR Notified Body is designated under MDR Article 42 to perform conformity assessment for specific device codes. The two roles are often held by the same parent organisation under different scopes, but the legal authority is different and the scopes are not interchangeable.

Can any accredited body issue the certificate I need for MDR conformity? No. For devices that need Notified Body involvement under the MDR classification rules, the QMS audit has to be performed by a Notified Body designated for the relevant device codes. A certificate from an accredited certification body that is not an MDR Notified Body counts as an ISO 13485 quality credential but does not feed the Annex IX conformity assessment.

What is IAF MD 9 and why does it matter? IAF MD 9 is the International Accreditation Forum mandatory document that applies ISO/IEC 17021-1 to medical device QMS certification against ISO 13485. It defines technical codes for different medical device sectors and auditor competence requirements. A body whose IAF MD 9 scope does not cover your device type cannot run a competent audit of your QMS.

Can I use the same audit for ISO 13485 and MDR Annex IX? Yes, and in most cases you should. An MDR Notified Body that also holds ISO 13485 certification accreditation can run a single dual-purpose audit where the QMS is assessed against both EN ISO 13485:2016+A11:2021 and the MDR Annex IX Section 2 requirements in the same site visit. This is the efficient approach and avoids duplicate preparation.

How do I know if a body is an MDR Notified Body for my device? Check the NANDO database on the European Commission website. Search for the body and look at its MDR designation scope, which lists the MDA and MDN codes it is authorised to cover. If your device code is not on the list, the body cannot serve as your MDR Notified Body regardless of what its sales team says.

Is it ever sensible to split ISO 13485 certification and MDR assessment between two bodies? Only in narrow cases. For example, when a company needs an ISO 13485 credential fast for commercial reasons and the chosen MDR Notified Body has a long queue. The interim certificate is then a bridge. For the main MDR conformity assessment, splitting the two doubles the disruption and is not recommended.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 8 (use of harmonised standards), Article 10(9) (quality management system obligation), Article 42 (designation of Notified Bodies), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation, Section 2). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. The harmonised standard providing presumption of conformity with MDR Article 10(9).
  3. IAF MD 9. IAF Mandatory Document for the Application of ISO/IEC 17021-1 in the Field of Medical Device Quality Management Systems (ISO 13485). International Accreditation Forum.
  4. NANDO database. New Approach Notified and Designated Organisations, European Commission, listing Notified Bodies designated under Regulation (EU) 2017/745 with their designation scopes.

This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. The certification body is who verifies the tool. Choose the one that can serve both the standard and the Regulation in a single audit.