---
title: Why MDR Requires a Medical Device-Specific QMS: ISO 13485 vs. ISO 9001
description: ISO 9001 is a general quality management standard. ISO 13485 is medical device-specific. Here is why MDR effectively requires the latter, and what the differences actually are.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: ISO 13485 vs ISO 9001 MDR
canonical_url: https://zechmeister-solutions.com/en/blog/iso-13485-vs-iso-9001
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Why MDR Requires a Medical Device-Specific QMS: ISO 13485 vs. ISO 9001

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **ISO 9001 is the general quality management standard for any industry. EN ISO 13485:2016+A11:2021 is the medical device-specific QMS standard that, under MDR Article 8, provides presumption of conformity with the QMS obligation in MDR Article 10(9). A QMS built to ISO 9001 alone does not satisfy MDR requirements, because it lacks the medical device-specific elements Article 10(9) and Annex IX require: a regulatory compliance strategy, risk-based thinking tied to EN ISO 14971, design controls appropriate for medical devices, documented procedures where the Regulation mandates them, device traceability, and the structural link to post-market surveillance and vigilance. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool that gets you there. ISO 9001 is a different tool for a different purpose.**

**Last updated 10 April 2026.**

---

## TL;DR

- ISO 9001 is the generic quality management standard applicable to any organisation in any industry. ISO 13485 is the QMS standard specific to medical devices.
- Under MDR Article 8, only harmonised standards whose references are published in the Official Journal provide presumption of conformity. EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS. ISO 9001 is not.
- ISO 13485 adds medical device-specific requirements that ISO 9001 does not contain: regulatory compliance strategy, explicit risk-based approach across the product lifecycle, design and development controls for medical devices, documented procedures where the Regulation requires them, and device-level traceability.
- A QMS built only to ISO 9001 will fail a Notified Body audit under MDR Annex IX because it will miss medical device-specific aspects that MDR Article 10(9) names at a minimum.
- Transitioning a pure ISO 9001 QMS to EN ISO 13485:2016+A11:2021 is possible and sometimes efficient, but it is not a cosmetic relabelling. It is a real gap analysis against the medical device additions.

---

## Why this question comes up at all

The question "do I really need ISO 13485 or can I get away with ISO 9001?" comes up more often than it should. It shows up in three situations. The first is a company that already holds an ISO 9001 certificate from a previous business line and is now entering medical devices. The second is a founder who has read that "ISO 13485 is based on ISO 9001" and reasonably assumes the standards are interchangeable. The third is a founder reading the MDR text, noticing that Article 10(9) does not mention ISO 13485 by name, and concluding that any QMS standard should work.

All three readings land on the same wrong answer. The reason they are wrong is not that ISO 9001 is a bad standard — it is a perfectly good standard for its purpose. The reason they are wrong is that the MDR, through Article 8 and the harmonisation mechanism, gives a specific standard a specific legal effect, and that standard is EN ISO 13485:2016+A11:2021, not ISO 9001.

Getting this clear at the start of a QMS project saves the rework later. Building the wrong QMS and then converting it is more painful than building the right QMS once.

## MDR Article 10(9) — the legal anchor

Before comparing standards, fix the legal source. The QMS obligation under the MDR comes from Article 10(9) of Regulation (EU) 2017/745. The paragraph requires manufacturers of medical devices to establish, document, implement, maintain, keep up to date, and continually improve a quality management system that ensures compliance with the Regulation in the most effective manner and in a manner proportionate to the risk class and type of device. The paragraph then lists the aspects the QMS must address at a minimum — regulatory compliance strategy, general safety and performance requirements identification, management responsibility, resource management including supplier control, risk management per Annex I Section 3, clinical evaluation including post-market clinical follow-up, product realisation, UDI verification, post-market surveillance, communication with authorities, vigilance reporting, CAPA, and monitoring and measurement. (Regulation (EU) 2017/745, Article 10, paragraph 9.)

Read that list with ISO 9001 in mind. Several of those aspects have no ISO 9001 counterpart at all. Regulatory compliance strategy. Risk management per Annex I. Clinical evaluation. UDI verification. Post-market surveillance. Vigilance. These are medical device obligations. A generic quality management standard does not address them.

For the full Article 10(9) walk-through and the Annex IX assessment route, see post 278 on MDR Article 10(9) and Annex IX QMS requirements.

## How ISO 13485 provides presumption of conformity — MDR Article 8

Under MDR Article 8, compliance with a harmonised standard whose reference has been published in the Official Journal of the European Union gives presumption of conformity with the corresponding MDR requirements that the standard covers. The harmonisation mechanism is what turns an industry standard into a regulatory tool.

EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS under the MDR. When a manufacturer's QMS conforms to the standard, the Notified Body and the competent authorities presume — unless there is evidence to the contrary — that the QMS satisfies the corresponding Article 10(9) obligations. The "Z annexes" in EN ISO 13485:2016+A11:2021 map the standard's clauses against the MDR requirements they address, so the manufacturer can see exactly which obligations are covered and which gaps remain.

ISO 9001 is not harmonised under the MDR. A QMS conforming to ISO 9001 does not carry any presumption of conformity with MDR Article 10(9). A Notified Body assessing such a QMS under Annex IX has no shortcut — it has to verify each Article 10(9) aspect from first principles, and it will find gaps, because ISO 9001 does not address several of those aspects at all.

This is the core of the answer. EN ISO 13485:2016+A11:2021 is not "better" than ISO 9001 in some abstract sense. It is the one with the legal effect the MDR grants.

## The specific medical device additions ISO 13485 has that ISO 9001 does not

This is the comparison that clarifies everything. The two standards share a common ancestry — ISO 13485 was historically aligned with earlier ISO 9001 structures — but ISO 13485 adds a set of medical device-specific requirements that ISO 9001 does not contain. Here are the additions that matter most under the MDR.

**A regulatory compliance strategy.** ISO 13485 requires the manufacturer to document its approach to meeting applicable regulatory requirements. The QMS is not just about producing consistent products; it is about producing products that comply with the regulatory framework in each market where they are placed. ISO 9001 contains no equivalent concept. The MDR, through Article 10(9), requires exactly this.

**A risk-based approach across the product lifecycle.** ISO 13485 requires risk management to be applied throughout product realisation, from design inputs through production, servicing, and post-market activities, and it links explicitly to a separate risk management standard (EN ISO 14971:2019+A11:2021) for the methodology. ISO 9001 uses "risk-based thinking" in a much narrower sense — assessing risks to the quality management system itself, not hazards to patients and users from the device. The MDR, through Article 10(9) and Annex I Section 3, requires medical device risk management, not generic QMS risk-based thinking.

**Design and development controls appropriate for medical devices.** ISO 13485 requires a formal, documented design and development process with planning, inputs, outputs, review, verification, validation, transfer, and change control — all at a depth appropriate for devices whose failure can harm patients. ISO 9001 contains design and development requirements, but at a less prescriptive level and without medical device-specific expectations like design verification against user needs, design validation in the use environment, or a design history file equivalent. The MDR requires the former.

**Documented procedures where the Regulation mandates them.** ISO 13485 requires documented procedures for specific processes — document control, record control, internal audits, control of non-conforming product, CAPA, and several others — because medical device regulators expect to audit the documented procedures against the actual operations. ISO 9001, by contrast, moved away from mandatory documented procedures in its 2015 revision, giving organisations flexibility to define the level of documentation they need. That flexibility is not appropriate for a regulated industry where the Notified Body expects to see documented procedures. ISO 13485 kept the documented procedure requirements precisely because the medical device regulatory framework depends on them.

**Device traceability.** ISO 13485 requires traceability at the device level, including for implants at the individual unit level, and links to identification and traceability requirements the MDR reinforces through UDI under Articles 27 and 29. ISO 9001 requires identification and traceability only "where appropriate" and does not specify device-level or unit-level traceability. For medical devices under the MDR, traceability is not optional and is not "where appropriate" — it is a structural obligation.

**The structural link to PMS, vigilance, and regulatory reporting.** ISO 13485 contains clauses on feedback, complaint handling, reporting to regulatory authorities, advisory notices, and post-market surveillance activities. ISO 9001 contains customer satisfaction and complaint handling in a much more general form, without the regulatory reporting dimension. The MDR, through Articles 83 to 92, requires an active PMS system, vigilance reporting within specific timelines, and communication with competent authorities — and Article 10(9) names these explicitly as required QMS aspects.

These are not minor additions. They are the parts of the QMS that a Notified Body assessing a medical device manufacturer will look at first. An ISO 9001 QMS, by design, does not cover them.

## Why a pure ISO 9001 QMS fails an MDR audit

Put the two points together. The MDR requires a QMS that covers the Article 10(9) aspects at a depth proportionate to the device. A Notified Body, under the Annex IX route, assesses that QMS against the MDR obligations. EN ISO 13485:2016+A11:2021 provides presumption of conformity. ISO 9001 does not.

Now imagine a startup walking into a Notified Body audit with an ISO 9001 certificate and no EN ISO 13485:2016+A11:2021 work done. What does the auditor see?

The auditor sees a QMS that has document control, management review, internal audits, and customer feedback — all useful, all present. The auditor also sees no documented regulatory compliance strategy, no integrated medical device risk management linked to EN ISO 14971:2019+A11:2021, no design and development process sized for medical devices, no structured PMS system under MDR Article 83, no vigilance reporting procedures under Articles 87 to 92, no PRRC process under Article 15, and no UDI verification process under Articles 27 and 29. Each one of those absences is a non-conformity against MDR Article 10(9). Collectively, they are structural.

The audit does not fail because ISO 9001 is a bad standard. It fails because ISO 9001 is a standard for a different purpose. A certificate in the wrong standard is not a partial certificate in the right one. It is evidence of a different QMS that happens to have some overlapping processes.

## The transition path from ISO 9001 to ISO 13485

For a company that already holds an ISO 9001 certificate and is entering medical devices, the transition to EN ISO 13485:2016+A11:2021 is possible and sometimes efficient, but it is not cosmetic. It is a real gap analysis against the medical device additions, and it typically breaks into four moves.

**Move one: map the existing QMS against the EN ISO 13485:2016+A11:2021 structure.** Identify which clauses are already covered by the existing ISO 9001 QMS (document control, management review, internal audits, some CAPA, some supplier control) and which are not. The overlap is real but partial.

**Move two: build the medical device-specific processes that do not exist.** Regulatory compliance strategy, medical device risk management linked to EN ISO 14971:2019+A11:2021, design and development controls at medical device depth, device traceability, PMS system under MDR Article 83, vigilance under Articles 87 to 92, PRRC under Article 15, and UDI verification under Articles 27 and 29. These are additions, not modifications.

**Move three: tighten the documented procedures.** Where the ISO 9001 QMS delegated documentation to "as appropriate," tighten to the level the medical device regulatory framework expects. This is where many transition projects underestimate the work — the documentation discipline in medical devices is stricter than ISO 9001 allows for.

**Move four: audit against MDR Article 10(9) directly, not just against the standard.** After the standard gap is closed, check the MDR gap separately. EN ISO 13485:2016+A11:2021 does not perfectly cover every MDR requirement; the Z annexes show where the coverage is and is not. Close the residual gaps deliberately. For the gap walkthrough, see post 320 on the Z annexes and MDR gaps and post 327 on ISO 13485 certification for MedTech startups.

A clean transition, done properly, takes months, not weeks. A company that tries to treat it as a relabelling exercise will fail the Notified Body audit and have to redo the work. For a lean build-from-scratch alternative, see posts 280 and 281 on building a lean QMS and the minimum viable QMS.

## The Subtract to Ship angle

The Subtract to Ship framework applied to this question produces a clean rule. Do not add work that does not contribute to MDR compliance. Do not carry forward an ISO 9001 QMS that only partially applies and hope the overlap is enough. Decide cleanly which standard governs the QMS — EN ISO 13485:2016+A11:2021 for medical devices — and build the QMS against the MDR through that standard. Every process in the QMS should trace to an Article 10(9) aspect. Every clause of the standard applied should close a gap against the Regulation. Nothing decorative. Nothing aspirational. Nothing carried over from a previous business because "we already had it."

For a company with an existing ISO 9001 QMS, this rule means two things. First, keep the parts that genuinely satisfy Article 10(9) aspects and can be defended in an audit. Second, cut the parts that do not apply and build the medical device-specific processes that are missing. The result is not a bigger QMS than a build-from-scratch. It is a proportionate QMS that happens to have some lineage in the previous ISO 9001 work.

For a company without an existing ISO 9001 QMS, the rule is simpler. Start at EN ISO 13485:2016+A11:2021, build against Article 10(9), and never look at ISO 9001 at all.

## Reality Check — Where do you stand?

1. Can you state, in one sentence, why EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS under the MDR and ISO 9001 is not?
2. If you currently hold an ISO 9001 certificate, have you done a gap analysis against EN ISO 13485:2016+A11:2021 and against MDR Article 10(9) separately?
3. Do you have a documented regulatory compliance strategy, or is your QMS silent on the regulatory framework?
4. Is your risk management linked to EN ISO 14971:2019+A11:2021 and integrated across design, production, and PMS — or is it generic QMS "risk-based thinking" applied to the management system?
5. Do your design and development controls meet the depth required for medical devices, or are they at a generic ISO 9001 level?
6. Do you have documented procedures where the MDR and EN ISO 13485:2016+A11:2021 require them, not just where "it seems appropriate"?
7. Can you produce a device-level traceability record for any unit of any device you have shipped?
8. Does your QMS include PMS under MDR Article 83, vigilance under Articles 87 to 92, PRRC under Article 15, and UDI verification under Articles 27 and 29 as real running processes?

A "not yet" on any of these questions points to the next piece of work.

## Frequently Asked Questions

**Can I use my existing ISO 9001 certificate for MDR compliance?**
Not on its own. ISO 9001 is not a harmonised standard under the MDR, so it does not provide presumption of conformity with MDR Article 10(9). You can keep the parts of an existing ISO 9001 QMS that genuinely satisfy Article 10(9) aspects, but you need to add the medical device-specific processes and align the QMS to EN ISO 13485:2016+A11:2021. A Notified Body will assess your QMS against the MDR, not against ISO 9001.

**Is ISO 13485 legally required by the MDR?**
No. MDR Article 10(9) requires a QMS proportionate to the risk class and type of device. It does not mention any standard by name. EN ISO 13485:2016+A11:2021 is the harmonised standard that, under MDR Article 8, provides presumption of conformity. In practice, it is the efficient path and the one Notified Bodies expect, but the legal obligation is the Regulation itself.

**What are the main differences between ISO 9001 and ISO 13485?**
ISO 13485 adds medical device-specific requirements that ISO 9001 does not contain: a regulatory compliance strategy, an explicit risk-based approach across the product lifecycle tied to medical device risk management, design and development controls appropriate for medical devices, documented procedures where the Regulation requires them, device-level traceability, and structural links to PMS, vigilance, and regulatory reporting. ISO 9001 is a generic standard for any industry; ISO 13485 is specific to medical devices.

**Can a Notified Body certify my QMS to ISO 9001?**
A certification body can issue an ISO 9001 certificate, but an ISO 9001 certificate is not the QMS certificate you need under the MDR. Under the Annex IX route, the Notified Body assesses your QMS against MDR Article 10(9) and issues an MDR QMS certificate. That assessment uses EN ISO 13485:2016+A11:2021 as the reference standard for presumption of conformity. See post 321 on Notified Body QMS certification for the full process.

**How long does the transition from ISO 9001 to ISO 13485 take?**
It depends on the starting QMS and the target device class, but for a typical small company the real work is months, not weeks. The medical device-specific additions — regulatory compliance strategy, medical device risk management, design controls at medical device depth, PMS, vigilance, PRRC, UDI verification — are substantive new processes, not paperwork changes. For a lean build, see post 280 on building a lean QMS for an MDR startup.

## Related reading

- [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) — the pillar post for the Quality Management Under MDR cluster.
- [MDR Article 10(9) and Annex IX: The QMS Requirements Every Startup Must Meet](/blog/mdr-article-10-9-annex-ix-qms-requirements) — the legal anchor this post builds on.
- [How to Build a Lean QMS for an MDR Startup](/blog/build-lean-qms-mdr-startup) — the operational playbook for building the QMS this post describes.
- [The Minimum Viable QMS for a Medical Device Startup](/blog/minimum-viable-qms) — the smallest honest QMS that can still meet Article 10(9) for a Class I device.
- [The Z Annexes: Where ISO 13485 Meets the MDR](/blog/iso-13485-z-annexes-mdr-gaps) — the clause-to-article mapping and where the residual MDR gaps live.
- [ISO 13485 Certification for MedTech Startups](/blog/iso-13485-certification-startups) — the practical certification process for EN ISO 13485:2016+A11:2021.
- [Notified Body QMS Certification Under MDR](/blog/notified-body-qms-certification-mdr) — how the Notified Body assesses and certifies the QMS under Annex IX.
- [The Subtract to Ship Framework for MDR Compliance](/blog/subtract-to-ship-framework-mdr) — the methodology behind the discipline in this post.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 8 (use of harmonised standards), Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. The harmonised standard providing presumption of conformity with MDR Article 10(9) when its clauses are correctly applied.

---

*This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool the Regulation's harmonisation mechanism makes efficient. ISO 9001 is a different tool, for a different purpose, and no amount of diligence on a generic quality standard substitutes for a medical device-specific QMS built against Article 10(9).*

