---
title: Legal Considerations for MedTech Startups Under MDR
description: Contracts, IP, and liability allocation for MedTech startups: the legal essentials that connect MDR obligations to commercial agreements.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: legal considerations MedTech startup MDR
canonical_url: https://zechmeister-solutions.com/en/blog/legal-considerations-medtech-startups
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Legal Considerations for MedTech Startups Under MDR

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Every MedTech startup needs a set of contracts that do two jobs at once: they allocate commercial risk like any normal business agreement, and they allocate regulatory responsibility under MDR. The five essential contracts are the Authorized Representative mandate, the contract manufacturer agreement, the supplier quality agreement, the distributor agreement, and the PRRC engagement. Get these wrong and the notified body, not just your lawyer, will notice.**

## TL;DR
- MDR Article 10 places general obligations on the manufacturer that cannot be contracted away, but many of the operational tasks can be delegated through written agreements.
- MDR Article 11 requires a written mandate between the manufacturer and the Authorized Representative, with specific minimum content defined by the regulation.
- MDR Articles 13 and 14 allocate specific verification obligations to importers and distributors. Your distributor contracts need to account for this.
- MDR Article 10(16) liability (financial coverage) is not transferable to a contract manufacturer, even if the CMO causes the defect.
- Supplier Quality Agreements (SQAs) are how EN ISO 13485:2016+A11:2021 clause 7.4 gets operationalized. Without them, suppliers are a finding waiting to happen.
- IP in MedTech startups often sits awkwardly across founders, research institutions, contract developers, and CMOs. Carve-outs and assignment clauses matter more here than in pure software.

## Why MedTech legal work is different

In a software startup, contracts are mostly about commercial risk: revenue, IP ownership, indemnification, limitation of liability. In MedTech, contracts carry a second layer: they are the legal scaffolding that makes MDR compliance work in practice. Your notified body will read your contracts. Your competent authority can ask for them during market surveillance. The distribution of responsibilities between you, your contract manufacturer, your Authorized Representative, your distributors, and your Person Responsible for Regulatory Compliance (PRRC) must be unambiguous on paper, because when something goes wrong, "we assumed they were handling it" is not a defense.

Tibor has audited startups where the founder confidently told him the contract manufacturer handled process validation, only for the contract itself to say nothing of the sort. That is not just a commercial gap. It is a non-conformity against ISO 13485 clause 7.4 and against the manufacturer's obligations under MDR Article 10.

Felix has watched startups lose months because founder IP was still held by a university tech transfer office, or because a contract developer had not signed an assignment agreement, making a fundraise impossible and a notified body audit uncomfortable.

The legal work is not glamorous. But it is load-bearing.

## What MDR actually says about legal allocation

**MDR Article 10** sets out the general obligations of manufacturers. These include ensuring devices are designed and manufactured in accordance with MDR, establishing a risk management system, drawing up technical documentation, running a QMS, conducting clinical evaluation, ensuring post-market surveillance, and maintaining financial coverage (Article 10(16)). Article 10 obligations ultimately sit with the manufacturer. A startup cannot contract them away to a CMO or a consultant. But it can, and must, use contracts to ensure its counterparties perform the operational tasks it is delegating.

**MDR Article 11** (Authorized Representative) requires any manufacturer not established in the EU to designate an Authorized Representative through a written mandate. Article 11 lists the minimum content the mandate must cover, including tasks like verifying the EU Declaration of Conformity and technical documentation, keeping them available for competent authorities, cooperating on corrective actions, and immediately informing the manufacturer of complaints and reports from healthcare professionals. For EU-based startups this is not relevant. For non-EU startups selling into the EU, a compliant mandate is a hard requirement.

**MDR Article 13** sets out importer obligations: verifying that the device bears the CE mark, that an EU Declaration of Conformity has been drawn up, that the manufacturer is identified and has designated an AR where required, that the device is labeled correctly, and that UDI has been assigned. **MDR Article 14** does the same for distributors with a somewhat lighter verification scope. These are statutory duties, but the commercial contracts with importers and distributors should explicitly reference them so everyone knows who is doing what.

**MDR Article 15** (Person Responsible for Regulatory Compliance) requires manufacturers to have at least one person with the defined qualifications permanently and continuously at their disposal. For micro and small enterprises, the PRRC may be external but must still be permanently and continuously available. The relationship with an external PRRC must be documented in a contract that reflects the permanence and continuity Article 15 requires.

**EN ISO 13485:2016+A11:2021 clause 7.4** (Purchasing) requires documented controls for suppliers commensurate with the effect of the purchased product on the final device. In practice, this is implemented through Supplier Quality Agreements that define quality responsibilities, change notification, audit rights, and nonconformity handling.

## A worked example

A German-based startup developing a Class IIa wearable device is 12 months from CE marking. They are designing the product in-house, but they have outsourced:
- Hardware manufacturing to a Polish electronics contract manufacturer
- Sterile packaging to a Czech packaging house
- Mobile app development to a Portuguese software studio (ended three months ago)
- EU representation is not needed (they are in Germany)
- PRRC is an external consultant working 10 hours per week under a service agreement

Here is the legal stack they need in place before their notified body stage 2 audit:

**Contract 1. Polish CMO Manufacturing and Supply Agreement.** Commercial terms: price, volumes, delivery, payment. Regulatory annex: scope of manufacturing steps, process validation responsibilities, change control, CAPA participation, audit rights, complaint investigation cooperation, post-market surveillance data sharing, UDI marking responsibility, liability allocation (which flows back to Article 10(16): the startup retains ultimate product liability toward patients regardless of what the CMO contract says).

**Contract 2. Czech packaging SQA.** Supplier Quality Agreement covering change notification, incoming inspection criteria, nonconformity handling, and audit rights under ISO 13485 clause 7.4.

**Contract 3. Portuguese software studio IP assignment.** Because the relationship has ended, they need to confirm all code, documentation, and design artifacts are unambiguously assigned. Gap found: the original work-for-hire contract did not include moral rights waivers or specific assignment of software IP. They fix this with a post-hoc assignment agreement before the audit, because a notified body will ask about the source of software components per EN 62304.

**Contract 4. PRRC Services Agreement.** Documents the consultant's Article 15 qualifications, the scope of PRRC duties, the minimum availability commitment (to reflect "permanently and continuously at their disposal"), termination notice period, and obligations on handover of records.

**Contract 5. Distributor agreements (not signed yet).** Templates ready for signing after CE mark, referencing the distributor's Article 14 verification duties explicitly.

## The Subtract to Ship playbook

**Step 1. Map your regulatory counterparties.** Before you draft a single contract, list every external party that touches your device: contract manufacturers, suppliers of critical components, software subcontractors, sterilization services, AR (if non-EU), PRRC (if external), distributors, importers. For each, note the MDR article that defines their role.

**Step 2. Build a contract register.** One document listing every contract, its parties, its MDR anchor, its expiry date, and its owner inside your company. This is also what your notified body will ask to see.

**Step 3. Do not use generic templates unedited.** Off-the-shelf SaaS or manufacturing templates do not account for MDR. Either work with a lawyer who has done MedTech before, or use MedTech-specific templates as a starting point and have them reviewed.

**Step 4. Lock down IP early.** Every founder, every employee, every contractor, every intern needs a signed IP assignment. University spinouts need to resolve tech transfer terms before the first fundraise. Software contractors need specific assignment of software IP, not just "work for hire" language. Open source components need licensing review (which comes back in EN 62304 SOUP handling).

**Step 5. Write supplier quality agreements before you ship, not after.** SQAs are not a formality. They define what the supplier will do if you have a recall, a CAPA, or a notified body audit finding. Without one, you are improvising in a crisis.

**Step 6. Review annually.** Contracts drift. Companies get acquired. Scope changes. Your contract register should be reviewed every year as part of the QMS management review.

## Reality Check

1. Can you list every external party that touches your device, and name the MDR article that defines their role?
2. Do you have a signed IP assignment from every founder, employee, and contractor who has ever touched the product?
3. Does your CMO contract explicitly address process validation, change control, CAPA cooperation, and audit rights?
4. Do you have a Supplier Quality Agreement with every critical supplier, or just purchase orders?
5. If you are non-EU, does your Authorized Representative mandate include every item required by MDR Article 11?
6. Is your external PRRC engagement documented in a way that demonstrates "permanently and continuously at their disposal" per Article 15?
7. Have your distributor templates been updated to explicitly reference Article 14 verification obligations?
8. Do you know where your contracts are stored and who can produce them in 24 hours if a notified body asks?

## Frequently Asked Questions

**Can I transfer product liability to my contract manufacturer?**
No. MDR Article 10(16) financial coverage obligations sit with the legal manufacturer regardless of what your CMO contract says. You can allocate commercial risk between you and the CMO through indemnification and insurance clauses, but liability toward patients and regulators remains with you.

**Do I need a lawyer for every contract?**
No. But you need a lawyer for the first version of each template, and for any high-value or high-risk deal. Once you have MedTech-specific templates reviewed by competent counsel, you can use them repeatedly with minor adjustments and escalate only the unusual cases.

**What happens if I start selling without a Supplier Quality Agreement in place?**
It is a classic ISO 13485 clause 7.4 nonconformity during audit. It is also a practical risk: when a supplier makes a change you did not know about, you will not find out until something goes wrong in the field.

**Is a letter of intent enough with a contract manufacturer?**
No. LOIs cover commercial terms at a high level. They do not create the regulatory accountability that MDR Article 10 and ISO 13485 clause 7.4 require. You need a signed Manufacturing and Supply Agreement or equivalent before scale-up manufacturing.

**How do I handle IP from a university spinout?**
Resolve it before the first external fundraise and well before any notified body audit. Tech transfer offices have standard licenses, but the terms vary wildly. Specialist legal advice is worth the money here because mistakes are very expensive to unwind.

**Does the PRRC need an employment contract, or can they be a consultant?**
MDR Article 15 allows external PRRCs for micro and small enterprises, but requires they be "permanently and continuously" at the manufacturer's disposal. A consulting contract can satisfy this if the scope, availability, and notice periods genuinely reflect permanent availability. A one-day-per-month retainer usually does not.

## Related reading
- [Authorized Representatives](/blog/authorized-representatives) – the specific content required in an Article 11 mandate.
- [MDR importers and distributors](/blog/mdr-importers-distributors) – how to allocate Article 13 and 14 duties in distributor contracts.
- [Working with CMOs under MDR](/blog/working-with-cmos-mdr-startup) – what belongs in a Manufacturing and Supply Agreement.
- [Supplier qualification under MDR and ISO 13485](/blog/supplier-qualification-mdr-iso-13485) – the quality system context for SQAs.
- [Outsourced processes and contract manufacturers](/blog/outsourced-processes-contract-manufacturers) – ISO 13485 clause 4.1.5 and how to document control of outsourced processes.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 11, 13, 14, 15.
2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes, clauses 4.1.5 and 7.4.
3. Council Directive 85/374/EEC on liability for defective products, as amended.

---

*This post is part of the [Team Building, Operations & Scaling](https://zechmeister-solutions.com/en/blog/category/team-operations) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
