Market surveillance under MDR is the ongoing oversight activity performed by the Competent Authorities of the Member States to verify that devices placed on the Union market comply with the Regulation, governed by Articles 93 to 100 of Regulation (EU) 2017/745. It is distinct from the Notified Body's conformity assessment role. Where the Notified Body certifies the device before and during its life on the market, the Competent Authority investigates, inspects, and — where necessary — enforces. Article 93 sets the general mandate, Article 94 governs the procedure for devices presenting an unacceptable risk, Article 95 empowers authorities to require corrective measures, and Article 97 addresses non-compliance that does not rise to unacceptable risk. Every manufacturer, including a three-person startup with a single Class I device, is subject to this oversight from day one on the market.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • Market surveillance by Competent Authorities is set out in Chapter VII, Section 3 of Regulation (EU) 2017/745, Articles 93 to 100. It is the regulator-side mirror of the manufacturer's own post-market obligations.
  • Article 93 gives Competent Authorities the mandate to perform appropriate checks on the characteristics and performance of devices, including documentation review, physical examination, and laboratory testing where warranted.
  • Article 94 governs the procedure for devices presenting an unacceptable risk to health or safety. It is the article that activates when an investigation concludes a device must be restricted, withdrawn, or recalled.
  • Article 95 empowers a Competent Authority to require a manufacturer to take corrective measures, and to take them itself where the manufacturer does not act. Article 97 addresses non-compliance short of unacceptable risk.
  • Market surveillance is not vigilance. Vigilance under Articles 87 to 92 is the manufacturer's reporting obligation. Market surveillance under Articles 93 to 100 is the authority's investigation and enforcement obligation. The two systems meet, but they do not substitute for each other.

Why this matters for your startup

For most founders, the Competent Authority is a name on a letterhead — BASG in Austria, BfArM in Germany, ANSM in France, AEMPS in Spain — until the day a letter arrives asking for documentation, or a signal from a hospital triggers an inspection visit, or a market surveillance campaign picks the startup's product category for routine sampling. That is the day the Regulation stops being an abstraction and becomes an inspector at the door with a statutory right to ask questions.

Market surveillance is the part of the MDR that startups consistently under-prepare for. The Notified Body's role is well-understood — it is the audit, it is the certificate, it is the relationship the founder has actually been paying for. The Competent Authority is the other half of the enforcement equation, and for most startups the first direct contact only happens when something has already gone sideways. The purpose of this post is to move that first contact from a crisis to a predictable, manageable interaction.

The CA mandate versus the Notified Body role

The single cleanest distinction to hold in mind is this: the Notified Body certifies; the Competent Authority investigates and enforces. They are not redundant. They operate in parallel, on different legal bases, with different tools.

A Notified Body is a private, designated conformity assessment body. It assesses the manufacturer's QMS and technical documentation under the relevant conformity assessment annexes of the MDR, issues certificates where the assessment passes, and performs surveillance audits during the validity of those certificates. Its authority derives from its designation under MDR Article 42 and flows through contracts with the manufacturer.

A Competent Authority is a public body designated by each Member State under MDR Article 101. Its authority derives from national law implementing the Regulation, and it does not need a contract with the manufacturer to exercise it. Under Article 93, the Competent Authority performs appropriate checks on the conformity characteristics and performance of devices — including documentation review, physical examination, and, where justified, laboratory testing on adequate samples. Article 93(3) empowers the authorities to require economic operators to make available the documentation and information necessary for the purpose of carrying out their activities and, where necessary and justified, to provide samples of devices free of charge.

The two bodies talk to each other. Article 93(4) obliges Member States to review and assess, on a regular basis, the functioning of their surveillance activities, and Articles 95 and 97 both require Competent Authorities to inform the Commission, other Member States, and — where a certificate is involved — the Notified Body that issued it. A Notified Body finding during a surveillance audit can trigger a Competent Authority investigation. A Competent Authority enforcement action can trigger a Notified Body certificate review. The two loops feed each other, and a startup is inside both of them.

Types of inspection a CA can perform

Under the Article 93 mandate, a Competent Authority can run several distinct types of inspection, and a startup should know which is which before one lands.

Documentation review. The authority requests technical documentation, the Declaration of Conformity, the PMS plan and report or PSUR, the risk management file, the clinical evaluation, the vigilance records, and any related QMS evidence. This is the most common first contact and is usually handled through written correspondence.

Unannounced or announced on-site inspection. The authority visits the manufacturer's premises, or an importer's, or a distributor's, to examine records, interview staff, and verify that documented processes actually run. Article 93(3) provides the legal basis. Unannounced inspections are rare for first-time encounters but are not prohibited, particularly where a signal suggests imminent risk.

Product examination and sampling. Under Article 93(3), the authority can require that samples of devices be provided free of charge. The samples can be subject to physical examination, functional testing, or laboratory analysis.

Market surveillance campaigns. Competent Authorities periodically run thematic campaigns in which a class of devices, a specific claim, or a specific risk area is sampled across the market. A startup can be pulled into a campaign not because anything is wrong with its product but because its product category is in scope that year.

Follow-up on vigilance reports. An incident or FSCA reported by the manufacturer under Article 87 triggers an assessment by the Competent Authority under Article 89. That assessment can escalate into a full market surveillance action if the authority concludes the underlying issue is broader than the reported incident.

What triggers an investigation

Investigations are not random in the way some founders imagine. They are triggered by specific signals, and the signals are worth knowing in advance.

A vigilance report under Article 87 is the most common trigger — a serious incident or FSCA filed by the manufacturer itself. A complaint from a clinician, hospital, patient, or competitor routed to the Competent Authority. A flagged finding from a Notified Body surveillance audit. A cross-border referral from another Member State's Competent Authority through the coordinated mechanisms of Articles 95 and 97. A signal from customs authorities at the Union border. A market surveillance campaign that sweeps a device category. Media reporting or academic publications that raise safety concerns. And, increasingly, a signal from real-world data sources and public registries.

What turns a signal into an investigation is the authority's assessment that something specific warrants checking. The authority is not required to have concluded that a problem exists — it is required to exercise its mandate to verify compliance. A first letter asking for documentation is not an accusation. It is the start of a process that the manufacturer is expected to engage with constructively and completely.

The manufacturer's obligations during an investigation

Once an investigation is underway, a startup's obligations are concrete. Article 93(3) and the broader Chapter VII Section 3 framework require cooperation. That means producing requested documentation within the timeline the authority sets, making personnel available for interviews where requested, providing samples where required, and responding to findings in writing with the reasoning, evidence, and corrective actions the authority asks for.

Cooperation does not mean capitulation. The manufacturer retains the right to present its own interpretation of the Regulation, to challenge a finding on the technical merits, and to propose alternative corrective measures where the authority's initial proposal is disproportionate or technically unnecessary. What the manufacturer does not have is the right to delay, to obstruct, or to treat the authority as optional. Every delay becomes part of the record, and every obstruction becomes a separate finding on top of whatever triggered the investigation in the first place.

The PRRC under Article 15 is typically the operational interface with the Competent Authority. For small startups, that is often the same person who is running vigilance, running PMS, and running the QMS. The load concentration is real and is one of the reasons a named backup for the PRRC is not optional.

The difference from a vigilance event

A vigilance event and a market surveillance event can look similar from inside a small company, but they are legally distinct and should not be handled with the same playbook.

A vigilance event is a manufacturer-initiated report under Article 87, driven by a serious incident or FSCA decision. The timeline is set by Article 87(3) — 15 days as the default upper limit, 10 days for a serious public health threat, 2 days for death or unanticipated serious deterioration. The decision to report is the manufacturer's. The clock starts from the manufacturer's awareness of the event. The interpretive reference is MDCG 2023-3 Rev.2, revised January 2025.

A market surveillance action is authority-initiated under Articles 93 to 100. The timeline is set by the authority, not the manufacturer. The scope is set by the authority. The cooperation obligation runs throughout. An authority-initiated action can follow a manufacturer-initiated vigilance report — that is how Article 89 assessments often escalate — but it can also arrive cold, with no prior vigilance event, based on a third-party signal. The two systems meet but they are not the same, and the manufacturer's playbook for each is different.

For the vigilance side, see what is vigilance under MDR. For the specific case of a Competent Authority's analysis of a vigilance report, see MDR Article 89: how competent authorities assess serious incidents.

Where an investigation concludes that something is wrong, the Regulation provides a cascading set of responses.

Article 94 — devices presenting an unacceptable risk. Where a Competent Authority has sufficient reason to consider that a device presents an unacceptable risk to the health or safety of patients, users, or other persons, or to other aspects of the protection of public health, it evaluates the device concerned covering all requirements laid down in the Regulation relevant to the risk. The economic operators concerned cooperate as necessary. Article 94 is the entry point to enforcement and is the article the authority invokes when the signals are serious enough that a formal assessment is opened.

Article 95 — procedure for dealing with devices presenting an unacceptable risk. Where, following the Article 94 evaluation, the Competent Authority finds that the device does present an unacceptable risk, it requires the manufacturer, authorised representative, or other relevant economic operator to take all appropriate and duly justified corrective measures to bring the device into compliance, to restrict the making available on the market, to make its availability subject to specific requirements, to withdraw the device from the market, or to recall it within a reasonable period, clearly defined and communicated to the economic operator concerned. Where the economic operator fails to take adequate corrective measures within the period specified, the Competent Authority takes all appropriate provisional measures itself.

Article 97 — non-compliance short of unacceptable risk. Where a Competent Authority makes a finding that a device is not in compliance with the Regulation but does not present an unacceptable risk, it requires the relevant economic operator to put an end to the non-compliance concerned within a reasonable period that is clearly defined and communicated to the economic operator. Where the economic operator fails to put an end to the non-compliance, the Competent Authority takes all appropriate measures to restrict or prohibit the device being made available on the market, or to ensure that it is recalled or withdrawn from the market.

Articles 98, 99, and 100 round out the framework with provisions on preventive health protection measures, good administrative practice, and the Union-level information system that ties the national authorities together so that a finding in one Member State triggers a coordinated response across the others.

For a deeper walkthrough of the Article 94 evaluation mechanics and how it interacts with a manufacturer-initiated recall, see MDR Article 94 and devices presenting unacceptable risk and the companion piece on recalls under MDR.

What startups should keep ready

The operational takeaway from Articles 93 to 100 is that a Competent Authority contact should find a manufacturer that is already prepared, not one that starts preparing on receipt of the first letter. The specific artefacts that should be retrievable within the timeline an authority typically sets are these.

The current technical documentation package in the structure required by Annex II and Annex III. The current Declaration of Conformity. The current PMS plan, the most recent PMS Report under Article 85 or PSUR under Article 86, and the PMCF plan or its documented non-applicability justification. The vigilance decision log for the last twelve to twenty-four months, including every classification call and its reasoning. The risk management file in its current revision under EN ISO 14971:2019 + A11:2021. The QMS records relevant to the specific inquiry under EN ISO 13485:2016 + A11:2021 — CAPA, complaints, training, supplier controls, design controls. The Declaration of Conformity, UDI assignments, and the EUDAMED registrations where applicable. The contact details of the PRRC under Article 15 and the backup. And the contract framework with distributors and importers that names the obligations on each economic operator when the authority asks for distribution chain data.

If any of those cannot be produced within a reasonable period after an authority request, the production gap is itself a finding. The Subtract to Ship rule is to keep this list short, keep each item traceable to a specific Regulation reference, and keep each item retrievable rather than comprehensive. A lean folder that the team actually maintains beats a vast folder that nobody opens.

The Subtract to Ship angle

The Subtract to Ship framework for MDR applied to Competent Authority readiness produces a short rule: build the minimum set of retrievable artefacts that satisfies Articles 93 to 100, and keep them current. The temptation is to over-build the readiness folder — to prepare for every hypothetical question an authority could possibly ask. That is exactly the kind of speculative work the framework cuts.

The test is the same test applied elsewhere in the methodology. For every artefact in the readiness folder, name the specific article, annex, or MDCG guidance that requires it. If the trace is clean, the artefact stays. If not, it comes out. The result is short enough that a three-person team can keep it current without drowning.

What the minimum readiness folder does not include: decorative cover pages, dashboards no one reads, copies of the Regulation itself, speculative risk analyses of hazards that do not apply, and templates imported from other companies that were never adapted to the actual product. Every one of those is subtraction bait. The Competent Authority does not want volume. It wants the current, accurate, article-traced evidence that the Regulation has been followed.

Reality Check — Where do you stand?

  1. If a Competent Authority letter arrived tomorrow asking for the current technical documentation, the PMS report, and the vigilance log for the last twelve months, how long would it take you to assemble the package, and how confident would you be in the completeness?
  2. Does your team understand the difference between a vigilance event under Articles 87 to 92 and a market surveillance action under Articles 93 to 100, and do you have distinct playbooks for each?
  3. Can you name the Competent Authority of the Member State in which your device was first placed on the market, and do you have a current contact pathway to it?
  4. Is the PRRC under Article 15 reachable on short notice, and is there a named backup who can respond within the same timeframe?
  5. Have you read Articles 93, 94, 95, and 97 in full, or have you only encountered them second-hand?
  6. Does your distribution and import contract framework spell out each economic operator's cooperation obligations in the event of a Competent Authority inquiry?
  7. When was the last time you ran a dry-run of a Competent Authority document request — a simulated inquiry pushed through the full response pathway within the kind of timeline an authority typically sets?

Frequently Asked Questions

What is market surveillance under MDR in one sentence? Market surveillance under MDR is the oversight activity performed by the Competent Authorities of the Member States to verify that devices placed on the Union market comply with the Regulation, set out in Articles 93 to 100 of Regulation (EU) 2017/745.

Who performs market surveillance — the Notified Body or the Competent Authority? The Competent Authority. Notified Bodies perform conformity assessment and surveillance audits under their designation. Competent Authorities perform market surveillance under their statutory mandate in Chapter VII Section 3 of the Regulation. The two bodies exchange information but the enforcement mandate sits with the Competent Authority.

What happens when a Competent Authority decides a device presents an unacceptable risk? Under Article 94 the authority evaluates the device, and under Article 95 it requires the manufacturer to take corrective measures — bringing the device into compliance, restricting availability, withdrawing it, or recalling it within a reasonable period. Where the manufacturer does not act, the authority takes the measures itself.

What is the difference between Article 95 and Article 97? Article 95 applies where the device presents an unacceptable risk to health or safety. Article 97 applies where the device is non-compliant with the Regulation but does not present an unacceptable risk. Both articles empower the authority to require corrective measures, but the threshold and the severity of the available enforcement tools differ.

Does a Class I startup really have to prepare for a Competent Authority inspection? Yes. Articles 93 to 100 apply to every manufacturer of every class of device placed on the Union market. There is no small-company exemption and no class-based exemption. The risk-proportionate obligations of Articles 10 and 83 feed into what the authority expects to see, but the right to perform checks under Article 93 applies from day one on the market.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 87 (reporting of serious incidents and FSCAs), Article 89 (analysis of serious incidents and FSCAs), Article 93 (market surveillance activities), Article 94 (evaluation of devices suspected of presenting an unacceptable risk or other non-compliance), Article 95 (procedure for dealing with devices presenting an unacceptable risk to health and safety), Article 96 (other non-compliance), Article 97 (other non-compliance), Article 98 (preventive health protection measures), Article 99 (good administrative practice), Article 100 (Union market surveillance information system). Official Journal L 117, 5.5.2017.
  2. MDCG 2023-3 Rev.2 — Questions and Answers on vigilance terms and concepts as outlined in Regulation (EU) 2017/745 and Regulation (EU) 2017/746, first publication February 2023, Revision 2 January 2025.
  3. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
  4. EN ISO 14971:2019 + A11:2021 — Medical devices — Application of risk management to medical devices.

This post is part of the Post-Market Surveillance & Vigilance series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Market surveillance is the half of the enforcement equation most startups only meet in a crisis — which is exactly why building a short, article-traced readiness folder before the first letter arrives is one of the highest-leverage acts of regulatory hygiene a small team can perform.