MDR Article 10(9) is the legal obligation: every manufacturer must establish, document, implement, maintain, keep up to date, and continually improve a quality management system that ensures compliance with Regulation (EU) 2017/745 in the most effective manner and in a manner proportionate to the risk class and type of device. Annex IX Section 2 is the assessment route: when a Notified Body audits a QMS under the full quality management system conformity assessment, it verifies, against the actual operations of the manufacturer, that every aspect required by Article 10(9) is in place and running. EN ISO 13485:2016+A11:2021 is the harmonised standard that, when correctly applied, provides presumption of conformity with the Article 10(9) obligation. The Regulation is the law. Annex IX is how the law is checked. The standard is the tool.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • Article 10(9) is the legal source of the QMS obligation in the MDR. Everything else — ISO 13485, Annex IX, the Notified Body's audit plan — is downstream of those thirteen lines of legal text.
  • Article 10(9) names the QMS aspects that must be covered at a minimum. A QMS that misses any of them is non-compliant with the Regulation, regardless of how well it follows EN ISO 13485:2016+A11:2021.
  • Annex IX Section 2 is the specific assessment route where the Notified Body audits the QMS itself (not only the technical documentation). It applies to most Class IIa, IIb, and III devices following the full QMS route.
  • "Proportionate to the risk class and type of device" is not a loophole. It is the Regulation's own instruction to size the QMS against the device, not against a template.
  • EN ISO 13485:2016+A11:2021 is the harmonised standard that gives presumption of conformity under MDR Article 8. It is the efficient path, not the legal path.
  • The three most common misreadings are treating the standard as the law, over-scoping a small-company QMS to a large-company structure, and under-scoping by skipping aspects Article 10(9) lists explicitly.

Two teams, two readings of the same Regulation

Two small companies. Both building Class IIa devices. Both heading into the full QMS route under Annex IX. One based in Berlin, one in Vienna. Same legal text applied to them, same Notified Body framework, two completely different outcomes.

The Berlin team read the Regulation once, decided "we need ISO 13485," bought a template package, replaced the placeholder company name throughout, and submitted the result. When Tibor later reviewed what they had, the QMS was approximately 0.1 percent aligned with their actual operations. The procedures described a company that did not exist. Every Article 10(9) aspect was technically "present" as a document title. None of them were real.

The Vienna team read Article 10(9) first. They wrote down the aspects it lists, went through each one against how the company actually worked, and only then opened EN ISO 13485:2016+A11:2021 to find the clauses that gave them presumption of conformity with the MDR obligations they had already mapped. The document set was smaller. Every procedure described a real process. When the Notified Body arrived under the Annex IX route, the audit had something to inspect.

The difference was not effort. The difference was the order in which they read the documents. The Regulation first. The standard second. Everything else after that.

Article 10(9) — the exact obligation, decoded

Article 10 of Regulation (EU) 2017/745 lists the general obligations of manufacturers across fourteen paragraphs. Paragraph 9 is the QMS paragraph. Read this paragraph slowly, because nothing else in the QMS conversation makes sense until it is fixed in mind.

Article 10(9) requires manufacturers of medical devices to establish, document, implement, maintain, keep up to date, and continually improve a quality management system that ensures compliance with the Regulation in the most effective manner and in a manner proportionate to the risk class and type of device. The QMS must address, at a minimum, the following aspects:

  • the strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices covered by the system;
  • identification of applicable general safety and performance requirements and exploration of options to address those requirements;
  • responsibility of the management;
  • resource management, including selection and control of suppliers and sub-contractors;
  • risk management as set out in Section 3 of Annex I;
  • clinical evaluation in accordance with Article 61 and Annex XIV, including post-market clinical follow-up;
  • product realisation, including planning, design, development, production and provision of service;
  • verification of the UDI assignments made in accordance with Article 27(3) to all relevant devices and ensuring consistency and validity of information provided in accordance with Article 29;
  • setting up, implementation and maintenance of a post-market surveillance system, in accordance with Article 83;
  • handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders;
  • processes for reporting of serious incidents and field safety corrective actions in the context of vigilance;
  • management of corrective and preventive actions and verification of their effectiveness; and
  • processes for monitoring and measurement of output, data analysis and product improvement.

(Regulation (EU) 2017/745, Article 10, paragraph 9.)

Now decode the three structural moves inside that paragraph.

First move: the verbs. "Establish, document, implement, maintain, keep up to date, and continually improve." Six verbs, each with legal weight. A QMS that is "established" on paper but not implemented fails the verb "implement." A QMS that is implemented today but not maintained fails "maintain." A QMS that is maintained but not updated when the Regulation, the standards, or the device change fails "keep up to date." The Notified Body is checking all six verbs, not just the first one.

Second move: the effectiveness test. "Ensures compliance with this Regulation in the most effective manner." The QMS is not an end in itself. It exists to ensure MDR compliance. Every process in the QMS has to contribute to that outcome, and the Notified Body will look for evidence that the QMS is actually producing compliance, not just documents.

Third move: the proportionality test. "Proportionate to the risk class and type of device." This is the Regulation's own instruction that the QMS must be sized to the device. A Class I non-sterile instrument made by three people does not require the same QMS depth as a Class III implant manufactured at scale. Both QMSs must cover every Article 10(9) aspect. They will look nothing alike in practice.

Everything that follows in this post — Annex IX, EN ISO 13485:2016+A11:2021, the common misreadings — is commentary on those three moves.

The QMS processes Article 10(9) names or implies

Article 10(9) names a set of aspects every QMS must address at a minimum. Map them against the operational processes a startup will actually run, and the picture looks like this.

Management responsibility. Top management defines the quality policy, sets objectives, allocates resources, conducts management reviews, and accepts personal accountability for the QMS. Article 10(9) lists "responsibility of the management" explicitly. For the deeper operational treatment, see post 284 on management responsibility under MDR.

Resource management, including supplier control. People, infrastructure, work environment, suppliers, and sub-contractors. Article 10(9) calls out supplier and sub-contractor selection and control by name. A startup that depends on a contract manufacturer or a sensor supplier must show that the QMS controls that supplier.

Product realisation. Planning, design, development, production, and provision of service. Article 10(9) lists these explicitly. This is where design controls live, where production and process validation live, and where technical documentation under Annex II is generated as a byproduct of the process.

Risk management linkage. Article 10(9) points to Section 3 of Annex I for risk management. The QMS must contain the risk management process and link it to design, verification, validation, production, PMS, and CAPA. EN ISO 14971:2019+A11:2021 is the harmonised standard for this aspect.

Clinical evaluation and post-market clinical follow-up. Article 10(9) refers to Article 61 and Annex XIV. The QMS must include the processes for planning, conducting, updating, and feeding clinical evaluation and PMCF into design and PMS.

Post-market surveillance. Article 10(9) refers to Article 83, which establishes the PMS system as a QMS process. PMS is not a separate system bolted on after launch. It is a process inside the QMS that runs before, during, and after market placement.

Vigilance and communication with authorities. Processes for reporting serious incidents and field safety corrective actions, and for handling communication with competent authorities, Notified Bodies, distributors, and customers.

CAPA and monitoring. Management of corrective and preventive actions, verification of their effectiveness, and processes for monitoring, measurement, data analysis, and product improvement. Article 10(9) lists these as the closing-loop aspects of the system.

UDI verification and information consistency. Article 10(9) requires the QMS to verify UDI assignments under Article 27(3) and ensure consistency of the information provided under Article 29.

PRRC — the named human accountability. Article 15 sits beside Article 10(9) in the startup reading list. Every manufacturer must have at least one Person Responsible for Regulatory Compliance with defined qualifications. Under Article 15(2), micro and small enterprises may have a PRRC permanently and continuously at their disposal rather than employing one internally. The QMS documents who this person is, what their qualifications are, and how they exercise their role inside the quality system.

Each of these aspects also corresponds to clauses of EN ISO 13485:2016+A11:2021. The standard is where the operational detail lives. The Regulation is where the obligation lives.

Annex IX Section 2 — how the Notified Body actually assesses the QMS

Annex IX of the MDR describes the "conformity assessment based on a quality management system and on assessment of technical documentation." It is the full QMS route — the most common route for Class IIa, IIb, and III devices and the one most startups will encounter.

Annex IX is split into sections. Section 1 covers the general principles. Section 2 covers the assessment of the quality management system. Section 3 covers the assessment of the technical documentation. Section 4 covers the surveillance assessment. Section 5 covers the changes to the approved QMS or to the range of devices covered. For a startup facing its first audit, Section 2 is the section to read first.

Annex IX Section 2 requires the manufacturer to lodge an application for conformity assessment with a Notified Body, including a description of the QMS, the procedures in place, the documentation of the QMS, and sufficient information to demonstrate that the QMS meets the MDR requirements. The Notified Body then audits the QMS to determine whether it satisfies the requirements of the Regulation. The audit team must include at least one member with proven experience for the technology concerned. The audit is not a paper review. It is an on-site verification that the documented system actually governs the company's real operations.

Once certified, Annex IX Section 4 requires the Notified Body to conduct surveillance assessments at least annually, to ensure that the certified QMS continues to meet the requirements. Annex IX also requires unannounced on-site audits at the manufacturer's premises and, where appropriate, at the premises of the manufacturer's suppliers and sub-contractors.

This is the structural reason why a template QMS cannot survive Annex IX. A template QMS describes a fictional company. The audit verifies the QMS against the real one. The mismatch is visible within the first hour. There is nowhere to hide.

EN ISO 13485:2016+A11:2021 — the harmonised standard as the tool

Under MDR Article 8, harmonised standards whose references have been published in the Official Journal of the European Union give presumption of conformity with the corresponding MDR requirements when they are correctly applied. EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS. When a manufacturer's QMS conforms to EN ISO 13485:2016+A11:2021, the Notified Body and competent authorities presume — unless there is evidence to the contrary — that the QMS satisfies the corresponding Article 10(9) obligations.

This is the efficient path. It is not the only legally possible path. A manufacturer can, in principle, meet Article 10(9) without using the harmonised standard, by documenting how the QMS meets every MDR requirement from first principles. In practice, no sensible startup does this. The harmonised standard exists to save everyone time.

There are two points where the standard and the Regulation do not perfectly overlap, and every startup must understand them.

First, the harmonised standard does not cover every MDR requirement. The "Z annexes" in EN ISO 13485:2016+A11:2021 map the clauses of the standard against the MDR articles they address. Gaps exist. The manufacturer is responsible for covering the gaps in the QMS even though the standard is silent on them. The most common gaps are around PMS (Article 83), vigilance, and the PRRC (Article 15).

Second, conformity with EN ISO 13485:2016+A11:2021 is not the legal obligation. Conformity is the presumption. A Notified Body finding a non-conformity against the MDR itself — even in a QMS certified to EN ISO 13485:2016+A11:2021 — can still raise a finding against the Regulation. The standard is a tool for meeting the law. The law is the law.

Practically: build the QMS to satisfy Article 10(9). Use EN ISO 13485:2016+A11:2021 as the structural blueprint. Close the MDR-specific gaps explicitly. Document how every QMS process traces back to an Article 10(9) aspect.

How proportionality actually works across risk classes

"Proportionate to the risk class and type of device" is the phrase that allows lean startup QMSs to be legally compliant and also the phrase that most often gets misapplied in both directions.

Proportionality is not a discount. It does not say "small companies can skip processes." It says the QMS must cover every aspect Article 10(9) names, at a depth appropriate to the device's risk and the complexity of the manufacturing operation.

A Class I device that is non-sterile, non-measuring, and non-reusable does not follow the Annex IX full QMS route at all. It follows a self-declaration route, but the manufacturer still has Article 10(9) obligations. The QMS must cover every aspect, but at a depth that matches low-risk operations. Document control can be simple. Design controls can be brief. Supplier controls can be limited to the few actual suppliers. PMS must still exist.

A Class IIa device following Annex IX requires the QMS route with Notified Body assessment. The QMS is larger because the stakes are higher and the assessment is deeper. Every aspect is still present. The procedures are longer. The records are more detailed. Verification and validation generate more evidence. PMS is more active.

A Class III device requires the QMS to cover the same aspects again, at the depth appropriate to catastrophic risk and complex production. Design controls are elaborate. Risk management is continuous. Clinical evaluation is extensive. PMS is almost a second full-time operation.

In all three cases, every Article 10(9) aspect is present. What changes is depth, not coverage. Getting this judgment right is where real competency separates from template thinking, and where the Subtract to Ship discipline is most useful.

The three common misreadings

Misreading one: the template QMS. A founder buys a template package, replaces the company name, and submits the result. Every Article 10(9) aspect is technically named in a document. None of the documents describe the real company. Annex IX Section 2 is designed to catch exactly this. The Berlin team learned this the hard way. Post 280 on building a lean QMS covers the corrective move.

Misreading two: over-scoping. A startup reads EN ISO 13485:2016+A11:2021 cover to cover, treats every clause as mandatory at full depth, and builds a 500-document QMS for a three-person company making a Class I instrument. Proportionality is the defence here. The Regulation itself tells the manufacturer to size the QMS to the device. An over-scoped QMS is not "safer." It is harder to maintain, harder to audit, and more likely to contain contradictions that become non-conformities.

Misreading three: under-scoping. A startup reads Article 10(9) selectively, omits aspects like PMS, vigilance, PRRC, or UDI verification because "we will add them at launch," and arrives at the Notified Body audit with structural gaps. Proportionality does not license omission. Every aspect must be present, at a depth appropriate to the device. Starting late on PMS or PRRC is the single most common cause of minor non-conformities Tibor sees in first audits.

The Subtract to Ship angle

The Subtract to Ship framework (post 065) applied to Article 10(9) and Annex IX produces a clean operational rule.

Every process, procedure, form, and record in the QMS must trace to a specific aspect of Article 10(9) or another specific MDR obligation. If it traces, it stays. If it does not trace, it comes out. If two processes cover the same Article 10(9) aspect, they merge. If an Article 10(9) aspect has no process, one is created at the depth the device requires.

This is not a recipe for a smaller QMS in all cases. A Class III manufacturer applying Subtract to Ship will still have a large QMS, because the Regulation requires a lot and the device is complex. A Class I startup applying Subtract to Ship will have a small QMS, because the Regulation does not require more and the operations do not justify more. In both cases, nothing in the QMS is theatre, and every document has a legal reason to exist. That is the test.

Reality Check — Where do you stand?

  1. Can you open Regulation (EU) 2017/745 to Article 10(9) and read the paragraph out loud without needing to look up what each phrase means?
  2. Can you list the aspects Article 10(9) names at a minimum, and match each one to a specific process in your QMS?
  3. Do you know whether your device goes through the Annex IX route, and have you read Annex IX Section 2 in full?
  4. For each Article 10(9) aspect, can you show a live record from the last thirty days proving the process is running?
  5. Have you identified the gaps where EN ISO 13485:2016+A11:2021 does not fully cover an MDR requirement — PMS, vigilance, PRRC, UDI verification — and closed them explicitly in the QMS?
  6. Is your QMS depth proportionate to your risk class and type of device, or is it sized for a different company?
  7. Does your team understand the ordering — MDR first, Annex IX second, EN ISO 13485:2016+A11:2021 third — or do they think "ISO 13485 is the rules"?
  8. If an Annex IX Section 2 audit started tomorrow morning, could you walk the auditor from every Article 10(9) aspect to a live record without opening a template?

Any "not yet" on this list is a pointer to the next piece of work.

Frequently Asked Questions

Is EN ISO 13485:2016+A11:2021 legally required under the MDR? No. The legal requirement is MDR Article 10(9). EN ISO 13485:2016+A11:2021 is the harmonised standard that, under MDR Article 8, provides presumption of conformity with the corresponding MDR requirements when it is correctly applied. A manufacturer can in principle meet Article 10(9) without the standard, but in practice the standard is the efficient path and the one Notified Bodies expect.

Does Annex IX apply to every device? No. Annex IX is one of several conformity assessment routes. It applies to most Class IIa, IIb, and III devices following the full QMS and technical documentation assessment route. Other routes exist under Annex X and Annex XI. Class I non-sterile, non-measuring, non-reusable devices follow a self-declaration route without Notified Body involvement, but the manufacturer still has Article 10(9) obligations.

Do I need to read the whole MDR to understand Article 10(9)? No, but Article 10(9) references other articles and annexes that you do need to read in context: Article 15 on the PRRC, Article 61 and Annex XIV on clinical evaluation, Article 83 on the post-market surveillance system, and Annex I Section 3 on risk management. Reading Article 10(9) together with these cross-references gives you the operational meaning of each aspect.

Is Annex IX the same as EN ISO 13485:2016+A11:2021? No. Annex IX is the MDR conformity assessment route that the Notified Body uses to check the QMS. EN ISO 13485:2016+A11:2021 is the harmonised standard the manufacturer uses to build the QMS. The Notified Body audits the manufacturer's QMS against the MDR requirements under the Annex IX procedure. Conformity with the standard gives presumption of conformity with the Regulation. They are different documents with different roles.

What is the most common Notified Body finding under Annex IX Section 2? In Tibor's experience, the most common findings are QMS processes that exist on paper but are not actually being run, MDR-specific gaps that the standard does not cover (especially PMS, vigilance, and PRRC), and proportionality errors where the QMS is either over-scoped or under-scoped relative to the device.

Can a small startup really pass an Annex IX Section 2 audit? Yes, when the QMS is real. Proportionality is the Regulation's own instruction that the QMS must match the device. A three-person company with a disciplined QMS that covers every Article 10(9) aspect at the appropriate depth can pass an Annex IX audit with zero non-conformities. The Vienna team in this post did exactly that. See post 281 on the minimum viable QMS.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 8 (use of harmonised standards), Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system), Article 15 (person responsible for regulatory compliance), Article 83 (post-market surveillance system of the manufacturer), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation, including Section 2 on quality management system assessment). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. The harmonised standard providing presumption of conformity with MDR Article 10(9) when its clauses are correctly applied.

This post is a deep dive within the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. The MDR is the North Star. Annex IX is how the law is verified. EN ISO 13485:2016+A11:2021 is the tool that makes the verification efficient. Read in that order, build in that order, and every subsequent piece of QMS work becomes simpler.