--- title: MDR QMS Certification: Using ISO 13485 from Application to Certificate description: ISO 13485 certification is how you demonstrate the QMS that MDR Article 10(9) requires. Here is the path from application to certificate. authors: Tibor Zechmeister, Felix Lenhard category: Quality Management Under MDR primary_keyword: MDR QMS certification ISO 13485 canonical_url: https://zechmeister-solutions.com/en/blog/mdr-qms-certification-iso-13485 source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # MDR QMS Certification: Using ISO 13485 from Application to Certificate *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **MDR QMS certification is the process by which a certification body or Notified Body audits your quality management system against EN ISO 13485:2016+A11:2021, the harmonised standard that under MDR Article 8 provides presumption of conformity with the QMS obligation in MDR Article 10(9). The path runs from certification body selection, through an application package, a Stage 1 documentation audit, a Stage 2 on-site audit, certificate issuance, annual surveillance audits, and a three-year recertification cycle. Each step is sequential and each step can fail independently. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. Certification is how the tool is verified.** **By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.** --- ## TL;DR - MDR QMS certification against EN ISO 13485:2016+A11:2021 is how a manufacturer demonstrates the QMS that MDR Article 10(9) requires, and how a Notified Body verifies it under MDR Annex IX. - The process has seven sequential steps: certification body selection, application package, Stage 1 audit, Stage 2 audit, certificate issuance, annual surveillance audits, and recertification every three years. - Stage 1 is a documentation and readiness review. Stage 2 is the on-site audit where the auditor verifies that the documented QMS actually governs the real operations. - A certificate issued against EN ISO 13485:2016+A11:2021 covers the standard; the MDR certificate issued under Annex IX also covers the MDR-specific gaps the standard does not address. - Surveillance audits happen at least annually and can raise non-conformities that block certificate maintenance if not closed. - The total elapsed time from a complete QMS to a certificate in hand is typically six to twelve months for a well-prepared startup, longer if the QMS is not real on day one. --- ## Why certification is a separate step from having a QMS A common confusion among first-time founders is to treat "having a QMS" and "being certified" as the same thing. They are not. MDR Article 10(9) requires every manufacturer to establish, document, implement, maintain, keep up to date, and continually improve a quality management system proportionate to the risk class and type of device. That is the legal obligation. It is binding whether or not anyone audits you. Certification is the act of an independent body checking that your QMS meets EN ISO 13485:2016+A11:2021 and, under MDR Annex IX, meets the MDR obligations on top of the standard. The certificate is not the QMS. The certificate is third-party evidence that the QMS exists, runs, and meets the reference standard on a specific date. Under MDR Article 8, compliance with a harmonised standard whose reference has been published in the Official Journal of the European Union gives presumption of conformity with the corresponding MDR requirements. EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS. A certificate against that standard, issued by a competent body, is the mechanism by which the presumption is documented. For the relationship between Article 10(9), Annex IX, and the standard, see post 278. This post walks through the certification path step by step. Seven steps, each one sequential, each one with its own failure modes and its own preparation rules. ## Step 1. Certification body selection The first step is choosing who will audit your QMS. The answer depends on what you need the certificate to do. If you need an ISO 13485 certificate as a pure QMS credential, any accredited certification body can issue one. If you need the QMS audited as part of an MDR conformity assessment under Annex IX, the audit must be performed by a Notified Body designated under the MDR for the device class and codes that apply to your product. The list of designated Notified Bodies lives on the NANDO database on the European Commission site. For most startups heading toward a CE mark under Annex IX, the practical move is to contract directly with a Notified Body and have the QMS audit integrated with the MDR conformity assessment. Splitting the two. Using one body for ISO 13485 certification and another for MDR assessment. Creates duplication and rarely saves money. For Class I self-declaration devices where no Notified Body is required for the product, a standalone ISO 13485 certificate from an accredited certification body can still be useful as a quality credential, but it is not required by the Regulation. The selection criteria that matter in practice are designation scope (does the Notified Body cover your device codes under MDR), capacity and queue time (some bodies have waiting lists of twelve months or more), technical competence in your device area, and language and geography of the audit team. Price matters less than most founders expect. The variance between bodies is smaller than the variance in the quality of the audit team assigned to you. For the full Notified Body selection framework, see post 321. ## Step 2. The application package Once the certification body is selected, the manufacturer submits an application package. The content of this package is defined by the body and, for Notified Bodies under MDR, shaped by Annex IX Section 2. The package typically contains: a formal application form, the manufacturer's legal details and organisation chart, a description of the scope of certification (which devices, which sites, which processes), the QMS manual, the list of documented procedures, the list of products and their classifications, the technical documentation for representative devices, and evidence of the core QMS processes actually running (management review minutes, internal audit reports, CAPA records, complaint records). The application package is not a sales pitch. It is a first look at whether the QMS is real. A body reviewing a thin application package with no internal audit evidence, no management review records, and no CAPA history will draw the obvious conclusion: the QMS has not been running long enough to be auditable. The body will either defer the audit or proceed to a Stage 1 that confirms the same finding at greater cost. The rule of thumb is that the QMS must have been running for at least three months. With real records, not reconstructed ones. Before an application is submitted. Less than that, and Stage 1 will document that the system is not yet mature enough to certify. ## Step 3. The Stage 1 audit Stage 1 is the documentation and readiness audit. Its purpose is to verify that the QMS is documented, that the scope is clear, that the organisation understands the requirements of the standard, and that the QMS is ready for the Stage 2 on-site audit. Stage 1 can be conducted remotely or on-site depending on the body and the complexity of the operation. The auditor reviews the QMS manual, the procedures, the Z annex mapping from the standard to MDR requirements, and the core records. The auditor also identifies any gaps that must be closed before Stage 2. The output of Stage 1 is a report listing observations, potential non-conformities, and readiness findings. A clean Stage 1 clears the path to Stage 2. A Stage 1 with major readiness findings. Missing internal audit cycle, no management review, undocumented procedures for mandatory processes. Will result in Stage 2 being postponed until the findings are closed. The most common Stage 1 findings in first certifications are these: the QMS scope is not clearly defined, the document control system is incomplete, internal audits have not been conducted or have been conducted but not recorded properly, management review has not happened, CAPA records are thin or missing, and the Z annex mapping to MDR is absent. Each of these is fixable before Stage 2 if caught early. For a deeper walkthrough of Stage 1 preparation and common findings, see post 322. ## Step 4. The Stage 2 audit Stage 2 is the on-site audit where the auditor verifies that the documented QMS actually governs the real operations of the company. This is where template QMSs die and real QMSs pass. Everything in the Subtract to Ship discipline (post 065) and the discipline of building an honest QMS (posts 276, 281) is tested at Stage 2. The auditor walks through every major QMS process, from management responsibility through document control, design and development, purchasing, production, CAPA, internal audit, management review, PMS, vigilance, and the MDR-specific aspects under Annex IX Section 2. For each process, the auditor asks the "how do you know?" question and expects a documented answer traceable to a specific record from recent operations. Stage 2 findings are categorised as major non-conformities, minor non-conformities, or observations. A major non-conformity blocks certificate issuance until it is closed with evidence. Not with a plan to close it, but with actual corrective action verified by the auditor. A minor non-conformity typically allows certification to proceed on the condition that a corrective action plan is submitted and verified at the next audit. Observations are suggestions that do not block certification but should be addressed. The duration of Stage 2 depends on the scope, the device class, and the organisation size. For a small startup with one site and one device family, Stage 2 is typically two to four auditor-days. For a larger company with multiple sites, it scales accordingly. Plan for the audit to be disruptive. Key people will be interviewed, records will be requested in real time, and production or development activity will be observed directly. For Stage 2 survival tactics, see post 323. ## Step 5. Certificate issuance Once Stage 2 is complete and any major non-conformities are closed, the certification body reviews the audit report through its internal certification committee. This is a separate step from the audit itself. The committee confirms that the audit was conducted properly, that findings were categorised correctly, and that the evidence supports the certification decision. The committee either issues the certificate, defers pending further corrective action, or declines. For a clean Stage 2 with minor findings handled properly, the certificate is typically issued within four to eight weeks of the audit closing. The certificate specifies the standard (EN ISO 13485:2016+A11:2021), the scope of certification (which devices and which processes), the sites covered, the certification body's accreditation, the issue date, and the expiry date. The validity period is three years from issue, subject to successful surveillance audits. For manufacturers going through the full MDR conformity assessment under Annex IX, the QMS certificate is one of two outputs. The other being the technical documentation assessment under Annex IX Section 3. Both must be in place before a CE certificate can be issued. The QMS certificate alone does not authorise CE marking. For the relationship between the QMS certificate and the MDR certificate, see post 324. ## Step 6. Surveillance audits The certificate is not a permanent grant. Under both EN ISO 13485:2016+A11:2021 and MDR Annex IX, the certification body conducts surveillance audits at planned intervals. At least annually. To verify that the QMS continues to meet the requirements. Surveillance audits are shorter than Stage 2 but follow the same logic. The auditor walks through a risk-based sample of QMS processes, verifies records from the period since the last audit, checks the status of previous findings, and identifies new findings. Surveillance findings can be major or minor. A major finding at surveillance can suspend the certificate until corrective action is verified. Annex IX also requires unannounced on-site audits at the manufacturer's premises and, where appropriate, at the premises of suppliers and sub-contractors. These happen without advance notice and are specifically designed to catch the gap between what the QMS says and what the operations actually do. The operational rule for surviving surveillance is simple and uncomfortable: run the QMS the same way every day, not differently during audit weeks. A QMS that is real on Monday is real on the day the unannounced auditor arrives. A QMS that is theatrical will be found out. ## Step 7. Recertification After three years, the certificate expires and must be renewed through a recertification audit. This is more comprehensive than a surveillance audit and closer in scope to a Stage 2. The auditor reviews the full QMS, the cumulative history of findings and corrective actions, the evolution of the company and its devices, and the ongoing effectiveness of the system. Recertification is the moment when accumulated drift becomes visible. A QMS that has been slowly sliding away from its documented processes over three years will show the drift at recertification. A QMS that has been maintained honestly will pass recertification as smoothly as the original Stage 2. For companies that have grown significantly during the certificate period. New devices, new sites, new employees, new suppliers. Recertification is also the moment to formally update the scope of certification. This is not optional. A certificate issued for one device family does not cover a new device family that was added later without a scope change. For the recertification playbook, see post 327. ## The Subtract to Ship angle Subtract to Ship applied to QMS certification produces one operational rule: build the QMS that the device actually needs, certify the QMS that exists, and stop trying to pre-empt the auditor with documents that describe processes you do not run. The default failure mode in startup certification is not under-preparation. It is over-preparation of the wrong kind. Mountains of documents written for the audit rather than for the operations, procedures describing fictional processes, records reconstructed in the weeks before Stage 1 to fill gaps in the real history. Every one of these moves makes the certificate harder to earn, not easier. The auditor can tell, within the first hour of Stage 2, whether the QMS runs the company or the company runs around the QMS. Subtract to Ship in certification means this. Every document in the QMS describes a real process. Every record comes from real operations, not from reconstruction. Every procedure is tested by asking the person who runs the process whether the procedure matches what they do. Nothing is added to impress the auditor. Nothing is kept because "audits usually want this." The Regulation and the standard are the referees; every piece of work traces to one or the other or comes out. For the broader framework, see post 065. ## Reality Check. Where do you stand? 1. Have you identified the certification body or Notified Body you will work with, and confirmed they cover your device scope and have capacity? 2. Has your QMS been running long enough. With real records, not reconstructed ones. To be auditable (at least three months of genuine operation)? 3. Do you have documented internal audit cycle, management review minutes, and CAPA records from before the application is submitted? 4. Is your Z annex mapping from EN ISO 13485:2016+A11:2021 to MDR requirements complete, with the MDR-specific gaps explicitly closed? 5. For every major QMS process, can you walk an auditor from the documented procedure to a live record from the last thirty days? 6. Have you briefed the people who will be interviewed at Stage 2. Not to rehearse answers, but to make sure they understand which process they own and where the records are? 7. Do you have a calendar for surveillance audits across the three-year certificate cycle, and an owner for each one? 8. If an unannounced audit arrived tomorrow, would anything in your QMS surprise you in a bad way? Any "not yet" is where the work is. ## Frequently Asked Questions **How long does MDR QMS certification take from start to certificate?** For a well-prepared startup with a real QMS and the right certification body selected, the elapsed time from application to certificate is typically six to twelve months. The bottleneck is usually Notified Body queue time rather than the audit itself. Companies with a template QMS or reconstructed records take substantially longer because Stage 1 and Stage 2 surface findings that must be closed before the certificate can be issued. **Do I need a Notified Body or can I use any certification body?** It depends on what you need. For a pure EN ISO 13485:2016+A11:2021 certificate as a quality credential, any accredited certification body can issue one. For a QMS audit as part of an MDR conformity assessment under Annex IX, the audit must be performed by a Notified Body designated under the MDR for your device codes. Most startups heading toward CE marking work directly with a Notified Body. **What is the difference between Stage 1 and Stage 2?** Stage 1 is a documentation and readiness review. The auditor checks whether the QMS is documented, whether the scope is clear, and whether the company is ready for an on-site audit. Stage 2 is the on-site audit itself, where the auditor verifies that the documented QMS actually governs the real operations. Stage 1 catches paper gaps; Stage 2 catches reality gaps. **What happens if Stage 2 finds a major non-conformity?** A major non-conformity blocks certificate issuance until it is closed with verified corrective action. This is not a paper submission. The auditor must see evidence that the corrective action has been implemented and is effective. Closing a major non-conformity typically takes weeks to months depending on severity. The certificate cannot be issued until every major finding is closed. **How often are surveillance audits?** At least annually under both EN ISO 13485:2016+A11:2021 and MDR Annex IX. The body schedules surveillance audits across the three-year certificate cycle, and the surveillance findings feed the recertification decision at the end of year three. Annex IX also allows unannounced audits, which happen without advance notice. **Can I change certification bodies mid-cycle?** Yes, but it involves a transfer process. The new body typically conducts a transfer audit to verify the current state of the QMS before accepting the existing certificate. Changing bodies during a non-conformity period is generally not advisable. The new body will inherit the open findings and may require them to be closed before transfer. ## Related reading - [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) – the pillar post for the Quality Management Under MDR cluster. - [MDR Article 10(9) and Annex IX: The QMS Requirements Every Startup Must Meet](/blog/mdr-article-10-9-annex-ix-qms-requirements) – the legal anchor behind this certification process. - [Why MDR Requires a Medical Device-Specific QMS: ISO 13485 vs. ISO 9001](/blog/iso-13485-vs-iso-9001) – why EN ISO 13485:2016+A11:2021 is the standard you certify against. - [The Minimum Viable QMS for a Medical Device Startup](/blog/minimum-viable-qms) – the smallest honest QMS that can still pass Stage 2. - [Notified Body Selection for MDR QMS Certification](/blog/notified-body-selection-qms-certification) – the selection framework behind Step 1 of this process. - [Preparing for Stage 1: The ISO 13485 Documentation Audit](/blog/stage-1-iso-13485-documentation-audit) – the Stage 1 deep dive. - [Surviving Stage 2: The ISO 13485 On-Site Audit](/blog/stage-2-iso-13485-onsite-audit) – the Stage 2 deep dive. - [From QMS Certificate to CE Marking Under Annex IX](/blog/qms-certificate-to-ce-mark-annex-ix) – how the QMS certificate connects to the MDR certificate. - [ISO 13485 Recertification and Surveillance Audits](/blog/iso-13485-recertification-surveillance) – the three-year cycle and the drift problem. - [The Subtract to Ship Framework for MDR Compliance](/blog/subtract-to-ship-framework-mdr) – the methodology behind the discipline in this post. ## Sources 1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 8 (use of harmonised standards), Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation, including Section 2 on quality management system assessment and Section 4 on surveillance assessment). Official Journal L 117, 5.5.2017. 2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. The harmonised standard providing presumption of conformity with MDR Article 10(9) when its clauses are correctly applied. --- *This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. Certification is how the tool is verified against the real operations of a real company.* --- *This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*