MDR QMS compliance costs fall into two buckets that founders routinely conflate: the fixed fees paid to a certification body or Notified Body for the audit itself, and the much larger ongoing internal effort required to build, run, and maintain a QMS that meets EN ISO 13485:2016+A11:2021 and the MDR Article 10(9) obligation on top of it. Certification body fees for a Class IIa startup generally sit in the low-to-mid five-figure range for first certification under Annex IX, with annual surveillance fees in the same range and recertification at year three. Internal effort — the real cost — is typically several times larger than the fees. This post gives the honest shape of both, so a first-time founder can budget a QMS programme without being surprised by the category nobody quoted them.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • MDR QMS compliance costs have two distinct halves: certification body fees (fixed, quoted, visible) and internal effort (variable, invisible until you measure it, usually larger).
  • Certification body fees for a Class IIa startup under MDR Annex IX typically run a five-figure sum for first certification, plus annual surveillance fees, plus a larger recertification audit at year three.
  • Internal effort to build a QMS that genuinely meets EN ISO 13485:2016+A11:2021 and MDR Article 10(9) dominates the total cost, and is where the Subtract to Ship discipline produces real savings.
  • Ongoing maintenance — document control, internal audits, management review, CAPA, training, supplier oversight — runs continuously and scales with team size, not with how often you look at the QMS.
  • The single largest avoidable cost is rework after a Stage 2 finding that could have been caught earlier. A clean QMS costs less than a theatrical one, every time.
  • Current fees are always time-sensitive. Any specific euro number you read online, including this one, is indicative only. Get written quotes from the actual certification body before you commit a budget line.

Why QMS cost gets quoted wrong

Most first-time founders ask one question when they start budgeting QMS work. "How much does ISO 13485 certification cost?" The answer they usually get is a single number from a certification body sales team, and that number is almost always just the audit fee. The founder writes that number into the financial plan, feels reassured, and keeps building the product.

Twelve months later, the same founder is on a call with Tibor trying to work out why the QMS has eaten four times the budgeted amount. The audit fee was quoted correctly. Every other cost category was missing. The document control platform licence. The internal audit cycle. The management review process. The training records. The CAPA work. The supplier questionnaires. The time the founding team spent writing procedures at 11pm because nobody else could. None of that was in the "ISO 13485 cost" number. All of it was in the real QMS.

This post gives the honest shape of the cost so the budget can be built once, correctly. For the certification path itself, see post 320. For the Notified Body selection decision that sits behind the fees, see post 321. For Stage 2 survival tactics, see post 323. For the full CE marking cost breakdown that this sits inside, see post 744.

The cost categories

MDR QMS compliance costs break into seven categories. Every one of them applies to every startup pursuing Annex IX conformity assessment. None of them can be cut to zero. Several of them can be reduced significantly with the right discipline.

1. Certification body fees for first certification

The first and most visible category. This is what the certification body or Notified Body charges for the work set out in MDR Annex IX Section 2 — the QMS assessment itself, including application review, Stage 1 documentation audit, Stage 2 on-site audit, and certificate issuance.

For a small startup with one site, one device family, and a Class IIa scope, first certification fees at general framing sit in the low-to-mid five-figure range in euros. For Class IIb, the fee is meaningfully higher because the audit scope is larger. For Class III, higher again, often by a multiple, because Annex IX assessment at the top of the risk pyramid involves more auditor-days, expert panel consultation where required, and deeper technical documentation review that runs in parallel with the QMS audit.

The variance between certification bodies on fee alone is smaller than founders expect. The larger variance is in what the fee buys you in terms of auditor competence, queue time, and responsiveness during findings resolution. A slightly more expensive body that assigns a competent auditor and answers questions within 48 hours is cheaper in reality than a slightly cheaper body that loses three months to scheduling friction. For the full selection framework, see post 321.

2. Internal effort to build the QMS

This is the category that dominates real cost and almost never appears in a sales quote. Building a QMS that meets EN ISO 13485:2016+A11:2021 and the MDR Article 10(9) obligation on top of it requires writing procedures, implementing document control, running the first cycle of internal audits, holding the first management review, setting up CAPA, establishing training records, building the supplier evaluation system, and closing the Z annex mapping from the standard to the MDR-specific requirements.

None of this work can be bought as a finished product. Template packages exist and some are useful as starting points, but every template must be customised to match the real operations of the company. The template-without-customisation pattern — a founder buying a generic SOP pack and replacing the placeholder company name — is the single most reliable way to fail a Stage 2 audit. It feels like a cost saving in month one. It is a cost explosion in month nine.

The honest internal effort to build a first QMS for a Class IIa startup, with a small team and sensible tooling, is typically several hundred hours of concentrated work spread across three to six months, plus the ongoing effort of actually running the processes so that real records exist by the time of Stage 1. Whether this is paid as internal salary, external consulting, or a mix, it is a real cost and it is usually several times the size of the certification body fee for first certification.

3. Ongoing internal effort — running the QMS

A QMS that runs produces records. Records come from process cycles. Process cycles take time. The internal audit cycle, the management review cycle, the document change cycle, the CAPA cycle, the training cycle, the supplier review cycle — every one of these is a recurring load on the team.

The honest rule is that a lean startup QMS under Class IIa typically requires a meaningful fraction of one full-time equivalent spread across the team, not one dedicated person. Some of that load sits with the PRRC. Some sits with the design and development lead. Some sits with the person responsible for production or supply. The total is real, even if no single person is labelled "QMS manager."

Founders who assume the QMS runs itself after certification discover at the first surveillance audit that it does not. The records have gaps. The training is out of date. The management review has slipped. Every one of these is a finding, and every finding costs more to close than it would have cost to prevent.

4. Annual surveillance audits

The certificate is not a permanent grant. Under both EN ISO 13485:2016+A11:2021 and MDR Annex IX, the certification body conducts surveillance audits at planned intervals — at least annually — to verify the QMS continues to meet the requirements.

Surveillance audits are shorter than Stage 2, but they are not trivial. The fee is a fraction of the first certification fee but lands every year. The internal preparation effort is also real — pulling records for the auditor, walking through sampled processes, closing any open findings from the previous audit.

Annex IX also requires unannounced on-site audits at planned intervals. These land without advance notice and are specifically designed to catch the gap between what the QMS says and what the operations actually do. The cost shows up both in the fee and in the disruption to the operating week when they happen.

5. Recertification at year three

At the end of the three-year certificate cycle, the certificate expires and must be renewed through a recertification audit. This is more comprehensive than a surveillance audit and closer in scope to the original Stage 2. The fee reflects the extra auditor-days, and the internal preparation effort scales accordingly.

For a company that has run the QMS honestly across the three years, recertification is manageable. The accumulated evidence supports itself, the processes are stable, and the findings are typically minor. For a company that has let the QMS drift — documented processes slowly diverging from real operations — recertification is where the drift becomes visible and expensive. The remediation cost at that point can easily exceed the original build cost.

6. Scaling cost as the team grows

QMS cost is not fixed. It scales with headcount, with the number of sites, with the number of device families in scope, and with the complexity of the supply chain. A five-person startup with one device has a very different QMS footprint from a thirty-person company with three devices and two sites, even if both are Class IIa.

What scales:

  • Training records — every new hire goes through training, and the training matrix grows.
  • Document control — more people touching more documents increases the load on the review and approval cycle.
  • Internal audits — more processes and more sites mean more audit time.
  • Supplier oversight — more components and more suppliers mean more evaluation and monitoring.
  • Change control — a bigger company changes more things more often, and every change runs through the change control process.
  • Scope expansion — adding a new device family to the certificate requires a formal scope extension, which is its own cost line.

The founders who budget the QMS at the size of the team they have today, and never revisit it, are the ones who run into surveillance findings in year two when the team has tripled and the QMS has not kept up.

7. Tooling — document management and records infrastructure

Document management tooling is a real line item that gets left out of most first budgets. At minimum, a startup needs a controlled system where documents are versioned, approvals are recorded, training acknowledgements are captured, and records cannot be silently edited. The options run from a disciplined use of a general document platform, through startup-oriented electronic QMS products, up to full enterprise QMS suites.

The cheap end of this range is a shared drive with rigorous discipline. It works for very small teams and very short periods. It stops working the moment the team grows past the point where discipline alone can enforce version control. Most startups we work with move to a dedicated electronic QMS platform before Stage 1, not after, because the auditor reads the document control system as a signal of QMS maturity.

Common cost mistakes

Five mistakes show up in almost every first-time startup QMS budget.

Mistake 1 — quoting only the audit fee. The certification body fee is the most visible number but the smallest category. A budget built around it alone underestimates total QMS cost by a factor of three or more.

Mistake 2 — assuming templates replace work. Templates are a starting point, not a deliverable. Every template must be customised to real operations. The work of customisation is the majority of the build effort.

Mistake 3 — treating QMS cost as a one-time line. The QMS is a recurring operating cost, not a project cost. Management review, internal audit, training, and CAPA are monthly and quarterly activities for the life of the company.

Mistake 4 — forgetting surveillance audits in the runway. The annual surveillance audit lands in year two and year three, before the first certificate cycle is even complete. If it is not in the runway model, the runway model is wrong.

Mistake 5 — skipping tooling until the auditor asks. A last-minute migration to a proper document control system in the weeks before Stage 1 is the most expensive version of this work. Do it early, do it once.

The Subtract to Ship angle

Subtract to Ship applied to QMS cost produces one operational rule: every euro of QMS spend must trace back to a specific MDR obligation or a specific requirement of EN ISO 13485:2016+A11:2021. If it does, fund it properly. If it does not, cut it entirely. The discipline is described in full in post 065.

The place where subtraction produces the biggest savings is not the audit fee, which is close to fixed. It is the internal build effort, where the default failure mode is over-production of documents that do not match real operations. Every page of SOP written for a process the company does not actually run is waste. Every template signed off without customisation is future rework. Every review layer added because "it looks more rigorous" is drag with no regulatory value.

The converse is equally important. Some lines of QMS spend are load-bearing and must not be cut. A real internal audit cycle. A real management review. A real CAPA process with closed-loop evidence. Training records that match the training that actually happened. Document control that makes silent editing impossible. These are not optional. Cutting them to save budget is the setup for the most expensive category of all — rework after a finding.

The honest result of running Subtract to Ship on a QMS budget is usually a smaller total spend in the visible categories and a larger allocation to the few categories that matter. The net is lower cost and a cleaner audit.

Reality Check — Where do you stand?

  1. Have you separated certification body fees from internal effort in your budget, or are both collapsed into a single "QMS" line?
  2. Do you have written quotes from at least two certification bodies for first certification, surveillance, and recertification — not just first certification?
  3. Have you costed the internal effort to build the QMS in hours or FTE, and converted that honestly into a euro figure?
  4. Is there a line in your financial plan for annual surveillance audits in year two and year three?
  5. Have you budgeted the recertification audit at year three, including the internal preparation effort?
  6. Does your tooling line include a proper document control system, or are you planning to pass Stage 2 on a shared drive?
  7. If your team doubles in the next twelve months, is there a mechanism for the QMS budget to scale with it?
  8. Can you defend every line of QMS spend by pointing to a specific MDR article or a specific clause of EN ISO 13485:2016+A11:2021?

Frequently Asked Questions

What does ISO 13485 certification actually cost a startup? At general framing, certification body fees for a Class IIa first certification under MDR Annex IX sit in the low-to-mid five-figure range in euros, with annual surveillance fees added each year and a larger recertification audit at year three. The dominant cost is not the fee but the internal effort to build and run the QMS, which is typically several times the fee. Get written quotes from the certification body you intend to contract with before committing any budget number.

Is the audit fee the same for every certification body? No, but the variance is smaller than most founders expect. The larger difference between bodies is in auditor competence, queue time, responsiveness during findings resolution, and how efficiently the audit itself runs. A slightly higher fee from a body with a strong team is typically cheaper in reality than a slightly lower fee from a body that loses time to scheduling friction.

Can I reduce QMS cost by using templates? Templates are a starting point, not a deliverable. Every template procedure must be customised to match the real operations of the company or the Stage 2 auditor will find the gap. The cost saving from a template package is real only if the customisation effort is budgeted and done. The template-without-customisation pattern is the single most reliable way to fail a first audit.

How much does a surveillance audit cost? Less than first certification, but it recurs every year for the life of the certificate. The fee is a fraction of the Stage 2 fee, and the internal preparation effort is real but smaller than first certification. Over a three-year cycle, surveillance audits add meaningfully to the total QMS cost, and unannounced audits under Annex IX can land in between.

Does QMS cost scale with team size? Yes. Training, document control, internal audits, supplier oversight, and change control all scale with headcount and operational complexity. A QMS budget built for a five-person team will not fit a thirty-person team, even at the same device class. Plan for the QMS to scale with the organisation, not to stay fixed.

What is the single biggest avoidable QMS cost? Rework after an audit finding that could have been caught earlier. A theatrical QMS — documents that do not match operations, records reconstructed in the weeks before Stage 1, procedures nobody follows — produces findings that cost several times the original saving to close. A clean QMS costs less than a theatrical one, every time.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10, paragraph 9 (quality management system obligation for manufacturers, proportionate to the risk class and type of device), and Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation, including Section 2 on QMS assessment and Section 4 on surveillance assessment, including unannounced audits). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. The harmonised standard providing presumption of conformity with MDR Article 10(9) when its clauses are correctly applied.

Note on current fees. Certification body and Notified Body fees are time-sensitive and differ between bodies, device classes, and scope. Every figure in this post is indicative at general framing only. Before committing any QMS cost line in a financial plan, obtain written quotes from the specific certification body or Notified Body you intend to contract with, covering first certification, annual surveillance, and recertification across the full three-year cycle.

This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR Article 10(9) obligation sets the requirement. EN ISO 13485:2016+A11:2021 is the tool. The cost of that tool is real, recurring, and recoverable only through the discipline of making every line of spend trace back to a specific obligation.