MDR Article 10(9) requires every medical device manufacturer to operate a quality management system proportionate to the risk class and type of device. EN ISO 13485:2016+A11:2021 is the harmonised standard that, under MDR Article 8, gives a manufacturer presumption of conformity with the corresponding QMS requirements when the standard is correctly applied. The standard discharges most of the Article 10(9) obligation through its clauses, but not all of it — several MDR-specific aspects sit outside the standard's scope and must be closed explicitly by the manufacturer. The Regulation is the legal obligation. The standard is the efficient route to demonstrating conformity. Understanding exactly where the standard covers the law and where it does not is the difference between a clean Notified Body audit and an expensive set of findings.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • The legal QMS obligation is MDR Article 10(9). EN ISO 13485:2016+A11:2021 is the tool the Regulation's harmonisation mechanism grants legal weight.
  • Under MDR Article 8, conformity with a harmonised standard whose reference is published in the Official Journal gives presumption of conformity with the corresponding MDR requirements.
  • EN ISO 13485:2016+A11:2021 contains Annex ZA and Annex ZB, the "Z annexes," which map the standard's clauses against the MDR requirements they address.
  • Presumption of conformity is rebuttable. A Notified Body that finds evidence of non-conformity with the MDR can still raise findings, even against a QMS certified to the standard.
  • Several Article 10(9) aspects sit outside or only partially inside the standard — regulatory compliance strategy, PMS linkage, vigilance reporting under Articles 87 to 92, PRRC under Article 15, and UDI verification under Articles 27 and 29.
  • Building the QMS against the MDR through the standard — and closing the residual gaps explicitly — is the discipline that survives Annex IX Section 2.

Why this question matters on day one of a QMS project

A founder opens EN ISO 13485:2016+A11:2021 for the first time and reads through the clauses. Management responsibility, resource management, product realisation, measurement and improvement. Everything looks structured, well organised, industry-standard. The founder closes the document and starts building procedures that match the clauses. Six months later, the Notified Body arrives under the Annex IX Section 2 route, audits the QMS against the MDR, and raises findings — not because the standard was applied badly, but because the MDR has obligations the standard never addresses, and no one built processes for them.

This failure mode is preventable. It requires understanding exactly how the standard discharges the Article 10(9) obligation, where the discharge is complete, and where the manufacturer has to close the gap themselves. That understanding is the subject of this post.

For the foundational definition of a medical device QMS, see post 276. For the full Article 10(9) and Annex IX walkthrough, see post 278. For why ISO 9001 is not a substitute, see post 279. This post sits between those three and answers the specific question: given that Article 10(9) is the law and EN ISO 13485:2016+A11:2021 is the tool, how does the tool actually discharge the law?

The Article 8 mechanism — how a standard gains legal weight

The MDR does not require manufacturers to follow any specific standard. What it does is create a mechanism by which certain standards gain legal effect through a process called harmonisation.

Under MDR Article 8, compliance with harmonised standards whose references have been published in the Official Journal of the European Union gives presumption of conformity with the corresponding requirements of the Regulation that those standards cover. The standards become "harmonised" when the European Commission, on the advice of the European standards organisations, decides that a given standard adequately expresses the technical content of specific MDR requirements, and publishes the reference in the Official Journal. At that point, a manufacturer who applies the standard correctly can rely on a legal presumption that the corresponding MDR requirements are met.

This is not a minor technicality. It is the central bridge between the Regulation (which states obligations in legal language) and the practical engineering reality (which needs concrete, testable requirements). Without harmonisation, every manufacturer would have to argue from first principles that its QMS, its risk management process, its software lifecycle, and its clinical evaluation satisfy the Regulation. With harmonisation, the manufacturer can point to conformity with a specific standard and rely on the presumption the Regulation grants.

MDCG 2021-5 Rev.1 (July 2024) explains the harmonisation mechanism in detail, including the process by which a harmonised European standard ("hEN") is developed, the role of the "Annex Z" clauses that map standard content against Regulation requirements, and the concept of presumption of conformity itself. Any founder building a QMS should read MDCG 2021-5 Rev.1 once, early, so that the mechanism is clear before the engineering work begins.

EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS under the MDR. Its reference is the one a manufacturer points to when claiming presumption of conformity with the QMS obligations in Article 10(9).

What presumption of conformity actually means

Presumption of conformity is a phrase with a specific legal meaning, and founders frequently get it wrong in both directions.

What it does mean: a Notified Body or competent authority assessing the QMS starts from the position that the corresponding MDR requirements are met, as long as the manufacturer is correctly applying EN ISO 13485:2016+A11:2021. The burden shifts. Instead of the manufacturer having to prove conformity from first principles, the authority has to find specific evidence of non-conformity to raise a finding. This shift is enormously practical — it makes audits faster, makes certification projects cheaper, and gives the manufacturer a defensible starting position in any regulatory interaction.

What it does not mean: that the QMS is automatically and irrevocably compliant. Presumption of conformity is rebuttable. If a Notified Body walks into an on-site audit and finds that a process the standard requires is not actually being run — or that an MDR requirement the standard does not cover is missing from the QMS — the presumption does not prevent a finding. The presumption is a starting position, not a shield.

It also does not mean that conformity with the standard equals conformity with the MDR across the board. The standard covers what the standard covers. The MDR has obligations that the standard does not address. Those residual obligations sit with the manufacturer regardless of the standard's coverage. The rest of this post is about those gaps.

Where the standard maps to MDR articles

EN ISO 13485:2016+A11:2021 contains two informative annexes — Annex ZA and Annex ZB — that map the clauses of the standard against the requirements of the MDR (Annex ZA) and the IVDR (Annex ZB) that the standard addresses. These are the "Z annexes" referred to in harmonisation terminology. Reading them is the single most useful thing a founder can do when planning a QMS project.

The Z annexes show, clause by clause, which MDR requirement each clause of the standard supports. For example, Clause 4 of the standard (the general quality management system requirements — documentation, management responsibility at the system level, control of documents and records) maps against the general QMS obligation in Article 10(9). Clause 5 (management responsibility) maps against the "responsibility of the management" aspect. Clause 6 (resource management, including human resources, infrastructure, and work environment) maps against "resource management, including selection and control of suppliers and sub-contractors." Clause 7 (product realisation, including planning, customer-related processes, design and development, purchasing, production and service provision, control of monitoring and measuring equipment) maps against "product realisation, including planning, design, development, production and provision of service." Clause 8 (measurement, analysis and improvement, including monitoring and measurement, control of non-conforming product, analysis of data, and improvement including CAPA) maps against "management of corrective and preventive actions and verification of their effectiveness" and "processes for monitoring and measurement of output, data analysis and product improvement."

Each mapping line in the Z annex is a claim: conformity with this clause of the standard, correctly applied, gives presumption of conformity with this part of the MDR. Reading them together produces a picture of which parts of Article 10(9) the standard discharges and which parts it does not.

The Z annexes are also where the gaps become visible — because where the standard has no clause that maps to a given MDR requirement, the annex is silent on that requirement, and the manufacturer can see immediately that additional work is needed outside the standard.

What the standard does not cover

The most important sentences in the Z annexes of EN ISO 13485:2016+A11:2021 are the ones describing what the standard does not cover. These are the MDR obligations a manufacturer has to discharge through QMS processes the standard does not describe.

Regulatory compliance strategy. Article 10(9) opens with "strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices covered by the system." The standard touches on regulatory requirements as inputs to the QMS, but it does not require a documented regulatory compliance strategy as a standalone deliverable. The manufacturer has to add one.

Post-market surveillance system under MDR Article 83. The standard contains clauses on feedback, complaint handling, and post-market activities, but the MDR PMS system under Article 83, Article 84, and Annex III is more structured, more prescriptive, and more tightly linked to vigilance and CAPA than the standard requires. MDCG 2025-10 (December 2025) describes what the MDR PMS system actually looks like. The manufacturer has to build a PMS plan, PMS report or PSUR as appropriate to the device class, and the data collection infrastructure to feed them. None of this is fully specified by the standard.

Vigilance reporting under Articles 87 to 92. The standard contains clauses on reporting to regulatory authorities, but the MDR vigilance obligations — serious incident reporting timelines, trend reporting, field safety corrective actions, PSRs, and communication with competent authorities through Eudamed — are defined by the Regulation and MDCG 2023-3 Rev.2 (January 2025), not by the standard. The manufacturer has to build vigilance procedures that reflect the MDR text directly.

PRRC under Article 15. The standard says nothing specific about the Person Responsible for Regulatory Compliance. Article 15 requires every manufacturer to have at least one PRRC with defined qualifications, and Article 15(2) allows micro and small enterprises to have the PRRC permanently and continuously at their disposal rather than internally employed. The QMS has to document who the PRRC is, their qualifications, and their role in the quality system. The standard does not describe this.

UDI verification under Articles 27 and 29. Article 10(9) explicitly requires the QMS to verify UDI assignments under Article 27(3) and ensure consistency of the information provided under Article 29. The standard has traceability clauses but does not describe the UDI system the MDR creates. The manufacturer has to build the UDI verification process as an MDR-specific addition.

Identification of applicable GSPR. Article 10(9) requires "identification of applicable general safety and performance requirements and exploration of options to address those requirements." The standard has design input clauses but does not describe the GSPR identification process as a standalone QMS deliverable. In practice, this is usually a GSPR checklist or matrix showing how each applicable requirement in Annex I is addressed, with references to the design evidence. The standard does not require this directly; the Regulation does, through Article 10(9).

These are the residual gaps. A QMS that follows EN ISO 13485:2016+A11:2021 correctly, and then closes each of these gaps explicitly with a documented process, satisfies Article 10(9) in full. A QMS that follows the standard and stops there has findings waiting in the Annex IX Section 2 audit.

The gap between ISO 13485 and MDR requirements

The gap is smaller than founders fear and larger than they hope. It is not a hidden set of secret obligations — it is written out in the MDR text itself, in the Z annexes of the standard, and in the MDCG guidance documents that accompany the Regulation. The work of closing the gap is the work of reading those three sources together and writing down, in your own QMS, how each residual obligation is met.

The practical move is to build a single document — sometimes called a "QMS-to-MDR mapping" or "regulatory compliance matrix" — that lists every aspect of Article 10(9), identifies the standard clause that addresses it (if any), and describes the additional QMS process the manufacturer has built to close any residual gap. The Notified Body will find this document early in any assessment and use it as a navigation aid through the QMS. A manufacturer who has built it deliberately walks into the audit ahead of the auditor. A manufacturer who has not built it walks in behind.

See post 320 on the Z annexes and the MDR gaps for a clause-by-clause walkthrough of where the standard covers the Regulation and where it does not. See post 326 on the QMS-to-MDR mapping document for the operational template.

Common misunderstandings

"ISO 13485 is the law." No. The law is MDR Article 10(9). The standard is a tool that, when correctly applied, gives presumption of conformity with the law. Treating the standard as the law leads to QMSs that satisfy the standard but miss MDR-specific obligations.

"If we are certified to EN ISO 13485:2016+A11:2021, we are MDR-compliant." No. An ISO 13485 certificate issued by a certification body is evidence that the QMS conforms to the standard on the day of the audit. It is not the MDR QMS certificate issued by a Notified Body under Annex IX. The MDR QMS assessment is a separate, deeper exercise that uses the standard as a reference but tests the QMS against the Regulation directly.

"Presumption of conformity means the Notified Body cannot raise findings." No. Presumption of conformity is a rebuttable starting position. If the Notified Body finds specific evidence of non-conformity — a process that is documented but not run, an MDR requirement the standard does not cover and the QMS does not address — the presumption does not prevent a finding. See post 321 on Notified Body QMS certification under MDR for the assessment process in detail.

"The Z annexes are just informative, so we can skip them." Technically, the Z annexes are informative rather than normative. Practically, they are the single most valuable part of the standard for an MDR project, because they tell the manufacturer exactly which MDR requirements the standard covers and which it does not. Skipping them is expensive.

"The standard is enough for low-risk devices." Proportionality allows a low-risk device to have a leaner QMS, but it does not allow the manufacturer to ignore Article 10(9) aspects the standard does not cover. A Class I startup still needs the regulatory compliance strategy, the PMS system, the vigilance processes, the PRRC, and the UDI verification. The depth is smaller. The presence is not optional.

The Subtract to Ship angle

The Subtract to Ship framework (post 065) applied to this question produces a clean rule. Build the QMS against MDR Article 10(9), use EN ISO 13485:2016+A11:2021 as the structural blueprint for the aspects it covers, and close the residual gaps with the minimum number of additional processes needed to discharge the MDR-specific obligations. No duplicate processes. No decorative structures. No "ISO-style" documents that the standard does not actually require. No "MDR-style" processes that the Regulation does not actually require.

Every document in the QMS should be defensible on one of two grounds: it implements a clause of the standard that maps to an Article 10(9) aspect in the Z annexes, or it closes a residual MDR gap that the standard does not cover. Documents that fail both tests come out. Documents that fail neither test stay. The result is a lean, honest QMS that presents a clear story to the Notified Body and survives the Annex IX Section 2 audit.

See posts 280 and 281 on building a lean QMS and the minimum viable QMS for the operational playbook that applies this discipline in practice.

Reality Check — Where do you stand?

  1. Can you state, in one sentence, the difference between MDR Article 10(9) (the legal obligation) and EN ISO 13485:2016+A11:2021 (the tool that gives presumption of conformity)?
  2. Have you read Annex ZA of EN ISO 13485:2016+A11:2021 and mapped each of its entries against your current QMS processes?
  3. Do you have a documented QMS-to-MDR mapping that lists every Article 10(9) aspect, the standard clause that covers it, and any additional process you have built to close a residual gap?
  4. Have you identified the residual MDR obligations that the standard does not fully cover — regulatory compliance strategy, PMS under Article 83, vigilance under Articles 87 to 92, PRRC under Article 15, UDI verification under Articles 27 and 29, GSPR identification — and built processes for each one?
  5. Does your team understand that presumption of conformity is rebuttable, and that a Notified Body can still raise findings against a QMS certified to the standard?
  6. If a Notified Body auditor asked "how does your QMS discharge Article 10(9)?", could you walk them through the Z annex mapping and the gap-closure document without opening a template?
  7. Is your QMS depth proportionate to your risk class and type of device, or has it been sized for a different company's problem?

Any "not yet" is the next piece of work.

Frequently Asked Questions

Does an ISO 13485 certificate prove my QMS is MDR-compliant? No. A certification body can issue an ISO 13485 certificate confirming that the QMS conforms to EN ISO 13485:2016+A11:2021. That certificate provides presumption of conformity with the corresponding MDR requirements under Article 8, but it is not the MDR QMS certificate a Notified Body issues under the Annex IX route. The Notified Body assesses the QMS against the MDR, not against the standard alone, and can raise findings where the standard's coverage is incomplete.

What does "presumption of conformity" mean in practice? It means the Notified Body and competent authorities start from the position that the corresponding MDR requirements are met, as long as the manufacturer is correctly applying the harmonised standard. The burden shifts to the authority to find specific evidence of non-conformity. The presumption is rebuttable — if evidence of non-conformity is found, a finding can still be raised.

Where are the Z annexes in EN ISO 13485:2016+A11:2021? Annex ZA maps the standard's clauses to the MDR requirements they address. Annex ZB maps the same clauses to the IVDR requirements. Both are informative annexes at the end of the standard document. They are the single most useful tool for planning how the standard will discharge the MDR QMS obligations in your project.

Which MDR requirements does the standard not fully cover? The main residual gaps are the regulatory compliance strategy, the PMS system under MDR Article 83, vigilance reporting under Articles 87 to 92, the Person Responsible for Regulatory Compliance under Article 15, UDI verification under Articles 27 and 29, and the explicit identification of applicable general safety and performance requirements under Annex I. Each of these requires a QMS process the standard does not fully describe.

Do I need to read MDCG 2021-5 Rev.1 to understand the harmonisation mechanism? It helps. MDCG 2021-5 Rev.1 (July 2024) explains how harmonised standards are developed, how the Annex Z mechanism works, and what presumption of conformity means in the MDR framework. A single careful read early in a QMS project saves a lot of confusion later.

Is conformity with EN ISO 13485:2016+A11:2021 the only way to meet Article 10(9)? No. A manufacturer can in principle meet Article 10(9) without using the harmonised standard, by documenting how the QMS meets every MDR requirement from first principles. In practice, no sensible startup does this. The harmonised standard exists to save everyone time, and Notified Bodies expect to see it applied.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 8 (use of harmonised standards and presumption of conformity), Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes, including Annex ZA (mapping of standard clauses against MDR requirements) and Annex ZB (mapping against IVDR requirements). The harmonised standard providing presumption of conformity with MDR Article 10(9) when its clauses are correctly applied.
  3. MDCG 2021-5 Rev.1 — Guidance on standardisation for medical devices, Revision 1, July 2024. Explains the harmonisation mechanism, the role of harmonised European standards, the Annex Z mechanism, and the concept of presumption of conformity under the MDR and IVDR.

This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool the Regulation's harmonisation mechanism makes efficient. Presumption of conformity is the bridge between them, and the Z annexes are the map. Read in that order, build in that order, and the Annex IX Section 2 audit has something real to inspect.