Yes. For low-risk and low-mid-risk devices, the MDR in its current form has been overkill. It had good intentions around patient safety after the PIP breast implant scandal, but it failed to balance safety with innovation and in many cases killed innovation in the lower-risk range without a proportionate safety gain. This is the honest verdict of a lead auditor who has audited more than fifty companies and founded four MedTech companies. The right founder response is not to complain about the regulation, but to accept it as it is and cut every deliverable that MDR does not actually require.
By Tibor Zechmeister and Felix Lenhard.
TL;DR
- Tibor's honest assessment, from fifty-plus company audits and four MedTech company foundings, is that MDR has been disproportionate for low-risk and low-mid-risk devices.
- The regulation's intentions were legitimate: prevent another PIP-scale scandal and raise the baseline of patient safety across Europe.
- The unintended effect was to raise compliance cost for devices whose safety profile did not justify the additional burden, pushing many low-risk innovators out of the EU market or out of business entirely.
- The Subtract to Ship founder response is not to argue about proportionality. It is to accept the regulation as written and build only what MDR actually requires, cutting every gold-plated document.
- The December 2025 European Commission proposal signals that the proportionality critique is now on the official agenda, but it is not yet a reason to lower the compliance bar.
Why this matters (Hook)
Most public commentary on MDR comes from one of two camps. The first camp defends every line of the regulation because patient safety is sacred. The second camp attacks the regulation wholesale because compliance cost is crushing. Neither camp is useful to a founder with a real device, a real budget, and a real decision to make this quarter.
Tibor's position is honest and uncomfortable. He sits on both sides. As a Notified Body lead auditor he has seen what happens when manufacturers cut corners, and he has signed findings that almost certainly prevented patients from being harmed. As the founder of four MedTech companies, including Flinn.ai, he has also written the cheques for technical files that, in his professional judgment, did not produce a safer device. Both things are true at the same time.
Felix coaches founders through the emotional reality of this contradiction. A founder building a low-risk wellness-adjacent device in 2026 is told that their product is potentially life-changing, and also that they have to assemble documentation at roughly the same depth as a device that is implanted in the human body for fifteen years. The founder feels gaslit. The auditor who keeps signing the findings for missing documents also feels something close to it. This post is the honest conversation both sides wish they could have in the open.
What MDR actually says (Surface)
MDR proportionality lives in the classification system. Regulation (EU) 2017/745, Article 51 and Annex VIII, places devices into Class I, Class IIa, Class IIb, and Class III based on invasiveness, duration of contact, active or non-active nature, and intended purpose. Article 52 then maps each class to a conformity assessment route. In theory, a Class I self-certified device should face a far lighter compliance burden than a Class III implantable.
In practice, the burden is less differentiated than the classification implies. A Class IIa startup still needs:
- A full QMS to EN ISO 13485:2016+A11:2021, per Article 10(9).
- A complete technical file per Annex II and Annex III.
- General safety and performance requirements demonstration per Annex I.
- A risk management file to EN ISO 14971:2019+A11:2021.
- A clinical evaluation to Article 61 and Annex XIV, even when the clinical risk profile is low.
- Post-market surveillance per Articles 83–86 and post-market clinical follow-up where applicable.
- Vigilance per Articles 87–92.
- A PRRC per Article 15.
- Notified Body involvement for conformity assessment.
Every one of those obligations has a legitimate safety rationale in isolation. Taken together for a low-risk device, the total compliance cost begins to exceed what the device's safety profile justifies. The regulation does not contain an explicit proportionality override for low-risk devices. The startup pays full price.
The December 2025 Commission proposal on MDR reform now acknowledges, at the political level, that this outcome was not what the regulation intended when it was drafted after the PIP breast implant scandal.
A worked example (Test)
Tibor has seen this pattern, in different variations, more than a dozen times.
A small team builds a Class IIa non-invasive measurement device for home monitoring. The device has a clean risk profile, a well-understood measurement principle, and a clinical use case that is more about convenience than life-saving intervention. The bill of materials for the hardware costs about 120 euros. The team's total seed round is one-and-a-half million euros.
Their MDR budget, done properly, lands between 350,000 and 600,000 euros by the time CE mark is achieved. That includes QMS certification, Notified Body fees, a clinical evaluation package with a modest PMCF study, biocompatibility, usability engineering, technical documentation, and the PRRC function. The founders carry personal risk through most of that timeline.
A comparable device in the United States, placed on the market under the 510(k) pathway, would typically see a total regulatory spend well below the EU figure, with a faster path to revenue. A comparable Class I wellness device, staying outside the medical device framework entirely, would face essentially no certification cost but would also not be allowed to make any medical claim.
The MDR bill does not buy zero safety. It buys a structured QMS, a risk management file that genuinely surfaces hazards, and post-market monitoring. Tibor has seen founders uncover real risks they had not thought of during their first proper ISO 14971 session. That is value. The question is whether the marginal value of the full MDR package, for a device at this risk level, justifies the marginal cost for a startup at this stage.
Tibor's honest verdict, looking at fifty-plus audits of exactly this kind of company: for most low-risk devices, the answer has been no. The regulation produces safer devices at the higher-risk end and cost-disproportionate compliance at the lower-risk end. Innovation at the lower end gets strangled not by bad intentions but by uniform application of rules designed for high-risk products.
The Subtract to Ship playbook (Ship)
The honest verdict does not change the founder's decision matrix in April 2026. The regulation is still the regulation. Arguing with it wastes runway. The Subtract to Ship response is built on acceptance and ruthless subtraction.
Rule 1: Accept the regulation as written, not as you wish it were. Every hour spent complaining about MDR proportionality is an hour not spent shipping. Tibor, despite his critique, starts every engagement with founders by saying the same thing: MDR is the law, we will comply with it completely, and then we will cut everything that is not required.
Rule 2: Do only what MDR actually requires. Felix calls this the subtraction audit. For every document in the technical file, every process in the QMS, and every activity on the regulatory roadmap, write the specific MDR article, annex, or MDCG guidance that requires it. If there is no reference, the activity does not belong in the plan. Most startup technical files carry between twenty and forty percent gold-plated content. That is pure subtraction territory.
Rule 3: Match compliance effort to device class. A Class IIa file is not a Class III file. Clinical evaluation, PMCF, and technical documentation should scale with risk. Notified Body expectations scale with class. Do not voluntarily deliver Class IIb evidence for a Class IIa device because a consultant suggested it.
Rule 4: Use the harmonised standards that give presumption of conformity. EN ISO 13485:2016+A11:2021, EN ISO 14971:2019+A11:2021, and the other harmonised standards are not optional suggestions. They are the cheapest path to demonstrating compliance. Building custom processes outside these standards adds cost without adding safety.
Rule 5: Consider the wellness-first path when it is genuinely viable. For some devices, the honest answer is not to enter the medical device framework at all during the first phase. Launch as a wellness product, generate evidence and users, and transition to a medical device when strategically ready. Tibor counts this as one of the best regulatory decisions a founder can make when it is legally honest.
Rule 6: Track the reform, do not bet on it. The December 2025 Commission proposal is a political signal. It is not a reason to lower the compliance bar today. Build for the current MDR, and let any future relief be upside.
Rule 7: Use the regulation as a moat once you are through it. The same burden that hurt the startup on the way in becomes a barrier to competitors after CE mark. Founders who treat MDR as a moat rather than a tax recover some of the value they paid during certification.
Reality Check
- Can you state, in one sentence, the classification rule from Annex VIII that places your device in its class, and can you justify it?
- Have you audited every document in your technical file against a specific MDR article, annex, or MDCG reference, and deleted the ones with no reference?
- Is your clinical evaluation package scaled to your actual risk class, or are you over-delivering because a consultant suggested it?
- Is your QMS built around EN ISO 13485:2016+A11:2021, or have you added custom processes that no regulation requires?
- Have you honestly evaluated whether a wellness-first path is legally viable for your device before committing to full MDR?
- Are you spending energy arguing about MDR proportionality instead of shipping?
- Do you know whether the December 2025 Commission proposal touches your device class, or are you assuming it does?
- If MDR stays exactly as written through 2028, does your certification plan still work?
Frequently Asked Questions
Is it acceptable to publicly call MDR overkill? Tibor does so publicly, as a Notified Body lead auditor, because the critique is backed by direct audit experience and by a consistent pattern across fifty-plus companies. The critique is professional, not political. It is also paired with complete compliance in every engagement. Founders can hold both positions at once.
Does MDR still make sense for high-risk devices? Yes. The proportionality critique is focused on low-risk and low-mid-risk devices. For Class IIb and Class III, and especially for implantables, the full MDR framework produces measurable safety value. The critique targets the uniform application of rules designed for the highest-risk end to the lowest-risk end.
Should founders wait for MDR reform before starting? No. The reform path is multi-year, uncertain, and will contain transitional arrangements that favour devices already on the market. Founders who ship under current MDR will be in a stronger position to benefit from any future relief than founders who paused.
What does Subtract to Ship actually subtract? Gold-plated documentation, consultant-added processes with no regulatory basis, voluntary over-delivery beyond classification class, duplicated testing, and activities that do not trace to an article, annex, or MDCG guidance. It does not subtract anything the regulation requires.
Is wellness-first honest or a loophole? It is honest when the device, as marketed, makes no medical claim and the intended purpose is genuinely wellness-oriented. It is not honest if the team is secretly making medical claims in sales conversations while keeping them out of the labelling. Tibor's rule is that Article 2(12) applies: intended purpose is defined by the data supplied by the manufacturer, including in promotional materials.
How did MDR end up this way if the Commission now admits it was overkill? The regulation was drafted in the aftermath of the PIP breast implant scandal and other patient harm events. The political imperative was to raise the safety floor across Europe. Proportionality to risk class was addressed in the classification system but not rigorously enforced through differentiated compliance burden. The December 2025 proposal is the first official acknowledgement that the outcome diverged from the intention.
Related reading
- "Subtract to Ship framework for MDR", for the subtraction discipline referenced throughout this post.
- "Minimum viable regulatory strategy for CE mark with limited resources", for the practical subtraction playbook at the plan level.
- "MDR deregulation: December 2025 Commission proposal", for the policy signal this post references.
- "No bullshit MDR guide for first-time founders", for the baseline mindset needed to hold the critique and the compliance together.
- "Both-sides perspective: auditor and entrepreneur", for more on why Tibor's verdict carries weight from both angles.
Sources
- Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 15, 51, 52, 61, 83–86, 87–92. Annexes I, II, III, VIII, XIV.
- Regulation (EU) 2023/607 amending Regulations (EU) 2017/745 and (EU) 2017/746 as regards transitional provisions.
- EN ISO 13485:2016+A11:2021 Medical devices. Quality management systems. Requirements for regulatory purposes.
- EN ISO 14971:2019+A11:2021 Medical devices. Application of risk management to medical devices.