---
title: MedTech M&A: How Acquirers Evaluate Regulatory Assets
description: How MedTech acquirers diligence regulatory assets under MDR — CE certificate transferability, QMS maturity, CER currency, and PMS continuity.
authors: Tibor Zechmeister, Felix Lenhard
category: Funding, Business Models & Reimbursement
primary_keyword: MedTech M&A acquirers regulatory assets
canonical_url: https://zechmeister-solutions.com/en/blog/medtech-ma-acquirers-evaluate-regulatory
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# MedTech M&A: How Acquirers Evaluate Regulatory Assets

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **When a MedTech acquirer runs diligence on a CE-marked target, they are not buying the device — they are buying the manufacturer's regulatory position under MDR Article 10. That position includes a CE certificate tied to a specific legal entity, a QMS audited under Annex IX, a living clinical evaluation, and an open-ended PMS obligation. Every one of those assets can discount or kill the deal if it does not survive legal entity change.**

**By Tibor Zechmeister and Felix Lenhard.**

## TL;DR
- Under MDR Article 10, manufacturer obligations attach to a specific legal entity — CE certificates do not automatically travel with a share sale or asset purchase.
- Acquirers diligence the QMS as audited under Annex IX, the technical documentation under Annex II and III, the CER currency under Article 61, and open vigilance and CAPA items under Articles 83–92.
- Notified Body relationships are not contractually assignable by default — most NB contracts require notification, re-assessment, or a certificate amendment when the manufacturer entity changes.
- Deal-killers include expired or soon-to-expire CE certificates, CERs older than the PMS update cycle, unresolved field safety corrective actions, and incomplete UDI submissions in Eudamed.
- A share deal usually preserves the legal entity and certificate; an asset deal usually does not, and often forces re-certification timelines the acquirer has not budgeted for.

## Why this matters

Almost every MedTech exit we see in Europe is a regulatory transaction dressed up as a technology transaction. The buyer may write the press release about the clinical platform, but their lawyers and their regulatory team are reading the CE certificate, the QMS certificate, the last Notified Body audit report, and the PMS plan. If any one of those documents is fragile, the term sheet is fragile.

Tibor has sat on both sides of this. As a Notified Body lead auditor, he has watched certificates get re-issued — and watched deals get repriced — because nobody in diligence understood that the certificate is bound to the manufacturer as defined in MDR Article 2(30), not to the product. As a founder who has sold companies, he has seen acquirers knock seven figures off the purchase price in the final week because a Clinical Evaluation Report was dated more than the PMS cycle allowed.

Founders preparing for an exit tend to optimise for revenue growth, IP, and clinical data. Acquirers optimise for regulatory risk-adjusted cash flow. When those two frames collide at the diligence stage, the founder usually loses — unless the regulatory assets were built to travel.

## What MDR actually says

### Manufacturer obligations are entity-bound

MDR Article 10 lays out the general obligations of manufacturers — everything from establishing a QMS (Article 10(9)), to maintaining technical documentation (Article 10(4)), to post-market surveillance (Article 10(10)), to appointing a PRRC under Article 15. These obligations attach to the "manufacturer" as defined in Article 2(30): the natural or legal person who manufactures or has a device designed, manufactured, or fully refurbished and markets that device under its name or trademark.

That definition is the pivot point of every M&A transaction. If the legal person changes, the manufacturer changes, and every obligation in Article 10 has to either travel with the entity or be re-established.

### Certificates are issued to a specific manufacturer

Under MDR Article 52 and Annex IX, the Notified Body issues a QMS certificate and (for Class IIa, IIb, and III) device-specific certificates to the manufacturer named in the application. The certificate references a legal entity, registered office, and scope. Nothing in the MDR allows an acquirer to simply "transfer" a certificate by signing a purchase agreement. The Notified Body is the issuer and the Notified Body decides whether the post-transaction entity still satisfies the conditions under which the certificate was issued.

In practice, the NB's own contract with the manufacturer governs the mechanics — notification periods, re-assessment scope, fees, and whether a certificate amendment or a new certificate is required. Those contracts are not standardised across NBs.

### PMS and vigilance obligations are continuous

MDR Articles 83–86 require an active, planned PMS system; Articles 87–92 require vigilance reporting. These obligations do not pause during a transaction. If a serious incident occurs mid-deal and the target delays the 15-day vigilance report under Article 87(3) because "we're in a deal," the acquirer inherits a regulatory breach.

## A worked example

A Series A cardiovascular software startup — Class IIa SaMD, CE-marked in 2024 — signs a non-binding LOI with a US strategic for EUR 42 million. The acquirer runs six weeks of regulatory diligence. Here is what they find, and what it costs the founders.

**Finding 1: The CE certificate is in the Austrian GmbH, but the acquirer planned to consolidate the IP under a Delaware parent via an asset purchase.**

The Notified Body confirms that an asset purchase extinguishes the manufacturer relationship. A new manufacturer would need a new application under Annex IX, which in 2026 means 9–14 months of queue and audit time. The deal structure shifts to a share acquisition to preserve the GmbH and the certificate. Tax structure changes. Price drops EUR 1.8 million.

**Finding 2: The Clinical Evaluation Report was finalised 22 months ago.**

The PMS plan commits to annual CER updates. The target missed one cycle. Under MDR Article 61(11) and Annex XIV Part A, clinical evaluation must be a "continuous process" updated with PMS data. The acquirer flags this as a material non-conformity risk for the next NB surveillance audit. Holdback escrow of EUR 2 million for 18 months.

**Finding 3: Two customer complaints logged but not triaged.**

The QMS procedure requires triage within 10 working days. Both complaints sat for six weeks. Neither turned out to be a serious incident, but the trail shows a broken process under ISO 13485:2016+A11:2021 clause 8.2.1 and MDR Article 83. The acquirer requires a CAPA plan and a third-party QMS gap audit before close. Two-month delay. EUR 180,000 in additional legal and consulting fees.

**Finding 4: Eudamed UDI-DI registration was never completed for one product variant.**

Minor finding, but it signals regulatory hygiene issues. Acquirer adds a representation and warranty with survival period of three years.

Final purchase price: EUR 38.4 million, with EUR 2 million escrow. The founders lose EUR 3.6 million of headline value to regulatory debt that could have been cleared in the six months before the LOI was signed.

## The Subtract to Ship playbook

Subtract everything from your pre-exit regulatory checklist that is not one of these eight items. Every one of them ties to a specific MDR article and every one of them is something an acquirer will look at.

**1. Certificate inventory with expiry and renewal status.** For each CE certificate and QMS certificate: issuer, scope, legal entity, issue date, expiry date, next surveillance date. If any certificate expires within 18 months of target close, start the renewal now. Acquirers discount certificates inside the renewal window heavily because they pay for the renewal risk.

**2. Legal entity mapping.** A one-page diagram showing which legal entity holds which certificate, which Eudamed SRN, which PRRC under Article 15, which authorised representative contract. If your engineering IP sits in one entity and your manufacturer registration sits in another, document the inter-company agreements that hold it together. Acquirers will ask.

**3. QMS built for transfer under EN ISO 13485:2016+A11:2021.** Process-based, documented, with records that survive a change of control. "It's all in one founder's head" is a diligence red flag. Run an internal audit specifically with a change-of-control lens: if the CEO disappeared tomorrow, could the QMS still be operated? If not, fix that before diligence, not during.

**4. Clinical evaluation that is current.** Under Article 61 and Annex XIV Part A, the CER is a living document. Date-stamp the last update. Align the update cycle with your PMS plan under Annex III. An acquirer reading a CER older than the cycle your own plan commits to will flag it immediately.

**5. PMS evidence, not just a PMS plan.** A plan is the easy part. Acquirers want to see the actual output: complaint logs, trend analyses, PMCF data where applicable, PSUR drafts for Class IIa and above under Article 86, or PMS report for Class I under Article 85.

**6. Clean vigilance status.** No open serious incident reports, no open FSCA (Field Safety Corrective Action), no open competent authority inquiries. If any of these exist, document them with dates, status, and expected resolution.

**7. Notified Body communications.** Copies of the last full audit report, any non-conformities raised and the CAPA responses, and any correspondence about the target's NB relationship. Also — and this is underrated — a written confirmation from the NB about what they require in a change-of-control scenario. Get this before diligence, not during.

**8. Eudamed completeness.** All actor registrations complete, all UDI-DI submissions current, all certificate entries matching reality. Eudamed is public where it exists, and acquirers check it.

Every item traces to a specific MDR article. Every item is something you can subtract only by actually completing, not by ignoring.

## Reality Check

1. If your legal entity changed tomorrow, can you cite the exact Notified Body contract clause that governs what happens to your CE certificate? If no, you have not read the contract.
2. When was your CER last updated, and does that date comply with the cycle your own PMS plan commits to?
3. Name every open CAPA older than 60 days. If the list is longer than three, acquirers will notice.
4. Is your PRRC under Article 15 an employee or a contractor, and does your QMS survive if they leave?
5. Are all your product variants fully registered in Eudamed with current UDI-DI records?
6. If a serious incident occurred today, do you know the 15-day, 10-day, and 2-day reporting thresholds under Article 87 without looking them up?
7. Has your QMS been internally audited in the last 12 months against ISO 13485:2016+A11:2021 with change-of-control as an explicit scenario?
8. Do you have a written, dated statement from your Notified Body about what they require in a share deal versus an asset deal?

## Frequently Asked Questions

**Does a share deal automatically preserve my CE certificate?**
Usually, but not always. The legal entity survives, so the manufacturer in Article 2(30) terms is unchanged. But most NB contracts require notification of a change of control, and the NB may conduct a special audit or adjust the certificate. Read your NB contract.

**Can we transfer a CE certificate to a new legal entity?**
The MDR does not provide a "transfer" mechanism. In practice, it requires a new application, review, and issuance by the NB — essentially a new certificate process. Plan for months, not weeks.

**What if the acquirer wants to change the device name or branding?**
Labelling changes touch Annex I Chapter III. Minor rebrand under the same intended purpose is usually manageable, but always confirm with your NB under the change control process in your QMS.

**Should we pause PMS during diligence?**
No. MDR Articles 83–92 obligations are continuous. Pausing PMS during a deal is the single fastest way to create a material breach the acquirer will find.

**How early should we start regulatory cleanup before an exit?**
12 to 18 months before you expect an LOI. CER updates, CAPA closure, and Notified Body surveillance cycles all take time you cannot compress during diligence.

**Does the acquirer's own QMS replace ours at close?**
Not automatically. The manufacturer entity named on the certificate keeps operating under its own QMS unless and until the acquirer executes a formal QMS integration with NB involvement.

## Related reading
- [Prepare for MedTech Acquisition: Regulatory Due Diligence](/blog/prepare-medtech-acquisition-regulatory-due-diligence) — the companion diligence preparation checklist.
- [MedTech Startup Valuation and Regulatory Milestones](/blog/medtech-startup-valuation-regulatory-milestones) — how regulatory status prices into valuation.
- [MedTech Exit Strategy](/blog/medtech-exit-strategy) — structuring the exit around regulatory realities.
- [MDR Article 10 Manufacturer Obligations](/blog/manufacturer-mdr-article-2-30) — the legal anchor for everything in this post.
- [Choose the Right Notified Body](/blog/choose-right-notified-body) — why NB choice affects deal mechanics years later.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 2(30), 10, 15, 52, 61, 83–92; Annex II, Annex III, Annex IX, Annex XIV.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
3. MDCG 2025-10 (December 2025) — Post-market surveillance.

---

*This post is part of the [Funding, Business Models & Reimbursement](https://zechmeister-solutions.com/en/blog/category/funding-reimbursement) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*