In MedTech, revenue is a lagging indicator of regulatory competence. The KPIs that actually predict whether you will ship and scale are regulatory milestones, notified body interaction quality, post-market surveillance data health and risk closure rates. SaaS dashboards mislead because they assume a world where shipping faster is always better. Under MDR, shipping faster without the evidence stack is how you get pulled from the market.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • Revenue lags by 18 to 36 months in MedTech, so leading indicators must be regulatory and clinical, not commercial.
  • The four metric families that matter for a pre-market MedTech startup are: evidence build rate, notified body interaction quality, quality system health and risk closure.
  • Post-market, the dashboard shifts to PMS data quality, complaint trend velocity and CER update cadence, all anchored in MDR Articles 83 to 86.
  • SaaS metrics like MRR growth, CAC payback and NPS are necessary but insufficient, because they assume the product can legally be sold.
  • A regulated startup dashboard should fit on one page and contain no more than twelve numbers.
  • The single most predictive metric in the pre-market phase is the number of open GSPR gaps per device, trending to zero.

Why this matters

A founder pitched us last autumn. Slide seven was beautiful: pipeline, ARR projection, activation curves, a CAC payback chart. Slide eight was "Regulatory status: on track." That was the whole slide.

Two months later her notified body came back with a review report containing 47 findings, 12 of them major. The pipeline did not matter anymore. She had no idea her regulatory file was that far from ready because nothing in her dashboard tracked it. She had SaaS metrics for a business that could not legally sell.

This is the MedTech startup paradox in one picture. Commercial metrics look healthy until the regulatory wall arrives, and then they stop mattering entirely. The founders who ship on time are the ones who put the regulatory work on the dashboard next to revenue, with the same rigour, the same weekly cadence and the same executive attention.

What MDR actually says

MDR does not mandate specific startup KPIs. But it does mandate that you track certain things continuously, and those mandated activities are precisely the signals a serious MedTech dashboard should surface.

Article 10(9) requires manufacturers to establish, document, implement, maintain, keep up to date and continually improve a quality management system proportionate to the risk class and type of device. Proportionate is the operative word. For a three-person startup, proportionate means small, but still functional. You cannot demonstrate "continually improve" without measuring something.

Articles 83 to 86 define the post-market surveillance system. Article 83 requires that the PMS system be part of the QMS, that it actively and systematically gather, record and analyse data on quality, performance and safety of a device throughout its entire lifetime. Article 84 requires a PMS plan. Articles 85 and 86 define the PMS report and periodic safety update report, with the cadence and depth depending on device class.

Articles 87 and 88 cover vigilance and trend reporting. Trend reporting (Article 88) is particularly relevant as a metric because it forces you to define what "statistically significant increase in non-serious incidents or expected side-effects" actually looks like for your device. You cannot detect a trend you are not measuring.

Annex III specifies the technical documentation for PMS, including the PMS plan structure and the data sources you must tap. MDCG 2025-10 on post-market surveillance is the current interpretive layer and should be read alongside Annex III.

The MDR does not give you a dashboard. It gives you a set of activities you must perform and demonstrate. The dashboard is how you make those activities visible to yourself and to investors before an auditor forces them to be visible the hard way.

A worked example

Consider a 14-person Class IIa software startup, 18 months from target CE mark, wearable-connected rehabilitation software. Burn is EUR 180k per month. Seed round closing in six months. The founders previously ran a SaaS company and instinctively want to track activation, retention, weekly active users.

Here is the dashboard we built with them. One page. Twelve numbers. Updated weekly, reviewed every Monday in a 30-minute standup with the founder, the quality manager and the clinical lead.

Block 1 — Evidence build rate (4 metrics)

  1. GSPR gaps open, by GSPR number. Target: trending to zero 90 days before NB submission.
  2. CER draft completeness percentage. Specific sub-sections from Annex XIV Part A, scored green/amber/red weekly.
  3. Clinical data sources identified vs evaluated. A ratio. If you have 80 sources identified and 12 evaluated, that is red.
  4. Technical documentation sections closed vs Annex II structure. 23 sections, scored green/amber/red.

Block 2 — Notified body interaction quality (3 metrics)

  1. Average response time to NB query, rolling 30 days. Target: under 5 working days. Slower than that and the NB closes review windows.
  2. First-time response acceptance rate. If the NB comes back three times on the same question, something is wrong with the answer quality, not the question.
  3. Open findings count by severity (major/minor/observation) with age.

Block 3 — Quality system health (3 metrics)

  1. Open CAPAs by age. CAPAs older than 60 days without movement are a red flag for any auditor.
  2. Internal audit findings closure rate. Finding something is fine. Not closing it is the problem.
  3. Document control backlog — documents overdue for review per the QMS document lifecycle.

Block 4 — Risk closure (2 metrics)

  1. Residual risks above acceptable threshold per ISO 14971, trending to zero.
  2. Risk controls verified vs risk controls defined. A ratio. Controls without verification evidence are not controls.

Notice what is not on this list: revenue, MRR, pipeline, DAUs, NPS. Those live on a separate commercial dashboard that becomes primary only after CE mark. Pre-market, they are noise.

After six weeks of running this dashboard the founder told us two things. First, the weekly standup surfaced a CER structural problem three months before the notified body would have caught it. Second, her investors started asking different questions. They stopped asking about activation and started asking about GSPR gap closure velocity. That is investor education happening through numbers, not through pitch decks.

The Subtract to Ship playbook

Here is how to build a regulated startup dashboard without drowning in bureaucracy.

Step 1 — List your legally mandated activities. Start from MDR Articles 10, 83 to 88, and Annex III. For each mandated activity, ask: what does "doing this well" look like in a measurable way? This gives you the raw material for metrics. Do not invent metrics for things the regulation does not require.

Step 2 — Cut to twelve. If you cannot explain a metric to your cleaning staff in 30 seconds, it does not belong on the dashboard. The point is executive attention, not data collection. Twelve is a ceiling, not a floor. Eight is better.

Step 3 — Define thresholds before you collect data. Green, amber, red for each metric. If you cannot define the thresholds in advance, you do not understand the metric well enough to track it. Thresholds force you to have the conversation about what acceptable actually means.

Step 4 — Review weekly, act monthly. Weekly review keeps the numbers honest. Monthly action is when you actually reshape the work. Do not change the dashboard structure more than once a quarter, otherwise trends disappear.

Step 5 — Make it visible to investors. Put the regulatory dashboard on page two of every board deck. This trains your investors, your board and future acquirers to see regulatory milestones as first-class business milestones. For the mechanics of how to frame regulatory progress to investors, see our post on the regulatory slide in a medtech pitch.

Step 6 — Post-market, shift the dashboard. After CE mark, evidence build rate metrics retire and PMS metrics take their place. Complaint rate per 1000 devices in service, PMS data completeness by source, CER update cadence, PMCF data yield, trend detection signal count. The commercial dashboard becomes primary but the regulated dashboard does not disappear. It becomes the health check underneath the business.

Step 7 — Never use a metric to punish a person. If your quality manager reports a new major non-conformity and gets punished, you will never see another major non-conformity reported. You will just see them arrive during the audit. The dashboard is a truth-seeking tool, not a performance management tool. Treat it accordingly.

A word on SaaS metrics. They are not wrong. They are incomplete. MRR, CAC, churn and NPS matter once you are on the market. The error is importing them as the primary dashboard while you are still pre-market, because they give you a false sense of momentum while the regulatory work that gates all of it slips. Track SaaS metrics. Just do not let them crowd out the metrics that actually determine whether you ship.

Reality Check

  1. Can you name your twelve most important non-revenue metrics right now, without looking them up?
  2. Does your weekly team meeting start with regulatory progress or with pipeline?
  3. When was the last time your board reviewed a regulatory dashboard as a standalone agenda item?
  4. What is your current number of open GSPR gaps, and is the trend down?
  5. What is your average response time to notified body queries in the last 30 days?
  6. Do your CAPAs have an age distribution or just a count?
  7. If an auditor walked in on Monday, which of your twelve metrics would you be most embarrassed about?
  8. Do you have PMS metrics defined before CE mark, or will you improvise them afterwards?

Frequently Asked Questions

Does this mean I should not track revenue or MRR? No. Track them. Just do not let them be the primary dashboard before CE mark. Pre-market, commercial metrics are directional intent, not reality. After CE mark, they become primary and the regulatory dashboard becomes the underlying health check.

How do I get my team to care about GSPR gap closure velocity? Make it visible, review it weekly, celebrate closures the way a SaaS team celebrates MRR jumps. The numbers shape the culture. If the only thing you congratulate is a demo, you get demos. If you congratulate a closed GSPR gap, you get closed GSPR gaps.

What if my investors only ask about SaaS metrics? Educate them with the regulatory dashboard on page two of every update. Within six months they will ask better questions. If they do not, you may have the wrong investors for a regulated business. See our post on pitching the regulatory slide.

How granular should PMS data quality metrics be? Granular enough to detect a trend, not so granular that you cannot act. MDCG 2025-10 and Annex III give you the source categories. Start with source completeness (are you actually getting data from every source your PMS plan lists?) before worrying about sophistication.

Should the PRRC own the regulatory dashboard? The PRRC should review it and sign off on its integrity. The founder should own the fact that the dashboard exists and is acted upon. These are not the same thing. Ownership of visibility is a founder job.

Is there a template I can copy? We deliberately do not publish a fixed template because the right dashboard depends on device class, maturity stage and team composition. The twelve metrics above are a starting point, not a recipe. Adapt them.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 83, 84, 85, 86, 87, 88 and Annex III.
  2. MDCG 2025-10 (December 2025) — Post-market surveillance.
  3. EN ISO 13485:2016+A11:2021 — Quality management systems for medical devices.
  4. EN ISO 14971:2019+A11:2021 — Application of risk management to medical devices.