The MedTech team that ships is not the team that has hired everyone. It is the team that has the right 3-5 roles filled honestly, with real competence behind each title, and with a leadership layer that treats regulatory as core engineering rather than a tax. Before CE marking, the minimum viable team is a committed CEO, a technical lead with device-domain depth, a clinical voice, a quality-and-regulatory lead, and a PRRC arrangement that satisfies MDR Article 15. After CE marking, the team has to grow along specific lines. Post-market surveillance, vigilance, supplier management, complaint handling. Or the certificate becomes a liability. Everything else is either premature or outsourceable.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • A pre-CE MedTech startup does not need a big team. It needs five honest seats: CEO, technical lead, clinical voice, quality-and-regulatory lead, and a PRRC arrangement under MDR Article 15.
  • Some of these seats can be filled part-time, fractional, or external in the early stages. Others cannot. The PRRC role has a specific legal shape under Article 15, including the micro and small enterprise option in Article 15(2).
  • The single most dangerous failure mode is not understaffing. It is a "dedicated expert" who has learned the vocabulary but not the regulation, combined with a board that has stopped asking questions.
  • Leadership commitment is a prerequisite, not a bonus. If the top of the company does not care about regulatory, nobody below will, and the war is already lost.
  • Founder agreements matter more in MedTech than in most industries because the timelines are long and the equity on the cap table has to survive five to seven years without becoming dead weight.
  • The team evolves in predictable stages. 3 people, 10 people, 30 people. And each transition has its own hiring trap.
  • Subtract to Ship applied to team building means: do not hire until the work is real, do not hire a title until you can verify the competence, and do not assume a consultant can be a substitute for an internal owner.

Why this matters for your startup

There is an Austrian company Tibor came across where the founders told every investor, every partner, and every incoming auditor the same sentence: "We have a dedicated expert handling regulatory." It was the sentence that ended every difficult conversation. The board relaxed. The investors relaxed. The partners relaxed. Under the surface, the "expert" was beginner-level. Fluent in the vocabulary, empty on the substance. Intended purpose was inconsistent between documents. Classification pointed at the wrong Annex VIII rule. The clinical evaluation strategy would not have survived a serious Notified Body review. The company had been running for years on a foundation that looked competent and was not. Tibor has written about this in DIY vs. Hiring a Regulatory Consultant because it is a consulting question, but it is also a team question, and that is what this post is about.

The second story is from Felix's side. A solo founder had built a company with a team of eight people. The product was not shipping. The founder had assumed the problem was the product, or the market, or the fundraise. It turned out the problem was the team. Not individually bad people, but the wrong shape for the problem. Felix's recommendation was uncomfortable: rebuild the team first, then the product. The founder did exactly that. Replaced the team. Re-engineered the product. The silent rebuild worked, but it cost a year and a lot of money that would have been saved by hiring more carefully the first time.

The third story is the one that still ends companies. Two co-founders start with a clean 50/50 split. No leaver clauses. No vesting. No agreement about what happens if one of them leaves, dies, or checks out. One of them does check out two years later. The other now owns 50% of a company whose other 50% is dead equity. The absent co-founder will not sell, will not vote, will not engage. Every investor who looks at the cap table walks away. The company is functionally un-investable. This is not a regulatory problem, but it is a team problem that kills MedTech startups disproportionately because the funding cycles are long and the dead equity sits on the cap table for a decade.

These three stories share one theme. In MedTech, team mistakes are not just HR problems. They become regulatory problems, funding problems, and certificate-survival problems, and they compound over timelines much longer than a consumer startup can afford to ignore.

The core roles every MedTech startup needs

Before we talk about what each role does, here is the honest minimum. A pre-CE MedTech startup needs these seats filled, with real competence behind each one, even if some of them are fractional or external.

  1. CEO / founder. Accountable for the whole, including regulatory.
  2. Technical lead / CTO. Owns the device architecture and the engineering reality.
  3. Clinical voice. Someone who understands how the device is actually used by clinicians and patients.
  4. Quality and regulatory lead. Owns the QMS, the technical file architecture, and the regulatory strategy.
  5. PRRC arrangement. The legally required Person Responsible for Regulatory Compliance under MDR Article 15, internal or external.

That is it. Five seats. Not five hires. Five seats. In the earliest stage, one person can hold two seats if the competence is real. The CEO can be the clinical voice if the CEO is a clinician. The technical lead can be a co-founder. The quality-and-regulatory lead can be external or fractional in the earliest phase. The PRRC can be an external arrangement under Article 15(2) if the company qualifies.

What you cannot do is leave a seat empty and pretend. A seat without an owner is a seat that will break the company at the worst possible moment. Usually the first Notified Body audit.

What each role actually does

CEO / founder

The CEO in a MedTech startup is not just the business lead. They are the person who has to internalise that the regulation is not an obstacle to the product. It is part of the product. MDR Article 10 places the legal obligations of a manufacturer on the legal manufacturer entity, and in a small company that entity is ultimately accountable at the top. The CEO is the one who decides whether regulatory gets the time, the budget, and the cross-functional priority it needs. They are also the one who has to stop saying "we have a dedicated expert handling regulatory" and start asking actual questions.

Technical lead / CTO

The technical lead owns the device architecture, the engineering decisions, and the connection between the engineering reality and the regulatory file. In a startup this person is often a co-founder. They need to understand enough of the regulatory surface to make design decisions that do not create unnecessary regulatory load. Material choices, software architecture, risk control implementation, verification strategy. A CTO who treats regulatory as "the QMS team's problem" is a CTO who will be surprised by the technical file review.

Clinical voice

The clinical voice is the person who understands how the device is actually used in the clinical setting. Not what the brochure says, but what happens on a busy Tuesday morning in a clinic. This role is often missing in startups founded by pure engineers. It does not always have to be a CMO (Chief Medical Officer) with a full-time salary. It can be a clinical advisor, a founding clinician, a part-time medical director. What it cannot be is absent, because the intended purpose, the user requirements, the clinical evaluation, and the usability engineering all depend on real clinical understanding.

Quality and regulatory lead

This role owns the QMS as required under EN ISO 13485:2016+A11:2021, the technical file architecture, and the regulatory strategy. In a pre-CE startup this is often one person wearing both the QA hat and the RA hat. See Building a Quality Team: QA and RA for when and how to split the roles. The person in this seat does not need to know every answer. They need to know which questions to ask, which articles to read, and when to escalate. They are the internal owner of the relationship with external experts and the Notified Body.

PRRC

The PRRC is a legally defined role under MDR Article 15. We cover the legal foundation in depth in PRRC and MDR Article 15 and the startup-specific options in PRRC Options for Startups. The PRRC is the specific person. Named, qualified, available. Who is responsible for ensuring the regulatory compliance of the device. It is not a title you hand out. It is a legal function with specific qualification requirements and specific tasks.

What can be fractional or external, and what cannot

Not every seat has to be a full-time employee. The honest breakdown for a pre-CE startup with limited runway looks like this.

Must be internal (full-time or core co-founder): - CEO. Cannot be fractional. The legal manufacturer obligations under Article 10 attach to the company, and someone has to be accountable at the top full-time. - Technical lead / CTO. The device architecture cannot be outsourced. Engineering decisions happen daily, and the person making them has to live inside the company.

Can be fractional or external in early stage, but must become internal as you scale: - Quality and regulatory lead. Can start as an external consultant or a fractional hire. Must become internal before the QMS goes live in operation, because a QMS without an internal owner drifts. See Hiring Your First Regulatory Affairs Person for the timing question. - Clinical voice. Can be a clinical advisor or fractional medical director in early stage. Becomes more important (and often internal) once clinical evaluation and usability engineering move into depth.

Can legitimately be external indefinitely, if structured correctly: - PRRC under Article 15(2). For micro and small enterprises, an external PRRC arrangement is explicitly allowed by the Regulation. This is not a workaround. It is a legal route designed into the text. - Specialist support. Clinical evaluation authors, notified body interface specialists, biocompatibility experts, cybersecurity specialists. These are legitimate external relationships.

The trap is confusing "external is allowed" with "external means you don't need an owner inside the company." You always need an internal owner. The external expert reports to the internal owner. The internal owner reports to the CEO. If there is no internal owner, the external expert is functioning as a fig leaf, and that is the pattern that produced the "dedicated expert" disaster.

The PRRC obligation. MDR Article 15 in detail

The PRRC is worth reading carefully because it is the one role where MedTech startups most often get the legal shape wrong.

Under MDR Article 15(1), manufacturers shall have available within their organisation at least one person responsible for regulatory compliance who possesses the requisite expertise in the field of medical devices. The expertise is evidenced either by (a) a diploma, certificate, or other evidence of formal qualification in law, medicine, pharmacy, engineering, or another relevant scientific discipline, plus at least one year of professional experience in regulatory affairs or in quality management systems relating to medical devices; or (b) four years of professional experience in regulatory affairs or in quality management systems relating to medical devices.

Those are the Article 15(1) qualification criteria. Read them carefully. The "or" between (a) and (b) matters. The four-year experience route does not require the formal qualification.

Under MDR Article 15(2), micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC are not required to have the person responsible for regulatory compliance within their organisation but shall have such person permanently and continuously at their disposal. This is the external PRRC route. It exists because the Regulation recognises that the smallest companies cannot always carry a qualified PRRC on payroll, and it is a legitimate path. Not a loophole.

Two things are worth emphasising about Article 15(2). First, "permanently and continuously at their disposal" is a real obligation. An external PRRC who is hard to reach, who covers dozens of companies without bandwidth for yours, who does not know your device, is not at your disposal in any meaningful sense. The phrase is not satisfied by a contract. It is satisfied by an actual working relationship. Second, the micro and small enterprise definition is specific: under Commission Recommendation 2003/361/EC, a small enterprise has fewer than 50 employees and annual turnover or balance sheet below EUR 10 million; a micro enterprise has fewer than 10 employees and annual turnover or balance sheet below EUR 2 million. Once you cross those thresholds, Article 15(2) no longer applies and the PRRC has to be internal.

Article 15(3) sets out the tasks of the PRRC: ensuring that the conformity of the devices is appropriately checked in accordance with the QMS before a device is released; ensuring that the technical documentation and the EU declaration of conformity are drawn up and kept up to date; ensuring that post-market surveillance obligations are complied with; ensuring that the reporting obligations referred to in Articles 87 to 91 are fulfilled; and, in the case of investigational devices, ensuring that the statement referred to in Section 4.1 of Chapter II of Annex XV is issued. These are not suggested activities. They are the legal definition of what the PRRC does.

Article 15(6) protects the PRRC from disadvantage within the organisation in connection with the proper fulfilment of their duties. This is the line that says, in effect, the PRRC cannot be fired for telling the CEO no. In a startup, this protection matters more than it sounds. The PRRC is the person who has to be able to say "we are not ready to release" without worrying about their job.

For the full walk-through of the article and the startup-specific options, see PRRC and MDR Article 15 and PRRC Options for Startups.

Leadership commitment as prerequisite

There is a line Tibor comes back to whenever the topic is team building. If top management does not care about regulatory, nobody cares. The war is already lost.

This sounds like a soft point. It is not. In every MedTech startup Tibor has watched fail at the regulatory layer, the failure traced back to a leadership team that treated regulatory as a tax rather than a core part of the product. The tax framing shows up in specific, diagnosable ways. Budget conversations where regulatory is the first line to be cut. Cross-functional meetings where the regulatory lead is the person being talked over. Product decisions made without asking "how does this land in the technical file?" Hiring plans that put ten engineers in front of the first quality person. The external signals of a company that has lost the war before the first audit.

EN ISO 13485:2016+A11:2021 codifies this as "management responsibility" and "management commitment". The QMS has to have visible, active, documented engagement from top management. Auditors look for it directly. A company where the CEO cannot articulate the QMS policy from memory is a company with a management commitment problem, not just a documentation problem.

The practical test is this. When the CEO walks into the weekly team meeting, what do they ask about first? If the answer is revenue or engineering velocity and regulatory only comes up when there is a crisis, the problem is already present. The regulatory state of the company is supposed to be a standing agenda item at the top, not a firefighting topic at the bottom.

When to hire vs. when to contract

A simple decision rule Tibor has found useful.

Hire when: - The work is ongoing and embedded in daily operations (QMS operation, internal audits, training, CAPA, complaint handling). - The person needs to carry deep context about your specific device across months and years. - The role is a legal obligation that demands "permanently and continuously at the disposal of" the company and you are no longer a micro or small enterprise. - The competence in question needs to be transferable to other team members over time.

Contract when: - The work is episodic and specialist (biocompatibility testing interpretation, cybersecurity penetration testing, specific clinical evaluation review milestones). - The work requires a scale of experience you cannot economically reproduce internally. - The role is explicitly structured as an Article 15(2) external PRRC and the arrangement is real and documented. - The work is short-lived. A Notified Body response sprint, a gap analysis, a technical file review.

The trap is contracting work that should be hired, because it feels cheaper, and then discovering the contractor has no continuity and no ownership when a crisis hits. The mirror trap is hiring work that should be contracted, because it feels more in control, and then carrying a salary for specialist expertise you need twice a year.

The founder-as-everything trap

In almost every early-stage MedTech startup Felix sees, there is a phase where the CEO is also the regulatory lead, also the clinical voice, also the fundraiser, also the QA manager, also the project manager. Sometimes this is necessary for a few months. Sometimes it becomes the permanent operating model, and when it does, the company breaks.

The reason is not that the CEO is incompetent. It is that the CEO is a bottleneck, and every decision routes through one brain that is already saturated. Regulatory decisions start getting made at midnight when the CEO is tired. Clinical evidence strategy gets decided in a fifteen-minute gap between two fundraising calls. The QMS becomes whatever the CEO remembers to do. The technical file accumulates inconsistencies because nobody has the time to read it end to end.

The subtraction move here is not "hire more people faster." It is "name the work honestly, and for each chunk of work, decide whether the CEO is the right owner or whether the seat needs to be filled by somebody else." Some of that work legitimately belongs to the CEO. Most of it does not. The discipline is to move it out of the CEO seat deliberately, with a named owner, before the bottleneck breaks.

Felix's silent-rebuild story is the extreme version of this. A founder with a team of eight who still acted as if they were solo. The team was the problem not because the people were bad but because the founder had never let go of ownership, and the team had learned to route everything through the centre. Rebuilding the team meant rebuilding the founder's relationship with delegation before it meant replacing any individual.

Team stage transitions: 3 → 10 → 30

Team shape changes with size, and each transition has its own trap.

3 people (pre-seed / seed). Usually two or three co-founders wearing every hat. The core risk here is the founder agreement. No vesting, no leaver clauses, no agreement about what happens when someone leaves. Felix has seen this pattern end companies years later with 40% dead equity on the cap table. The fix is boring and cheap: a real shareholders' agreement with vesting and leaver provisions, written before anyone is angry. The second risk is assuming regulatory can wait until Series A. It cannot. The intended purpose and classification decisions made at 3 people shape the entire regulatory path.

10 people (seed / Series A). The first hires outside the founding team. This is where the quality-and-regulatory lead usually needs to become internal if they were external. This is where the PRRC arrangement needs to be formalised. Either a competent internal hire who meets Article 15(1) criteria, or a real Article 15(2) arrangement documented and actually working. This is where the CEO has to stop doing regulatory personally and start managing the regulatory function. The trap is hiring ten engineers before the first quality person, and then trying to retrofit a QMS around engineering processes that were built without one.

30 people (Series A / B, approaching CE). The team has to cover QA and RA as distinct functions, post-market surveillance infrastructure, vigilance capability, supplier management, complaint handling. Pre-CE work and post-CE work are overlapping. The PRRC becomes a more senior role, often a dedicated head-of-RA hire. The trap here is assuming the same people who took you to CE will run the post-market phase. Sometimes they will. Sometimes the post-market phase requires a different shape of team, and the founder has to make uncomfortable hiring decisions before the certificate lands.

The Subtract to Ship angle

The Subtract to Ship framework applies to team building the same way it applies to the technical file. The test is not "do we have all the people the org chart template says we should have." The test is "for each piece of work that has to happen in the next 12 months, who is the named owner, is the competence real, and does the work trace to a specific MDR obligation or a specific company-critical outcome?"

Subtraction in team building looks like this. Do not hire until the work is real. Do not hire a title until you can verify the competence. Do not assume a consultant is a substitute for an internal owner. Do not fill an org chart seat because an investor deck said you should. Fill a seat because the work will fail without it. And conversely, do not leave a seat empty because you do not want to spend the money, when the seat is load-bearing for the regulatory file and for the survival of the company.

The first-time-founder guide in No-BS MDR Guide for First-Time Founders makes a related point: the right team is the team whose skills and commitment match the actual work, not the team that matches your funding-round narrative.

Reality Check. Where do you stand?

  1. Can you name. By name. The person accountable for each of the five core seats (CEO, technical lead, clinical voice, quality and regulatory lead, PRRC)? Not "the team handles it." A name.
  2. For each named person, can you describe the evidence behind their competence in plain terms, independent of their CV and their job title?
  3. If your PRRC is internal, do they meet the Article 15(1) qualification criteria by a specific path (either diploma plus one year, or four years of regulatory/QMS experience) that you can document?
  4. If your PRRC is external under Article 15(2), does the "permanently and continuously at their disposal" standard actually describe the working relationship, or is it aspirational?
  5. Does your CEO treat regulatory as a standing agenda item at the top of every weekly meeting, or only when there is a crisis?
  6. Do you have a founder agreement with vesting and leaver clauses, written and signed, covering every co-founder on the cap table?
  7. If the person in your quality-and-regulatory seat left tomorrow, how long would it take to continue the work without loss of context? (Measure in weeks. Anything more than eight is a warning.)
  8. When was the last time your CEO personally asked a regulatory question that was not a firefighting question?

Frequently Asked Questions

What are the absolute minimum roles a MedTech startup needs before CE marking? Five seats: CEO, technical lead, clinical voice, quality and regulatory lead, and a PRRC arrangement under MDR Article 15. In the earliest stage, one person can hold two seats if the competence is real, and some seats can be fractional or external. What you cannot do is leave a seat empty and pretend.

Can a MedTech startup use an external PRRC instead of hiring internally? Yes, under MDR Article 15(2), if the company qualifies as a micro or small enterprise under Commission Recommendation 2003/361/EC (broadly, fewer than 50 employees and turnover or balance sheet below EUR 10 million for small; fewer than 10 and EUR 2 million for micro). The PRRC must still be permanently and continuously at the disposal of the company, which is a real working-relationship requirement, not just a contract. Once the company grows past the micro/small threshold, the PRRC has to be internal. See PRRC Options for Startups.

Does the CEO of a MedTech startup need regulatory experience? Not necessarily experience, but necessarily commitment and understanding. The CEO does not need to be a regulatory specialist. That is why the quality and regulatory lead seat exists. The CEO does need to treat regulatory as core product work rather than a tax, carry the MDR Article 10 manufacturer obligations seriously, and make sure regulatory gets the budget, time, and cross-functional priority it needs. A CEO who delegates regulatory to "the expert" and stops asking questions is the single most common failure mode Tibor sees.

When should a MedTech startup hire its first dedicated regulatory affairs person? Usually at the transition from 3-5 people to 10 people, or earlier if the device is in a classification grey zone or if the clinical evidence strategy is unclear. Before the first dedicated internal hire, the function can be covered by a fractional consultant or an external quality and regulatory lead, but the work still needs a named internal owner at CEO or co-founder level. See Hiring Your First Regulatory Affairs Person for the detailed timing.

How do we verify whether our "dedicated regulatory expert" is actually competent? Ask them to walk you through the intended purpose of your device, the Annex VIII rule that governs classification, and the clinical evidence strategy, citing specific MDR articles. Ask them to describe a device they got wrong. Ask them what parts of MDR they do not know well enough to decide alone. A competent expert will answer specifically and honestly. A fluent-but-incompetent one will deflect into process vocabulary. See DIY vs. Hiring a Regulatory Consultant for the full evaluation framework.

What founder agreement mistakes most often kill MedTech startups? A clean equity split with no vesting, no leaver clauses, and no agreement about what happens when one founder leaves or disengages. MedTech timelines are long. Five to seven years from founding to meaningful revenue is common. And dead equity on the cap table makes the company un-investable at the worst possible moment. The fix is a real shareholders' agreement with vesting and leaver provisions, written before anyone is angry.

Can one person be both QA and RA in a MedTech startup? Yes, in early stages, provided the competence is real in both. The quality and regulatory lead seat is deliberately singular in the minimum viable team. As the company grows past ten people, the QA and RA functions usually need to separate because the work diverges in depth. See Building a Quality Team: QA and RA for the split timing.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), Article 15 (person responsible for regulatory compliance), Article 15(1) (qualification requirements), Article 15(2) (micro and small enterprise external PRRC arrangements), Article 15(3) (tasks of the PRRC), Article 15(6) (protection of the PRRC within the organisation). Official Journal L 117, 5.5.2017.
  2. Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal L 124, 20.5.2003.
  3. EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Sections on management responsibility and management commitment.

This post is the pillar for the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Use it as the map: the spoke posts in this category each go deeper on one of the roles, transitions, or hiring decisions named here. If the team discussion in your company is stuck in "we have a dedicated expert handling regulatory," this is the post to hand to your board.