The MedTech startup paradox: you need significant resources to achieve regulatory compliance, but you do not have significant resources until you achieve regulatory compliance and start generating revenue. The regulatory path is designed for established manufacturers with dedicated teams. You are three people in a co-working space with a prototype and a seed round.
This post is for you.
The concept of a Minimum Viable Regulatory Strategy (MVRS) borrows from the startup playbook. But with a critical distinction. In product development, "minimum viable" means you can ship something incomplete and iterate based on feedback. In regulatory, "minimum viable" means you do exactly what is required, nothing less and nothing more. There is no shipping incomplete regulatory compliance. The CE mark is binary: you have it or you do not.
So the MVRS is not about cutting corners. It is about cutting waste. It is about identifying every activity that does not directly contribute to meeting MDR requirements and eliminating it. So your limited resources go exactly where they must.
The Principle: Subtract the Noise, Keep the Signal
MDR Annex I lists the General Safety and Performance Requirements (GSPRs). Not all of them apply to every device. The first act of your MVRS is determining which GSPRs are applicable to your specific device and which are not.
A software-only device does not need biocompatibility testing. A non-sterile device does not need sterilization validation. A device without a measuring function does not need metrological verification. These are obvious examples, but the same principle applies throughout the regulation. MDR is a framework designed to cover every conceivable medical device, from a simple tongue depressor to a robotic surgical system. A huge portion of its requirements are simply not applicable to your specific product.
Your GSPR checklist (a systematic mapping of which requirements apply and how you address each one) is the foundation of your MVRS. Do it first. Do it thoroughly. It becomes the master plan for everything else.
Tibor calls this the "divide and conquer" approach: "The regulation looks overwhelming because founders read it as if every single requirement applies to them. It does not. Your first job is to figure out which 30-40% of the regulation is directly relevant to your device. Then that is your regulation. The rest is noise for other device types."
Step 1: Nail Your Intended Purpose
Everything in MDR flows from intended purpose. Your classification depends on it. Your clinical evaluation scope depends on it. Your testing requirements depend on it. Your labeling depends on it.
The MVRS starts with writing a precise, carefully scoped intended purpose statement. Not vague. Not aspirational. Not what you hope the device will eventually do. What it does right now, in its first version.
Why this matters for limited resources: A broader intended purpose means a higher risk class, more testing, more clinical evidence, and more Notified Body scrutiny. A precisely scoped intended purpose. Covering exactly the use case you can support with evidence today. Keeps your regulatory burden proportional to what you can actually demonstrate.
This is not about gaming the system. It is about honest, precise communication of what your device does. MDR requires it. Your resources demand it.
Example: "Software intended to assist trained healthcare professionals in detecting potential anomalies in chest X-ray images" is more precise than "AI-powered diagnostic tool for respiratory diseases." The first is a clear, bounded intended purpose. The second is a marketing claim that could trigger higher classification and broader clinical evidence requirements.
Step 2: Classify Once, Classify Right
Get your device classification right the first time. Classification errors are among the most expensive mistakes a startup can make. Not because the classification itself is costly, but because everything downstream depends on it.
Go through every classification rule in MDR Annex VIII systematically. Document which rules apply and which do not. Apply the implementing rules. Arrive at your classification. Then get it validated by someone who has classified devices before.
For the MVRS, correct classification is existential. If you plan your entire regulatory strategy around Class IIa and your device is actually Class IIb, you will discover this when the Notified Body rejects your conformity assessment approach. Months into the process, with budget already spent.
Resource-saving tactic: Many Notified Bodies will confirm or discuss your classification during a pre-submission meeting. Some competent authorities in EU Member States also provide classification guidance. Use these resources before committing to a path.
Step 3: Build a QMS That Fits. Not One That Impresses
The biggest QMS mistake startups make is over-engineering it. They look at large manufacturers with hundreds of SOPs and think they need the same thing. They do not.
MDR Article 10(9) requires a quality management system. ISO 13485:2016 provides the framework. But the standard itself says that the extent of QMS documentation should be proportionate to the size of the organization, the type of activities, and the complexity of the processes.
For a three-person startup building a single software product, your QMS might consist of:
- 15-25 SOPs covering the core processes (design control, risk management, document control, CAPA, complaint handling, PMS, management review, supplier management, and the key supporting processes)
- A design and development file for your product
- A risk management file
- Records of your management reviews, CAPAs, and complaints
- A training matrix
That is it. You do not need 100 SOPs. You do not need a paper-based system with physical signatures. You do not need enterprise QMS software with 50 user licenses.
The MVRS QMS approach: 1. Start with an eQMS platform (monthly subscription, EUR 200-500/month for a small team) 2. Use template SOPs from a reputable source as your starting point 3. Customize them for your actual processes. Remove anything that does not apply to your company and device 4. Train your team on the SOPs (document the training) 5. Start living the QMS from day one. Use it as you develop your product, do not bolt it on afterward
Tibor's perspective: "I have audited startups with 15 clean SOPs that they actually follow, and I have audited companies with 200 SOPs that nobody reads. Guess which one passes the audit? The QMS that works is the one people use. Build what you need, use what you build."
Step 4: The Testing Strategy. Test What Matters
Testing is expensive. Laboratory time is expensive. Waiting for results is expensive. A lean testing strategy tests exactly what is needed to demonstrate conformity. Nothing more.
Your GSPR checklist drives your testing plan. For each applicable GSPR, identify the evidence needed to demonstrate conformity. For many GSPRs, the evidence is a reference to a harmonized standard and the corresponding test report.
Resource-saving tactics for testing:
Prioritize risk-based testing. Test the things that could harm patients first. Biocompatibility for patient-contacting devices. Electrical safety for powered devices. Software verification for software devices. Performance testing for the core intended purpose. These are non-negotiable.
Use harmonized standards. Testing to a harmonized standard gives you a presumption of conformity. Testing to a non-harmonized standard requires additional justification for why it is equivalent. The harmonized standard path is simpler, cheaper, and faster.
Combine tests where possible. Some test laboratories offer package deals for related standards. IEC 60601-1 electrical safety and IEC 60601-1-2 EMC testing, for example, can sometimes be done in the same facility with logistical efficiencies.
Understand what you can test internally. Not all verification testing requires an accredited laboratory. Functional performance testing, software testing, and some design verification can be done internally with proper documentation of methods, acceptance criteria, and results. Only tests where accredited laboratory reports are expected by the Notified Body need external testing.
Test on a design-frozen product. Testing a prototype that is still changing is wasted money. Freeze your design, test it, and document the frozen configuration. If you make changes after testing, assess whether the changes affect the test results. If they do, you test again.
Step 5: Clinical Evaluation. Start with What Exists
Clinical evaluation is required for every medical device under MDR Article 61. But clinical evaluation does not necessarily mean a clinical investigation (clinical trial).
For the MVRS, the clinical evidence hierarchy matters enormously:
- Published literature. Cheapest, fastest
- Equivalent device data. Moderate cost if equivalence can be established
- Clinical investigation. Most expensive, longest timeline
Your MVRS should exhaust options 1 and 2 before considering option 3.
Literature-based clinical evaluation: For well-established device types with extensive published clinical data, a systematic literature review and a well-written Clinical Evaluation Report (CER) may be sufficient. This is especially true for Class I and many Class IIa devices.
Equivalence route: If a substantially similar device already exists on the market with published clinical data, you may be able to claim equivalence. Under MDR, equivalence requires demonstration of technical, biological, and clinical equivalence. And for Class III and implantable devices, you typically need contractual access to the equivalent device manufacturer's technical documentation per Article 61(5).
When a clinical investigation is unavoidable: For novel devices, higher-risk devices, or devices where no equivalent exists and literature is insufficient, a clinical investigation is the only path. If this is your situation, plan for it from the beginning. Do not discover it at month 12 when you have already spent your clinical evaluation budget on a literature approach that turns out to be insufficient.
Tibor's reality check: "When I ask a startup about their clinical evidence strategy and they say 'we will do a literature review,' I ask them: have you actually checked if literature exists? Have you done a preliminary search? Because the worst outcome is investing in a CER based on literature that turns out to be insufficient, and then needing to pivot to a clinical investigation. Check the evidence landscape before you commit to a strategy."
Step 6: The Notified Body Relationship. Be Ready, Not Perfect
If your device requires a Notified Body, the engagement is a significant cost and time driver. The MVRS approach to Notified Bodies:
Apply early. Queue times exist. Use the waiting time to prepare your documentation.
Have a pre-submission meeting. Most Notified Bodies offer this. Bring your classification rationale, your conformity assessment route, and your questions. The feedback you get prevents costly misalignment later.
Submit quality over speed. A well-prepared submission that addresses the obvious questions upfront saves revision cycles. Every avoided revision cycle saves weeks and thousands of euros in your time and the Notified Body's review fees.
Understand the fee structure. Notified Body fees are typically structured as: application fee + QMS audit fee + technical documentation review fee + certificate issuance fee + annual surveillance fee. Get the full fee schedule upfront so there are no surprises.
Step 7: Regulatory Expertise. The Force Multiplier
For a resource-constrained startup, external regulatory expertise is not a luxury. It is a force multiplier. The question is not whether to get help, but how to structure it efficiently.
The MVRS model for regulatory expertise:
Phase 1 (strategy, month 1-2): Engage a senior regulatory professional for 20-30 hours to define your classification, conformity assessment route, and overall regulatory strategy. Cost: EUR 3,000 - 10,000. This investment prevents strategic errors that would cost 10x to fix later.
Phase 2 (execution, ongoing): Retain a fractional regulatory lead for 20-40 hours/month to guide QMS development, review documentation, and prepare for the Notified Body engagement. Cost: EUR 4,000 - 12,000/month.
Phase 3 (Notified Body interaction): Increase engagement during the Notified Body review and audit phase. Your regulatory partner should be available for audit support and finding resolution.
This is more cost-effective than either hiring a full-time regulatory lead (EUR 70,000-100,000/year when you may only need part-time support) or engaging a full-service consultancy on an hourly basis (unpredictable costs, often higher total spend).
What You Can Skip (Without Cutting Corners)
The MVRS is about eliminating waste, not requirements. Here is what you can legitimately skip or simplify:
You can skip: Overly complex QMS documentation that describes processes you do not actually perform. If you do not have a warehouse, you do not need a warehousing SOP.
You can skip: Third-party ISO 13485 certification. MDR requires a QMS. It does not require a separate ISO 13485 certificate. Your Notified Body will assess your QMS against ISO 13485 requirements as part of the conformity assessment. A separate certification audit by a certification body is an additional cost that, for a startup's first product, may not add value. (Some larger customers or distributors may require it, but that is a commercial decision, not a regulatory one.)
You can skip: Premium office space and infrastructure. Your QMS and technical documentation can be entirely digital. You can work from a co-working space and pass a Notified Body audit.
You can skip: Conference attendance and industry networking (in the regulatory budget context). Useful, but not a regulatory requirement.
You cannot skip: Any MDR requirement. Any applicable GSPR. Any element of the conformity assessment procedure. These are not optional and no amount of "lean thinking" changes that.
The MVRS Budget Framework
For a Class IIa device (the most common startup scenario):
| Category | MVRS Estimate |
|---|---|
| QMS setup (lean, eQMS-based) | EUR 20,000 - 35,000 |
| Technical documentation | EUR 40,000 - 65,000 |
| Testing (software device example) | EUR 25,000 - 50,000 |
| Clinical evaluation (literature-based) | EUR 15,000 - 30,000 |
| Notified Body fees | EUR 20,000 - 40,000 |
| Regulatory expertise (fractional model) | EUR 30,000 - 60,000 |
| Total | EUR 150,000 - 280,000 |
Compare this to the full-range estimate from our cost breakdown post (EUR 200,000 - 500,000 for Class IIa). The MVRS saves by eliminating waste and over-engineering, not by skipping requirements.
When the MVRS Does Not Work
The MVRS approach has limits. It does not work well when:
- Your device is Class III or high-risk Class IIb. The regulatory scrutiny at these levels is too high for a minimal approach. Invest in robustness from the start.
- You are in a novel device category with no established standards or clinical evidence. Without clear standards and precedent to lean on, you need more extensive documentation to justify your approach.
- Your team has zero regulatory experience. The MVRS requires someone who can distinguish between necessary and unnecessary activities. Without that experience, you risk cutting the wrong things.
- Your investors or commercial partners demand ISO 13485 certification, ISO 27001, or other certifications beyond CE marking. These are additional costs on top of the MVRS.
The Mindset Shift
The MVRS is ultimately about a mindset shift: from "regulatory is a burden we must endure" to "regulatory is a design constraint we optimize around."
Every engineering team understands design constraints. Weight limits. Power budgets. Cost targets. These constraints make products better, not worse, because they force intelligent trade-offs. Regulatory requirements are the same. They constrain what you can do and how, but within those constraints, there is room for efficiency, creativity, and lean execution.
Tibor's summary: "It is not rocket science. It is a systematic process with clear requirements. The founders who struggle are the ones who either ignore the requirements or over-invest in theater. Fancy documentation that looks impressive but does not actually demonstrate compliance. The founders who succeed are the ones who understand the requirements, do exactly what is needed, and move forward."
At the end of the day, the MVRS is about respect. For the regulation, for your resources, and for the patients who will use your device. Do what the regulation requires. Do not do what it does not require. And do it well enough to be proud of the result.