If you are a first-time MedTech founder and you want the real picture of MDR compliance, here it is. MDR is a 180-page European regulation that decides whether your device can be sold in the EU. It is not optional, it is not going to be watered down, and it is not a 3-month project. Done honestly, it takes 12 to 24 months, costs six figures, and rests on four early decisions — intended purpose, classification, conformity assessment route, and Notified Body. Everything in this guide exists to help you make those four decisions well and survive the rest.

By Felix Lenhard and Tibor Zechmeister. Last updated 10 April 2026.


TL;DR

  • MDR is Regulation (EU) 2017/745. It is the single source of truth for placing a medical device on the European market. No workaround exists.
  • The four decisions that unblock everything else are: intended purpose (Article 2(12)), classification (Article 51 and Annex VIII), conformity assessment route (Article 52), and Notified Body selection.
  • Realistic timeline for anything above unmeasured, non-sterile Class I is 12–24 months from a disciplined start. Realistic cost is EUR 150,000 to well over EUR 500,000 depending on class and clinical evidence.
  • Every first-time founder underestimates cost and time. Every single one. Take your estimate and double it, then budget for that.
  • The non-negotiable red lines are patient safety and legal compliance. Subtraction cuts waste. It does not cut safety and it does not touch the law.
  • You need a small, sharp team — not a giant one. One regulatory lead, one QMS owner, one clinical owner, and one PRRC under Article 15. Everything else is on-demand.
  • The founders who survive MDR treat the regulation with respect. The founders who fight it lose — slowly, expensively, and predictably.

The 2-month delusion

A first-time founder once told Felix, with complete confidence, that their MDR certification was going to take two months. They had a plan. They had a consultant lined up. They had a timeline on a Miro board. The product was not a simple device. The company was not a large organisation. Two months.

Felix asked them what classification they thought the device was. They were not sure. He asked them what the intended purpose was in writing. They had a paragraph, but it had not been reviewed by anyone who understood MDR Article 2(12). He asked them which Notified Body they had approached. None yet — they were planning to "reach out when the file was ready."

That company did not get certified in two months. They did not get certified in six months. By the time they understood what the project actually was, the runway was gone. The device was real. The founder was smart. The plan was a fantasy.

This is the most common failure pattern in MedTech. It is not technical incompetence. It is a gap between what founders think MDR is and what MDR actually is. Closing that gap in the first week of your project is worth more than any consultant, any template, and any software tool you will ever buy. That is what this post is for.

The mindset shift you need to make

Most first-time founders arrive at MDR with the wrong frame. They see it as a bureaucratic obstacle between their idea and the market. They expect it to be irrational, bloated, and adversarial. They plan to survive it with minimum engagement and maximum speed.

That frame is why they lose.

Here is the reframe. MDR is not a tax. It is not a hazing ritual. It is a well-thought-through necessity written by people who know what happens when unsafe medical devices reach patients. You do not have to love it. You have to respect it. If you want to build a medical device and sell it in Europe, this is the game you chose. Nobody is forcing you. But if you want to play, play with your eyes open.

Founders move through three emotional stages with MDR. First they ignore it — "we'll figure that out later." Then they deny it — "it can't really be that much work, there must be a shortcut." Then they accept it, and that is when the real project starts. The earlier you reach acceptance, the more runway you keep. The founders who never reach acceptance run out of money in the denial stage.

Felix's line for this is simple. "I can do this. We can do this. But we need to do it right." That is the mindset. Not pretend it is easy. Not pretend it is impossible. Do it right, slow and steady, and treat the boring things as the work that wins.

What MDR actually is, in one paragraph

Regulation (EU) 2017/745 — the Medical Device Regulation, usually called MDR — is a directly applicable EU law that sets out the requirements for placing a medical device on the market in the European Union, keeping it there, and supervising it after launch. Article 5(1) makes the bar explicit: no device may be placed on the market or put into service unless it complies with the Regulation. (Regulation (EU) 2017/745, Article 5, paragraph 1.) The law covers what counts as a medical device (Article 2(1)), how it is classified (Article 51 and Annex VIII), what the manufacturer must do (Article 10), how conformity is assessed (Article 52), how clinical evidence is built (Article 61 and Annex XIV), and how the device is monitored after it reaches patients (Article 83). Everything you will do in the next 12–24 months maps to one of those anchors. That is MDR in one breath. Everything else is detail.

The four decisions that unblock everything

Before you can plan a technical file, hire a QMS owner, or talk to a Notified Body, you need four decisions in writing. Tibor calls these the first small win — the sequence that turns an overwhelming project into a tractable one.

Decision 1: Intended purpose. Article 2(12) defines it as "the use for which a device is intended according to the data supplied by the manufacturer on the label, in the instructions for use, or in promotional or sales materials or statements, and as specified by the manufacturer in the clinical evaluation." (Regulation (EU) 2017/745, Article 2, paragraph 12.) That one sentence decides whether you are a medical device at all, and if so, what kind. Most wrong classifications start with a sloppy intended purpose. Write it, review it, defend it, and do not let anyone on your team improvise it on a website or a pitch deck.

Decision 2: Classification. Article 51 and Annex VIII assign a device to Class I, IIa, IIb, or III based on the rules in Annex VIII — duration of contact, invasiveness, active vs. non-active, software function, and so on. (Regulation (EU) 2017/745, Article 51 and Annex VIII.) The classification determines almost everything else: how much clinical evidence you need, whether a Notified Body is involved, what your QMS has to cover, and how long the project will take. Get the classification wrong and you rebuild the whole plan.

Decision 3: Conformity assessment route. Article 52 specifies which conformity assessment procedure applies to which class. (Regulation (EU) 2017/745, Article 52.) Class I with no measurement and no sterile component is self-declared. Everything else involves a Notified Body to some degree. Within a class there are usually multiple valid routes — you pick the lightest legitimate one for your situation, not the heaviest one your consultant knows best.

Decision 4: Notified Body. For any device above basic Class I, you need one. There are not many of them, they are overbooked, and first contact to contract can take months on its own. Choose based on scope (they must cover your device code), capacity (ask about current queues), and fit (your device type should not be exotic for them). This is the decision founders delay the longest and regret the most.

These four decisions have an order. You cannot pick a Notified Body before you know your classification. You cannot classify without a clean intended purpose. Run the sequence in order, write every answer down, and you have the spine of a real regulatory plan.

The two-phase discipline

The second-biggest mistake after underestimating time is doing everything at once. The first-time founder plan looks like this: design the product, prototype it, iterate, and wire MDR in "when we're closer to launch." That plan does not survive contact with reality. By the time the product is "close to launch," the design decisions that drive regulatory cost are already locked, the wrong risks are baked in, and re-opening them costs months.

The discipline is to run your project in two phases. Phase one is exploratory — you are finding the product, testing users, proving the concept, and you have not yet committed to a specific intended purpose or a specific classification. In phase one, you do not build a full MDR file. You avoid claims that force early classification lock-in, you keep the clinical hypothesis flexible, and you learn fast.

Phase two starts the moment you commit. You have an intended purpose. You have a classification. You are building the device you will certify, not the one you might certify. From that moment, every design decision runs through the regulatory lens, the QMS starts building up, risk management under EN ISO 14971:2019+A11:2021 tracks every new hazard, and the technical file grows along with the product — not after it. The transition between phase one and phase two is a real gate, not a vibe.

The failure mode is staying in phase one too long — running unconstrained until you are out of runway — or jumping to phase two too early, locking in a certification path before you know what the product actually is. Both failures are expensive. The discipline is knowing which phase you are in, and ending phase one deliberately.

The documentation reality

The technical file you will eventually submit to a Notified Body is laid out in Annex II of the MDR. (Regulation (EU) 2017/745, Annex II.) It contains the device description, intended purpose, classification rationale, design and manufacturing information, GSPR checklist against Annex I (Regulation (EU) 2017/745, Annex I), risk management file, clinical evaluation per Article 61 and Annex XIV, verification and validation evidence, labelling, and post-market surveillance plan per Article 83.

Here is what first-time founders get wrong about documentation. They assume more pages equal more quality. They write 40-page procedures that nobody in the company ever reads. They buy template packs with hundreds of documents and rename the placeholder company to their own. They hire contractors to "write the QMS" as a standalone deliverable disconnected from the actual operations.

The reality is the opposite. EN ISO 13485:2016+A11:2021 — the QMS standard used to meet MDR Article 10 — does not reward volume. It rewards documentation that represents real processes accurately and completely. A five-page procedure that is actually followed beats a fifty-page procedure that is ignored. Auditors can tell the difference in the first ten minutes of an audit. They ask an employee to walk them through the process, and if the person cannot do it from memory the way the document describes, you get the finding even if the document is pretty.

Your documentation should be as lean as the Regulation allows and as real as your company actually is. Anything beyond that is drag.

The money and time reality

This is the part most founders do not want to hear. Take it anyway.

For an average Class IIa device with a reasonable clinical dataset, built by a disciplined team that does not waste runway, you are looking at 12–18 months of certification work and total regulatory spend of roughly EUR 150,000 to EUR 300,000 by the time you account for QMS build-out, technical documentation, clinical evaluation, Notified Body fees, testing, and the internal time you will not be able to spend on product and sales. Class IIb and Class III run longer and cost more — often substantially more if clinical investigation is required.

For Class I with no measurement and no sterile component, the bill is lower and the timeline can be compressed, but it is still not a weekend project. Tibor's fastest Class I certification from a standing start was roughly nine months. Below that, people are either skipping obligations or lying about what they shipped.

Felix has a rule for first-time founders: estimate the real investment and time honestly, then double it. Every founder he has coached who went into MDR has underestimated cost and time. Every one. The ones who budgeted for 2x their first estimate survived. The ones who did not, did not. Tibor's version is blunter. Do not believe MDR is a three-month project for EUR 5,000. If you believe that, you should either get educated fast or shut the project down before you burn the runway.

There is a harder version of the same rule, also from Tibor: if you cannot afford regulatory, you cannot afford a MedTech project. That is not a guilt trip. It is arithmetic. Regulatory is a fixed cost of entering the market. You can make it lean, you cannot make it free.

Who you actually need on the team

You do not need a twelve-person regulatory department to get a Class I or Class IIa device certified. You need four roles, and most of them can be part-time or fractional in the early phase.

Regulatory lead. One person who owns the regulatory plan end to end — intended purpose, classification, conformity assessment route, Notified Body relationship, submission. This is the most important hire or external contractor you will make. Can be a fractional expert in phase one, should be dedicated by late phase two.

QMS owner. One person who owns the QMS build-out and the documentation. Often the same person as the regulatory lead in small companies. Must understand EN ISO 13485:2016+A11:2021 in practice, not just in theory. If they cannot sit with an engineer for an hour and write a procedure that matches what the engineer actually does, they are the wrong person.

Clinical lead. One person who owns the clinical evaluation and — if needed — the clinical investigation. Usually has a clinical or scientific background. For literature-based evaluations this can be a contractor. For new clinical investigations it has to be someone more senior with trial experience.

PRRC. Article 15 of the MDR requires every manufacturer to have a Person Responsible for Regulatory Compliance with defined qualifications. (Regulation (EU) 2017/745, Article 15.) For micro- and small enterprises, Article 15(2) allows the PRRC to be available on a permanent and continuous basis without being employed — meaning you can contract this role externally in the early phase, which most startups do.

That is the core team. Everything else — testing labs, Notified Body interactions, cybersecurity specialists, usability engineers — is bought on demand when the project needs it, not hired as headcount before it does.

Felix's "opportunity keeps you poor" line applies directly here. Every extra role you hire "in case" is a cost that slows the project. The discipline is to resist adding anything that is not load-bearing on the current phase. You can always bring in specialists later. You cannot un-hire a bad early headcount cheaply.

The red lines that are not negotiable

Everything in this guide is about subtraction — cutting the work that does not earn its place. But there are red lines that subtraction never touches. Cross them and you are not a lean startup. You are a liability.

Patient safety. If a decision trades patient safety for speed or cost, the answer is no. Not "let's minimise it and move on." No. EN ISO 14971:2019+A11:2021 risk management exists precisely for this — every identified hazard must be reduced as far as possible given the state of the art, and the residual risks must be justified. Skipping a risk control because it slows you down is the kind of decision that ends careers and hurts people.

Illegal shortcuts. Selling an uncertified device while claiming it is certified. Running "pilot studies" that are actually commercial use in disguise. Shipping software updates that change intended purpose without notifying the Notified Body. Forging test reports. All of these have ended companies. Some have ended careers. Do not do them, do not let a team member do them, and do not let a consultant talk you into them.

Misrepresentation to the Notified Body. The Notified Body is not your opponent. They are the gate. Lying to them — about a finding, about a test result, about a process you do not actually run — turns a manageable compliance issue into a fraud issue. The cost of telling the truth late is always lower than the cost of being caught in a lie.

These red lines are absolute. They are also the cheapest discipline you will ever enforce, because they are binary: you either cross them or you do not. Everything else in this guide is judgment. These are not.

The Subtract to Ship angle

Everything above is the honest picture. The Subtract to Ship angle on that picture is this: treat every activity, every document, every meeting, and every hire in your regulatory plan as something that has to earn its place by tracing to a specific MDR article, annex, or harmonised standard obligation. If you cannot name the article, cut the activity. If you can, keep it and execute it cleanly.

That discipline does not make MDR cheaper by skipping requirements. It makes MDR cheaper by cutting the parallel, redundant, consultant-driven, template-imported, "just in case" work that inflates startup regulatory projects by 50% or more without adding compliance value. The companies that survive MDR on a startup budget are not the ones that worked harder. They are the ones that refused to do work that was not real.

Read the Subtract to Ship framework for MDR post for the full methodology with the four passes.

Reality Check — Where do you stand?

Answer these honestly. If you do not like the answers, do not move forward until you do.

  1. Can you state your device's intended purpose in one clean paragraph that you would be comfortable defending in front of a Notified Body auditor?
  2. Do you know your device's classification, the specific Annex VIII rule that applies, and why?
  3. Have you chosen a conformity assessment route under Article 52, or are you still assuming "the consultant will tell us"?
  4. Have you started Notified Body conversations — or at least identified two or three bodies whose scope covers your device?
  5. Is your current MDR cost estimate the first number you wrote down, or is it the doubled version of the first number? (If you have not doubled it, you have not accepted the project yet.)
  6. Do you have a regulatory lead, a QMS owner, a clinical lead, and a PRRC either hired, contracted, or identified? If any of these is "we'll figure it out," that is a gap.
  7. Are you currently in phase one (exploratory, flexible) or phase two (committed, building the device you will certify)? Can you articulate what moves you from one to the other, and when?
  8. When you imagine the first Notified Body audit of your QMS, can you name three procedures you know will hold up under questioning? Can you name two you are worried about?
  9. Have you identified any activity in your current regulatory plan that you cannot trace back to a specific MDR article, annex, or harmonised standard? What is it still doing in the plan?
  10. If MDR doubled in cost and timeline tomorrow, would your company survive it? If not, what is your plan for finding that out before you have spent the money?

Frequently Asked Questions

Is MDR really not a 2- or 3-month project?

No. For any device above unmeasured, non-sterile Class I, two to three months is a fantasy timeline. Realistic durations are 9 months for the fastest disciplined Class I, 12–18 months or more for Class IIa and Class IIb, and longer for Class III. Founders who budget for 2–3 months run out of runway before they finish the intended purpose.

Can a first-time founder do MDR without a consultant?

Sometimes, at Class I with simple devices, yes — if the founder is willing to put in the hours to learn the Regulation properly. For Class IIa and above, most founders benefit from at least a fractional regulatory sparring partner. The point is not DIY vs. consultant as an ideology. The point is: do you have someone on the team who knows what they are doing? If not, hire the knowledge. If yes, keep the hire lean.

What is the single biggest mistake first-time founders make with MDR?

Underestimating cost and time, and therefore committing to a plan that cannot finish. Every other mistake — wrong classification, bloated QMS, late Notified Body engagement, missing clinical evidence — is a symptom of that first miscalculation. Fix the estimate first and the rest of the plan becomes realistic.

Do I need a full QMS before I start talking to a Notified Body?

No. You need enough QMS to show that you understand what EN ISO 13485:2016+A11:2021 asks for and that you are building it in a disciplined way. Notified Bodies understand that QMS maturity grows through phase two. What they will not tolerate is a company that does not understand what a QMS is.

Is MDR going to be watered down or replaced?

No. The Regulation has been in force since 26 May 2021. Transitional provisions were extended — not removed — by Regulation (EU) 2023/607, giving certain legacy devices additional time under specific conditions but preserving the substantive requirements. Planning your company around a future deregulation that is not coming is a losing bet.

When should I start regulatory work — at the product idea or after the MVP?

Earlier than you think, and lighter than you fear. Phase one starts the moment you have a serious intention to build a medical device — even before the MVP — because the decisions you make about intended purpose and classification in that early phase determine everything that follows. You do not need a full QMS in phase one. You need clarity on the four decisions and the discipline not to make design choices that lock you into a class you cannot afford. See when to start MDR regulatory work for the detail.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, consolidated text. Specific articles cited: Article 2(1) definition of medical device; Article 2(12) intended purpose; Article 5 placing on the market; Article 10 manufacturer obligations; Article 15 Person Responsible for Regulatory Compliance; Article 51 classification; Article 52 conformity assessment procedures; Article 61 clinical evaluation; Article 83 post-market surveillance. Annexes cited: Annex I GSPR; Annex II technical documentation; Annex VIII classification rules; Annex XIV clinical evaluation. Official Journal L 117, 5.5.2017.
  2. Regulation (EU) 2023/607 of the European Parliament and of the Council of 15 March 2023 amending Regulations (EU) 2017/745 and (EU) 2017/746 as regards the transitional provisions for certain medical devices and in vitro diagnostic medical devices. Official Journal L 80, 20.3.2023.
  3. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
  4. EN ISO 14971:2019 + A11:2021 — Medical devices — Application of risk management to medical devices.

This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. It is the post you send to a technical co-founder on day one. Read it, then read the linked posts in order.