Outsourcing regulatory work does not outsource responsibility. Under MDR Article 10, the manufacturer remains accountable for every obligation, no matter who drafts the documents. A regulatory consultant is a supplier under EN ISO 13485:2016+A11:2021 clause 7.4 and must be qualified, contracted, and monitored accordingly.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • MDR Article 10 places manufacturer obligations on the manufacturer. A consultant can produce the work; they cannot absorb the legal responsibility.
  • Any external party performing regulatory work that affects product conformity is a supplier under EN ISO 13485:2016+A11:2021 clause 7.4 and must be qualified, documented, and monitored.
  • Outsource when the work is specialised, intermittent, or requires experience your team does not have. Hire when the work is continuous, central to your product, or scales with your business.
  • Common consultant red flags: no traceability to specific MDR articles, over-promised timelines, templates with no tailoring, and an inability to explain their own Notified Body track record.
  • Contracts should cover scope, deliverables, review rights, confidentiality, conflict of interest, PRRC role if applicable, and termination.
  • A well-managed consultant accelerates your path; a poorly managed one multiplies your risk.

Why this matters

MedTech founders outsource regulatory work for three honest reasons: they do not have the in-house expertise, they cannot justify a full-time hire yet, and the work is too specialised to learn on the fly without risking the device. These are all legitimate reasons. Outsourcing is often the right answer.

The failure mode is not outsourcing itself. It is outsourcing badly. The founder hands a consultant a brief, goes back to building the product, and six months later discovers that the Clinical Evaluation Report does not match the intended purpose, the risk management file references an obsolete version of EN ISO 14971, and the technical documentation has a structure the Notified Body has never seen before. The consultant is gone, the invoice is paid, and the founder is now explaining to the board why certification has slipped by six months.

The root cause is almost always the same: the founder treated the consultant as a replacement for their own understanding, not as a supplier delivering work the manufacturer is still responsible for. Under MDR, that responsibility cannot be transferred. Article 10 is unambiguous. The manufacturer's obligations are the manufacturer's, full stop.

What MDR and ISO 13485 actually say

MDR Article 10 lists the general obligations of manufacturers. It places those obligations directly on the manufacturer. It does not say "unless you hire a consultant". It does not say "to the extent the manufacturer performs the work in-house". It says the manufacturer shall ensure, the manufacturer shall establish, the manufacturer shall maintain. You can pay someone else to draft the document. You cannot pay someone else to be legally accountable for it.

Article 15 creates the Person Responsible for Regulatory Compliance role and explicitly allows micro and small enterprises to have the PRRC available through a contractual arrangement. That is the one place where the Regulation anticipates outsourcing of a regulatory function, and it comes with specific conditions: competence, availability, and a real contract.

EN ISO 13485:2016+A11:2021 clause 7.4 covers purchasing controls. It requires the organisation to establish criteria for the evaluation and selection of suppliers, to evaluate and select suppliers based on their ability to supply product (including services) in accordance with the organisation's requirements, and to maintain records of the evaluation. A regulatory consultant whose work affects product conformity (which is nearly any regulatory consultant) falls squarely into this clause. That means qualification records, not just invoices.

The practical implication: every regulatory consultant you engage should be in your supplier list, qualified under clause 7.4, monitored on deliverable quality, and reviewed periodically. If your QMS does not include your consultants, your QMS has a hole an auditor will find.

A worked example: Class IIb device startup choosing a CER consultant

A Class IIb device startup needs a Clinical Evaluation Report. The founders are engineers. They have no clinical evaluation experience. They need external help. They interview three consultants.

Consultant A sends a proposal quoting a fixed fee, a three-week turnaround, and a "CER template we have used for fifty clients". When asked for a Notified Body track record, Consultant A says they have "worked with all the major ones" but cannot name specific submissions that passed without major findings. When asked how they will ensure the CER matches the intended purpose, they say "we will use your product description".

Consultant B sends a longer proposal. They ask for the current draft of the intended purpose per MDR Article 2(12), the classification rationale, the device risk file, and the literature search terms the team has already considered. They quote a range, not a fixed fee, and explain that the range depends on how much existing clinical data is suitable and how much gap analysis is needed. They offer references to two prior clients whose Notified Bodies accepted the CER with minor findings only.

Consultant C is a friend of a friend, cheaper than both, and offers to "handle the whole regulatory side" for a flat monthly retainer. When asked about the PRRC arrangement, they say "I can be your PRRC too if you want".

The correct choice is Consultant B. Consultant A is selling templates, not thinking. Consultant C is triggering red flags on scope, conflict of interest, and the PRRC independence expected under MDR Article 15. The founders pick B, put B in their supplier list under clause 7.4, agree a scope document that references MDR Article 61 and Annex XIV Part A, and set up biweekly reviews. The CER is delivered on time with revisions traced to Notified Body feedback. The founders understand what is in it because they reviewed it. No surprises at audit.

The Subtract to Ship playbook for outsourcing regulatory work

Step 1: Decide what to outsource and what to keep. Outsource work that is specialised (clinical evaluation, biocompatibility interpretation), intermittent (one CER, one PMS plan, one internal audit cycle), or requires experience the team genuinely does not have. Keep work that is continuous (day-to-day QMS operation), central to the product (intended purpose, design inputs, risk management decisions), or must be defended at audit by someone still employed by the company.

Step 2: Qualify the consultant as a supplier. Add them to the supplier list under EN ISO 13485:2016+A11:2021 clause 7.4. Record their qualifications, relevant experience, references, and scope of approved services. This is not paperwork theatre. It is the record an auditor will ask to see.

Step 3: Ask the questions that separate professionals from templates. Can they cite the specific MDR article for every major deliverable? Can they name recent Notified Body submissions they worked on and describe how the reviews went? Can they explain what they will not do and why? Can they articulate the difference between their role and the PRRC role?

Step 4: Write a real contract. Scope, deliverables, acceptance criteria, review rights, confidentiality, conflict of interest, data ownership, liability cap, termination, and, critically, a clause stating that the manufacturer retains all obligations under MDR Article 10. If the consultant will serve as PRRC under Article 15, the contract must reflect the specific requirements of that role, including availability and independence.

Step 5: Review deliverables against MDR, not against their own templates. Every deliverable the consultant produces should be reviewed by someone on your team who has read the relevant MDR article and annex. If no one on your team has that capability, buy a review from a second independent party before accepting the deliverable.

Step 6: Manage the handoff. When the consultant's engagement ends, the work must be transferable to your team or your next supplier. Insist on native file formats, clean version history, traceability matrices, and a handover meeting. Do not accept PDFs as the only deliverable.

Step 7: Maintain the relationship for post-market. The device will generate PMS data, complaint trends, and CER updates for its entire lifecycle. If you drop the consultant after launch, you will pay more to re-onboard them when the first PSUR is due than you would have paid to keep them on a light retainer.

Common consultant red flags

No traceability to MDR articles. If a consultant cannot tell you which MDR article a deliverable satisfies, they are working from templates, not from the Regulation.

Over-promised timelines. A CER for a Class IIb device cannot be properly done in two weeks. Anyone promising that is either cutting corners or has not understood the scope.

Templates with no tailoring. Templates are fine as starting points. They are not fine as deliverables. If the final document looks like every other client's document, it will not survive a Notified Body review tied to your specific intended purpose.

No Notified Body track record. A consultant who cannot describe what their last three Notified Body interactions looked like is selling theory.

Refusal to be reviewed. A good consultant welcomes review. A bad one resists it.

Conflict of interest. A consultant who is also your PRRC and also owns the template and also signs off on the CER has stacked roles in a way that creates independence issues under Article 15.

Pay-for-certification promises. No consultant can guarantee certification. Article 52 conformity assessment is the Notified Body's decision, not the consultant's. Anyone who promises otherwise is misrepresenting how MDR works.

Inability to explain what they will not do. Professionals have scope boundaries. Amateurs promise everything.

Reality Check

  1. Have you decided which regulatory work is outsourced and which is in-house, with reasons for each?
  2. Are all your regulatory consultants listed as suppliers under EN ISO 13485 clause 7.4?
  3. Can you produce supplier qualification records for each consultant?
  4. Does each consultant contract state that MDR Article 10 obligations remain with the manufacturer?
  5. Does someone on your team review every deliverable against the relevant MDR article before acceptance?
  6. If your lead consultant disappeared tomorrow, could you continue the work with another provider?
  7. Do you have an independence check in place if the same consultant acts as PRRC under Article 15?
  8. Is your consultant budget line tied to specific MDR deliverables rather than an open retainer?

Frequently Asked Questions

Can a founder fully outsource regulatory affairs at pre-seed? Yes, for most practical purposes, but the founder or a named team member must still understand what is being produced and why. Full outsourcing without in-house literacy creates dependency that is dangerous at audit.

Is a regulatory consultant legally liable for your MDR compliance? No. Under MDR Article 10, the manufacturer is liable. The consultant may have contractual liability to you for poor work, but not regulatory liability to authorities or patients.

Can the same consultant act as your PRRC? Possibly, if the conditions of MDR Article 15(1) are met and independence and conflict-of-interest concerns are managed. For micro and small enterprises the Regulation explicitly permits contractual PRRC arrangements. Document the arrangement carefully.

How do you evaluate a consultant's Notified Body track record without breaching confidentiality? Ask for anonymised case descriptions, device class, Notified Body identifier numbers, and outcome summaries. Reputable consultants will provide these without naming specific clients.

Should you use multiple consultants or a single full-service provider? It depends on your scale. Early stage, a single trusted provider simplifies management. As you grow, specialist providers for clinical, QMS, and cybersecurity often deliver better results than one generalist.

How do you know when to stop outsourcing and hire in-house? When the consultant spend exceeds the loaded cost of a full-time regulatory hire, or when the work has become continuous rather than project-based, or when audit exposure means you need someone who is in the building during Stage 2.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 15, 52, 61; Annex XIV.
  2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clause 7.4 on purchasing.