Preparing a MedTech startup for acquisition is a 6-12 month project, not a week-long data dump. The founder's job is to make every regulatory and operational fact about the company traceable, verifiable, and boring. Boring is what gets deals closed at full valuation.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • Start preparing at least 6-12 months before you expect a term sheet.
  • The acquirer's regulatory diligence lead will read your Technical Documentation, QMS index, PMS reports and CAPA log in that order.
  • CE certificates are issued to the legal manufacturer under MDR Article 10; they do not automatically "transfer" on a share deal and may require notified body re-issuance on an asset deal.
  • Fix known non-conformities and open CAPAs before the data room opens, not during it.
  • A clean PMS trail under MDR Article 83 is one of the most overlooked valuation levers in MedTech M&A.

Why founder-side prep decides the valuation

The acquirer already knows how to do buyer-side diligence. They have a checklist, external regulatory counsel, and a notified body specialist on call. What they do not have is full knowledge of your startup. Every gap, every missing signature, every CAPA without a closure record becomes a negotiation lever.

Most MedTech founders see diligence as something that happens to them. The founders who exit well treat it as a six-to-twelve-month construction project they run themselves. You build the data room, you audit your own evidence, and you fix the red flags before anyone from the other side sees them.

This post is the founder-side playbook. Post 800 in this series covers buyer-side review from the acquirer's perspective. Read this one if you are the one being bought.

What MDR actually says about manufacturer status and certificate continuity

The legal foundation for every M&A conversation in MedTech is Article 10 of Regulation (EU) 2017/745. Article 10 lists the general obligations of the manufacturer: QMS, technical documentation, conformity assessment, post-market surveillance, vigilance, PRRC, financial coverage. Every single one of these obligations attaches to the legal entity named on the Declaration of Conformity and the CE certificate.

Three consequences matter for acquisition prep:

  1. Share deal. The legal entity stays the same. The CE certificate and notified body relationship continue in place, but the notified body must still be notified of significant changes under Annex IX Section 2.4, including changes to ownership that affect the QMS or management.
  2. Asset deal. The manufacturer changes. The certificate does not travel with the product. The acquirer will need to re-submit technical documentation under their own QMS and legal manufacturer identity, or run a parallel transfer procedure with the notified body. This can take months and is a standard deal-killer when founders discover it late.
  3. PRRC continuity. Article 15 requires the person responsible for regulatory compliance to be permanently and continuously at the disposal of the manufacturer. If your PRRC is you and you walk away at closing, the acquirer needs a bridging plan on day one.

The notified body is not a party to the transaction, but every major notified body has a policy on change-of-control notifications and certificate transfer. Know your notified body's policy before you sign a term sheet, not after.

A worked example: two startups, one deal

Two Class IIa software-as-a-medical-device startups get an offer from the same strategic acquirer in the same month. Both have CE marks. Both have around 15 people. Both have roughly the same revenue.

Startup A spent nine months preparing. Their data room has a single index document mapping every acquirer question to a numbered evidence file. Their CAPA log shows eleven opened, ten closed with full root cause and effectiveness check, one in progress with a realistic target date. Their PMS report for the previous twelve months references actual complaint data, actual literature monitoring, and actual PMCF findings from a 120-patient registry. Their PRRC is a part-time external consultant under a two-year contract that survives change of control.

Startup B started preparing the week the term sheet arrived. The data room is a Google Drive folder with five levels of nesting. The CAPA log shows three opened and none closed. The last PMS report is six months overdue. The PRRC is the CTO-founder, with no backup.

Same offer on paper. Startup A closes at the headline number with a six-month retention for the founders. Startup B closes sixty days later at an eighteen percent discount with a twenty-five percent holdback tied to closing specific regulatory findings. The difference is not the product. It is the evidence trail.

The Subtract to Ship acquisition prep playbook

Month -12 to -9: Foundation audit

Before you touch the data room, run your own internal mock diligence. Pretend you are the acquirer's regulatory lead with two days and no patience. Ask four questions:

  • Can I trace any GSPR in Annex I to a verification test, a risk control, and a clinical justification in under five minutes? If no, your technical documentation is not ready.
  • Can I see every non-conformity from every notified body audit, surveillance audit and internal audit in one table, with status, owner and closure date? If no, your QMS evidence is not ready.
  • Can I see the last twelve months of complaints, incidents, trend data and literature review in one PMS report that actually references Article 83 and Annex III? If no, your PMS is not ready.
  • Is every critical supplier under a signed quality agreement that names specific MDR obligations they flow down? If no, your supplier file is not ready.

Whatever fails these four questions is your nine-month work list. Everything else is decoration.

Month -9 to -6: Fix the red flags

The fixable red flags are almost always the same across MedTech startups:

  • Open CAPAs older than twelve months with no effectiveness check
  • Technical documentation written for the original MDD submission, never fully updated for MDR
  • Risk management file referencing an outdated edition of EN ISO 14971
  • PMS plan that names "quarterly review" but with no actual records of quarterly reviews
  • Supplier files missing quality agreements for contract manufacturers and sterilisation providers (see our post on outsourced processes)
  • PRRC designation letter signed but no evidence of actual PRRC activity
  • Declaration of Conformity still referencing superseded standards

None of these are deal-killers on their own. All of them together are. Close them methodically. Every closure gets a dated record, a responsible owner, and an effectiveness verification. Auditors love effectiveness verification because most startups skip it.

Month -6 to -3: Build the data room properly

The data room is not a file dump. It is an argument. The argument is: "Every MDR obligation is met, every piece of evidence is traceable, every open item has a plan."

Structure it this way:

  • Section 1. Company and legal. Cap table, incorporation, licenses, insurance under Article 10(16) financial coverage requirement.
  • Section 2. Regulatory status. CE certificates, Declarations of Conformity, notified body correspondence, classification justification, intended purpose document.
  • Section 3. Technical documentation. Full Annex II and Annex III pack, with a single cross-reference index.
  • Section 4. QMS. ISO 13485 certificate, management reviews, internal audit reports, CAPA log, training records.
  • Section 5. Clinical. CEP, CER, PMCF plan and report, underlying data.
  • Section 6. PMS and vigilance. PMS plan, PMS or PSUR reports, complaint log, vigilance submissions.
  • Section 7. Supply chain. Supplier list, quality agreements, audit reports of critical suppliers.
  • Section 8. Personnel. PRRC designation and evidence, key regulatory CVs, training matrix.
  • Section 9. Open items. Every known issue, every open CAPA, every planned change, with owner and target date. Do not hide open items. Acquirers find them anyway and punish concealment harder than they punish the items themselves.

Month -3 to 0: Rehearse the Q&A

Every acquirer sends a regulatory Q&A list. Write your own before they do. The questions are predictable: classification rationale, equivalence claims, software safety class, PMS adequacy, notified body standing, any open non-conformities, any pending significant changes. Draft answers now. Have your external regulatory advisor review them. When the real Q&A arrives, you are editing, not writing.

Reality Check

  1. Can you produce your full CAPA log, with closure evidence, in under one hour?
  2. Is your latest PMS or PSUR report filed on schedule and does it cite actual data sources?
  3. Has your notified body been informed of any material change in ownership, management or QMS scope in the last twelve months?
  4. Is your PRRC arrangement robust to the founder walking away on closing day?
  5. Do your critical suppliers have signed quality agreements that name MDR flow-down obligations?
  6. Is your Declaration of Conformity consistent with the current editions of the standards you cite?
  7. If a buyer asks "show me the evidence for GSPR 14.1" right now, how long does it take you to produce it?
  8. Do you know whether your deal structure will trigger certificate re-issuance or a simple change-of-control notification?

Less than six "yes" answers means start your prep this week, not next quarter.

Frequently Asked Questions

How long before the first investor conversation should I start acquisition prep? Twelve months is ideal, nine months is workable, six months is tight. Under six months and you are accepting a valuation haircut as the price of being unprepared.

Does the CE certificate transfer automatically in a share deal? The certificate stays with the legal entity, so in a share deal it continues in place. But you must notify your notified body of the change of control, and they will assess whether it affects the QMS under their Annex IX arrangement. Do not assume silence means approval.

What happens to the CE certificate in an asset deal? The certificate does not follow the asset. The acquirer becomes a new manufacturer in the eyes of the notified body and must restart or transfer conformity assessment. Build this cost and timeline into your deal negotiation.

Should I disclose open non-conformities in the data room? Yes. Acquirers find everything eventually. Disclosed issues with closure plans are a neutral to mildly positive signal. Concealed issues discovered later are a breach of representations and warranties and cost far more than the original finding.

Who should lead my internal diligence prep? Ideally your PRRC or head of quality, with an external regulatory advisor running the mock audit. The founder should not run their own diligence because founders are systematically blind to the weaknesses of their own evidence.

Is a clean PMS trail really a valuation driver? Yes. A clean PMS trail under Article 83 is one of the few pieces of evidence that shows the acquirer the product is actually being sold, used and monitored in the real world. It converts regulatory cost into commercial proof.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 15, 56, 83, Annex IX.
  2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems.
  3. MDCG 2025-10 (December 2025). Post-market surveillance.