---
title: How to Prepare Your MedTech Startup for Acquisition: Regulatory and Operational Due Diligence
description: M&A due diligence in MedTech scrutinises regulatory assets and QMS health. Here is what acquirers look for and how to prepare the data room.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: prepare MedTech acquisition regulatory due diligence
canonical_url: https://zechmeister-solutions.com/en/blog/prepare-medtech-acquisition-regulatory-due-diligence
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# How to Prepare Your MedTech Startup for Acquisition: Regulatory and Operational Due Diligence

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **M&A due diligence in MedTech is not a generic financial review with a regulatory footnote. It is a forensic examination of the regulatory assets, the QMS health, and the operational record — because in MedTech, the regulatory file is a large fraction of what the acquirer is actually buying. Preparing for acquisition means building a data room that presents the CE certificate, the technical documentation, the QMS under EN ISO 13485:2016+A11:2021, the post-market surveillance track record, and the people behind them in a form that survives adversarial scrutiny. The companies that close cleanly are the ones whose QMS was built honestly, whose MDR Article 10 obligations were met without shortcuts, and whose records match reality on the first pass. Everything else gets discounted, delayed, or killed at the term sheet.**

**Last updated 10 April 2026.**

---

## TL;DR

- In MedTech M&A, regulatory due diligence is often the decisive workstream. A clean financial picture with a broken QMS will not close at the price the founders expected, and sometimes will not close at all.
- Acquirers look at five things first: the CE certificate and its scope, the technical documentation and GSPR coverage, the QMS as lived versus as written, the post-market surveillance track record, and the continuity of the people who built all of it.
- MDR Article 10 places manufacturer obligations on the legal entity. When the legal entity changes hands, the acquirer inherits those obligations — and the liabilities that come with them.
- MDR Article 56 governs certificates issued by Notified Bodies. Certificates are not freely transferable between legal entities, and the mechanics of a share deal versus an asset deal drive very different regulatory outcomes.
- The data room must be built around the technical file, not around a generic legal checklist. If the technical file is clean, every other workstream moves faster.
- The most common acquisition killers are undocumented design decisions, a PMS system that exists only on paper, and a QMS that was copied from a template rather than built around the real work.
- Subtract to Ship applied to M&A preparation means: do not invent new artefacts for the data room, present the ones that already exist honestly, and fix the real gaps rather than papering over them.

---

## Why regulatory due diligence is the decisive workstream

In a normal software startup acquisition, the due diligence dance has a predictable shape. Finance is primary. Legal is primary. Customers and contracts are primary. Technology diligence exists but rarely drives price. In MedTech, the order changes. The regulatory file is a large part of what the acquirer is actually buying, and the regulatory workstream can discount the valuation, change the deal structure from a share deal to an asset deal, or kill the transaction entirely.

The reason is simple. An acquirer who buys a MedTech company is buying the legal authority to place a device on the EU market under that company's CE certificate and QMS. If the certificate turns out to be narrower in scope than the product roadmap assumed, or the QMS turns out to be a template nobody actually follows, or the post-market data show a pattern the seller did not disclose, the asset the acquirer thought they were buying is not the asset on offer. Regulatory diligence is the mechanism that surfaces those mismatches before the money moves.

The founders who prepare for this workstream deliberately tend to close at or near their asking price. The founders who do not prepare tend to lose months to diligence, give up price on discovered gaps, and in the worst cases watch the deal evaporate when the acquirer's regulatory counsel returns with a list of findings the founders did not know existed. The difference between those two outcomes is not luck. It is the work done — or not done — in the twelve to eighteen months before the diligence starts.

## The regulatory data room: what actually belongs in it

A MedTech data room is not a generic virtual data room with a regulatory folder bolted on. The regulatory folder is the spine of the room, and everything else hangs off it. The structure that survives acquirer scrutiny has the following sections, in this order.

**Legal entity and manufacturer status.** The registered entity, its role as manufacturer under MDR Article 10, the PRRC designation, the Authorised Representative if applicable, and the chain of legal entities if the device has moved between subsidiaries. This section establishes who actually holds the regulatory obligations.

**CE certificate and Notified Body correspondence.** The current certificate, the Notified Body that issued it, the scope of the certificate (devices, classes, and conformity assessment route), the full audit history including any non-conformities raised and closed, the expiry date, and the surveillance audit schedule. Every letter the Notified Body has sent the company in the last three years.

**Technical documentation.** The full technical file per Annex II of MDR, GSPR coverage matrix against Annex I, the clinical evaluation file, risk management file under ISO 14971, usability file, software lifecycle file if applicable, and the design and development file. This is where acquirer technical diligence spends the most time. See [How to Structure Technical Documentation for MDR](/blog/technical-documentation-mdr-startup) for the structure that presents well in a data room.

**QMS under EN ISO 13485:2016+A11:2021.** The QMS manual, the procedure list with owners, the document control register, training records, internal audit reports for the last three years, management review minutes for the last three years, CAPA register, complaint handling records, and supplier evaluation records. See [Building a Lean QMS for MedTech Startups](/blog/lean-qms-startup) for what a scale-appropriate QMS looks like in a data room.

**Post-market surveillance and vigilance.** The PMS plan, PMS reports or PSUR as applicable, complaint trends, field safety corrective actions if any, vigilance reports filed with authorities, and the evidence that the PMS system is a real operating function rather than a binder. See [Post-Market Surveillance Operations for MedTech Startups](/blog/pms-operations-medtech-startup) for what a working PMS looks like from the outside.

**People and continuity.** Key regulatory personnel, the PRRC, the quality lead, the clinical lead, retention agreements, and the handover plan for the post-close period.

This is the spine. Financial, commercial, and IP workstreams run alongside it, but none of them carry the same weight in a MedTech transaction.

## What acquirers ask about first

The sophisticated acquirer opens diligence with a small number of pointed questions. The questions are not random. They are the questions whose answers, taken together, reveal whether the regulatory file is healthy or whether the seller has been running on regulatory debt.

The first question is about the certificate scope. Does the certificate cover every device the company currently sells, every variant, every configuration, every intended use? A certificate that is narrower than the commercial reality is a material finding. The second question is about the last Notified Body audit and every non-conformity raised. The acquirer wants to see the findings, the root cause analyses, the CAPAs, and the evidence of closure. A pattern of repeat findings in the same area of the QMS is a red flag that will be priced in.

The third question is about design changes since the last certificate. MedTech startups frequently iterate after certification, and the question is whether every change went through a documented change control process, whether the Notified Body was notified where required, and whether the technical file reflects the current device. A device that has drifted from its technical file is one of the most expensive findings an acquirer can surface.

The fourth question is about the PMS track record. Real complaints, real trends, real decisions made on real data. A PMS system that produced no findings and no signals in three years is not a clean system — it is almost always a system that is not running. The acquirer knows this.

The fifth question is about the people. Who actually built the QMS? Who actually owns the technical file? Who actually handles vigilance? If the honest answer is "the founder, and the founder is planning to leave," the acquirer has to price the rebuild of that capability.

## QMS health signals a sharp acquirer reads instantly

An experienced regulatory diligence lead can read the health of a QMS in the first hour of document review. The signals they read for are not secret, and they are worth knowing because the same signals that impress a diligence lead are the signals that impress a Notified Body lead auditor. The two audiences overlap more than sellers expect.

A QMS with healthy signals looks like this. Procedures are short, specific, owned by named people, and clearly describe what the company actually does — not what a template said an ISO 13485 company should do. Internal audits find things. Management review minutes show real decisions with follow-ups. CAPAs are closed with evidence, not with a signature. Training records match the people actually doing the work. Document control is consistent, version history is clean, and a spot-check on any document returns the current version from the official location.

A QMS with unhealthy signals looks like this. Procedures are long, generic, and obviously copied from a template or a previous company. Internal audit reports find nothing substantial for three years running. Management review is a once-a-year signature on a pre-filled template. CAPAs drift open or close without evidence. Training records are filled in retroactively. Version control drifts between documents, and the "current" version of a key SOP lives in three different places with three different revision numbers.
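The document-control spot-check described above is one of the few QMS health signals that can be run mechanically before the acquirer's consultant does it by hand. The script below is an added illustration, not part of the original post and not a tool the authors use: it scans a constructed export of a document-control register and flags a controlled document that has more than one revision marked current, "current" copies living outside the controlled location, a highest revision that is not the current one, or effective dates that do not increase with the revision number. The column names, the controlled location prefix `qms/sops/` and every record are assumptions made up for the example.

```python
"""Spot-check a document-control register export for version drift.

Added example. The register format and all records below are constructed
for illustration; they are not from any real QMS or data room.
"""
import csv
import io
from collections import defaultdict

# Assumption: controlled SOPs live under this prefix; anything else is a stray copy.
CONTROLLED_PREFIX = "qms/sops/"

# Constructed register export. Column names are an assumption; real QMS tools
# export something similar but not identical.
REGISTER_CSV = """doc_id,title,revision,status,location,effective_date
SOP-007,Design Change Control,3,current,qms/sops/SOP-007_rev3.docx,2025-02-10
SOP-007,Design Change Control,2,obsolete,qms/archive/SOP-007_rev2.docx,2024-06-01
SOP-012,Complaint Handling,5,current,qms/sops/SOP-012_rev5.docx,2025-09-15
SOP-012,Complaint Handling,4,current,shared/quality/SOP-012.docx,2024-11-20
SOP-012,Complaint Handling,3,current,engineering/onboarding/SOP-012_old.docx,2023-08-02
SOP-020,Internal Audit,2,current,qms/sops/SOP-020_rev2.docx,2024-03-01
SOP-020,Internal Audit,3,obsolete,qms/sops/SOP-020_rev3.docx,2023-12-12
"""


def load_register(text):
    """Parse a CSV register export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_drift(records):
    """Return {doc_id: [finding, ...]} for every document showing control drift."""
    by_doc = defaultdict(list)
    for row in records:
        by_doc[row["doc_id"]].append(row)

    findings = {}
    for doc_id, rows in by_doc.items():
        notes = []
        current = [r for r in rows if r["status"] == "current"]
        current_revs = sorted({int(r["revision"]) for r in current})

        # Signal 1: the "current" SOP exists in several revisions at once.
        if len(current_revs) > 1:
            notes.append(f"{len(current_revs)} revisions marked current: {current_revs}")

        # Signal 2: current copies sitting outside the controlled location.
        stray = [r["location"] for r in current
                 if not r["location"].startswith(CONTROLLED_PREFIX)]
        if stray:
            notes.append(f"current copies outside controlled location: {stray}")

        # Signal 3: a newer revision exists but an older one is still current.
        highest = max(int(r["revision"]) for r in rows)
        if current_revs and highest not in current_revs:
            notes.append(f"highest revision {highest} is not the current one {current_revs}")

        # Signal 4: effective dates that go backwards as the revision number rises.
        ordered = sorted(rows, key=lambda r: int(r["revision"]))
        dates = [r["effective_date"] for r in ordered]
        if dates != sorted(dates):
            notes.append("effective dates do not increase with revision number")

        if notes:
            findings[doc_id] = notes
    return findings


if __name__ == "__main__":
    for doc_id, notes in sorted(find_drift(load_register(REGISTER_CSV)).items()):
        print(doc_id)
        for note in notes:
            print("  -", note)
```

In the constructed data, `SOP-007` comes back clean, `SOP-012` is the "three places, three revision numbers" case, and `SOP-020` shows a superseded revision still in force. The same grouping-and-consistency pattern extends to training records (people trained on a revision that was not yet effective) and CAPA registers (closure dates without closure evidence), which is why running it yourself twelve months out is cheaper than having the acquirer run it for you.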

The pattern is always the same. The unhealthy QMS was built to pass an audit. The healthy QMS was built to run the work, and it passes audits as a by-product. Acquirers pay for the second kind and discount the first kind hard. See [Management Review That Is Not Compliance Theatre](/blog/management-review-medtech-startup) for the management review rigour acquirers look for.

## Certificate transferability: share deal versus asset deal

The single biggest regulatory question in structuring a MedTech acquisition is what happens to the CE certificate. MDR Article 56 governs certificates of conformity issued by Notified Bodies. Certificates are issued to a specific legal entity — the manufacturer — and are tied to that entity and to the QMS that underlies the certificate. Certificates are not freely transferable between legal entities.

In a share deal, the legal entity that holds the certificate continues to exist under new ownership. The certificate stays with the entity. The QMS continues. The Notified Body relationship continues. The PRRC designation may or may not need updating depending on personnel changes. A share deal is not invisible to the Notified Body, though: a change of ownership, of key personnel, or of the QMS itself is typically something the certification agreement requires the manufacturer to report, so the new owner should plan on informing the Notified Body even though nothing formally moves. This is usually the cleanest structure from a regulatory perspective, and it is one of the reasons MedTech acquisitions often favour share deals even when the acquirer would prefer an asset deal for other reasons.

In an asset deal, the device, the technical file, and the IP move to a different legal entity. The certificate does not automatically move with them. The acquiring entity either needs its own certificate for the device — which usually means a new conformity assessment — or a structured arrangement with the Notified Body to transfer or re-issue the certificate. This is not impossible, and Notified Bodies have processes for it, but it is slow, it involves the Notified Body directly, and it cannot be assumed. Any founder negotiating an asset deal without early Notified Body contact is taking a material risk.

The practical implication is simple. Structure the deal with the certificate mechanics in mind, not as an afterthought. Involve the Notified Body early if any transfer is contemplated. And do not let the legal counsel on either side decide the structure without regulatory input — because the regulatory structure drives the commercial continuity of the device on the market, and a deal that closes without a clear path for the certificate is a deal that may freeze post-close.

## Technical file review: what the acquirer's consultant will find

Technical file review is where acquirer regulatory diligence goes deep, and it is where most findings land. The acquirer typically hires an experienced regulatory consultant — often a former Notified Body reviewer — to read the file as if they were running a surveillance audit. What they find depends entirely on the discipline of the original work.

The common findings are predictable. GSPR coverage gaps where a requirement in Annex I was addressed with a placeholder rather than a real argument. Risk management files where the risk analysis does not reflect the current device. Clinical evaluation files where the literature search has not been updated, or where equivalence is claimed without meeting the MDCG 2020-5 criteria. Software lifecycle files that do not match the software actually running on the device. Usability files that show validation against an outdated use specification.

None of these findings are fatal on their own. All of them cost time, and each one gets priced into the deal. A clean technical file closes fast and at full price. A file with ten small findings closes slow and at a discount. A file with two or three large findings — for example, a GSPR gap on a safety-critical requirement, or a clinical evaluation that does not support the current intended purpose — can re-open the entire valuation conversation. See [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) for the discipline that prevents these gaps from accumulating in the first place.

## PMS track record: the record that acquirers trust most

The post-market surveillance record is the one part of the regulatory file that is hardest to retrofit, and therefore the one acquirers trust most. A PMS system that has been running for two years on a real device on a real market produces a record that cannot be backfilled convincingly. Complaints come in, get logged, get triaged, get investigated, get closed. Trends get analysed. Signals get escalated. Decisions get made. If that loop has been running, the record shows it.

The record acquirers look for is simple. Complaint intake with timestamps and evidence that the timestamps are real. Triage decisions with named reviewers. Investigations with actual root cause analysis. Trend analysis that led to at least one concrete decision — a labelling change, a software fix, an IFU update, a risk file revision. PMS reports or PSURs written on time, with content that reflects the actual data rather than generic text. Any vigilance reports filed on time. If any field safety corrective actions were taken, the full file for them.

A PMS record that shows all of this in three years is worth substantially more to an acquirer than a product with no record at all, because the acquirer can trust the data going forward. A PMS record that shows none of this is a red flag the acquirer will follow with pointed questions — and the answers to those questions are usually the ones that cost the seller on price. See [Post-Market Surveillance Operations for MedTech Startups](/blog/pms-operations-medtech-startup) for the working PMS loop.

## Team continuity: the asset that walks out the door

In MedTech, the acquirer is not only buying the device and the file. They are buying the ability to keep the device on the market, and that ability is carried by a small number of people — typically the PRRC, the quality lead, and the clinical lead. If these people leave at close, the acquirer inherits a regulatory asset without the institutional memory required to defend it. If they stay, the transition is manageable.

The preparation work here starts long before the deal. Key regulatory personnel need to be documented in a form that survives their departure — procedures that a replacement can read and execute, decision logs that a successor can trust, and handover documentation for anything that would otherwise live only in someone's head. Retention agreements are the legal layer on top of that, but they only work if the underlying documentation also works. A retention agreement for a regulatory lead whose QMS lives only in their head is a retention agreement for a hostage, not an employee. See [The MedTech Startup Operations Playbook: From 3 People to 30](/blog/medtech-startup-operations-playbook-3-to-30) for the operational scaffolding that makes the regulatory function survive personnel changes.

## Common acquisition diligence failures

Across the transactions we have watched, the failures cluster into a small number of patterns.

The first is undocumented design decisions. The device evolved, the technical file did not, and the acquirer's consultant can see the gap on the first read. The fix is expensive and slow, and the negotiation loses time.

The second is the template QMS. The QMS documents look impressive on the surface but do not describe the actual work. One hour with the team reveals that nobody follows the procedures as written. The acquirer discounts the value of the QMS to near zero and prices the rebuild.

The third is the silent PMS. The PMS plan exists, the PMS system exists on paper, and the PMS has produced no meaningful data in two years. The acquirer reads this as a system that was built for the audit and never ran, and treats the post-market capability as a future cost rather than an existing asset.

The fourth is certificate scope drift. The commercial product has expanded beyond the certificate scope — a new variant, a new intended use, a new configuration — and the seller did not realise until diligence surfaced it. The fix requires Notified Body engagement and time, both of which the deal timeline cannot absorb.

The fifth is personnel concentration. The entire regulatory function lives in one person's head, and that person is leaving at close. The acquirer prices the rebuild of the capability and discounts accordingly.

All five are preventable, and all five are cheaper to prevent than to negotiate through.

## The Subtract to Ship angle on M&A preparation

[Subtract to Ship](/blog/subtract-to-ship-framework-mdr) applied to acquisition preparation is not about building new artefacts for the data room. It is about presenting the work that already exists honestly and fixing the gaps that real exposure has created.

The discipline looks like this. Do not invent new documentation for the data room that did not exist before — acquirers spot retrofit artefacts in the first hour. Do not fabricate internal audit findings to make the QMS look "alive" — a real audit history is irreplaceable and cannot be faked convincingly. Do not paper over scope drift on the certificate — engage the Notified Body and fix the scope before diligence starts. Do not promise personnel retention that the person has not actually agreed to. Do not rewrite procedures the week before the data room opens to make them look better.

The move that works is the opposite. Twelve to eighteen months before a contemplated exit, run an internal diligence exercise on yourself as if you were the acquirer. Identify the real gaps. Fix the ones that can be fixed. Document the ones that cannot. Present the whole thing honestly in the data room. Acquirers pay premiums for honesty because honesty is the single strongest signal that the rest of the file can be trusted.

## Reality Check — Where do you stand?

1. If an acquirer opened diligence tomorrow, would the CE certificate scope cover every device and configuration you currently sell, without exception?
2. Does the current technical file reflect the current device, or has the device drifted since the last major technical file revision?
3. Does your QMS describe what your company actually does, or is it a template nobody follows?
4. Does your PMS system produce real signals and real decisions, or has it produced nothing in the last two years?
5. If your key regulatory person left tomorrow, would a successor be able to run the QMS from the documentation alone?
6. Has a deal structure conversation with your legal counsel been informed by MDR Article 56 certificate transfer mechanics, or is the structure being decided without regulatory input?
7. When was the last internal audit, and what did it find? A clean audit for three years is usually not a clean company.
8. Have you ever run an internal diligence exercise on your own data room, as if you were the acquirer?

## Frequently Asked Questions

**Why is regulatory due diligence so central in MedTech M&A?**
Because the regulatory file is a large part of what the acquirer is actually buying. The CE certificate, the technical documentation, and the QMS together establish the legal authority to place the device on the EU market. A problem in any of those three areas can discount the valuation, change the deal structure, or kill the transaction. Finance and legal diligence are important, but regulatory diligence is usually the workstream that decides whether the deal closes at the asking price.

**Is a CE certificate transferable between legal entities in an acquisition?**
Not automatically. MDR Article 56 governs certificates issued by Notified Bodies, and certificates are tied to a specific legal entity and its QMS. In a share deal the legal entity continues under new ownership and the certificate stays with it. In an asset deal the certificate does not automatically move, and any transfer requires direct engagement with the Notified Body. This is why deal structure decisions in MedTech must involve regulatory input from the start.

**What is the single most damaging finding an acquirer can surface in regulatory diligence?**
A technical file that does not reflect the current device. Design changes that were made without going through proper change control, variants that were released without technical file updates, or an intended purpose that has drifted from the one the certificate covers. These findings cost time to remediate, and they almost always cost price in the negotiation.

**How far in advance should a MedTech startup start preparing for acquisition diligence?**
Twelve to eighteen months is the practical minimum. That is the time needed to run an internal diligence exercise, identify real gaps, fix the fixable ones, engage the Notified Body on any scope drift, and let at least one internal audit cycle run against the improved state. Preparation that starts three months before the data room opens usually produces obvious retrofit artefacts that the acquirer discounts.

**Does a PMS system that has produced no findings look good to an acquirer?**
No. It looks like a system that is not running. Acquirers and Notified Body auditors read the same signal. A healthy PMS system on a real device in a real market produces complaints, trends, investigations, and at least one concrete decision over any two-year period. A record with nothing in it is one of the clearest red flags an experienced diligence lead looks for.

**How do acquirers value people continuity in the regulatory function?**
Heavily, and specifically for the PRRC, the quality lead, and the clinical lead. These people carry the institutional memory that makes the regulatory file defensible. The ideal situation for an acquirer is documentation robust enough that a successor can run the QMS from the files alone, combined with retention agreements that keep the existing people in place through the transition. Founders who can offer both close at better terms than founders who can offer neither.

**What is the most common mistake founders make when preparing the data room?**
Building new artefacts to make the regulatory file look better. Acquirers and their consultants spot retrofit documents in the first review pass, and the discovery damages trust across the whole data room. The better move is to present the real file honestly, fix the real gaps in the months before diligence starts, and let the quality of the actual work speak for itself.

## Related reading

- [How Much Does MDR Certification Really Cost for a Startup?](/blog/mdr-certification-cost-startup) — the cost baseline that informs valuation discussions in acquisition scenarios.
- [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the underlying methodology behind clean, defensible regulatory files.
- [Building a Lean QMS for MedTech Startups](/blog/lean-qms-startup) — the QMS build approach that survives acquirer scrutiny.
- [Risk Management for MedTech Startups: ISO 14971 Done Right](/blog/risk-management-medtech-startup) — the risk file discipline that technical due diligence reads first.
- [MedTech Startup Fundraising: Aligning Capital With Regulatory Milestones](/blog/medtech-startup-fundraising-regulatory-milestones) — the fundraising framing that sets up exit readiness.
- [MedTech Startup Financial Modeling for MDR Certification](/blog/medtech-startup-financial-modeling-mdr) — the financial layer that interacts with regulatory valuation.
- [When to Raise Venture Capital as a MedTech Startup](/blog/when-to-raise-venture-capital-medtech) — the capital structure decisions that shape exit optionality.
- [Grant Funding for MedTech Startups in Europe](/blog/grant-funding-medtech-europe) — non-dilutive funding that strengthens the exit position.
- [Bridge Financing Through MDR Certification](/blog/bridge-financing-mdr-certification) — the runway strategy that gets a company to an exit-ready state.
- [The MedTech Startup Operations Playbook: From 3 People to 30](/blog/medtech-startup-operations-playbook-3-to-30) — the operational scaffolding that makes the regulatory function defensible at diligence.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers) and Article 56 (certificates of conformity issued by Notified Bodies). Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Sections on management responsibility, document control, internal audit, management review, and CAPA.

---

*This post is part of the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Acquisition preparation is the point at which every earlier operational and regulatory decision gets priced — the founders who prepare honestly, twelve to eighteen months in advance, close at terms the founders who prepare late cannot reach.*

---

*This post is part of the [Team Building, Operations & Scaling](https://zechmeister-solutions.com/en/blog/category/team-operations) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
