The PRRC decision for a startup is not a cost question. It is a competence and accountability question with three legitimate answers. Under MDR Article 15(1), every manufacturer must have a Person Responsible for Regulatory Compliance with specific qualifications. Under Article 15(2), micro and small enterprises as defined by Commission Recommendation 2003/361/EC can meet this obligation through arrangements other than employment, provided the person is permanently and continuously at the disposal of the company. That gives startups three real options: hire a qualified PRRC internally, train an internal candidate into the qualification path, or contract an external PRRC who genuinely knows your device. Each option has a competence test, a cost profile, and a liability reality. The wrong move, common in MedTech, is to pick the cheapest arrangement and claim the title without the substance.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- The PRRC is a legal function under MDR Article 15, not a job title you assign. The qualification criteria in Article 15(1) are specific: either a relevant degree plus one year of device regulatory or QMS experience, or four years of such experience on its own.
- Under Article 15(2), micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC are not required to have the PRRC within their organisation and may satisfy the obligation through arrangements other than employment, provided the person is permanently and continuously at the disposal of the company.
- Startups have three legitimate paths: hire internally, train an internal candidate, or outsource through a real Article 15(2) arrangement. The wrong path is "claim a title without verifying the substance."
- The Austrian fake-expert pattern (a person who owns the vocabulary but not the regulation) is the single most dangerous failure mode in this decision, and it shows up in all three paths if the competence test is skipped.
- External PRRC providers must be evaluated against red flags: vague device experience, dozens of concurrent clients, no audit history, no willingness to put "no" in writing, no clear contractual definition of availability.
- PRRC liability is real. Article 15(3) defines the tasks, and Article 15(6) protects the PRRC from disadvantage within the organisation when they fulfil their duties properly. Signing off on work you have not actually reviewed is not a cost-saving strategy; it is a career-ending one.
- The Subtract to Ship move is to pick the cheapest path that actually works for your specific device and your specific stage, and refuse the path that only looks like compliance on paper.
The story that sets up every PRRC decision
There is an Austrian company we came across where the founders had one sentence they used to close every difficult conversation. "We have a dedicated expert handling regulatory." The board stopped asking. The investors stopped asking. The incoming auditor stopped asking. Under the surface, the expert was a beginner. Fluent in the vocabulary, empty on the substance. Intended purpose was inconsistent between documents. Classification pointed at the wrong Annex VIII rule. The clinical evaluation strategy would not have survived a serious Notified Body review. The company had been running for years on a foundation that looked competent and was not, and when the gap finally surfaced, the cost of the correction was far larger than the cost of hiring the right person in the first place would have been.
That story is not a hiring story. It is a PRRC story. The title existed. The CV existed. The contract existed. What did not exist was the competence, and nobody in the company had the ability to test for it because the test requires someone who already knows the answer.
This is the heart of the PRRC decision. The decision is not really between hiring, training, and outsourcing. It is between three ways of getting to real competence and one way of faking it. The three honest paths have different cost profiles and different trade-offs. The fake path has exactly one profile, which is eventually catastrophic.
Article 15 decoded: the qualification paths
Before the decision, the facts. Under MDR Article 15(1), the manufacturer must have available within their organisation at least one person responsible for regulatory compliance who possesses the requisite expertise in the field of medical devices. The expertise is evidenced either by (a) a diploma, certificate, or other evidence of formal qualification awarded on completion of a university degree or of a course of study recognised as equivalent by the member state concerned in law, medicine, pharmacy, engineering, or another relevant scientific discipline, and at least one year of professional experience in regulatory affairs or in quality management systems relating to medical devices; or (b) four years of professional experience in regulatory affairs or in quality management systems relating to medical devices.
Two routes. "Or" between them. The four-year experience route does not require the formal qualification. The degree-plus-one-year route does not require four years of experience. The law gives you both doors, and the right door depends on the people you actually have.
Article 15(3) sets the tasks: ensuring that the conformity of devices is appropriately checked in accordance with the quality management system before a device is released; ensuring that the technical documentation and the EU declaration of conformity are drawn up and kept up to date; ensuring that post-market surveillance obligations are complied with; ensuring that the reporting obligations referred to in Articles 87 to 91 are fulfilled; and, in the case of investigational devices, ensuring that the statement referred to in Section 4.1 of Chapter II of Annex XV is issued. These are not negotiable scope lines. They are the legal definition of what the PRRC does, and they apply to the hire, the internal trainee, and the external contractor equally.
Article 15(6) adds the protection line: the PRRC shall suffer no disadvantage within the manufacturer's organisation in connection with the proper fulfilment of their duties. This is the clause that says, in effect, the PRRC cannot be punished for telling the CEO the device is not ready to release. In a startup, this protection matters more than it sounds because the PRRC is often the only person in the room whose job is to say no.
Article 15(2): the micro and small enterprise route
Article 15(2) is the clause that makes the PRRC decision interesting for startups. It says that micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC are not required to have the person responsible for regulatory compliance within their organisation, but shall have such a person permanently and continuously at their disposal.
Two things matter about this. First, the enterprise definition is precise. Under Commission Recommendation 2003/361/EC, a small enterprise is one that has fewer than 50 employees and an annual turnover or annual balance sheet total not exceeding EUR 10 million. A micro enterprise has fewer than 10 employees and an annual turnover or annual balance sheet total not exceeding EUR 2 million. If your startup has raised a large round and the balance sheet total has crossed EUR 10 million, you may no longer qualify as a small enterprise even if your headcount is still below 50. The Recommendation also has rules for linked and partner enterprises. If your startup is part of a group, the thresholds may be calculated at the group level.
Second, "permanently and continuously at their disposal" is a real obligation, not a contractual formality. A person who sees your company once a quarter, does not know your device architecture, and cannot be reached during a vigilance event is not at your disposal in any meaningful sense. The phrase is satisfied by an actual working relationship, evidenced by records of regular involvement, defined response times, and documented oversight activities.
If your startup qualifies under Article 15(2), you have the full menu of three options below. If your startup has grown past the thresholds, the external route is no longer available under the law, and the PRRC has to be within the organisation.
The three honest options
Option 1. Hire a qualified PRRC internally
The cleanest path. You find someone who already meets the Article 15(1) qualification criteria, either the degree-plus-one-year route or the four-year experience route, and bring them onto the team. They carry the title from day one. They do the work from day one. They build deep knowledge of your device in parallel because the device is now the thing they spend their days on.
When this works. The device is complex enough that the team needs a dedicated RA owner anyway. The budget can support a senior hire. The timeline to certification is close enough that external PRRC continuity risk feels uncomfortable. The founders do not themselves have the qualifications.
When this does not work. The company is at three people and the runway is short. The device is simple enough that a senior full-time RA hire is overkill for the current stage. The right candidates do not exist on the market in your geography and the search would take six months.
Cost reality. A qualified regulatory affairs professional in Western Europe is generally in the range of EUR 60,000–110,000 per year fully loaded, depending on experience, seniority, and location. The lower end buys you someone who meets Article 15(1) and can do the work under supervision. The higher end buys you someone who has been through Notified Body audits and can run the function independently. Paying below the lower end generally means the qualification claim is thinner than it looks, and that is exactly the profile that produced the Austrian story.
Option 2. Train an internal candidate into the qualification path
The underrated path. Someone on the team (a co-founder, a senior engineer with a relevant degree, a quality manager who has been doing RA work informally) is close to the Article 15(1) qualification criteria but not yet there. The path to competence runs through time, structured work, and real exposure to the regulation. You invest in bringing that person to the point where they are a defensible PRRC.
When this works. The internal candidate already has the formal qualification route requirement (the relevant degree in engineering, law, medicine, pharmacy, or another relevant scientific discipline) and needs to accumulate the one year of professional experience in regulatory affairs or QMS relating to medical devices that Article 15(1) requires. Or the candidate has been doing regulatory and QMS work for medical devices informally for years without the title and is closing in on the four-year experience threshold from the second route. The company is small enough and patient enough to invest in the development.
When this does not work. The internal candidate has neither the qualification base nor the relevant experience, and the timeline to certification is measured in months, not years. The candidate is also the CTO and cannot take on a second load-bearing role without breaking something else. The founders assume that reading a few books counts as "training". It does not. Article 15(1) asks for documented experience, not self-study.
Cost reality. The salary is whatever the person already costs. The hidden cost is the bridge. During the training period, the company still needs a real PRRC, and that person is usually an external contractor under Article 15(2) who also mentors the internal candidate. Plan for 12–24 months of overlap. Budget for the external PRRC plus the internal salary during that window. The return is a company that, on the far side of the bridge, has a fully competent internal PRRC without having done a senior external hire.
Option 3. Outsource through a real Article 15(2) arrangement
The most common path for early-stage startups, and also the path most often done badly. If the company qualifies as a micro or small enterprise under Commission Recommendation 2003/361/EC, Article 15(2) allows the PRRC obligation to be met through arrangements other than employment, provided the person is permanently and continuously at the disposal of the company.
When this works. The company is genuinely a micro or small enterprise. The external PRRC has deep experience in devices comparable to yours. The arrangement is written clearly: scope, availability, response times, escalation, termination. The PRRC is actively involved in your compliance work, not just reviewing documents at the end. The relationship includes an explicit transition plan for when the company grows past the micro/small threshold.
When this does not work. The company has already grown past the threshold and is clinging to the Article 15(2) route because it is cheaper than hiring. The external PRRC has twenty other clients and cannot actually be reached during a vigilance event. The arrangement is a signature on a letter and no working relationship behind it. The founders chose the cheapest provider and never checked the competence.
Cost reality. External PRRC engagements commonly fall in the range of EUR 500–3,000 per month depending on the experience level of the PRRC, the frequency of involvement, the device complexity, and the market (an observed range, not a regulated price). The low end is a light-touch arrangement that fits a very simple device with a small volume of regulatory events. The high end approaches the cost of a part-time internal hire and buys you a senior PRRC with real availability. Below the low end, the arrangement usually does not satisfy "permanently and continuously at their disposal" in any meaningful sense.
Red flags in external PRRC providers
If you go the outsourcing route, here are the patterns we have seen fail.
- Vague device experience. The provider says they have worked with "many medical devices" but cannot point to specific experience with devices like yours. Classification, risk class, technology stack, and clinical context all matter. A Class III implantable PRRC is not automatically the right fit for a standalone software medical device.
- Too many concurrent clients. A single PRRC covering dozens of companies cannot be permanently and continuously at the disposal of all of them. Ask directly how many companies they currently serve as PRRC and what their allocation model looks like.
- No willingness to say no in writing. Ask the candidate for an example where they told a client "we cannot release this device" and the client had to delay. If the answer is silence, the PRRC is a signing service, not a function.
- No audit history. Ask whether they have been a PRRC during a Notified Body audit. Ask what the auditor checked regarding their role. If they have never been through this, you are their learning ground, and you will absorb the cost of the learning.
- No clear contractual definition of availability. "Permanently and continuously at their disposal" has to be operationalised in the contract. Minimum contact frequency. Guaranteed response times for urgent events. Defined escalation. If the contract is vague, the relationship will be too.
- Unwillingness to meet the team or review the device in depth. A PRRC who is willing to sign without understanding the device is a red flag so large it is its own category.
The cost trade-off, honestly
A simple matrix of what each option actually costs over 24 months, assuming a micro or small enterprise with a single Class IIa device heading toward CE marking. The numbers are ranges, not quotes, and they depend heavily on geography, seniority, and device complexity.
- Hire internally. Roughly EUR 120,000–220,000 fully loaded over 24 months. Deep internal ownership. Continuity during crises. Immediate capacity for growth beyond the micro/small threshold. The cost is real, but so is the value.
- Train internally with external bridge. Roughly EUR 30,000–70,000 for the external bridge over 24 months, layered on top of the internal candidate's existing salary. Requires a candidate who is actually close to the qualification threshold. Pays off only if the bridge is used to build real competence, not just sign documents.
- Outsource through Article 15(2). Roughly EUR 12,000–72,000 over 24 months depending on provider seniority and involvement level. Cheapest on paper. Most dependent on the quality of the specific person you contract with. Breaks down when the company crosses the micro/small threshold or when the provider's availability degrades.
The cost gap between the cheapest option and the most expensive option is real. It is also smaller than the cost of one bad Notified Body finding, one withdrawn certificate, or one serious incident that surfaces a PRRC who was never really in the loop. The cheapest option is the cheapest option only if it actually works.
The liability reality
The PRRC has legal exposure. Article 15(3) defines specific duties, and the PRRC is the person accountable for ensuring those duties are met. Article 15(6) protects the PRRC from disadvantage within the company for fulfilling their duties properly, a protection that only matters because the exposure is real.
What this means practically. Signing off on a technical file you have not read is not a contractual matter; it is a regulatory matter. Approving a device release you have not actually reviewed is the same. An external PRRC who signs without reviewing is accepting liability without the oversight that would normally justify it, and a startup that structures the arrangement this way is buying a problem that will mature later.
This is one of the reasons the cheapest external arrangements are often also the shortest-lived. A PRRC who understands the liability will not sign blind, and a PRRC who signs blind will eventually be replaced, either by the startup after a bad audit, or by the PRRC themselves after a near-miss that made the exposure real to them.
The Subtract to Ship angle
The Subtract to Ship framework applied to the PRRC decision looks like this. Do not hire until the work is real. Do not outsource until you can name the person, verify the competence, and write the arrangement in terms that satisfy "permanently and continuously at their disposal" for your specific device and stage. Do not train an internal candidate as a cost move. Train them because they are close to the qualification and will be load-bearing for the company over the next five years.
The subtraction move is not "pick the cheapest path." It is "refuse the path that only looks like compliance." The Austrian fake-expert pattern is the canonical version of the path that looks like compliance. The external PRRC with twenty clients and no device knowledge is another version. The internal candidate who was handed the title without the qualification or the time to grow into it is a third.
What you keep is the path that actually produces a named person with real competence, real availability, and real authority. That is the only path that survives the first Notified Body audit and the first serious post-market event. Everything else is expensive decoration on a problem that has not surfaced yet.
Reality Check: where do you stand?
- Does your company qualify as a micro or small enterprise under Commission Recommendation 2003/361/EC right now, and will it still qualify in 12 months? If not, the Article 15(2) external route is closing and you need an internal plan.
- Can you name your PRRC by name today? Not "we are working on it." A name on the org chart and on a formal appointment letter.
- For that named person, can you describe the specific Article 15(1) qualification path they meet (the degree plus one year, or the four years of device regulatory or QMS experience), and can you produce the documentation?
- If the PRRC is external, can you point to evidence from the last 90 days that they have been permanently and continuously at your disposal: meeting minutes, review records, written sign-offs, documented response times?
- If the PRRC is external, how many other companies do they currently serve as PRRC, and what is their allocation model?
- Has your PRRC ever told your CEO "we cannot release this yet"? If not, is that because nothing has justified it, or because they do not feel they have the authority under Article 15(6)?
- If your PRRC left tomorrow, how long would it take to replace them without losing device context? Measure in weeks. More than eight is a warning.
- If the Notified Body audited your PRRC arrangement next week, would you present the contract, or would you present the working relationship?
Frequently Asked Questions
What is the PRRC under MDR Article 15? The Person Responsible for Regulatory Compliance is a legally defined role under MDR Article 15. Every manufacturer must have at least one PRRC with the qualifications in Article 15(1): either a relevant degree in law, medicine, pharmacy, engineering, or another relevant scientific discipline plus at least one year of professional experience in regulatory affairs or QMS relating to medical devices, or four years of such experience without the formal qualification. The tasks of the PRRC are defined in Article 15(3), and Article 15(6) protects the PRRC from disadvantage within the organisation when fulfilling those duties.
Can a small startup outsource the PRRC role? Yes, under MDR Article 15(2), if the company is a micro or small enterprise within the meaning of Commission Recommendation 2003/361/EC. The Recommendation defines a small enterprise as one with fewer than 50 employees and annual turnover or balance sheet total not exceeding EUR 10 million, and a micro enterprise as one with fewer than 10 employees and annual turnover or balance sheet total not exceeding EUR 2 million. The external PRRC must be permanently and continuously at the disposal of the company, which is a real working-relationship obligation, not just a contractual formality.
What is the difference between hiring and outsourcing a PRRC for a startup? Hiring internally means the PRRC is an employee of the company, with deep daily context and continuous availability, at the cost of a full regulatory affairs salary. Outsourcing under Article 15(2) means contracting a qualified external professional who serves as the PRRC under an arrangement that satisfies "permanently and continuously at their disposal," at a lower monetary cost but with greater continuity risk and a harder integration challenge. Both routes are legal when correctly structured. The wrong move is to claim either route without verifying the competence of the person behind the title.
Can a startup train a PRRC internally? Yes, if the internal candidate can genuinely reach the Article 15(1) qualification criteria during the training period. If they already have a relevant degree, they need to accumulate at least one year of documented professional experience in regulatory affairs or QMS relating to medical devices. If they do not have the formal qualification, they need four years of such experience. During the training period, the company typically contracts an external PRRC under Article 15(2) to meet the legal obligation and mentor the internal candidate. Training is not a synonym for self-study. Article 15(1) asks for experience, not reading.
How much does an external PRRC cost for a startup? Market rates commonly fall in the range of EUR 500–3,000 per month for an external PRRC serving a micro or small enterprise, depending on the experience level of the PRRC, the frequency of involvement, the device complexity, and the market. The lower end corresponds to light-touch arrangements suitable only for very simple devices. The higher end buys a senior PRRC with real availability and audit experience. Below the lower end, the arrangement typically does not satisfy "permanently and continuously at their disposal" in practice.
What are the red flags when selecting an external PRRC? Vague experience with devices like yours, too many concurrent clients, no audit history, unwillingness to say no in writing, no clear contractual definition of availability, and unwillingness to engage deeply with the device. A PRRC who is willing to sign without understanding the device is the most dangerous profile and the pattern that produces the "dedicated expert" disaster we see in companies that later face serious Notified Body findings.
Does the PRRC have legal liability? Yes. Article 15(3) defines the PRRC's duties, and the PRRC is accountable for ensuring those duties are met. Article 15(6) protects the PRRC from disadvantage within the manufacturer's organisation in connection with the proper fulfilment of their duties, a protection that exists because the exposure is real. Signing off on conformity checks, technical documentation, post-market surveillance compliance, or vigilance reporting without actually reviewing the work is a liability, not a cost-saving strategy.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 15(1) (qualification requirements for the Person Responsible for Regulatory Compliance), Article 15(2) (micro and small enterprise derogation and the "permanently and continuously at their disposal" standard), Article 15(3) (tasks of the PRRC), Article 15(6) (protection of the PRRC from disadvantage within the organisation). Official Journal L 117, 5.5.2017.
- Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal L 124, 20.5.2003. Defines a small enterprise as fewer than 50 employees with annual turnover or balance sheet total not exceeding EUR 10 million, and a micro enterprise as fewer than 10 employees with annual turnover or balance sheet total not exceeding EUR 2 million.
This post is part of the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog, under the PRRC Decisions subcategory. Authored by Felix Lenhard and Tibor Zechmeister. If your startup is in the middle of the "hire, train, or outsource" PRRC decision, this post is the one to read before the decision is made, not after.