Most MedTech founders budget for CE marking as a one-time cost: a spike before launch, then done. The MDR does not work that way. Article 10 obligations continue for the life of the device: PMS, PSURs, surveillance audits, CER updates, vigilance, and notified body fees. These are recurring, per-device, and per-year costs. If you do not model them inside your unit economics, your margins are wrong.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • CE marking is not a one-time cost. MDR Article 10 creates lifetime obligations.
  • Post-market surveillance, vigilance, PSUR updates, CER updates, and surveillance audits are recurring, predictable, budgetable line items.
  • Treating regulatory cost as one-off CapEx distorts gross margin and misleads investors.
  • The honest model treats it as COGS (or near-COGS): a per-device or per-year charge that scales with the portfolio.
  • Investors who understand MedTech expect to see this. Investors who do not will learn the hard way with your cap table.
  • The companies that model it honestly make better pricing, portfolio, and subtraction decisions.

Why treating certification as one-time is the default, and why it is wrong

Almost every first-time MedTech founder builds the same budget. There is a line labelled "regulatory" or "CE mark". It contains a number, the cost of getting the first device certified, and that line ends when the certificate arrives. After that, the budget assumes the product generates revenue and the regulatory cost is in the rear-view mirror.

This is wrong in every direction that matters.

The MDR does not distinguish between the effort to get a device certified and the effort to keep it certified. Article 10 lists manufacturer obligations as ongoing duties, not one-time deliverables. The notified body surveillance cycle does not stop at certificate issuance. It starts there. The post-market surveillance system is an Article 10(10) obligation that runs for as long as the device is on the market. The clinical evaluation must be kept up to date. The PSUR must be produced on a defined schedule. Vigilance must be active. The QMS must be maintained and audited.

These are not optional. They are not deferred. They are not absorbed into overhead. They are real, recurring, per-device costs that most founders fail to account for until the second year, when the finance sheet does not match reality and the next fundraise becomes harder to justify.

What MDR actually says about ongoing cost

Article 10 of Regulation (EU) 2017/745 sets out the general obligations of manufacturers. Several are explicitly lifecycle obligations, not one-off deliverables:

  • Article 10(9) requires a QMS that is maintained. ISO 13485:2016+A11:2021 conformance is not achieved once; it is demonstrated at every surveillance audit.
  • Article 10(10) requires the manufacturer to establish, document, implement, maintain, keep up to date, and continually improve a post-market surveillance system proportionate to the risk class. The words "maintain" and "continually improve" are not decorative.
  • Article 10(12)–(14) cover reporting, cooperation with authorities, and corrective actions.

The post-market surveillance framework itself sits in Articles 83–86 and Annex III:

  • Article 83: The PMS system as an integrated part of the QMS.
  • Article 84: The PMS plan, with required content defined in Annex III.
  • Article 85: The PMS report for Class I devices.
  • Article 86: The Periodic Safety Update Report (PSUR) for Class IIa, IIb, and III devices, with defined update frequencies and review cycles.

Vigilance obligations sit in Articles 87–92, including reporting of serious incidents and field safety corrective actions, trend reporting under Article 88, and analysis of serious incidents under Article 89.

On top of these, the clinical evaluation report must be updated throughout the life of the device. MDR Article 61(11) requires it to be updated with data obtained from PMS, and specifically with PMCF data where applicable. The technical documentation must be kept current.

None of these end at CE marking. All of them generate recurring cost.

The recurring cost categories, named honestly

Here are the categories that belong in your regulatory line item for every year the device is on the market:

1. Notified body surveillance fees (for Class IIa and above). The notified body does not go away after issuing your certificate. Surveillance audits continue annually, unannounced audits can occur, and technical documentation sampling occurs on a defined cycle. These fees are per-year, per-certificate, and non-negotiable.

2. QMS maintenance and internal audit effort. The QMS needs internal audits, management reviews, CAPA processing, document control, training records, and supplier controls. For a small startup, this can be a meaningful fraction of a full-time role. It does not scale to zero.

3. Post-market surveillance system operation. Complaint handling, trend analysis, data collection from user feedback, literature monitoring, competitor vigilance feed monitoring, and documentation of all of it. Annex III defines what must be in the PMS plan, and every item generates ongoing work.

4. PSUR production (Class IIa, IIb, III). Article 86 requires periodic safety update reports. Producing one is not a weekend task. It aggregates PMS data, complaints, vigilance, CER updates, and benefit-risk analysis. For Class IIb and III, the PSUR is submitted into Eudamed and reviewed.

5. CER updates. The clinical evaluation report must be kept current with new literature, new PMS data, and new clinical findings. The cadence depends on risk class and the PMS plan, but it is never zero.

6. PMCF activities. Post-market clinical follow-up, where required, generates its own ongoing cost: surveys, registries, prospective studies, and the analysis and reporting of them. For devices that cannot justify waiving PMCF, this can be the single largest recurring line item.

7. Vigilance operations. Incident monitoring, decision-making on reportability, report drafting and submission within MDR timelines, FSCA management where needed, and corresponding CAPA workflows.

8. Regulatory intelligence. MDCG guidance documents are updated. Harmonised standards are republished. Implementing regulations amend transitional rules. Someone has to track these, assess impact, and update your files accordingly.

9. Change management. Every product change triggers an impact assessment and often notified body review. Not once. Every time.

10. Re-certification. Certificates have a finite validity. Re-certification is a multi-month effort and a material cost, and it arrives on a predictable schedule.

A worked example: the margin that was not there

Consider a Class IIa software-based medical device sold at €1,200 per user per year on a subscription model. The founder's original plan modelled cost of delivery as hosting plus support plus customer success, around €180 per user per year, and reported a headline gross margin of 85 percent.

The regulatory budget was treated as a one-time CapEx of roughly €400,000 for the CE mark. After certification, the regulatory line was assumed to drop to near zero.

In year two, reality landed. The recurring regulatory costs for that single device, across a year, included notified body surveillance fees, QMS maintenance effort allocated from the quality lead's time, PMS system operation, PSUR preparation effort, a partial CER update, PMCF survey operation, vigilance system operation, and a portion of a regulatory lead's salary. Aggregated and allocated, these added tens of thousands of euros per year in direct regulatory operating cost, plus additional allocated effort from engineering and clinical.

Distributed across the active user base that year, the recurring regulatory cost per user was meaningfully larger than the hosting bill. The true gross margin, once regulatory costs were treated as COGS, was materially lower than the headline figure. Not catastrophically lower, but low enough to change the conversation in the Series A meeting.

The company survived because they caught it early and raised accordingly. But the lesson is universal: regulatory cost that is not modelled is not absent. It is just hidden until it is too late to plan for.

The Subtract to Ship playbook for regulatory as COGS

Step 1. Build two cost tables, not one. The first is the one-time path to CE mark. The second is the annual recurring regulatory operating cost once on the market. Never collapse them into a single line.

Step 2. Line-item the recurring table. Use the ten categories above. Get a quote from your notified body for surveillance fees. Estimate QMS maintenance hours. Estimate PMS system operation hours. Estimate PSUR and CER update effort. Estimate PMCF cost. Convert hours to fully loaded cost per role.

Step 3. Allocate recurring regulatory cost to COGS or opex deliberately. There are two defensible approaches. The COGS approach allocates recurring regulatory cost across revenue-generating units and reports a regulatory-inclusive gross margin. The opex approach separates it as a fixed regulatory operating line. Either is honest if you are consistent and transparent. The dishonest approach is pretending it does not exist.

Step 4. Model it per device across the portfolio. Every additional SKU, every additional significant variant, every additional intended-purpose extension adds to the recurring table. Portfolio decisions are regulatory cost decisions. This is where the subtraction discipline pays off: fewer SKUs, narrower intended purpose, fewer variants all directly reduce recurring regulatory cost.

Step 5. Put it in your pitch deck. Investors who have funded MedTech before will ask. Investors who have not should still see it. A founder who models lifecycle regulatory cost is a founder who has understood the business. A founder who does not is a founder who will surprise their cap table in year two.

Step 6. Re-forecast annually. Notified body fees change. Guidance documents create new obligations. Standards get re-issued. The recurring table is a living document.

Step 7. Use it to drive subtraction decisions. When the recurring cost table is real, the cost of widening intended purpose or adding a device variant becomes real too. The audit discipline at the front of the product cycle connects directly to the margin discipline at the back.

Reality Check

  1. Does your financial model have a distinct recurring regulatory cost line that runs for every year of the product's life?
  2. Have you quoted your notified body surveillance fees for the next three years?
  3. Do you know, in hours, how much QMS maintenance your team spends per month?
  4. Have you estimated the effort for your next PSUR or PMS report?
  5. When is your next CER update due, and is the effort for it in the budget?
  6. Do you have a PMCF budget, or are you assuming waiver without documented justification?
  7. What is your gross margin with recurring regulatory cost allocated to COGS?
  8. If your recurring regulatory cost doubled, would your unit economics still work?

Frequently Asked Questions

Are recurring regulatory costs really COGS or are they opex? Either treatment can be defended depending on your accounting framework, but what cannot be defended is leaving them out. If you treat them as opex, make sure your gross margin disclosure is paired with a visible regulatory operating cost line. If you treat them as COGS, allocate them consistently across SKUs and periods.

Does this apply to Class I self-certified devices? Yes. Class I devices still carry Article 10 obligations, PMS plan requirements, Article 85 PMS reports, vigilance, technical documentation maintenance, and QMS-equivalent discipline. The absence of a notified body reduces cost; it does not eliminate it.

What is the biggest recurring cost category most founders miss? PMCF is often the most underestimated. For devices that cannot justify a waiver, ongoing clinical data collection can dominate the recurring regulatory line.

Do notified body surveillance fees really go up? They can. Fee schedules are updated, unannounced audits are billable, and scope expansions trigger additional effort. Model conservatively.

How do I explain this to a non-MedTech investor? Frame it the same way you would explain hosting costs to a SaaS investor: a real, recurring, unavoidable cost of operating in this market. The investor who is worth having will appreciate that you have modelled it.

Can regulatory cost be reduced over time? Yes, through portfolio discipline, QMS automation, and experience. But it never goes to zero for any device that remains on the market.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 61, 83–86, 87–92; Annex III.
  2. MDCG 2025-10 (December 2025). Guidance on post-market surveillance.
  3. MDCG 2023-3 Rev.2 (January 2025). Vigilance terms and concepts Q&A.
  4. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems.