---
title: Remote Teams and MDR Compliance: A Field Guide
description: How distributed MedTech startups run a compliant QMS, handle document control, and survive Notified Body audits with remote teams under MDR.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: remote teams MDR compliance
canonical_url: https://zechmeister-solutions.com/en/blog/remote-teams-mdr-compliance
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Remote Teams and MDR Compliance: A Field Guide

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Remote MedTech teams can be fully MDR compliant, but only if the QMS is built for distributed work from day one. MDR Article 10(9) requires a quality management system in accordance with EN ISO 13485:2016+A11:2021, and nothing in that standard prohibits remote operation. What breaks compliance is not geography — it is weak document control, unclear authority, and Notified Body audits planned as if everyone still sits in one building.**

## TL;DR
- MDR Article 10(9) requires manufacturers to establish, document, implement, maintain, and update a QMS — it does not require a single physical site.
- EN ISO 13485:2016+A11:2021 clause 4.1 (QMS processes), clause 4.2 (documentation), and clause 6.2 (human resources) are the backbone of any compliant distributed operation.
- An eQMS with enforced access control, versioning, and e-signatures solves the document control problem that destroys most remote teams under audit.
- Notified Bodies audit where the work happens — including home offices of design authority holders, when relevant — and manufacturers must plan audit logistics accordingly.
- "Remote-first" is a QMS design choice, not an HR convenience; retrofitting a colocated QMS to a distributed team is the most expensive path.
- Manufacturing-sensitive activities (production, sterilization, final release) usually remain physically anchored even when product development is fully remote.

## Why this matters

When I audit distributed MedTech startups, the first thing I look for is not where people sit. It is whether there is one authoritative version of any given document and whether the people who need to sign it can prove they were the ones who actually signed it. Geography is a red herring. A single-site team with a shared drive and Word documents is usually in worse shape than a twelve-timezone remote-first company running a well-configured eQMS.

The founders who get this wrong tend to come from two opposite directions. The first group treats remote work as a legal problem: they assume MDR requires a "headquarters" and waste months on office leases they do not need. The second group treats remote work as so normal it does not need designing: they let people edit documents on laptops in airport lounges, use three different chat tools, and discover at Stage 1 that they cannot prove who approved the software requirements.

Both are fixable. The fix is the same: build the QMS the way you actually work, and make sure the way you actually work satisfies ISO 13485.

## What MDR actually says

**MDR Article 10(9).** Manufacturers of devices other than investigational devices shall establish, document, implement, maintain, keep up to date, and continually improve a quality management system that shall ensure compliance with the requirements of the regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device. Article 10(9) then lists the aspects the QMS shall address: regulatory strategy, GSPR identification, management responsibility, resource management, risk management, clinical evaluation, product realisation, unique device identification, PMS, vigilance, communication with authorities, processes for monitoring product output, and so on.

Nothing in this list mentions a physical site. Compliance is about processes, documentation, and responsibility — not about walls.

**EN ISO 13485:2016+A11:2021.** The harmonised standard that gives you presumption of conformity with the QMS requirements of MDR Article 10(9) carries a few clauses that matter most for distributed teams:

- **Clause 4.1 — General QMS requirements.** The organisation shall document a QMS, determine the processes needed, apply a risk-based approach to control these processes, and determine criteria and methods to ensure effective operation and control. "Organisation" is not defined geographically.
- **Clause 4.1.5.** When the organisation outsources any process that affects product conformity, it shall ensure control over such processes. For distributed teams, this includes cloud infrastructure and SaaS tools that host regulated records.
- **Clause 4.2 — Documentation requirements.** The QMS documentation shall include a quality manual, documented procedures, records, and any other documents the organisation determines to be necessary. Clause 4.2.4 covers control of documents: approval, review, updates, identification of changes and current revision status, legibility, availability at points of use. Clause 4.2.5 covers control of records.
- **Clause 6.2 — Human resources.** Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills, and experience. The organisation shall document the process for establishing competence, providing training, and ensuring awareness. Remote teams must still run this process — just remotely.

**What MDR and ISO 13485 are silent on.** Neither specifies a single headquarters, co-located engineering, paper records, or wet-ink signatures. Electronic signatures are acceptable if you control them under clause 4.2.4 and can demonstrate authenticity, integrity, and non-repudiation. Your Notified Body will test whether your electronic signatures and your audit trail actually do what you claim.

## A worked example

A 14-person Class IIa SaMD company. Headquarters (for legal purposes) in Vienna. Two engineers in Lisbon, one in Kraków, regulatory affairs in Berlin, clinical in Ljubljana, founders split between Vienna and remote. No shared physical office. One cleanroom partner for hosted service deployment in Frankfurt, outsourced under a supplier agreement.

Their QMS is deliberately built for distribution. Specifically:

- **Single eQMS instance** with role-based access control, automatic versioning, 21 CFR Part 11-style audit trails, and embedded e-signature. Quality manual, SOPs, forms, and records all live there. Nothing lives on laptops.
- **Document control SOP** specifies that no regulated document exists outside the eQMS. Drafts on local drives are explicitly prohibited, with an exception path for short-term offline editing that requires check-in within 24 hours.
- **Training records** for every team member maintained in the eQMS, linked to specific SOPs they have read and acknowledged with e-signature.
- **Design authority and signature matrix** names individuals — not roles — for every release gate. Vienna signs device release. Berlin signs regulatory submissions. Both are documented with location and authority.
- **Management review** runs quarterly via video conference. Minutes, attendance, and action items live in the eQMS. The PRRC attends every session.
- **Internal audits** are conducted remotely via video, screen sharing, and eQMS access. Objective evidence is captured as links to records.

Their Notified Body Stage 2 audit runs over four days. Two days on-site at the Vienna office (the legal manufacturer location, where the founder-CEO and head of quality are present). One day remote with the Lisbon engineering pair for design and development processes. Half a day remote with the Berlin regulatory lead for post-market surveillance and vigilance procedures. Half a day at the Frankfurt hosting partner for infrastructure and supplier control review. The NB team plans these logistics with the company six weeks in advance and confirms that physical evidence at Vienna, plus remote observation of the distributed activities, is sufficient.

They pass with three minor non-conformities — none related to remote operation. All three relate to clinical evaluation update frequency.

## The Subtract to Ship playbook

**1. Pick the eQMS before you pick the team structure.** The eQMS is the infrastructure. Running a distributed team on shared drives and Word is a guaranteed audit failure. Evaluate tools on versioning, e-signature compliance, audit trails, access control, validation documentation from the vendor, and export capability. Validate it per your SOP on validation of QMS software.

**2. Write one document control SOP and obey it ruthlessly.** The single most common finding in distributed teams is uncontrolled document copies. Your SOP must define: where documents live, who can create/edit/approve, how versions are identified, how obsolete versions are removed from points of use, and how external copies (e.g., PDFs shared with a Notified Body) are tracked.

**3. Put authority on names, not job titles.** "Head of Engineering approves design output" is ambiguous when three engineers could qualify and two work remotely. "Maria Schmidt, employee ID 007, approves design output for the mobile application module" is unambiguous. Update the matrix when people change roles.

**4. Design the management review around distribution.** Quarterly video calls with a documented agenda aligned to clause 5.6 of ISO 13485. Attendance tracked. Minutes approved. Actions traced to closure. Do not skip a quarter because "we talk all the time anyway" — talking is not management review.

**5. Run training remotely but with real evidence.** Assign SOPs in the eQMS. Require e-signed acknowledgment. Track read/not-read by person. For practical skills, record video demonstrations or use structured competence assessments. Store everything in the personnel file.

**6. Treat every home office as a site for audit logistics only if regulated activity happens there.** A developer in Kraków who writes code subject to EN 62304 is doing regulated work in Kraków. Your NB may want to observe that work. Plan it: agree in advance which activities are observable remotely (code review, requirements traceability, unit test evidence) and which need physical presence (hardware interaction, wet-lab work).

**7. Book Notified Body audits six to eight weeks ahead with a detailed logistics plan.** Tell them up front how many locations are involved, who is where, what happens at each, and propose a hybrid on-site/remote approach. Most Notified Bodies are comfortable with remote audit portions for distributed teams if the QMS supports it.

**8. Anchor physical activities clearly.** Manufacturing, sterilization, final release, and (for physical devices) device handling are almost always site-bound. Define those sites explicitly, list them on your EU declaration of conformity where required, and make sure your QMS shows clear control over each.

**9. Do not let time zones become a CAPA black hole.** Distributed teams need written rules for CAPA ownership, target dates, and escalation. "Anyone can pick it up" usually means nobody does. Assign CAPA owners by name with explicit SLAs.

**10. Test your disaster scenarios.** What happens if your eQMS vendor goes down for 72 hours during an audit? Your document control SOP should have a documented offline procedure. Rehearse it once before you need it.

## Reality Check

1. Can you produce, within five minutes, the current approved version of any SOP in your QMS from any team member's laptop?
2. Do you have one authoritative eQMS, or do regulated records still live in shared drives, email attachments, or chat tools?
3. Is your signature authority matrix written in terms of named individuals with documented competence evidence?
4. When was the last time you tested document control by asking a team member to find an obsolete version they should no longer have?
5. Does your management review minute book show four sessions in the last 12 months with full attendance and action tracking?
6. Have you discussed audit logistics with your Notified Body in terms they recognise — on-site vs remote activities, per location?
7. For every regulated activity that happens outside your legal manufacturer location, can you show how the QMS controls it?
8. If your eQMS went down tomorrow for 48 hours, do you have a written offline document control procedure your team has actually rehearsed?

## Frequently Asked Questions

**Does MDR require a physical headquarters?**
MDR requires a legal manufacturer with an identifiable address, a PRRC available permanently and continuously, and (for non-EU manufacturers) an authorised representative. It does not require physical co-location of staff. Your registered manufacturer address is a legal requirement; a working office is not.

**Can a Notified Body audit be fully remote?**
Some portions can be, particularly for software companies. Full audits are rarely fully remote under current practice, and unannounced audits (MDR Article 52 and Annex IX requirements on Notified Bodies) usually involve physical presence. Expect a hybrid model.

**What eQMS features matter most for distributed teams?**
Role-based access control, enforced check-in/check-out or workflow-based editing, automatic version control, compliant e-signature with audit trail, linking between records (design inputs to outputs to verification), and reliable export for audit evidence. Validation documentation from the vendor also matters, because you must validate the tool per your own SOP.

**Can we hire engineers in non-EU countries?**
Yes. MDR does not restrict where your engineers live. What matters is that they are subject to your QMS, trained, competent, and that your IP and data transfer arrangements are sound. Non-EU hosting of regulated data raises separate GDPR questions — handle those explicitly.

**How do we handle unannounced audits with a distributed team?**
Your QMS must identify your "manufacturing site" or sites for audit purposes. That is where an unannounced audit happens. If your company does not do physical manufacturing and everything is software, the site is typically the legal manufacturer's primary address. Make sure someone authorised is always reachable there during business hours.

**Is a single shared drive an acceptable document control system?**
No, not for MDR purposes. Shared drives typically lack enforced versioning, e-signature, access control by role, and audit trail. Auditors routinely find major non-conformities around document control in shared-drive setups. Use a real eQMS.

## Related reading
- [QMS for multi-site and remote teams](/blog/qms-multi-site-remote-teams) — deeper dive on multi-location quality systems
- [Document control for startups](/blog/document-control-startup) — the backbone discipline for distributed work
- [eQMS platforms for startups in 2026](/blog/eqms-platforms-startups-2026) — tool selection
- [Preparing for your first Notified Body audit](/blog/prepare-for-first-notified-body-audit) — audit logistics and expectations
- [Minimum viable QMS](/blog/minimum-viable-qms) — scoping a lean compliant QMS

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10(9).
2. EN ISO 13485:2016+A11:2021, clauses 4.1 (QMS processes), 4.1.5 (outsourced processes), 4.2 (documentation requirements), 4.2.4 (control of documents), 4.2.5 (control of records), 5.6 (management review), 6.2 (human resources).
3. MDR Annex IX (conformity assessment based on a quality management system).

