Stage 1 is a documentation and readiness review. The auditor checks whether your QMS exists on paper, whether your technical documentation is structured and complete, and whether you are ready for the real assessment. Stage 2 is the on-site operational assessment. The auditor verifies that what you wrote down is actually what you do. Both stages come from the ISO/IEC 17021-1 convention that Notified Bodies apply to the EN ISO 13485:2016+A11:2021 portion of the audit. The MDR itself does not use the Stage 1 / Stage 2 language. It describes the conformity assessment in Annex IX. But in practice the QMS assessment under Annex IX Section 2 runs through this two-stage structure when your NB is also accredited to issue ISO 13485 certificates.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- Stage 1 is a documentation readiness check. Stage 2 is an on-site operational assessment. Both are part of the same initial certification cycle.
- The Stage 1 / Stage 2 terminology comes from ISO/IEC 17021-1, the standard governing management system certification bodies. It is not MDR terminology. The MDR describes conformity assessment in Annex IX without naming these stages.
- In a combined MDR + ISO 13485 audit, the QMS assessment under MDR Annex IX Section 2 maps onto the Stage 1 / Stage 2 structure, and the technical documentation assessment under Annex IX Section 4 runs alongside it.
- Stage 1 findings are usually about missing or immature documentation. Stage 2 findings are usually about gaps between documented practice and actual practice.
- You cannot skip Stage 1. A weak Stage 1 almost always produces a postponed or painful Stage 2.
Where the Stage 1 / Stage 2 language actually comes from
A point of honest clarification before we go further. The MDR does not contain the words "Stage 1" or "Stage 2." If you search Regulation (EU) 2017/745 for that language, you will not find it. What you will find is Article 52, which sets out the conformity assessment procedures, and Annex IX, which describes the full quality management system and technical documentation assessment route used for most Class IIa, IIb, and III devices.
The Stage 1 / Stage 2 structure comes from ISO/IEC 17021-1, the international standard that accredits certification bodies for management system audits. Your Notified Body is almost always also accredited as a certification body under ISO/IEC 17021-1 so it can issue EN ISO 13485:2016+A11:2021 certificates. When it runs your initial audit, it applies the Stage 1 / Stage 2 method to the ISO 13485 portion. And in practice, the MDR QMS assessment under Annex IX Section 2 runs through the same structure because the underlying system being assessed is the same system.
The requirements the Notified Body itself must meet are set out in Annex VII of the MDR. The conformity assessment route for your device is set out in Article 52 and the relevant annex. Most commonly Annex IX. Everything in this post sits within that framework.
What happens in Stage 1
Stage 1 is the readiness check. The auditor. Usually a lead auditor from your Notified Body, sometimes with a technical expert alongside. Reviews your quality management system documentation and your technical file at a high level. The goal is not to find every problem. The goal is to answer one question: is this organisation ready to be audited at depth?
Concretely, in Stage 1 the auditor will:
- Review the scope of certification and confirm it matches your device, your classification, and the conformity assessment route you have chosen.
- Look at the structure of your QMS. Document control, management review records, internal audit records, CAPA system, training records, the top-level process map.
- Review the structure of your technical documentation against MDR Annex II and check that the main sections exist and can be navigated.
- Check that you have addressed the General Safety and Performance Requirements in Annex I with a GSPR checklist.
- Interview a small number of key people. Usually the management representative, the regulatory lead, and the person responsible for the QMS. To confirm that the system is understood at the leadership level.
- Identify the specific processes and technical file sections that will be sampled in depth during Stage 2.
- Produce a Stage 1 report listing any concerns that must be addressed before Stage 2 can proceed.
Stage 1 can happen on-site, remotely, or as a hybrid. For a small startup, a one-day remote Stage 1 is common. For more complex scopes it can run one to two days on-site.
The Stage 1 outcome is either "proceed to Stage 2" or "address these points first and then we will schedule Stage 2." A Stage 1 that surfaces major gaps is not a failure. It is a valuable warning. Fixing problems between Stage 1 and Stage 2 is far cheaper than fixing them after a failed Stage 2.
What happens in Stage 2
Stage 2 is the real assessment. The auditor comes on-site, usually for two to five days depending on device complexity and class, and verifies that your QMS and technical documentation work in practice, not just on paper.
Concretely, in Stage 2 the auditor will:
- Sample your processes end to end. For example, pick a specific design change, follow it from the change request through impact analysis, design control evidence, verification and validation, risk file update, clinical evaluation update, and labeling update.
- Sample the technical documentation. Pick specific GSPR items and trace them through the file to the evidence. Pick a specific risk from the ISO 14971 risk file and follow it to the design controls and the IFU.
- Interview process owners. Not the management representative. The people who actually run the work. They are asked to describe their processes in their own words and to show the records.
- Observe live records. Meeting minutes from management review. Closed CAPAs. Completed internal audits. Training records. Supplier qualification records.
- Verify that the nonconformities from any previous internal audit or mock audit have been genuinely closed.
- Cross-check document versions in use against versions in the QMS.
Stage 2 produces the formal audit report with any nonconformities. Majors, minors, and observations, depending on the NB's convention. Major nonconformities must be closed before the certificate can be issued. Minors typically get a defined closure window.
The difference in one table
| Stage 1 | Stage 2 | |
|---|---|---|
| Purpose | Documentation and readiness review | Operational assessment of the real system |
| Depth | High-level structural check | Deep end-to-end sampling |
| Duration (startup scale) | 0.5–2 days | 2–5 days |
| Location | Remote, on-site, or hybrid | On-site almost always |
| Who gets interviewed | Leadership, QMS owner, regulatory lead | Process owners at every level |
| What failure looks like | Missing sections, unclear structure, no GSPR checklist | Documents do not match practice, records missing, process owners cannot describe their own work |
| Typical outcome | "Proceed to Stage 2" or "address points first" | Formal audit report with nonconformities |
How to prepare for Stage 1
Stage 1 preparation is about completeness and structure, not depth. You need every document to exist, every section of the technical file to be in place, and every top-level QMS process to be defined with at least one cycle of evidence behind it. If your CAPA procedure exists but has never been used, say so honestly. The auditor will notice anyway.
Three things make Stage 1 go well:
- A genuine table of contents. Your technical file has to be navigable by someone who has never seen it before. If the auditor cannot find the intended purpose, classification rationale, or GSPR checklist in under a minute, that is a Stage 1 concern.
- A GSPR checklist that is actually filled in. Each item in Annex I addressed. Applicable or not applicable. If applicable, how it is met and where the evidence lives. "To be completed" is not an answer.
- Honest answers about immaturity. If management review has happened once and not yet twice, say so. Stage 1 is not the place to over-sell. Over-selling at Stage 1 is exactly what produces catastrophic Stage 2s.
How to prepare for Stage 2
Stage 2 preparation is about reality. Every process in your QMS must be the process your team actually runs. Every document version must be the version in use. Every record the auditor asks for must exist and be findable quickly.
The single best preparation for Stage 2 is an internal mock audit run two to four weeks before by someone who did not write the documents. A peer founder, a regulatory partner, or an internal person from a different function. The mock audit surfaces the gap between documented practice and actual practice. Every mock finding becomes a CAPA to close before the real Stage 2. Anything left open at the mock will be left open at the real audit.
There is a Lower Austria company we have watched go through both stages cleanly. Three people, one product, disciplined documentation. They walked into Stage 1 with a file that followed Annex II and a QMS that was small but real. Stage 1 passed with notes, not concerns. Stage 2 produced zero nonconformities. A three-person company outperformed much larger companies audited by the same Notified Body in the same quarter. The difference was not resources. It was that their documented processes were descriptions of actual work, not aspirations.
Common mistakes
- Treating Stage 1 as a formality. Showing up at Stage 1 with half the technical file missing because "we will fix it before Stage 2." The auditor cannot assess what does not exist, and Stage 1 concerns push Stage 2 back.
- Rewriting documents between Stage 1 and Stage 2. Rewriting major QMS procedures in the gap creates version control problems and introduces errors. Close Stage 1 concerns surgically. Do not touch anything you do not have to.
- Assuming Stage 2 only looks at what Stage 1 flagged. It does not. Stage 2 is a fresh deep assessment against the full scope. Stage 1 concerns are a minimum.
- Letting the management representative answer questions for process owners in Stage 2. The auditor will stop this. Process owners must answer in their own words.
- Panicking at the Stage 1 report. A Stage 1 that surfaces concerns is working as intended. That is what Stage 1 is for.
The Subtract to Ship angle
The two-stage audit model is not bureaucratic overhead. It is a correction mechanism. A chance to fail small instead of failing large. A weak Stage 1 is cheap. A weak Stage 2 is expensive, slow, and sometimes fatal to a funding round.
The subtraction discipline here is simple: do not prepare for two audits. Prepare for one system that can survive both stages. A QMS that is small, honest, and fully used will pass Stage 1 and Stage 2 with roughly equal ease. A QMS that is large, aspirational, and partially lived will struggle at both.
Everything traces back to MDR Annex IX. The two stages are the mechanism by which your Notified Body confirms that Annex IX Section 2 (QMS assessment) and Section 4 (assessment of technical documentation) have been met. The stage names are ISO 17021-1 convention. The underlying requirement is MDR.
Reality Check. Where do you stand?
- Can someone who has never seen your technical file navigate it to the intended purpose, classification rationale, GSPR checklist, risk file, and clinical evaluation in under a minute each?
- Is your GSPR checklist complete. Every Annex I item addressed with applicability and evidence, no "to be completed" entries?
- Has your management review run at least one full cycle with documented outputs, and has at least one internal audit cycle been closed?
- If the Stage 2 auditor interviewed your three most senior process owners tomorrow morning without warning, could they describe their own processes in their own words?
- Are the document versions your team is using today the same versions recorded in your controlled QMS?
- Have you run a mock audit with someone who did not build the QMS, and have the findings been closed?
- Do you understand which conformity assessment annex applies to your device, and why?
Frequently Asked Questions
Is Stage 1 required under the MDR? The MDR itself does not use the Stage 1 / Stage 2 language. The conformity assessment is described in Article 52 and Annex IX. The two-stage structure comes from ISO/IEC 17021-1 and is applied by Notified Bodies when they also issue ISO 13485 certificates. In practice, almost every initial Notified Body audit of a startup uses this structure.
How long is the gap between Stage 1 and Stage 2? Typically four to twelve weeks, depending on how many Stage 1 concerns need closing and when the auditor's calendar allows Stage 2 to be scheduled. A well-prepared Stage 1 with few concerns can see Stage 2 scheduled within a month. A messy Stage 1 can push Stage 2 out by a quarter or more.
Can I fail Stage 1? You cannot formally "fail" Stage 1 in the same way you can fail Stage 2, but a Stage 1 can conclude that you are not ready to proceed. The NB then lists the concerns, you address them, and Stage 2 is rescheduled when readiness is confirmed. The practical effect is a delay, not a terminated relationship.
Does the Stage 1 auditor look at the technical documentation too? Yes, at a structural level. They check that the technical file exists, follows MDR Annex II, has a GSPR checklist, and is navigable. The deep sampling of technical documentation. Tracing specific risks to specific evidence. Happens in Stage 2 and in the parallel technical documentation assessment under Annex IX Section 4.
Do surveillance audits also have Stage 1 and Stage 2? No. The Stage 1 / Stage 2 structure applies to the initial certification audit. Surveillance audits in later years are single-stage on-site assessments under the surveillance requirements of Annex IX Section 3.
Related reading
- How to Prepare for Your First Notified Body Audit as a Startup – the full preparation sequence for the combined Stage 1 / Stage 2 cycle.
- How to Respond to Audit Non-Conformities: A Step-by-Step Guide for Startups – what to do with the findings that come out of Stage 2.
- The 10 Most Common MDR Non-Conformities Found in Startup Audits – the patterns that repeat across Stage 2 reports.
- The Auditor's Perspective: What Notified Body Auditors Actually Look For – what the other side of the table is thinking in each stage.
- How to Choose the Right Notified Body for Your MedTech Startup – the decision that determines who runs your Stage 1 and Stage 2.
- What Is a Notified Body and How Do They Audit Your Startup? – the underlying role of the NB in the MDR conformity assessment system.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 52 (conformity assessment procedures), Annex VII (requirements to be met by notified bodies), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). In particular Section 2 (quality management system assessment), Section 3 (surveillance assessment), and Section 4 (assessment of technical documentation). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes.
- ISO/IEC 17021-1. Conformity assessment. Requirements for bodies providing audit and certification of management systems. Part 1: Requirements. (The source of the Stage 1 / Stage 2 audit convention applied by accredited certification bodies.)
This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Tibor has conducted Stage 1 and Stage 2 audits from the Notified Body side and has sat on the company side of both as a founder of four MedTech companies. This post is written from that dual perspective.