A Notified Body is the gatekeeper between your medical device and the EU market. For any device that requires third-party conformity assessment, which is every device above Class I (non-sterile, non-measuring), a Notified Body must review your quality management system and technical documentation, audit your operations, and issue certificates before you can apply the CE mark.
Tibor spent years as a Notified Body lead auditor before founding his consulting practice. Here is the inside perspective on what Notified Bodies are, how they work, and what they actually look for when they audit a startup.
What Exactly Is a Notified Body?
A Notified Body is a conformity assessment body that has been designated by a national competent authority (called the "designating authority") under the MDR and has been notified to the European Commission. The "notified" in the name means the Commission has been formally informed of the body's designation and scope.
Notified Bodies are typically private organizations: testing laboratories, certification companies, or technical assessment organizations. They are not government agencies, though they operate under government oversight. Examples include TÜV SÜD, BSI, DEKRA, and SGS.
The designation process under the MDR (Articles 35–44) is rigorous. Notified Bodies must demonstrate:
- Organizational independence and impartiality
- In-house competence for the device types they certify
- Adequate financial resources and liability insurance
- Quality management systems for their own operations
- Staff with specific qualifications and ongoing training
This is why there are fewer Notified Bodies under the MDR than under the MDD. The designation requirements are significantly stricter, and many former MDD Notified Bodies either did not apply for MDR designation or did not meet the new requirements.
How Does the Notified Body Audit Process Work?
The conformity assessment process typically follows this sequence:
Phase 1: Application and Contract
You submit an application to the Notified Body, describing your device, its classification, and the conformity assessment procedure you will follow. The Notified Body reviews the application, confirms the device falls within their scope of designation, and provides a quotation. Once you sign the contract, you enter the audit queue.
The queue is the bottleneck. Depending on the Notified Body and their current workload, you may wait 6 to 18 months between signing the contract and your first audit.
Phase 2: Stage 1 Audit (Document Review)
The Stage 1 audit is primarily a document review. The Notified Body examines your quality management system documentation to determine:
- Whether your QMS addresses all MDR requirements
- Whether your processes are defined and documented
- Whether your technical documentation structure is adequate
- Whether your organization has the necessary resources and competences
Stage 1 may be conducted off-site (desk review) or on-site, depending on the Notified Body and the complexity of the device. At the end of Stage 1, the auditor identifies any gaps that must be addressed before Stage 2.
Phase 3: Stage 2 Audit (On-Site Assessment)
The Stage 2 audit is the main event. Auditors visit your premises and assess:
QMS implementation. Not just whether processes are documented, but whether they are actually followed. Auditors interview your team, review records, trace processes from input to output, and check that what you do matches what you documented.
Technical documentation. For the specific device under assessment, auditors review the technical documentation for compliance with Annex II. This includes the device description, design and manufacturing information, GSPR checklist, risk management file, clinical evaluation report, labeling, and PMS plan.
Competence. Do the people responsible for regulatory compliance, quality management, and technical functions have the qualifications and experience the MDR requires?
Manufacturing. If you manufacture (or have a contract manufacturer), auditors review the manufacturing process, process validations, incoming inspection, and final release procedures.
The Stage 2 audit typically takes 2 to 5 days on-site, depending on the scope.
Phase 4: Non-Conformity Resolution
After the audit, the Notified Body issues a report documenting any non-conformities. Non-conformities are categorized as:
Major non-conformities: Significant failures to meet MDR or QMS requirements. These must be resolved before certification can proceed. You typically have 60 to 90 days to submit your corrective actions.
Minor non-conformities: Less significant deviations. These must be addressed, but they do not necessarily block certification. The Notified Body verifies resolution at the next surveillance audit.
Observations: Areas for improvement that are not non-conformities but should be addressed proactively.
Phase 5: Certificate Issuance
Once all major non-conformities are resolved to the Notified Body's satisfaction, they issue the relevant certificates:
- EU QMS Certificate (per Annex IX, Chapter I), certifying that your quality management system conforms to the MDR requirements
- EU Technical Documentation Assessment Certificate (per Annex IX, Chapter II, or other applicable annexes), certifying that the technical documentation for the specific device conforms to MDR requirements
These certificates are valid for a maximum of five years.
Phase 6: Surveillance
Certification is not the end. Notified Bodies conduct periodic surveillance audits, typically annually, to verify that your QMS continues to function and that any changes to your device or processes are properly managed.
Additionally, the MDR requires unannounced audits. Article 52(8) mandates that Notified Bodies conduct unannounced audits at the manufacturer's premises. These can happen at any time, and you must be ready.
What Do Auditors Actually Look For?
Having been on both sides of the audit table, as an auditor and as a consultant preparing companies for audits, Tibor identifies these as the areas where startups most commonly fail:
1. Traceability. Can the auditor trace a design requirement through the development process to verification, validation, and risk management? If the trail breaks, it is a non-conformity.
2. Risk management integration. Is risk management a living process integrated into design, manufacturing, and post-market activities? Or is it a standalone document that was written once and never updated? Auditors check for evidence of ongoing risk management activities.
3. Clinical evaluation rigor. Is the clinical evaluation based on a systematic literature search with defined criteria? Does it adequately address safety, performance, and benefit-risk? For claims of equivalence, is the equivalence justification robust? This is one of the most scrutinized areas.
4. Process adherence. Does the team actually follow the documented processes? Auditors check records against procedures. If your CAPA process says complaints are evaluated within 5 business days but the records show evaluations taking 30 days, that is a non-conformity.
5. Document control. Are documents controlled, versioned, and approved? Are obsolete versions removed from use? Is there a clear record of who approved what and when?
6. Supplier management. If you use contract manufacturers or critical suppliers, how do you manage them? Are they qualified? Are incoming materials inspected or verified? Are there quality agreements in place?
We cover audit preparation in detail in How to Prepare for Your First Notified Body Audit as a Startup.
The Auditor Is Not Your Enemy
This is a point Tibor makes emphatically: the audit is not adversarial. A good auditor wants to find a compliant system. They are not looking to fail you. They are looking to verify that your system works.
The worst thing a startup can do during an audit is try to hide problems. Auditors are experienced professionals who know what problems look like. If you have a gap, acknowledge it, explain what you are doing about it, and show your corrective action plan. This is vastly better than pretending the gap does not exist and forcing the auditor to discover it.
The relationship with your Notified Body should be professional and collaborative. They are not your friend; they must maintain independence. But they are a partner in ensuring your device meets the requirements. Treat the audit as a quality check on your system, not as an exam you might fail.
At the end of the day, the Notified Body audit is verifying one thing: that your device is safe, performs as intended, and that you have the systems in place to maintain that safety and performance throughout the device's lifecycle. If your systems genuinely work, the audit will confirm that.