A contract manufacturer (CMO) that produces or assembles any part of a medical device is an outsourced process under EN ISO 13485:2016+A11:2021 clause 4.1.5, not a supplier of purchased product. The legal manufacturer under MDR Article 10 retains full responsibility for the device regardless of where the physical production happens. That means the startup must select the CMO with defined criteria, control the relationship through a signed quality agreement, verify output through documented oversight, and handle manufacturing transfer as a formal change. A CMO is not a solution to MDR obligations. It is a way of executing them, with the obligations still sitting squarely on the legal manufacturer.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • A contract manufacturer that makes or assembles any part of a medical device is an outsourced process under EN ISO 13485:2016+A11:2021 clause 4.1.5, and the legal manufacturer retains every MDR Article 10 obligation regardless of the contract.
  • CMO selection for a MedTech startup rests on five criteria: ISO 13485 certification status, demonstrated experience with comparable device classes, willingness to sign a meaningful quality agreement, transparent change-control practices, and compatible production economics at startup volumes.
  • The quality agreement is the single most load-bearing document in the relationship. It defines change notification, non-conformity handling, record retention, right-to-audit, and the boundary between the manufacturer's QMS and the CMO's.
  • Oversight is a monitoring process, not a one-time qualification. Monthly or quarterly quality data, scheduled audits, and documented review of CMO output are what clause 4.1.5 actually requires in practice.
  • Manufacturing transfer between sites or between CMOs is a design and process change under the QMS. It has to be planned, validated, documented, and re-verified before a single unit ships from the new location.
  • The most common startup mistake is treating the CMO as a supplier rather than as an outsourced process owner. That single misclassification produces most of the audit findings that follow.

Why CMOs deserve their own playbook

A Vienna-based startup we worked with had designed a small Class IIa electromechanical device, raised a seed round, and signed a contract with a European CMO to produce the first 500 units. The founders treated the signed contract as the finish line for the manufacturing question. Nine months later, at the first Notified Body stage 1 audit, the auditor asked a simple question: show me the quality agreement with the CMO, the process validation records for the production line, and the last three internal audits you performed at the CMO site.

The founders had none of those. The contract was a commercial document. It covered price, volume, and delivery. It said nothing about change notification, nothing about record retention, nothing about right-to-audit. The CMO's process validation was the CMO's property, not shared. Internal audits at the CMO site had never happened because the founders had not understood they were required.

The audit finding was a major non-conformity, and the remediation took four months: renegotiating the quality agreement with a CMO that had no commercial reason to help, running a catch-up supplier audit on-site, and recovering process validation evidence that the founders should have owned from day one. The certification slipped by a quarter. The round after the seed got harder.

This is the pattern we see repeatedly with startups and CMOs. The commercial contract gets signed first, the regulatory relationship gets signed later, and by the time the gap is visible the leverage has moved to the CMO. The point of this post is to help you avoid that sequence.

Clause 4.1.5: what an outsourced process actually is

EN ISO 13485:2016+A11:2021 clause 4.1.5 is the provision that governs CMO relationships. It says that when the manufacturer chooses to outsource any process that affects product conformity with requirements, the manufacturer must monitor and ensure control over such processes. The manufacturer retains responsibility of conformity to the standard and to customer and applicable regulatory requirements for the outsourced processes. The controls must be proportionate to the risk involved and the ability of the external party to meet the requirements, and they must include written quality agreements.

Read that carefully. The clause does three things. It confirms that outsourcing is allowed. It makes the manufacturer, not the CMO, responsible for conformity of the outsourced process. And it mandates a written quality agreement. Not a commercial contract, not a purchase order, a quality agreement. The word "must" is not optional.

MDR Article 10 reinforces the same point from the regulatory side. Article 10 places obligations on the manufacturer across the device lifecycle: design, production, technical documentation, clinical evaluation, PMS, vigilance, and the QMS itself under Article 10(9). None of those obligations transfer to a sub-contractor when the manufacturer signs a contract. The CMO executes production; the manufacturer owns the compliance.

The practical consequence is that a CMO is categorically different from a supplier of purchased product. A purchased component is controlled under clause 7.4. An outsourced process is controlled under clause 4.1.5. The two clauses overlap but they are not interchangeable. A CMO that assembles your device is not selling you a component. It is executing a step of your production process under your QMS obligations. That distinction is the single most load-bearing idea in the entire CMO relationship.

The CMO selection criteria

The startup instinct in CMO selection is to prioritise price and capacity. The regulatory reality is that five criteria have to clear a minimum bar before price and capacity even enter the conversation.

The first criterion is QMS certification status. An ISO 13485-certified CMO is the default starting point because the certification gives you a baseline of QMS maturity and allows you to lean on the CMO's certification in your own supplier file. A non-certified CMO is not automatically disqualified, but working with one means you have to perform the supplier audit yourself, document the findings, and take on the compensating oversight activities. The cost of that oversight is real and has to be priced into the decision.

The second criterion is demonstrated experience with comparable device classes and technologies. A CMO that has produced Class IIa electromechanical devices for other MedTech customers understands the expectations around process validation, change control, and production records. A CMO whose experience is consumer electronics does not, even if the physical processes look similar. The gap between "can build it" and "can build it under MDR" is exactly where startup projects fail.

The third criterion is willingness to sign a meaningful quality agreement. Some CMOs have a template quality agreement they insist on using. Some have none and will sign yours. Some refuse to sign anything beyond a commercial contract. The last category disqualifies the CMO for a MedTech startup regardless of price. If the CMO will not commit to change notification, non-conformity reporting, record retention, and right-to-audit in writing, the relationship cannot meet clause 4.1.5.

The fourth criterion is transparent change-control practice. Ask the CMO how they handle a change to a raw material, a sub-supplier, a production line, or a test method. If the answer is "we just do it" or "we tell customers when we get around to it," the relationship will produce a vigilance event at some point. If the answer is a documented change-control process with defined customer notification triggers, the CMO understands the game.

The fifth criterion is compatible production economics at startup volumes. Many excellent CMOs have minimum order quantities that are realistic for an established company and unworkable for a startup. Price-per-unit at 500 units is different from price-per-unit at 50,000 units. The selection has to match the volume curve the startup is actually on, not the volume curve the CMO would prefer.

The quality agreement: what it must cover

The quality agreement is where the selection decision becomes operational control. A startup working with a CMO needs the quality agreement to cover, at minimum: the scope of outsourced processes, the division of QMS responsibilities between the manufacturer and the CMO, change notification triggers and timelines, non-conformity handling and escalation, CAPA interaction, complaint handling and vigilance information flow, record retention periods and access rights, right-to-audit provisions, sub-contracting rules, confidentiality, and termination terms that preserve manufacturer access to records after the relationship ends.

The change notification clause deserves special attention. This is the clause that protects you from unannounced changes to the production process, the bill of materials, or the test setup. The clause should list the categories of change that trigger notification, the minimum notice period before implementation, and the manufacturer's right to approve or reject. The CMO world is full of "minor" changes that are only minor from the CMO's perspective (a swapped solder paste supplier, a recalibrated test fixture, a moved production line), and any of them can break your validated state.

The right-to-audit clause is the second clause that carries most of the weight. Clause 4.1.5 requires monitoring and control, and in practice that means the manufacturer performs supplier audits at the CMO site on a planned schedule. The quality agreement has to give you the legal right to show up, see the production floor, review records, and interview staff. A quality agreement that restricts audits to paper review from a distance does not give you what clause 4.1.5 requires.

The record retention clause is where startup founders consistently under-invest. MDR and the standard together require retention of technical documentation, production records, and QMS records for specified periods, typically ten years for most medical devices and longer for implantables. If the CMO goes out of business, gets acquired, or ends the relationship, your ability to access those records has to survive the event. Negotiate this up front. It is much harder later.

The oversight mechanism

Clause 4.1.5 does not just require selection and a quality agreement. It requires ongoing monitoring and control of the outsourced process, proportionate to the risk. In practice, the oversight mechanism has four components.

The first component is routine quality data review. The CMO should be providing periodic data on production yield, non-conformities, rework rates, complaints, and changes. The manufacturer reviews this data on a defined cadence (monthly for active production, quarterly for lower-volume arrangements), and the review is documented. A QMS that has a CMO but no record of reviewing CMO quality data has a clause 4.1.5 finding waiting to be raised.

The second component is scheduled on-site audits. For a critical CMO (and a CMO that assembles your finished device is always critical), the manufacturer audits the CMO site at least annually for active production, with the scope covering process validation, change control, complaint handling, record management, and any areas where prior data suggested weakness. The audit is a supplier audit, documented the same way every supplier audit is documented.

The third component is change-control participation. When the CMO proposes a change that falls within the notification clause, the manufacturer evaluates the impact on the device, the technical documentation, and the regulatory status, and either approves or rejects in writing. Silent acceptance is not acceptance. It is evidence of a broken oversight process.

The fourth component is documented output verification. The finished or semi-finished product coming out of the CMO still has to be verified on receipt. Clause 7.4.3 applies alongside clause 4.1.5: incoming inspection at a depth proportionate to the risk and the CMO's track record. A mature CMO with strong process validation and a clean history needs a lighter touch than a new CMO with limited history, but every shipment has verification that is documented and retrievable.

Manufacturing transfer: handling it as a change

Manufacturing transfer is one of the highest-risk activities a MedTech startup can undertake. It happens when you move production from an internal site to a CMO, from one CMO to another, or from one line to another within the same CMO. Every one of those events is a design and process change under the QMS, and every one of them can invalidate prior validation evidence.

A proper manufacturing transfer has a written transfer plan, a process validation at the new site (IQ, OQ, PQ as appropriate), updated technical documentation reflecting the new site, a risk assessment of the change under EN ISO 14971 principles, an evaluation of whether the change is substantial under MDR change-notification rules, and formal release of the new site before production volume begins shipping. Skipping any of those steps produces findings and, worse, produces devices that were built under a validation state you cannot defend.

The Subtract to Ship discipline applies here with force. A transfer plan does not have to be a hundred pages, but it has to be honest. Cut the sections that do not apply. Keep the sections that establish the validated state at the new location. The shortest defensible transfer plan is the right plan. A bloated transfer plan that nobody follows is the wrong plan regardless of volume.

Common mistakes startups make

  • Signing the commercial contract before the quality agreement, which permanently shifts leverage to the CMO.
  • Treating the CMO as a supplier of purchased product rather than an outsourced process owner, producing a clause 4.1.5 gap.
  • Accepting a CMO quality agreement template without negotiating change notification, right-to-audit, and record retention terms.
  • Assuming ISO 13485 certification of the CMO removes the manufacturer's oversight obligation. It reduces it. It does not remove it.
  • Failing to perform on-site supplier audits at the CMO, producing no clause 4.1.5 monitoring evidence.
  • Missing periodic CMO quality data review because no cadence was ever defined.
  • Treating a manufacturing transfer as a logistics exercise rather than a design and process change requiring validation.
  • Losing access to production records after the CMO relationship ends because the quality agreement said nothing about post-termination access.
  • Running the CMO relationship through the commercial team without a named regulatory owner on the manufacturer side.

The Subtract to Ship angle

The Subtract to Ship discipline (post 65) applied to CMO relationships produces a short list of the things that actually matter. Start with the five selection criteria and do not shortlist a CMO that fails any of them. Negotiate the quality agreement before the commercial contract or, at minimum, in parallel. Build the oversight mechanism (data review, scheduled audits, change-control participation, output verification) at the depth clause 4.1.5 requires and no deeper. Treat manufacturing transfer as a real change that needs real validation. Name one person on the manufacturer side who owns the CMO relationship end to end.

Everything else is optional. Template clauses that do not reflect the actual division of responsibility are waste. Oversight activities that produce no usable data are waste. Audit checklists that duplicate the CMO's own ISO 13485 audit trail are waste. The test is the same test the framework ends with every time: can every activity be defended by pointing to a specific MDR article or a specific clause of EN ISO 13485:2016+A11:2021? Clause 4.1.5 and Article 10 between them justify the playbook above. Nothing else needs to be added.

Reality Check: where do you stand?

  1. Is every CMO relationship classified as an outsourced process under clause 4.1.5, with a written scope of what is outsourced and what is not?
  2. Does every CMO have a signed quality agreement that covers change notification, right-to-audit, non-conformity handling, record retention, and post-termination access?
  3. Did the quality agreement get signed before, with, or after the commercial contract, and how did that sequence affect the terms?
  4. Can you produce documented evidence of periodic CMO quality data review at a defined cadence over the last six months?
  5. When was the last on-site supplier audit at the CMO site, and does the audit report exist in your QMS?
  6. For every CMO change in the last twelve months, is there a documented manufacturer evaluation and a written approval or rejection?
  7. Do you have process validation records from the CMO under your control, or only a promise that the CMO has them?
  8. If a manufacturing transfer happened in the last twelve months, does it have a written transfer plan, validation evidence at the new site, and formal release documentation?

Any "not yet" on this list is where the CMO oversight work still is.

Frequently Asked Questions

Is a contract manufacturer a supplier under EN ISO 13485:2016+A11:2021? A CMO is both a supplier and an outsourced process owner, and the outsourced-process characterisation dominates. Clause 7.4 on purchasing still applies to the transaction itself, but the governing clause for the relationship is clause 4.1.5 on outsourced processes. The practical consequence is that the manufacturer retains responsibility for conformity of the outsourced process and must maintain monitoring and control proportionate to the risk, including a written quality agreement.

Can my ISO 13485-certified CMO remove my obligation to audit them? No. The CMO's certification reduces the depth of your oversight but does not remove it. MDR Article 10 places the obligations on the legal manufacturer, and clause 4.1.5 requires the manufacturer to monitor and control outsourced processes. You can lean on the CMO's certification to shorten the scope of your supplier audit, but you still perform it, document it, and review the CMO's quality data on a planned cadence.

What is the difference between a commercial contract and a quality agreement? The commercial contract covers price, volume, delivery, intellectual property, and liability. The quality agreement covers regulatory and QMS responsibilities: change notification, non-conformity handling, record retention, right-to-audit, complaint information flow, and the scope of outsourced processes. They are separate documents because they serve different purposes and are read by different people. The quality agreement is the one the auditor will ask for.

Who owns the process validation at the CMO site, the CMO or the manufacturer? The manufacturer owns the compliance responsibility for process validation of the outsourced process. The CMO often executes the validation and holds the primary records, but the quality agreement must give the manufacturer access to those records, and a copy or controlled reference must exist in the manufacturer's technical documentation. If you cannot produce the validation on request, you do not own it and clause 4.1.5 is not satisfied.

What happens if my CMO refuses to sign a meaningful quality agreement? You have three options. Negotiate harder; for many CMOs, the first refusal is a bargaining position. Choose a different CMO that understands MedTech expectations. Or, if neither is possible, accept the compensating controls on the manufacturer side (deeper incoming inspection, on-site presence during production, independent validation activities) and document the risk-based decision. The third option is expensive and rarely stable. The first two are almost always the right answer for a startup.

How do I handle manufacturing transfer from one CMO to another without a quality gap? Treat it as a formal change under the QMS. Write a transfer plan covering scope, timeline, validation activities, and acceptance criteria. Run IQ, OQ, and PQ as appropriate at the new site. Update the technical documentation. Assess whether the change is substantial under MDR change-notification rules and notify the Notified Body if required. Release the new site formally before production volume ships. The transfer is not complete when the new line makes its first unit. It is complete when the validation and release documentation is closed.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system covering selection and control of suppliers and sub-contractors). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clause 4.1.5 (control of outsourced processes, including the written quality agreement requirement and the manufacturer's retained responsibility for conformity), clause 7.4 (purchasing process, purchasing information, and verification of purchased product).

This post is part of the Team & Operations cluster in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. A CMO is not a way of handing off MDR obligations. It is a way of executing them with another company on the production floor, with the obligations still sitting where MDR Article 10 places them: on the legal manufacturer.