Notified Body audits are a critical component of the conformity assessment process for manufacturers of non-self-certified devices under the EU device regulatory framework. For manufacturers seeking CE certification that requires Notified Body involvement under the EU MDR/IVDR for the first time, adequately preparing for these audits can be challenging. The same applies to manufacturers transitioning their legacy devices to CE marking under the updated regulations, as Notified Body audits and expectations have evolved significantly.
In this article, we provide an overview of the types of Notified Body audits, the assessments conducted during initial certification audits, and common Notified Body audit findings. We also offer information and guidance on how manufacturers can prepare to minimize the likelihood of such findings.
Types of Notified Body Audits
There are three types of audits performed by Notified Bodies in compliance with the MDR/IVDR and the TEAM NB Code of Conduct for Notified Bodies, comprising:
Certification and Re-certification Audits
These audits cover initial certification audits conducted when a device manufacturer is pursuing CE marking for a device. Initial certification audits result in the issuance of relevant conformity assessment evidence by the Notified Body, which is valid for five years from the date of issuance. Re-certification audits are performed close to the expiration of the conformity assessment evidence to renew the evidence, pending a favorable audit result. The manufacturer collaborates with the Notified Body to schedule these audits.
Surveillance Audits
These periodic audits are conducted by Notified Bodies at least annually to verify the manufacturer’s ongoing compliance with the MDR/IVDR. They are typically shorter than certification/re-certification audits, as Notified Bodies sample relevant evidence to confirm the manufacturer’s continued compliance with its QMS and Technical File. Manufacturers also work with the Notified Body to schedule these audits.
Unannounced Audits
These audits are performed randomly, at least once every five years, by Notified Bodies without any prior communication to the manufacturer. They are similar to unannounced inspections conducted by regulatory agencies such as the US FDA. These audits may take place at the facilities of manufacturers or their suppliers/subcontractors. Unannounced audits are typically conducted by two auditors within a single day (i.e., an audit day comprising eight hours). However, Notified Bodies can document justifications for reducing the number of auditors or the duration of the audit.
NOTE: While these audits are unannounced, manufacturers may nominate periods of unavailability (within limits established by each Notified Body) when contracting a Notified Body. Manufacturers typically inform the Notified Body of their normal working weeks, hours, and shift operations to ensure facilities are operational when the Notified Body conducts such audits.
Assessments Performed During Initial Certification Audits
For the majority of manufacturers who apply conformity assessment under Annex IX of the MDR / IVDR, the initial certification audit typically comprises three different assessments, comprising:
QMS Assessment
Most Notified Bodies begin with this assessment (e.g. BSI, TÜV SÜD), however this is not mandatory (e.g. DNV GL begins with the Technical File Assessment) which comprises an assessment of the manufacturer’s QMS which is performed on-site at the manufacturer’s facility in order to verify compliance with MDR / IVDR QMS requirements. In other words, the Notified Body reviews the QMS documentation as well as the manufacturing facility to ensure that the manufacturer is complying with both its own QMS and the MDR / IVDR.
This may also include an audit of critical suppliers by the Notified Body, particularly for legal manufacturers that do not perform any on-site manufacturing activities.
For manufacturers applying conformity assessment under Annex IX, if no findings are identified by the Notified Body, or if any identified findings are resolved, the Notified Body issues an MDR/IVDR QMS certificate as conformity assessment evidence.
In addition, Notified Bodies may request evidence that manufacturers have agreements with their Importer(s) covering MDR Article 13. To meet this requirement, manufacturers must work with an Importer that complies with all MDR requirements.
Manufacturers can assign their distributors as Importers, but this means managing multiple Importers, adding complexity to their regulatory and supply chain processes.
Alternatively, they can designate MedEnvoy as their sole Regulatory Importer. This simplifies compliance by consolidating Importer responsibilities under one entity. MedEnvoy fully meets MDR Importer requirements, making it the safer option. Relying on multiple distributors as Importers carries the risk that some may not be fully compliant, potentially leading to non-conformities during an MDR audit.
Technical File Assessment
This assessment involves a review of all components of the device’s Technical File, with the exception of records related to Clinical Evaluation (MDR) or Performance Evaluation (IVDR), as these require assessment by appropriately qualified individuals.
Clinical Evidence Assessment
Under this assessment, the Notified Body reviews the following records:
-
- Devices CE marked under the MDR:
- Clinical Evaluation Plan
- Clinical Evaluation Report, including Literature Search Protocol / Report
- Devices CE marked under the MDR:
-
- Devices CE marked under the IVDR:
- Performance Evaluation Plan
- Scientific Validity Report, if applicable
- Analytical Performance Report, if applicable
- Clinical Performance Report, if applicable
- Performance Evaluation Report, including Literature Search Protocol / Report
- Devices CE marked under the IVDR:
For certain devices (e.g., Class D IVDs), this will also include a review of any additional relevant evidence required under the MDR/IVDR (e.g., reports issued by EU Reference Laboratories).
Once the Notified Body has reviewed both the Technical File and the clinical evidence and provided there are no findings or all identified findings are resolved, the Notified Body will issue a Technical Documentation Assessment certificate as conformity assessment evidence.
Notified Body Audit Findings
As indicated above, each type of assessment performed by the Notified Body may result in findings, which consist of incidents of non-compliance with MDR/IVDR requirements. Depending on the manufacturer’s level of experience with CE marking requirements under the former Directives, these findings are typically related to the following:
QMS Assessments
Common QMS assessment findings include:
-
-
- Lack of adequate procedures for post-market surveillance (PMS) and post-market clinical follow-up (PMCF) (MDR) / post-market performance follow-up (PMPF) (IVDR)
- Lack of adequate procedures for clinical evaluation
- Lack of adequate provisions under design and risk management procedures aligned with MDR / IVDR requirements (e.g. definition of risk being ‘reduced as far as possible’ not aligned with GSPR 2, inappropriate / missing provisions for benefit-risk analysis, and no consideration for compliance with the GSPR under design controls)
- Lack of adequate provisions for the reporting of serious incidents, field safety corrective actions (FSCAs) and other reporting requirements (e.g. trending reporting and notification of interruption or discontinuation in device supply of certain devices)
- Lack of adequate controls for processes that are typically identified as having issues in regulatory inspections e.g. CAPA, complaint handling, supplier controls, manufacturing controls, etc.
-
In preparing for QMS assessments, manufacturers should familiarize themselves with the MDR/IVDR requirements and MDCG guidance relevant to QMS processes, including (non-exhaustive list):
-
- MDCG 2020-7 Guidance on PMCF Plan Template (April 2020)
- MDCG 2020-8 Guidance on PMCF Evaluation Report Template (April 2020)
- Q&A rev. 1 Q&A Obligation to inform in case of interruption or discontinuation of supply (December 2024)
Findings from QMS assessments are generally straightforward to resolve unless they involve issues in areas such as process or software validations. Resolving these findings typically requires the manufacturer to provide an action plan, with the Notified Body following up until all findings are addressed.
Technical File Assessments
Common Technical File assessment findings include:
-
-
- Non-alignment of the Technical File with the minimum content requirements established under Annexes II and III.
- Risk management files not aligned with the MDR / IVDR risk management requirements, particularly regarding benefit-risk analysis.
- Usability has not been adequately addressed for the device (for devices where usability is relevant)
- Labeling not compliant with GSPR requirements and standards relevant to labeling content have not been applied to the device.
-
It is important for manufacturers to note that while the MDR/IVDR do not specifically list the Summary for Safety and Clinical Performance (SSCP) (MDR) / Summary for Safety and Performance (SSP) (IVDR) or the Declaration of Conformity as part of the minimum Technical File content under Annexes II and III, these documents are reviewed by the Notified Body during the Technical File assessment. In the case of the SSCP/SSP, these should align with the relevant MDCG guidelines (MDG 2019-9 rev. 1 and MDCG 2022-9 rev. 1, respectively).
Clinical Evidence Assessments
Common clinical evidence assessment findings include:
-
-
- Inappropriate performance or safety benefits and outcome parameters
- Inappropriate literature searches that do not address all relevant considerations (e.g. valid clinical association / scientific validity, clinical performance, state of the art)
- Insufficient information to support claims of equivalency
- All relevant GSPRs requiring support from clinical evidence have not been identified / considered
-
In the case of Clinical Evidence assessments, there are typically a maximum of three rounds of review, during which the manufacturer has the opportunity to provide revised documentation to address findings identified in the first round. While, in theory, no additional findings should be raised in subsequent review rounds, some Notified Bodies do, unfortunately, raise additional findings in later rounds.
Manufacturers of devices pursuing CE certification under the MDR are strongly encouraged to review the MDCG 2020-13 Clinical Evaluation Assessment Report Template (July 2020) when preparing their clinical evaluations, as it includes guidance and considerations for Notified Bodies when assessing clinical evidence under the MDR. Unfortunately, as of the date of this article, no corresponding guidance has been published for Notified Body clinical evidence assessments under the IVDR.
Notified Body Audits & Findings: Guidance from MedEnvoy
MedEnvoy’s regulatory experts can assist manufacturers in preparing for Notified Body audits and responding to Notified Body audit findings. Furthermore, MedEnvoy provides EU Authorized Representative services. Please reach out should you need assistance by clicking here and for information about our regulatory experts click here.
Related Resources
Related Guidance
We share our expertise because we believe in removing barriers to global commercialization.
The Business Impact of EUDAMED on Market Access
The European Database on Medical Devices (EUDAMED) is often viewed by manufacturers purely as a compliance burden when…
MedEnvoy at RAPS Euro Convergence 2026
We are excited to share that MedEnvoy will be participating in RAPS Euro Convergence 2026 as an exhibitor! This year’s…
Key FDA Changes MedTech Manufacturers Need to Know
The FDA has issued an update for MedTech Manufacturers to its List of FDA-Recognized Consensus Standards, published as …