Medical Device Due Diligence Checklist: What to Review Step by Step

A rigorous medical device due diligence checklist helps you verify safety, effectiveness, and marketability before investment, partnership, or acquisition. Use the following step-by-step review to confirm regulatory fit, the strength of the ISO 13485 QMS, the completeness of technical documentation, and readiness for CE marking, market surveillance, and audits.

Regulatory Requirements

Start by mapping the product’s intended use and claims to the correct regulatory pathways in each target market. Confirm MDR compliance for medical devices and IVDR classification for in vitro diagnostics, and determine whether Notified Body engagement is required. Validate that country-specific registrations, such as EUDAMED registration in the EU, are complete or planned.

Step-by-step checks

1. Define intended purpose, indications, contraindications, and patient populations; match to device or IVD rules for classification.
2. Select the applicable regulations (MDR or IVDR) and identify essential requirements/General Safety and Performance Requirements (GSPRs).
3. Determine the conformity assessment route and whether a Notified Body is needed; shortlist and evaluate NB capacity and scope.
4. Map labeling, Unique Device Identification, language translations, and country registrations, including EUDAMED actor and device modules where applicable.
5. Confirm clinical evidence expectations (CER under MDR or performance evaluation under IVDR) and applicable standards.

Evidence to collect

• Classification rationale and rule mapping, including IVDR classification if an IVD.
• GSPR checklist with objective evidence references.
• Clinical Evaluation Report or Performance Evaluation, including equivalence rationale and literature appraisal.
• Regulatory correspondence, Notified Body engagement records, and registration numbers.

Red flags

• Ambiguous intended use, promotional claims exceeding cleared indications, or mismatched classification.
• Gaps in clinical evidence versus risk class or intended use.
• Lack of a plan for EUDAMED registration where required or uncertainty about NB availability and scope.

Quality Management System Implementation

Assess whether the organization operates a robust ISO 13485 QMS aligned to current regulatory expectations. Verify certificate validity, scope (sites, products, and processes), and integration of risk management, design controls, and production.

What to verify

• Valid ISO 13485 certificate covering all relevant sites and activities; recent audit reports and closure of findings.
• Management review, quality objectives, and resourcing that demonstrate ongoing QMS effectiveness.
• Internal audit program, risk-based planning, and timely corrective actions.
• Document control, training records, and change management tied to product risk.

Design and risk integration

• Design and development procedures with stage-gate reviews and stakeholder approvals.
• Risk management file ISO 14971 with clearly linked hazards, controls, verification evidence, and residual risk acceptability.
• Usability engineering, software lifecycle files, and cybersecurity risk treatment where applicable.

Supplier and production controls

• Approved supplier list, qualification, and monitoring with incoming inspection and quality agreements.
• Process validation (including sterilization and packaging), equipment calibration, and environmental controls.
• Traceability, batch records, acceptance activities, and release authorization.

Technical Documentation Review

Evaluate the completeness, currency, and traceability of the technical documentation (Annex II/III for MDR, or equivalent device/IVD file). Ensure every claim is supported by design outputs, verification/validation, and clinical or performance data.

Core elements to examine

• Device description, variants, accessories, and intended purpose with classification rationale.
• Design inputs/outputs, verification/validation plans and reports, and a master traceability matrix.
• Biocompatibility, electrical safety, EMC, software validation, sterilization, shelf-life, packaging validation, and transportation testing.
• GSPR checklist tied to objective evidence, labeling and IFU with translations, and UDI implementation.
• Clinical Evaluation Report or IVD performance evaluation, and Post-Market Clinical Follow-up PMCF plans where required.

Common red flags

• Outdated reports, missing raw data, or lack of traceability between hazards, controls, and test evidence.
• Claims in labeling not supported by verification/validation or clinical/performance data.
• Unjustified deviations from recognized standards or incomplete change history.

CE Marking and Conformity Assessment

Confirm that the chosen conformity assessment route fits the classification and that Notified Body engagement is appropriately planned or completed. Verify that certificates, the EU Declaration of Conformity, CE marking, and EUDAMED registration are accurate and consistent.

Conformity assessment path

• Class I/IIa/IIb/III devices under MDR or IVDR categories for IVDs, with the correct module selection.
• NB scope alignment with product codes and technologies; documented audits, reviews, and decisions.

Step-by-step dossier flow

1. Finalize classification and risk class; select conformity module.
2. Complete technical documentation and ISO 13485 QMS readiness.
3. Submit application and respond to NB questions with objective evidence.
4. Address nonconformities, finalize certificates, and sign the EU Declaration of Conformity.
5. Affix CE mark and complete EUDAMED actor/device registration as applicable.

Outputs to verify

• Valid NB certificate(s) listing sites, product families, and standards applied.
• EU Declaration of Conformity referencing GSPRs and harmonized standards where used.
• Labeling with CE mark and NB number (if applicable) consistent with DoC and certificates.

Post-Market Surveillance and Vigilance

Evaluate how the company monitors device performance and safety once on the market. The PMS plan should define data sources, analysis, thresholds, and actions, including Post-Market Clinical Follow-up PMCF where needed for MDR compliance.

PMS system checks

• PMS plan and reports (e.g., PSUR/PMCF evaluation) aligned to risk class and market scope.
• Complaint handling, trend analysis, malfunction rates, and field safety corrective action processes.
• Vigilance procedures with clear timelines, decision trees, and regulatory reporting mechanisms.

Metrics and evidence

• Closed-loop CAPA from post-market signals with effectiveness checks.
• Clinical follow-up data quality, literature surveillance, and registry participation where relevant.
• Management review inputs and quality indicators driving preventive actions.

Audit Readiness and CAPA

Strong audit readiness demonstrates control and culture. Review planning for internal, supplier, and external audits, along with a risk-prioritized CAPA system that resolves root causes and verifies effectiveness.

Audit readiness checks

• Audit schedule covering all processes and sites, competent auditors, and timely follow-up.
• Top-level “audit book” with certificates, org charts, process maps, and key metrics.
• Staff interview preparedness and objective evidence readily retrievable.

CAPA program indicators

• Risk-based triage, clear problem statements, and robust root cause methods.
• Action plans with owners, dates, interim risk controls, and verification of effectiveness.
• Trend metrics (cycle time, backlog age, recurrence rate) presented in management review.

Cross-Market Gap Analysis

Compare EU requirements with other target markets to avoid late surprises. Map differences in classification, clinical evidence, registration, UDI, labeling, language/translation, and post-market obligations to build a sequenced launch plan.

How to perform the gap analysis

1. List target markets and product variants; confirm claims and indications per market.
2. Align standards/testing to each market’s accepted references; plan supplements where gaps exist.
3. Map registration and listing steps (e.g., NB certificates and EUDAMED for EU), fees, and timelines.
4. Assess resourcing for translations, vigilance reporting, and distributor controls.
5. Prioritize actions by risk, time-to-revenue, and dependency on Notified Body reviews.

Deliverables

• Gap matrix with owners, due dates, and evidence references.
• Regulatory strategy summarizing MDR compliance, IVDR classification (if applicable), and NB/EUDAMED milestones.
• Integrated project plan linking design, testing, clinical/performance data, and submissions.

Conclusion

Effective due diligence confirms the right regulatory path, a mature ISO 13485 QMS, complete technical evidence, and a credible CE marking plan. Strength in PMS, vigilance, and CAPA reduces lifecycle risk, while a cross-market gap analysis aligns resources to the fastest, safest route to global access.

FAQs

What are the key regulatory documents to review during medical device due diligence?

Prioritize the classification rationale, GSPR checklist, Clinical Evaluation Report or IVD performance evaluation, labeling/UDI, and the EU Declaration of Conformity. Include Notified Body certificates and correspondence, registration records such as EUDAMED entries, and a documented regulatory strategy covering MDR compliance and, if relevant, IVDR classification.

How do I verify compliance with ISO 13485 in due diligence?

Check the ISO 13485 certificate scope and validity, latest audit reports, and closure of findings. Sample core processes—design control, document/change control, risk management per ISO 14971, supplier controls, production validation, complaint handling, CAPA, and internal audits—to confirm they function as written and link back to management review.

What steps ensure proper CE marking and registration?

Confirm correct classification and conformity route, complete technical documentation, and a functioning ISO 13485 QMS. Verify timely Notified Body engagement, successful resolution of review comments, valid NB certificate(s), a signed EU Declaration of Conformity, correct CE labeling, and completion of EUDAMED registration activities where applicable.

How is post-market surveillance assessed in medical device due diligence?

Review the PMS plan, periodic safety updates, complaint and trend analyses, and evidence of closed-loop CAPA with effectiveness checks. For higher-risk or innovative devices, verify the presence and execution of Post-Market Clinical Follow-up PMCF, plus clear vigilance procedures and on-time regulatory reporting.