In February 2026, the FDA adopts ISO 13485 as part of the new QMSR regulations. You can anticipate that Medical Device manufacturers will be asking their suppliers to get ISO Certification. This is not a regulatory requirement but provides a kind of 'security blanket'.
In Europe, a similar scene with different regulatory requirements but still many organizations with the potential to supply components, packaging, and other goods and services (incl. logistics) to the Medical Device Sector are scared off by talk of CE Marking, Notified Bodies, regulatory inspections, unannounced/surprise audits, and the like.
It's all nonsense (well, almost all). You don't believe me? Then read on. There could be a lot of high-margin business that you're missing out on.
In this article, we’ll consider nine frequently asked questions:
Let’s get started.
We're considering the position of component and packaging (including labeling) manufacturers and logistics/distribution companies. The former provides input materials and services to medical device manufacturers, and the latter provides distribution and other services for the finished product.
To answer the question: ISO 13485 is designed and intended for use by the entire medical device supply. And what tends to happen is that those evaluating potential suppliers often ask about ISO 13485.
Indeed, some manufacturers mandate it as a prerequisite. So, it can only help to have such a certification. Surprisingly, it is not necessary to be a supplier to the medical device sector to get ISO 13485 certification.
Yes, you can obtain certification as a medical device component manufacturer without actually manufacturing any components.
Many suppliers in the sector hold ISO 9001 certification alone, with additional requirements addressed in a Sales Contract or service level agreement (SLA).
It gets a bit more complex for distributors. Some regulatory bodies (e.g., Ireland HPRA) have guidelines that mention ISO 13485 certification. Regulators of the pharma and medical device sectors have a long history of treating guidelines as ‘holy writ’. They will audit/inspect against guidelines as if they were mandatory.
While it is far from certain, many certification bodies (CBs) expect ISO 13485 certification to become the norm for distributors and prospective distributors in the near future.
So, if customers are happy with ISO 9001 certification, don’t change. But, if you want to add to your list of medical device customers or enter the sector, ISO 13485 certification is necessary.
No, it’s not. There are two significant differences between ISO 9001 and ISO 13485
An integrated management system is often suggested here. But this is not a practical proposition. These are two distinctive standards that require two management systems, albeit ones that are compatible with each other and share common processes/procedures (e.g., a combined internal audit program and a single nonconformance procedure).
A definite "Yes."
The auditing standard, ISO 19011, brings Supply Chain risks and other issues to the attention of ISO auditors. The 2016 version of the ISO 13485 Standard was written with this in mind (see Section 1). Here are some of the key Medical Device Supply Chain issues arising:
Component quality can (critically) affect, for example,
Relevant warehousing, handling, storage, and delivery issues include ...
The vast range of services here includes...
It makes sense that Manufacturers define their requirements in SLAs (service level agreements) developed in consultation with Suppliers so that hazards and threats to patient/user safety and the effective and efficient operation of medical devices can be best assured.
These threats and hazards can then be reviewed and documented, and ongoing agreements to maintain the necessary controls and precautions can be managed in the context of a medical device management system nd ISO 13485 Certification.
In the USA, CE Marks don't arise as they are a requirement in EU Regulations only.
In the EU, the answer is no. While you may be asked by a customer to affix a CE mark to a component, you will be doing so on the ‘manufacturer’s’ behalf.
Regulations under ISO standards define the ‘manufacturer’ as the entity that holds the marketing authorization/license. Only ‘manufacturers’ need to engage in the protracted and (usually) expensive process of getting a CE Mark for a medical device or an IVDMD.
Suppliers to manufacturers (including distributors) do NOT require CE Marks (unless specified in the Customer contract).
Again, no. Regulatory requirements will be defined in the contract (or SLA) by the ‘manufacturer’. There are no regulations that you would be directly subject to.
Yet again, no. Regulatory guidelines, to the extent applicable, will remain the responsibility of ‘manufacturers’ and will be reflected, where necessary, in contracts and SLAs.
As a component manufacturer and supplier to the medical device sector, you will only be subject to Unannounced Audits (a.k.a. Surprise Audits) if your customer - the ‘manufacturer’ - has designated your company as a ‘crucial supplier’ or a ‘critical subcontractor ‘in paperwork submitted in pursuit of CE marking.
Your contract or SLA with the ‘manufacturer’ will advise you of the designation, if applicable. If it doesn’t, ask them in writing (an email will suffice) about your status.
It is more likely that distributors will be subject to Unannounced Audits because of the critical role they play in maintaining the integrity of product identification and traceability.
A combined audit is not a practical proposition, as the two standards are significantly different. ISO 9001 focuses on customer satisfaction, and ISO 13485 focuses on the product (quality, performance, traceability, market feedback, etc.).
Of course, audit fees are always negotiable. If you request back-to-back audits against the two standards, you can expect a significant discount.
In a word, no. Risk (and opportunity) in ISO 9001 Clause 6.1 focuses on business risks, whereas risk in ISO 13485 Clause 7.1 addresses patient/end-user safety.
I hope these answers have encouraged you. The market for medical devices and in vitro devices is growing at an astonishing rate. There are more than 10,000 different types of devices registered globally. The compound rate of market growth exceeds 14% per annum in value terms.
In seeking new suppliers, ‘manufacturers’ place a far higher priority on quality and on-time delivery than on price. You need to get into this high-margin sector. As a basic confirmation of your capability, you need ISO 13485 Certification.
What are you waiting for?
In
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.
We offer courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, and Risk Management, among others.