
NB surveillance audits: cadence and conduct

Guide: conduct of surveillance audits

Issuance of a notified body certificate does not mark the end of the manufacturer's obligations; it marks their beginning. Throughout the certificate's validity, the notified body conducts surveillance audits whose purpose is not to re-evaluate the design but to verify that the conformity originally established still holds. This page describes the regulatory framework for that surveillance, its cadence directive by directive, the audit scope, the mechanics of the unannounced audits introduced by the MDR and IVDR, and the handling of non-conformities. The intended reader is the regulatory affairs or quality manager who prepares for or hosts these audits.

Framing: surveillance is not re-evaluation


Regulatory practice distinguishes three moments in a certificate's life: the initial evaluation that issues the certificate, the periodic surveillance during validity, and the renewal evaluation at expiry. The three moments mobilise distinct vocabulary and intensities.

The initial evaluation examines conformity ab initio: technical file, quality system and, where applicable, clinical evaluation. It ends with certificate issuance. The renewal evaluation, typically every five years (the MDR and IVDR cap each certificate period at five years), is a fresh full evaluation, equivalent in depth to the initial one. Surveillance, between those two bounds, has a narrower purpose: to verify that nothing has drifted since the initial finding.

The distinction is legally grounded. Annex IX section 3 of the MDR ("surveillance assessment") treats surveillance as a distinct phase that begins after certificate issue. Annex IV of the RED does the same for module H, separating the initial assessment of the quality system (section 3) from surveillance under the responsibility of the notified body (section 4). The practical consequence is that surveillance should not routinely reopen the design, except where new elements warrant it (notified change, complaint, post-market signal).

For broader framing of module choice, see the self-declaration vs notified body comparison. For the general CE procedure, /en/ce/procedure/. For the MDR overview on which this page builds, the MDR guide.

Surveillance cadence directive by directive


Frequency and intensity of surveillance are not uniform. Each directive or regulation that involves a notified body sets its own cadence, generally anchored to a conformity assessment module or annex.

Text | Applicable module or annex | Surveillance cadence | Unannounced audit
Regulation (EU) 2017/745 (MDR) | Annex IX sections 3.3 and 3.4 (surveillance of the QMS); Annex VII section 4 (process requirements on the NB) | At least once every 12 months | At least once every five years (Annex IX section 3.4), at the manufacturer's site and, where appropriate, at suppliers or subcontractors
Regulation (EU) 2017/746 (IVDR) | Annex IX section 3; Annex VII section 4 | At least once every 12 months | At least once per certificate cycle, on the same model as the MDR
Directive 2014/53/EU (RED), module H | Annex IV section 4 | Periodic QMS audits (annual in practice) | Unexpected visits at the NB's discretion (Annex IV section 4.4)
Directive 2014/53/EU (RED), modules B + C | Annex III | No NB surveillance of production (module C is internal production control); the holder of the type-examination certificate must inform the NB of modifications to the approved type | Not applicable
Directive 2014/34/EU (ATEX), modules D and E | Annex IV (module D), Annex VII (module E) | Periodic QMS audits (annual in practice) | Unexpected visits at the NB's discretion
Directive 2006/42/EC (Machinery) | Annex X (full quality assurance) section 3; Annex IX (EC type-examination) section 9 | Periodic audits, with a full reassessment of the quality system every three years; type-examination certificate reviewed every five years | Unexpected visits at the NB's discretion (Annex X section 3.4)
Directive 2014/33/EU (Lifts), module H1 | Annex XI section 4 | Periodic QMS and design audits (annual in practice) | Unexpected visits at the NB's discretion
Regulation (EU) 2016/425 (PPE), module D | Annex VIII | Periodic QMS audits (annual in practice); module C2 (Annex VII) relies on supervised product checks at intervals set by the NB instead of QMS audits | Unexpected visits at the NB's discretion (module D)
Directive 2014/68/EU (PED), modules D, E, H and variants | Annex III, text of the module concerned | Periodic QMS audits (annual in practice), with product tests during visits depending on the module | Unexpected visits at the NB's discretion

The module texts derived from Decision No 768/2008/EC speak of "periodic" audits and "unexpected visits"; an annual audit is the practice that every quality-system-based module (D, E, H and their variants) has converged on, and the Machinery Directive additionally requires a full reassessment of the quality system every three years. The MDR and IVDR go further and write explicit legal minima into the regulation itself: at least one surveillance audit every 12 months and at least one unannounced audit every five years. The unannounced audit was introduced in response to the surveillance failures observed under the earlier MDD and IVDD directives; the same Directive-era reform produced Commission Implementing Regulation (EU) 920/2013, which tightened the designation and supervision of notified bodies.

The MDR/IVDR logic: five-year certificate, annual surveillance


The MDR caps certificate validity at five years (Article 56(2), which applies to every notified body certificate and allows extension for further periods of at most five years each, on the basis of a re-assessment). Over those five years, the notified body conducts:

  • a scheduled surveillance at least once every 12 months (Annex IX section 3.3), combining a QMS audit with assessment of further samples of technical documentation; sampling applies to class IIa and IIb devices under Annex IX section 3.5, whereas for class III devices and, with the exceptions listed in Article 52(4), for implantable class IIb devices the technical documentation of every device is assessed under Article 52(3) and (4);
  • at least one unannounced audit every five years (Annex IX section 3.4), which may target the manufacturer's headquarters, a manufacturing site or a critical supplier or subcontractor, and may be combined with the scheduled surveillance or performed in addition to it;
  • evaluation of periodic safety update reports (PSURs) for class III and implantable devices, submitted through EUDAMED, with the notified body's evaluation recorded there (Article 86(2));
  • review of notified changes, handled separately from scheduled surveillance.

At the end of the five-year period, a full recertification is conducted. It is equivalent in scope to the initial evaluation, and conditions the issuance of a new certificate for a new five-year cycle.

Audit scope

The perimeter of a surveillance audit varies by module and by device criticality, but it organises around a stable set of control points.

  • Management review, minutes, quality indicators, review decisions, follow-up of actions arising from the previous audit.
  • Internal audits, annual programme, minutes, handling of findings, qualification of internal auditors.
  • Complaints, complaint log since the previous audit, categorisation, root-cause analysis, corrective actions, handling timelines, trend statistics.
  • Internal and external non-conformities, log, handling, closure, verification of corrective action effectiveness, recurrence indicators.
  • Vigilance and post-market surveillance (MDR/IVDR), incident reports, PMS plan, PMS or PSUR reports, PMCF, FSCAs, FSNs, integration of post-market data into risk management and clinical evaluation.
  • Design controls, follow-up of design changes since the previous audit, qualifications, validations, traceability of design decisions.
  • Management of changes notified to the NB, registry of substantial changes, NB acknowledgement and responses, implementation.
  • Critical supplier control, supplier audit plan, qualifications, audits carried out, handling of findings, contracts and quality clauses.
  • Lot traceability since the previous audit, sampled batch records, consistency with UDI declared in EUDAMED.
  • Calibration and maintenance of test and measurement equipment, calibration schedule, certificates, deviations, withdrawal of non-conforming equipment.
  • Staff training and qualification, training plan, records, qualifications for critical operations.
  • Sterilisation, validations and requalifications (where applicable), conformity to the applicable harmonised standard (EN ISO 11135, EN ISO 11137, EN ISO 17665), conformity of critical processes.
  • Software and cybersecurity, software lifecycle (EN 62304 for medical, EN 18031 for RED article 3.3), post-market vulnerability management.
  • Labelling and UDI (MDR/IVDR), accuracy of EUDAMED data, consistency with physical markings, direct marking of reusable implantables.
  • Manufacturing and storage sites, environmental conditions, segregation of flows, identification of products, statuses (in process, released, held, scrap).

The relative weight of items varies by risk profile. For a manufacturer of class III implantables, clinical documentation and PMCF carry a large share of the attention. For a manufacturer of connected radio equipment under RED module H, follow-up of software design changes and post-market vulnerability management may dominate.

A surveillance audit regularly includes an on-site component, distinct from the documentary audit. Items typically checked:

  • conformity of premises to declared conditions (controlled zones, separation of incompatible activities, flow management);
  • physical presence of declared test equipment, visible calibration status, maintenance records;
  • sampling of open batch records at the time of the audit (day-of production);
  • interviews with operators at their workstation, verification that declared training matches observed practice;
  • consistency between documented procedures and observed practice.

The gap between documentation and practice is one of the most frequent sources of major non-conformities.

Unannounced audits: the MDR and IVDR specificity


The unannounced audit is the most visible surveillance innovation of the MDR and IVDR. It responds to surveillance failures that marked the final years of the MDD and IVDD directives, notably the PIP breast implant affair, which made plain that audits scheduled in advance could not detect systemic fraud.

The requirement is written into the conformity assessment annexes themselves rather than into Article 56: Annex IX section 3.4 of the MDR (with the equivalent provision in the IVDR) obliges the notified body to perform unannounced audits at least once every five years at the manufacturer's site and, where appropriate, at the sites of its suppliers and subcontractors, and Annex VII section 4 sets the corresponding process requirements on the notified body. The practice predates the MDR: the Directive-era reform that followed the PIP affair produced Commission Recommendation 2013/473/EU on the audits and assessments performed by notified bodies, including unannounced audits, alongside Commission Implementing Regulation (EU) 920/2013 on the designation and supervision of notified bodies. The minimum is therefore one unannounced audit per five-year certificate cycle, in addition to the scheduled annual surveillance.

The audit team arrives without notice during normal working hours. The manufacturer may be required to produce, on short notice, operational records: day-of batch records, current quality control logs, identification of staff on duty and their corresponding qualification, calibration certificates for equipment in service that day. The audit may extend over several consecutive days.

The wording of Annex IX section 3.4 places the manufacturer's suppliers and subcontractors on the same footing as the manufacturer's own sites. A subcontractor performing sterilisation, surface treatment, calibration or manufacture of a critical raw material may therefore receive a direct visit from the principal's notified body, and the subcontracting contract must allow it.

Beyond the minimum cadence of one unannounced audit per certificate life, additional triggers may prompt an unscheduled audit:

  • substantiated complaint transmitted to the notified body or to a competent authority;
  • serious post-market signal, marked rise in incidents, FSCA;
  • information transmitted by another authority or another notified body;
  • request from a national competent authority as part of an investigation.

Preparation conditions the outcome. The operational sequence to engage ahead of a scheduled audit:

  1. Receipt of the audit plan, sent by the notified body typically four to eight weeks before the scheduled date. Verification of scope, sites concerned, audit team composition, and documents requested in preparation.
  2. Internal gap analysis, comparison of the quality system as audited at the previous surveillance with its current state. Identification of changes, procedural updates, site changes, new device variants.
  3. Full internal audit, conducted by qualified internal auditors, ideally four to six weeks before the NB audit. The internal audit report and its corrective action plan are elements that demonstrate maturity of the system.
  4. Review of complaint and non-conformity logs, completeness, categorisation, handling, end-of-cycle statistics. Verification that all non-conformities from the previous NB audit are closed with evidence.
  5. Preparation of the evidence pack, management review minutes, indicators, PMS/PSUR/PMCF reports (MDR/IVDR), training records, recent calibration certificates, batch records ready for sampling.
  6. Briefing the staff, on expected behaviour during the audit, on interview etiquette (answer what is asked, do not invent, show the documentation). Staff must know where to find the procedures relevant to their post.
  7. Logistics check, audit room, read-only access to information systems for the auditors, ability to print or scan, designated accompanists.
  8. Special case unannounced audit, the evidence pack must be kept in a permanently presentable state, not assembled ad hoc. That is the fundamental difference between preparing for a scheduled audit and the posture that an unannounced audit imposes.

A self-assessment matrix, aligned with the standard scope of a surveillance audit, serves as the gap analysis support. Typical headings: management review, internal audits, complaints, non-conformities, vigilance, design controls, notified changes, suppliers, traceability, calibration, training, sterilisation, software, UDI/EUDAMED, sites. For each heading, status (compliant, minor deviation, major deviation), available evidence, actions to take.

Non-conformities and their closure

Non-conformities raised by the notified body are graded along a scale set by the body's own procedure; the MDR itself does not define grades. Three levels dominate practice, captured below in a severity-by-correction-deadline matrix that serves as an operational reference.

Level | Definition | Typical correction deadline | Certificate consequence
Minor | Isolated deviation, no immediate effect on product conformity, addressable by a targeted corrective action | 30 to 90 days depending on the finding | No suspension; action plan reviewed at the next audit
Major | Systemic deviation or failure of a key process (risk management, post-market surveillance, design controls), requiring immediate corrective action | 30 to 60 days for immediate action, 90 days for effectiveness verification, often paired with a verification audit | Risk of suspension if not closed; the NB informs competent authorities in case of prolonged failure
Critical | Immediate risk to patient or user safety, or severe quality system failure | Immediate action required, on-site verification within short deadlines | Suspension or withdrawal of the certificate under Article 56(4) of the MDR, authorities informed and the decision entered in EUDAMED under Article 56(5)

For each non-conformity, the notified body expects a structured CAPA dossier:

  • description of the non-conformity, wording lifted directly from the audit report;
  • root-cause analysis, method used (5 whys, Ishikawa, other), demonstration that the root cause is identified;
  • immediate correction, addressing the observed effect on the products or records concerned;
  • corrective action, preventing recurrence of the cause, with an implementation schedule;
  • evidence of implementation, revised procedures, training delivered, additional records;
  • effectiveness check, measurement that the cause does not recur, scheduled at a deadline.

The notified body examines the dossier and pronounces closure, occasionally with a request for further evidence. Formal closure is verified at the next surveillance audit. Closure traceability (date, NB evaluator signature, reference to the audit report) must be retained.

Article 56(4) of the MDR requires the notified body, taking account of the principle of proportionality, to suspend or withdraw a certificate or impose restrictions on it where the requirements of the Regulation are no longer met and the manufacturer does not restore compliance within the deadline the body sets; the body must give reasons for its decision. The decision is notified to the manufacturer and to the competent authorities concerned, and is entered in the electronic system on certificates (EUDAMED) under Article 56(5), where it is publicly accessible. During suspension, the device may no longer be placed on the market, except under a derogation granted by a competent authority on public-health grounds (Article 59).

Suspension is lifted once the non-conformities are closed and a favourable verification audit has occurred. Withdrawal is rarer and more severe, it ends the certificate, and the manufacturer must engage a new initial evaluation procedure to resume placing on the market.

Change notification, a separate instrument

The surveillance audit is not the sole control instrument during the certificate's life. The manufacturer has an autonomous obligation to notify substantial changes to the notified body, distinct from the scheduled audit cadence.

Under the MDR, Annex IX section 2.4 requires the manufacturer to inform the notified body of any plan for substantial changes to the quality management system or to the device range covered, and Annex IX section 4.10 subjects changes to an approved device that could affect its safety, performance or conditions of use to the notified body's prior approval; the IVDR carries equivalent provisions. Under RED module H, Annex IV section 3.5 requires the manufacturer to keep the notified body informed of any intended change to the quality system. The granularity of notifiable changes (design modification, site, critical subcontractor, sterilisation process, raw material) is detailed in each notified body's procedures and in guidance; note that MDCG 2020-3 concerns significant changes to legacy devices under the Article 120(3) transitional provision, not the general change regime.

The separation of the two instruments is essential: surveillance verifies execution, change notification handles evolution. Failure to notify a substantial change is itself a non-conformity, frequently raised at surveillance audits. For the detail of the change management regime, see the related guide on change management.

Changing notified body

The manufacturer may need to change notified body during a cycle, principally in two cases: loss of scope by the outgoing body (the NB ceases to be designated for a device category), or a strategic choice of the manufacturer. The MDR frames the voluntary case in Article 58, which requires the modalities of the transfer to be set out in an agreement between the manufacturer, the incoming body and, where practicable, the outgoing body.

  1. Selection of the incoming body, whose NANDO scope must cover the device. See the self-declaration vs notified body guide for the selection method.
  2. Transfer agreement between the outgoing body, the incoming body and the manufacturer. The agreement specifies the documentation transmitted, the effective date, and the surveillance responsibility during transition. The MDCG has issued guidance on transfers between notified bodies under MDR.
  3. Evaluation by the incoming body, which is, in most cases, equivalent to an initial evaluation, and ends with the issuance of a new certificate (the old one being withdrawn). In practice, the incoming body can leverage part of the documentation already constituted, but cannot mechanically inherit the evaluation conducted by the outgoing body.
  4. Information to competent authorities and EUDAMED registration of the new certificate and the withdrawal of the old one.

Transfer is heavy and slow, typically several months, and the manufacturer bears the cost of a fresh evaluation. Effective transfers remain uncommon.

Costs of surveillance

Costs vary by notified body, site size, number of sites, and device complexity. The typical cost structure:

  • Annual fees, flat, covering administrative management of the certificate. They are independent of audit effort.
  • Audit days, billed at a man-day rate. The number of days is calculated against an internal NB grid, dependent on device class, number of sites, and process complexity. For an average MDR manufacturer with a single site, the order of magnitude is typically several days per annual audit.
  • Unannounced audit charges, billed at a man-day rate, like any audit.
  • Auditor travel expenses, rebilled to the manufacturer.
  • Change-notification and PSUR evaluation charges, when evaluations are systematic (class III and implantable class IIb).

The manufacturer is well advised to request a detailed annual quote ahead of each cycle, and to compare tariff grids when initially selecting the notified body. See the certification costs guide for the broader budget framing.

Common deviations

Several deviations recur at surveillance audits. Avoiding them is more a matter of operational discipline than technical sophistication.

  • Under-preparation for unannounced audits. The evidence pack is assembled ad hoc when a scheduled audit is announced and stays unavailable in between. When the unannounced audit arrives, the records are not ready. The remedy is to keep the pack in an operational state permanently.
  • Complaint log not reviewed. Complaints are recorded, but their trend analysis and integration into PSURs are not conducted. The notified body quickly spots the gap by cross-referencing log and PSUR.
  • Missing critical supplier control records. The subcontracting contract provides for supplier audits, but no audit is performed, or reports are missing. Frequent non-conformity on sterilisation and critical component manufacturing sites.
  • Expired calibration on in-service equipment. The calibration schedule exists, but drift caused a piece of equipment to fall out of validity without withdrawal. Detected on-site during the physical audit.
  • CAPA closed without demonstration of effectiveness. The corrective action is described, implemented, but the effectiveness check is not conducted or not documented. Closure is judged premature.
  • Substantial change not notified. A manufacturing site change, a critical subcontractor change, or a sterilisation process change is implemented without notification to the notified body. Detected at audit, major non-conformity.
  • EUDAMED data inconsistent with internal records (MDR/IVDR). Discrepancies between declared UDI and physical marking, or between declared variants and actually produced variants.
  • Staff unaware of the procedures for their post. An interview with an operator reveals that procedures described at headquarters are not known on the shop floor. Indicator of a documentation-practice gap.
  • PMCF planned but not executed (MDR implantable class IIb and III). The plan is formally part of the clinical evaluation, but no operational implementation is demonstrable.
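Four of the deviations above (expired calibration on in-service equipment, CAPA closed without an effectiveness check, substantial change implemented without notification, complaints absent from the PSUR) are pure cross-reference failures between records the manufacturer already holds, which is exactly why an auditor finds them quickly. The script below, an added example that is not part of the original guide and not any notified body's tool, runs those same cross-checks over exports from a QMS so that the evidence pack can be checked continuously rather than assembled once a scheduled audit is announced. The record shapes (field names such as `calibration_due`, `effectiveness_verified_on`, `nb_notified_on`), the category tags in `NOTIFIABLE_CATEGORIES` and the sample data are assumptions constructed for the illustration; a real QMS export will need a mapping step onto them.

```python
"""Surveillance-audit readiness check over QMS exports (added example).

Runs the cross-checks a notified body auditor typically performs on site:
calibration status of in-service equipment, CAPAs closed without an
effectiveness check, notifiable changes implemented without NB notification,
and complaints absent from the PSUR. Record shapes and the sample data below
are constructed for illustration, not taken from any real QMS or regulation.
"""
from datetime import date

# Change categories the guide lists as notifiable. How a QMS tags them is an
# assumption of this example, not a field defined by the MDR.
NOTIFIABLE_CATEGORIES = {"design", "site", "critical_subcontractor",
                         "sterilisation_process", "raw_material"}


def expired_calibrations(equipment, as_of):
    """Equipment still in service although its calibration due date has passed."""
    return [e["id"] for e in equipment
            if e["status"] == "in_service" and e["calibration_due"] < as_of]


def premature_capa_closures(capas):
    """CAPAs marked closed with no documented effectiveness check."""
    return [c["id"] for c in capas
            if c["status"] == "closed" and not c.get("effectiveness_verified_on")]


def unnotified_changes(changes):
    """Notifiable changes implemented before any notification to the NB."""
    found = []
    for ch in changes:
        if ch["category"] not in NOTIFIABLE_CATEGORIES:
            continue
        notified = ch.get("nb_notified_on")
        if notified is None or notified > ch["implemented_on"]:
            found.append(ch["id"])
    return found


def complaints_missing_from_psur(complaints, psur):
    """Complaints received inside the PSUR period that the PSUR does not cite."""
    start, end = psur["period_start"], psur["period_end"]
    return [c["id"] for c in complaints
            if start <= c["received_on"] <= end
            and c["id"] not in psur["complaint_refs"]]


def readiness_findings(qms, as_of):
    """Run every check; return only the self-assessment headings with findings."""
    findings = {
        "calibration": expired_calibrations(qms["equipment"], as_of),
        "non-conformities": premature_capa_closures(qms["capas"]),
        "notified changes": unnotified_changes(qms["changes"]),
        "vigilance": complaints_missing_from_psur(qms["complaints"], qms["psur"]),
    }
    return {heading: ids for heading, ids in findings.items() if ids}


# Constructed sample export: a small site on the day an unannounced audit lands.
AUDIT_DAY = date(2025, 5, 20)
SAMPLE_QMS = {
    "equipment": [
        {"id": "CAL-01", "status": "in_service", "calibration_due": date(2025, 9, 30)},
        {"id": "CAL-02", "status": "in_service", "calibration_due": date(2025, 3, 31)},
        {"id": "CAL-03", "status": "withdrawn", "calibration_due": date(2025, 1, 15)},
    ],
    "capas": [
        {"id": "CAPA-11", "status": "closed", "effectiveness_verified_on": date(2025, 4, 2)},
        {"id": "CAPA-12", "status": "closed", "effectiveness_verified_on": None},
        {"id": "CAPA-13", "status": "open", "effectiveness_verified_on": None},
    ],
    "changes": [
        {"id": "CHG-7", "category": "sterilisation_process",
         "implemented_on": date(2025, 2, 1), "nb_notified_on": None},
        {"id": "CHG-8", "category": "label_typo",
         "implemented_on": date(2025, 2, 1), "nb_notified_on": None},
        {"id": "CHG-9", "category": "site",
         "implemented_on": date(2025, 1, 10), "nb_notified_on": date(2024, 11, 5)},
    ],
    "complaints": [
        {"id": "CMP-301", "received_on": date(2024, 8, 14)},
        {"id": "CMP-302", "received_on": date(2025, 1, 20)},
        {"id": "CMP-303", "received_on": date(2025, 6, 1)},
    ],
    "psur": {"period_start": date(2024, 7, 1), "period_end": date(2025, 5, 31),
             "complaint_refs": {"CMP-301"}},
}

if __name__ == "__main__":
    for heading, ids in readiness_findings(SAMPLE_QMS, AUDIT_DAY).items():
        print(f"{heading}: {', '.join(ids)}")
```

On the sample data the report flags CAL-02 (calibration lapsed while still in service; CAL-03 is withdrawn and therefore not a finding), CAPA-12 (closed without an effectiveness check), CHG-7 (a sterilisation process change never notified, while the label typo CHG-8 is outside the notifiable categories and the site move CHG-9 was notified before implementation) and CMP-302 (received inside the PSUR period but absent from it; CMP-303 falls after the period end). Each heading maps onto the self-assessment matrix used for the gap analysis, so the output can be pasted straight into the "actions to take" column.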

Sources & references

  1. Regulation (EU) 2017/745 (MDR), Annexes VII and IX, EUR-Lex: eur-lex.europa.eu/eli/reg/2017/745/oj
  2. Regulation (EU) 2017/746 (IVDR), Annexes VII and IX, EUR-Lex: eur-lex.europa.eu/eli/reg/2017/746/oj
  3. Directive 2014/53/EU (RED), Annex IV (module H, full quality assurance), EUR-Lex: eur-lex.europa.eu/eli/dir/2014/53/oj
  4. Decision No 768/2008/EC, modules for conformity assessment, EUR-Lex: eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32008D0768
  5. Commission Implementing Regulation (EU) 920/2013 as amended, designation and supervision of notified bodies, EUR-Lex: eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32013R0920