← All posts

Do I need ISO 13485 before I can sell my product?

By QualiHQ Team

You have a product, or nearly. Somewhere between the pitch deck and the first customer conversation, someone said the words "ISO 13485" and now you are not sure whether you are allowed to sell anything at all.

Short answer: it depends on three things, your device class, your market, and your customers. Here is the honest version of each, because the answer is more encouraging than the consultants' version and more careful than the optimists'.

What the law actually requires

Start with the EU, since that is where most of our readers sell first. The law, EU MDR, requires manufacturers to have a quality management system. It does not require that system to be certified by anyone for a Class I device. Read that again, because it is the crux: for Class I software, you self-declare. You build the QMS, compile technical documentation, sign a Declaration of Conformity, register in EUDAMED, and you are on the market. No audit happens first. No certificate is issued. ISO 13485 is the recognised way to build that QMS, and operating in line with it is exactly what you should do, but the framed certificate on the wall is not a legal precondition.

At Class IIa and above, the picture changes: a notified body must audit your QMS and review your technical documentation before you can CE mark. In practice that audit is conducted against ISO 13485, so while the law technically demands "a compliant QMS" rather than "a certificate", the distinction stops mattering. You will be audited either way, and most manufacturers take the certification since they are being assessed anyway.

Not sure which class you are? That is the first question to settle, before this post can even apply to you. Our classifier gives you a likely answer in five minutes, and flags when the call is close enough to need a specialist.

What your customers require

Here is the part the legal answer misses. Hospitals, health systems, and enterprise partners run procurement processes, and procurement loves certificates. A Class I product that legally self-declared can still lose a deal because the buyer's checklist says "ISO 13485 certificate: yes/no."

This is not universal. Early customers, pilot sites, and innovation-friendly buyers frequently accept a well-run QMS demonstrated through documentation, especially from a startup they want to work with. But if your go-to-market runs through large institutions, expect the certificate question early, and treat certification as a commercial investment with a revenue case attached, not a legal tax.

There is a useful middle position many startups miss: you can be compliant now and certified later. Build and operate the QMS today. When a customer makes the certificate commercially necessary, you are booking an audit of a system that already runs, which is a matter of months, not starting from zero, which is a matter of a year.

What the timeline looks like

Certification is not fast, so the trap is waiting until a deal depends on it. A certification body will want to see your system operating: months of real records, closed CAPAs, an internal audit, a management review. Then a two-stage audit, then findings to close. From a standing start, teams commonly need twelve months or more; from an operating QMS, roughly half that. The single best thing a pre-revenue founder can do is start the operating clock early, because evidence has a minimum age and no amount of money compresses it later.

So, can you sell?

If you are Class I in the EU: quite possibly sooner than you feared. Build the QMS, do it properly, self-declare, and sell, while knowing which customers will eventually push you toward certification. If you are Class IIa or above: the notified body stands between you and the market, so the QMS work is on the critical path right now, and the timeline deserves its own planning. If you are not sure what you are: stop reading pricing pages and classify your product first, because the other answers depend on it.

The pattern across all three: the QMS itself is not wasted effort, and it rarely comes too early. The certificate is a purchase you time against revenue. Founders get into trouble by conflating the two, either buying the certificate years early or building nothing until a buyer asks, and then discovering that evidence takes months to exist.

Start the system now. Buy the certificate when it sells something. That is the whole strategy, and it is going to be fine.

Not sure where you stand? Find out in two minutes.