Page Last Reviewed: 21 January 2026

Background

Manufacturers who have applied MDR/IVDR Annex IX conformity assessment procedures are subject to unannounced Notified Body (NB) audits.

Unannounced NB audits are not a new concept* for manufacturers with devices CE Marked under the MDD/AIMDD/IVDD. However, as it is now prescribed under the MDR/IVDR, there is increased scrutiny on NBs to ensure they are conducting such audits.

Below we answer questions manufacturers frequently have regarding unannounced NB audits. We provide feedback based on our experience and relevant guidance, including the Code of Conduct for Notified Bodies (version 5.2; last revised April 21, 2026).

*They were covered by Annex III of Commission Recommendation 2013/473/EU and Article 5 of Implementing Regulation (EU) 920/2013, largely in response to the PIP Implant scandal.  

How “unannounced” are unannounced audits?

Unlike certification, surveillance, and recertification audits, there is no prior coordination for unannounced audits, i.e., it is truly unannounced. The manufacturer will not receive advance warning of the audit, similar to an unannounced domestic establishment inspection performed by the US FDA.

This is consistent with Annex III of Commission Recommendation 2013/473/EU and guidance provided by NBs (e.g., the BSI FAQ on Unannounced Audits), which states that these audits are performed “without prior notice”.

The MDR/IVDR establishes that unannounced audits may be performed of manufacturers, as well as their suppliers/subcontractors. And, we have received reports from manufacturers that their suppliers/subcontractors have also been subjected to such audits without prior notification.

As established under MDR/IVDR Annex IX, Section 3.4, NBs must establish plans for their unannounced audits, but not disclose them to manufacturers. This is aligned with the practice of NBs not notifying manufacturers and/or their suppliers/subcontractors before these audits. Per the NB Code of Conduct, unannounced audits are planned and executed separately from, and in addition to, the regular audit cycle.

However, there are also obvious exceptions to when unannounced audits may occur, such as during public holidays or other periods when the site is not operational. For example, SGS Belgium NV (NB 1639) utilizes an annual questionnaire, which allows manufacturers to nominate periods of unavailability (up to a maximum of six weeks per year). And indicate normal work week/hours, as well as provide information on shift operations.

What to Expect During the Unannounced Audit

How long do they last?

Per the NB Code of Conduct, unannounced audits are typically completed by two auditors with a duration of one day (with an audit day constituting 8 hours). However, a rationale can be documented by the NB for utilization of a single auditor or reduction/increase in duration.

Note that where final product inspection is performed on-site at the legal manufacturer’s site, the minimum duration of an unannounced audit is one day.

What are the areas of focus?

As noted in the NB Code of Conduct, unannounced audits are product-focused. Therefore, it should be based on verifying the conformity of a recently produced, adequate sample of an approved device type, e.g., serial number, batch, lot.

Such audits involve an approach focused on traceability, based upon principles such as:

• Selection of a single (or multiple) catalogue number(s) covered by the Declaration of Conformity and linked to a valid CE certificate;
• Random selection of a recent serial number, batch/lot within scope of the selected catalogue number;
• For the selected serial number, batch/lot, requesting the relevant supply chain documentation covering the complete process. This is from the point of incoming goods (e.g., materials/components), up to final release (e.g., batch/lot history records, manufacturing travellers, bills of material, etc). From a finished device perspective, this would encompass documentation comprising the device history record and device master record/master device file;
• The auditors will typically review the process performed by the supplier/subcontractor, verifying aspects such as:
  • Received/Released incoming goods comply with the established specifications (and are aligned with those in the Technical File for the finished device);
  • Process equipment is aligned with the specifications established in the Technical File for the finished device, e.g., parameters and release criteria for validated processes are consistent;
  • Incoming, in-process, and final inspection steps (including acceptance criteria) are aligned with information provided in the Technical File for the finished device;
  • Comparison of testing results on a sample or 100% basis during in-process or final inspection, with equal testing performed during design verification, to ensure that specifications are aligned with the Technical File for the finished device (including witnessing the realization of such testing at the site);
  • Verify alignment of process controls and product conformity, with any changes to the Technical File approved by the NB.

Onsite vs Offsite Audits

With the notable exception of public health emergencies (e.g., COVID-19 pandemic), unannounced audits are exclusively performed on-site.

Specifically, MDR/IVDR, Annex IX, Section 3.4, establishes that unannounced audits are performed “on the site of the manufacturer and, where appropriate, of the manufacturer’s suppliers and/or subcontractors”.

Audit Cycle

How soon after a device is CE Marked, should a manufacturer expect to be subject to an unannounced audit?

The MDR/IVDR establishes that a minimum of at least one unannounced audit be performed every five years. Aside from this, however, there are no other explicit requirements on how soon after obtaining CE certification, an unannounced audit may be performed.

The NB Code of Conduct states that the frequency of unannounced audits can increase depending upon:

• If the devices are high risk, e.g., Class III, Class IIb implantable, Class D
• Devices are often non-compliant, such as:
  • High frequency of vigilance issues received by the NB;
  • Significantly higher complaint rates observed during the regular audit schedule, compared to similar devices;
  • Significant increase in the number of non-conforming product observed during the regular audit schedule.

Unannounced audits may also take place for specific reasons, in a similar manner to “for cause” inspections performed by the US FDA. For example, where manufacturers are suspected of having significant quality issues, including reports of fraudulent practices in mass media.

The NB Code of Conduct also establishes that, at the discretion of the NB, subcontractors that have already been subjected to an unannounced audit in the previous 12 months, may be eligible for waiving the need to be subjected to another unannounced audit.

It should be noted that under Annex III of Commission Recommendation 2013/473/EU, high-risk devices were required to be subject to unannounced audits once every two years, while this frequency was decreased to once every three years for medium/low-risk devices.

Which suppliers are subject to unannounced audits?

Commission Recommendation 2013/473/EU establishes that, if it is likely to ensure more efficient control, then 1) subcontractors in charge of processes that are essential for ensuring compliance with legal requirements (‘critical subcontractor’) or 2) suppliers of crucial components or of the entire device (both ‘crucial supplier’), are subject to unannounced audits.

Notified Body document NBOG BPG 2010-1, which is aligned with GHTF SG3/N17/2008, further defines a ‘critical supplier’ as a supplier delivering materials, components, or services that may influence the safety and performance of the device.

It also notes that critical suppliers are those in which the failure to meet specific requirements could cause 1) unreasonable risk to the patient, clinician, or other, or 2) a significant degradation in performance. This can include suppliers of services needed for compliance with QMS or regulatory requirements, e.g., internal audit contractors or Authorized Representatives.

The NB Code of Conduct indicates that any manufacturer, supplier, and subcontractor can be subject to unannounced audits (and that the whole supply chain be taken into consideration). However, it also requires documenting a rationale for sampling any particular site. And it provides several examples of the types of subcontractors/suppliers that should be considered for unannounced audits.

The examples provided in the NB Code of Conduct are aligned with the criteria established in NBOG BPG 2020-1, for NBs to determine the need to audit a supplier’s site. These include:

• The outcome of audits of the manufacturer’s purchasing process and other QMS processes, i.e., is there sufficient evidence demonstrating the robustness of the manufacturer’s purchasing controls or is more efficient control necessary?
• The criticality of the item or process being purchased. i.e., criticality in regard to compliance with legal requirements, and device safety and performance.

Consequently, manufacturers should be prepared for those critical subcontractors essential for compliance with legal requirements, and crucial suppliers that may impact the safety and/or performance of the device as described above, to be subjected to unannounced audits.

Appendix 2 of NBOG BPG 2010-1 establishes that, among the items to be checked by NBs in agreements with suppliers, are procedures governing access of the manufacturer, Notified Body, and Competent Authorities to the premise(s) of the supplier, if required. Therefore, Manufacturers should include clauses in supply/quality agreements that provide for the possibility of unannounced audits.

Legal Manufacturer vs Supplier Audit Ratio

There is no established ratio of unannounced audits between a legal manufacturer and its suppliers/subcontractors. Instead, as explained above, the cycle of unannounced audits is based on several factors. Some of the most critical considerations are the efficiency of manufacturer purchasing controls, and risks related to the products/services provided.

Manufacturers with robust purchasing controls in place, including their own on-site audits of crucial suppliers, may minimize the probability of supplier unannounced audits. However, there is no 100% guarantee that such suppliers will not be selected for unannounced audits.

Logistics if a Supplier/Subcontractor is Audited

Upon Arrival

Similar to unannounced audits of a manufacturer, the NB will show up without prior notice. Upon arrival, the auditors will present their credentials for identification and explain the objective of their visit. They will then ask to speak with the most senior executive/manager on-site.

Access to the Site

If there are any manufacturer, supplier, or sub-contractor sites that require 1) prior authorization/approval for visitors, or 2) additional security checks or clearances, the NB should be informed of this. This is so that these arrangements do not disrupt the ability of the NB to perform unannounced audits.

Sites are expected to fully comply with all auditor requests, including access to relevant documentation and manufacturing/testing facilities.

Areas of NB Focus During the Audit

Unannounced audits are product focused. Therefore, the primary criteria that suppliers/subcontractors will be audited against are the specifications and requirements established in the relevant Technical File. This is because, those were established for demonstrating conformity with applicable General Safety and Performance Requirements (GSPRs), and establishing the safety and performance of the device.

These requirements also include any relevant information pertaining to the supplier/subcontractor, e.g., QMS certifications they hold and their own QMS requirements. And to the contractual requirements between the manufacturer and the supplier/subcontractor.

Post-Audit

Upon completion of the audit, the site will be provided with a brief audit summary. The full audit report will be compiled off-site and is typically completed within one week post-audit. It will be provided to the manufacturer who holds the CE certificate.

If applicable, a corrective action plan will need to be presented to the NB to address any identified findings, similar to routine audits.

Can the legal manufacturer attend the unannounced audit of the supplier?

Given the unannounced manner of such audits, unless a supplier is located geographically close to the legal manufacturer, it is typically impossible for them to physically participate in the unannounced audit of a supplier.

That said, it is possible for a representative of the legal manufacturer to participate remotely in the unannounced audit. There are no explicit restrictions on the participation of the legal manufacturer in such audits. Therefore, restrictions on participation are based upon technological, geographical, and contractual (with the supplier) considerations.

Payments

An important consideration for unannounced audits is payment. As is the case with routine audits, manufacturers are charged for unannounced audits – including those performed at supplier sites.

Any manufacturer that refuses to pay will be 1) in breach of the contract between them and their NB and 2) risks suspension, and ultimately withdrawal, of their CE certification. This also applies in situations where a supplier/subcontractor obstructs or prevents an NB from performing an unannounced audit.