If you manufacture medical devices in Spain and want to place a CE-marked product on the European market, sooner or later you will come up against ISO 13485:2016. It is the international standard for quality management systems specific to the medical device sector, and in practice it has become a de facto requirement for the Notified Bodies that audit under Regulation MDR (EU) 2017/745. The question we receive most often from SMEs is always the same: how much is this going to cost me? In this article we break down real market price ranges, the factors that drive costs up or down, typical timelines and what you should demand from any consultancy you hire.
What is ISO 13485 and why is it different from ISO 9001?
ISO 13485 builds on the structure of ISO 9001 but adds specific and more stringent requirements for the healthcare sector: product traceability, risk management aligned with ISO 14971, validation of special processes (sterilisation, software, cleanrooms), critical supplier control and post-market surveillance obligations. While an ISO 9001 for a generic industrial SME can be implemented in 4–6 months, ISO 13485 requires more exhaustive documentation and validation processes that can extend the timeline to 9–18 months depending on product complexity.
Furthermore, ISO 13485 does not operate in a vacuum: in Europe it coexists with Regulation MDR (EU) 2017/745 for medical devices and Regulation IVDR (EU) 2017/746 for in vitro diagnostics. Having ISO 13485 implemented and certified is the starting point for a Notified Body (BSI, TÜV, Dekra, SGS, Intertek…) to be able to audit your management system and endorse the CE marking of the product.
Market cost ranges in Spain (2025–2026)
The total cost of implementing and certifying ISO 13485 in a Spanish SME is distributed across three main categories: implementation consultancy, certification audit and internal costs. Below are indicative market ranges based on typical projects for 10–80 employees:
| Item | Small SME (<20 employees, class I–IIa) | Medium SME (20–80 employees, class IIa–IIb) | Notes |
|---|---|---|---|
| Implementation consultancy | €8,000 – €18,000 | €18,000 – €40,000 | Depends on scope, number of special processes and prior QMS maturity |
| Certification audit (year 0) | €3,500 – €7,000 | €7,000 – €14,000 | AENOR, SGS, Bureau Veritas, DNV, Intertek. Calculated in auditor-days based on headcount and scope |
| Surveillance audits (years 1 and 2) | €1,500 – €3,500 / year | €3,500 – €7,000 / year | Mandatory to maintain the certificate; surveillance audit is shorter than the initial one |
| Internal costs (staff hours, training, validations) | €5,000 – €15,000 | €15,000 – €50,000 | The largest variable is special process validation (IQ/OQ/PQ of equipment, software validation) |
| Total first year (estimate) | €17,000 – €40,000 | €40,000 – €104,000 | Excluding document management software and Notified Body costs for product CE marking |
Source: in-house compilation based on market data from specialised Spanish consultancies and sector references (G-CERTI, Normapymes, DNV). Indicative ranges; each project requires a prior diagnosis. Summum Calidad does not publish fixed rates because every project is different.
If your company already has a mature, implemented ISO 9001, the starting point is much better: the gap the consultancy needs to close is smaller and costs can be reduced by 20–35%. Starting from scratch means substantially greater documentation and training effort.
The eight factors that most affect the price
1. Device risk class
The MDR Regulation classifies devices into class I, IIa, IIb and III. A class IIb device (for example, an electrosurgical unit) or class III device (cardiac valve, coronary stent) requires far more extensive technical documentation, deeper risk management under ISO 14971 and more rigorous process validations. The higher the class, the greater the cost and timeline.
2. Number of product lines and special processes
Each product line with distinct manufacturing characteristics multiplies the documentary scope. Special processes — ethylene oxide or radiation sterilisation, ISO 7–8 cleanrooms, medical plastics welding, software as a medical device (SaMD) — require IQ/OQ/PQ validation protocols that consume time and specialised technical resources.
3. Number of manufacturing sites
Each additional facility included in the certificate scope adds auditor-days. In multi-site projects, the increase compared with a single site can range from 20% to 40% in audit costs.
4. Maturity of the current management system
A company that already manages its processes in a structured way — even without any certification — starts with an advantage. If there are written procedures, records and a culture of non-conformity review, the consultant can focus on adapting what exists to the specific requirements of the healthcare standard rather than building from scratch.
5. Availability of internal resources
ISO 13485 is not implemented through external consultancy alone: it requires an internal quality manager who leads the project, trains the team and acts as the point of contact with the auditor. If that profile does not exist in the company or has very limited availability, the timeline extends and consultancy costs rise because the external consultant must cover work that the internal team would ideally perform.
6. Document management software
ISO 13485 demands rigorous control of documents and records, with version and access traceability. Many companies in the sector opt for specialised platforms such as Greenlight Guru, MasterControl or more accessible solutions based on Microsoft 365. Licence costs can range from €2,000 to €20,000 per year depending on document volume and number of users.
7. Need for translation or adaptation to external markets
If the product is to be sold outside the EU — FDA 21 CFR Part 820 in the US, MHLW in Japan, ANVISA in Brazil — the consultancy must address harmonisation with those regulatory frameworks. This adds a significant layer of complexity and cost.
8. Choice of certification body
AENOR, SGS, Bureau Veritas, DNV, Intertek and TÜV are the bodies with the strongest presence in Spain for ISO 13485. Their fees are calculated on auditor-day tables based on the number of employees in scope, and can vary between them. Requesting quotes from two or three bodies before choosing is common practice.
Typical timelines for a Spanish SME
The implementation timeline from project kick-off to the initial certification audit depends on the factors described above, but as an indicative reference for the Spanish market in 2025–2026:
- Small SME, class I–IIa, with prior ISO 9001: 6–9 months.
- Small SME, class I–IIa, with no normative foundation: 9–12 months.
- Medium SME, class IIa–IIb, with special processes: 12–18 months.
- Company with SaMD (software as a medical device): 14–24 months, as IEC 62304 compliance is required.
These timelines assume genuine commitment from the internal team and a consultancy with sector experience. Projects with low internal availability or mid-project scope changes may exceed these ranges.
ISO 13485 consultancy vs. going it alone: what really costs more
Some manufacturers attempt to implement ISO 13485 with in-house resources to save on consultancy fees. Market experience shows this option tends to be more expensive in the long run for three reasons:
- Failed audits. The rate of major non-conformities in the first audit is significantly higher without expert support. A major non-conformity requires a follow-up audit with additional cost and a delay in certification, which can affect contracts or product launches.
- Internal opportunity cost. The time the quality manager spends researching, drafting and correcting procedures without expert guidance is much greater. In man-hour terms, the saving on consultancy fees can be absorbed by the internal overrun.
- Documentation not aligned with MDR. ISO 13485 and MDR have intersections that a specialist consultancy knows well. A system implemented without that insight may require a complete revision when the technical file for the product is submitted to the Notified Body.
A specialist ISO 13485 consultancy not only reduces the risk of audit failure: it also structures the system from the outset so that it serves as the basis for the MDR technical file, avoiding duplicated work.
What the consultancy service should include: a checklist
When requesting a quote from any consultancy, check that the scope covers at least the following points:
- Initial gap analysis against the requirements of ISO 13485:2016 and, where applicable, MDR 2017/745.
- Project plan with milestones, responsible parties and realistic dates.
- Full documentary development: quality manual (if retained), system procedures, work instructions, forms and records.
- Process risk management (not to be confused with the product risk analysis under ISO 14971, which is the manufacturer's responsibility).
- Team training on regulatory requirements and new procedures.
- Internal audit before the certification audit to identify deviations before the external auditor sees them.
- On-site support on audit day and management of detected non-conformities.
- Post-audit support for the first surveillance cycle (at least one year).
If the quote does not detail these points or leaves the documentary scope ambiguous, ask for clarification before signing. The difference between a solid implementation and a system that passes the initial audit but does not work day-to-day almost always lies in the details of the contracted scope.
ISO 13485 and its relationship with the MDR Regulation: do not confuse the standard with CE marking
A frequent mistake among manufacturing SMEs is believing that ISO 13485 certification is equivalent to having CE marking. They are two different things:
- ISO 13485 certifies that your quality management system meets regulatory requirements. It is issued by an accredited certification body (AENOR, SGS, Bureau Veritas…).
- CE marking under MDR certifies that your specific product meets the essential safety and performance requirements of Regulation 2017/745. For class IIa, IIb and III devices, it must be assessed by a Notified Body designated by the European Commission (such as BSI, TÜV SÜD, Dekra…), which has entirely different and much higher fees.
Having ISO 13485 certified is practically a prerequisite for the Notified Body to agree to audit your technical file, but it does not replace that process. Plan both in a coordinated manner from the outset to avoid spending time and money on two disconnected projects.
Frequently asked questions
Is ISO 13485 mandatory to manufacture medical devices in Spain?
Technically, Regulation MDR (EU) 2017/745 does not cite ISO 13485 by name as mandatory, but it requires manufacturers to have a quality management system in place that meets the requirements of Article 10.9 of the Regulation. In practice, all Notified Bodies accept ISO 13485 as evidence of compliance with those requirements, and many major buyers and distributors require it contractually. It is the most efficient route to demonstrate conformity.
How long does it take to obtain certification from scratch?
For a Spanish manufacturing SME with no prior normative foundation, the typical timeline is 9 to 14 months from project kick-off to receipt of the certificate. This timeline includes the implementation phase (documentation, training and system launch), the minimum evidence period required by certification bodies (typically three months of operational system records), the initial audit and resolution of minor non-conformities. Having a current ISO 9001 in place can shorten the timeline by two to four months.
Can I implement ISO 13485 without hiring an external consultancy?
Yes, it is possible if you have a quality manager with proven experience in the healthcare sector and sufficient time to dedicate to the project. However, the risks are greater: a higher rate of non-conformities in the first audit, possible misalignments with MDR that later complicate the product technical file, and a generally longer implementation timeline. For most manufacturing SMEs without prior experience in healthcare regulations, the return on investing in expert support is positive in terms of time, total cost and robustness of the resulting system.
Which bodies certify ISO 13485 in Spain?
The main bodies accredited by ENAC to certify ISO 13485 in Spain include AENOR, SGS, Bureau Veritas, DNV, Intertek and TÜV Rheinland. All of them calculate their audit fees based on the number of employees in scope, process complexity and device class. It is advisable to request quotes from at least two of them before deciding, as price differences can be significant for an SME.
At Summum Calidad we have been supporting industrial and healthcare sector manufacturers in the implementation of management systems since 2007. If you want to understand the real gap between your company and ISO 13485 and receive a project estimate tailored to your specific case, contact our team. We are consultants, not certifiers: the certification is issued by the accredited body; we prepare you to reach that audit with the system running and no surprises.