All terms
    Investment & FinanceStartup Lifecycle

    Due Diligence

    Investigation of a company before an investment, financing, or acquisition.

    Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

    Definition

    Due diligence is the structured review an investor or acquirer conducts before closing a transaction. MedTech diligence spans regulatory (510(k) history, warning letters, recalls), clinical (trial protocols, data integrity), IP (freedom-to-operate, patent prosecution), quality (QMS, FDA inspections), commercial (pipeline, contracts), and financial.
    What the regulation says
    Regulators do not explicitly define "due diligence" as a specific process they require. However, they expect medical device manufacturers to maintain a robust Quality Management System (QMS) as per 21 CFR Part 820 (FDA) and EU MDR (Regulation (EU) 2017/745) which would implicitly require thorough evaluations of acquisitions or partnerships to ensure continued compliance. For example, the FDA expects manufacturers to evaluate suppliers and contractors, which can be seen as a form of due diligence.

    What this means in practice

    Regulatory and quality DD findings frequently kill or reprice MedTech deals. A clean inspection history and well-organized DHF/DMR speed transactions materially.

    Examples

    • A MedTech acquiring company thoroughly reviews the target company's 510(k) submissions and associated FDA correspondence to identify any outstanding issues or unaddressed deficiencies.
    • During a potential merger, a quality assurance team from the acquiring company audits the target's manufacturing facility to verify compliance with ISO 13485:2016 and 21 CFR Part 820.
    • Before an acquisition, cybersecurity experts evaluate the target's medical device software architecture and network security protocols against FDA's pre-market and post-market cybersecurity guidance.
    Common pitfalls
    • Confusing the legal and financial aspects of due diligence with the technical regulatory and quality assessments.
    • Failing to involve regulatory, quality, and cybersecurity experts early in the due diligence process, leading to overlooked critical issues.
    • Underestimating the impact of unresolved regulatory actions, such as Warning Letters or 483s, on deal valuation and post-acquisition integration.
    • Not verifying the accuracy and completeness of submitted regulatory documentation, like 510(k) clearances or technical files.
    • Ignoring cybersecurity risks and past breaches during due diligence, which can lead to significant post-acquisition liabilities and reputational damage.

    Frequently asked questions

    The primary goal is to identify and assess all potential regulatory risks, liabilities, and compliance gaps associated with a target company's products and operations, ensuring they meet applicable regulatory requirements like those from the FDA or under the EU MDR.
    Shared paths + category

    Latest in MedTech

    Primary references

    3 sources
    Link health: 3 verified· last checked 2026-06-20
    AdvaMed·1PitchBook·1NVCA·1
    1. 1
      AdvaMed M&A guide
      Verified
      AdvaMedadvamed.org
    2. 2
      PitchBook - MedTech Coverage
      Verified
      PitchBookpitchbook.com
    3. 3
      NVCA Model Documents
      Verified
      NVCAnvca.org

    Inline markers like [1] jump to the matching reference above.