The Short Answer: It Depends on What You Make and Who You Sell To
If you work in the medical device industry in New Zealand, you have almost certainly come across ISO 13485. It is the international standard for quality management systems in the design, manufacture, and supply of medical devices. But here is the question that comes up constantly: is it actually mandatory in New Zealand, or is it just strongly recommended?
On this page
The honest answer is that ISO 13485 is not written into New Zealand law as a direct legal requirement. However, for many businesses in the medical device sector, it is effectively unavoidable. The regulatory framework, market access requirements, and customer expectations all point in the same direction. If you manufacture, import, distribute, or supply medical devices in New Zealand, you will almost certainly need ISO 13485 certification at some point, even if no single piece of legislation explicitly demands it.
This article breaks down exactly how the regulatory landscape works in New Zealand, where ISO 13485 fits into it, which types of businesses are most affected, and what you should do if you are trying to figure out your obligations.
How New Zealand Regulates Medical Devices
New Zealand does not have a standalone medical devices act in the same way that the European Union has its Medical Device Regulation. Instead, medical devices are regulated primarily under the Medicines Act 1981 and the Therapeutic Products Act 2023, which is progressively coming into force.
The Therapeutic Products Act 2023 is a significant piece of legislation that will eventually replace the Medicines Act 1981 and bring New Zealand into closer alignment with international regulatory standards. Under this framework, Medsafe, which sits within the Ministry of Health, is the regulatory authority responsible for the safety, quality, and efficacy of therapeutic products including medical devices.
The Medsafe Framework and WAND
New Zealand currently operates a recognised third-country regulatory system for medical devices. This means that if a device has been approved by a recognised overseas regulator, such as the Australian Therapeutic Goods Administration (TGA), the US Food and Drug Administration (FDA), or a notified body under the EU MDR, Medsafe can use that approval as the basis for allowing the device onto the New Zealand market.
This arrangement is facilitated in part through the Web Assisted Notification of Devices (WAND) database, which is a notification system rather than a pre-market approval scheme for most device classes. Suppliers notify Medsafe of their devices, and higher-risk devices require more substantial evidence of compliance.
Here is where ISO 13485 becomes critical. To satisfy Medsafe and to meet the expectations of recognised overseas regulators whose approvals New Zealand relies on, manufacturers almost always need to demonstrate that their quality management system meets ISO 13485. It is not a legal tick box in New Zealand legislation, but it is the accepted evidence of a compliant QMS.
Where ISO 13485 Becomes Effectively Mandatory
Supplying into Australia Under the Trans-Tasman Agreement
New Zealand and Australia have a close regulatory relationship under the Trans-Tasman Mutual Recognition Arrangement (TTMRA). Many New Zealand businesses supply medical devices into the Australian market, which is regulated by the TGA.
The TGA requires that manufacturers of medical devices hold a conformity assessment certificate, and for most device classes, this means demonstrating compliance with the essential principles of safety and performance. ISO 13485 certification from a TGA-recognised conformity assessment body is the standard pathway for meeting this requirement.
So if your New Zealand business supplies devices into Australia, ISO 13485 is effectively mandatory for you. Full stop. The TGA will not accept your device application without evidence of a compliant QMS, and ISO 13485 is the accepted benchmark.
Exporting to the European Union
If you export medical devices to the EU, you must comply with the EU Medical Device Regulation (MDR 2017/745) or the In Vitro Diagnostic Regulation (IVDR 2017/746). Both regulations require manufacturers to have a quality management system that meets the requirements of ISO 13485. EU notified bodies assess conformity, and ISO 13485 certification is the standard they look for.
For New Zealand exporters, this is not optional. If you want access to the EU market, ISO 13485 is part of the entry price.
Exporting to the United States
The US FDA has its own quality system regulation, known as 21 CFR Part 820. In recent years, the FDA has moved to harmonise its QSR with ISO 13485, and the updated Quality Management System Regulation (QMSR) that came into effect in 2024 now incorporates ISO 13485:2016 by reference. This means that for US market access, ISO 13485 compliance is increasingly central to demonstrating regulatory conformity.
Domestic Supply of Higher-Risk Devices
Within New Zealand itself, the notification requirements under Medsafe and the incoming Therapeutic Products Act framework mean that higher-risk devices, those in Class IIb or Class III equivalent categories, require substantial evidence of quality system compliance. While the legislation does not say “you must hold an ISO 13485 certificate,” the evidence requirements are structured in a way that makes ISO 13485 the practical standard for demonstrating compliance.
You can learn more about how biological evaluation requirements intersect with device quality systems in our article on ISO 10993 biological evaluation of medical devices, which covers another standard that frequently appears alongside ISO 13485 in device regulatory submissions.
Which Industries and Business Types Are Most Affected in New Zealand
Medical Device Manufacturers
If you design and manufacture medical devices in New Zealand, ISO 13485 is the foundation of your regulatory compliance strategy. This includes everything from surgical instruments and diagnostic equipment to software as a medical device (SaMD). The standard covers the entire product lifecycle, from design controls through production, post-market surveillance, and complaint handling.
Contract Manufacturers and Component Suppliers
Businesses that manufacture components or sub-assemblies for medical device OEMs are also strongly expected to hold ISO 13485 certification. Device manufacturers are required under ISO 13485 to control their suppliers, and the most common way they do this is by requiring suppliers to be ISO 13485 certified. If you supply into medical device supply chains, your customers will likely make certification a contractual requirement.
Importers and Distributors
New Zealand importers and distributors of medical devices are considered “sponsors” under the Medsafe framework and carry regulatory responsibility for the devices they bring to market. While ISO 13485 is primarily a manufacturing standard, distributors with significant post-market responsibilities, such as complaint handling, storage, and traceability, are increasingly expected to demonstrate ISO 13485 compliance for their own operations. Some distributors pursue certification of their distribution and warehousing activities under the standard.
Sterile Device Manufacturers
If your devices are supplied sterile, the requirements become even more demanding. ISO 13485 works alongside standards such as ISO 11135 for sterilisation of health care products and ISO 11607 for sterile medical packaging. Together, these standards form the compliance backbone for sterile device manufacturers, and all of them are expected by regulators across Australia, the EU, and the US.
In Vitro Diagnostic (IVD) Manufacturers
IVD manufacturers in New Zealand face a particularly complex regulatory environment because IVDs are regulated separately from general medical devices in many jurisdictions. ISO 13485 is equally applicable to IVD manufacturers and is the expected QMS standard for this product category.
What ISO 13485 Actually Requires
ISO 13485:2016 is structured around a quality management system that is specifically designed for the medical device industry. Unlike ISO 9001, which is a general quality management standard, ISO 13485 includes specific requirements for regulatory compliance, risk management integration, sterile device manufacturing, and post-market surveillance.
Key areas the standard covers include:
- Management responsibility: Top management must demonstrate commitment to quality and regulatory compliance, not just general business performance.
- Risk management: ISO 13485 requires risk management to be integrated throughout the product lifecycle, typically in conjunction with ISO 14971, which is the medical device risk management standard.
- Design and development controls: Manufacturers must maintain documented design history files and demonstrate that design outputs meet design inputs and regulatory requirements.
- Supplier controls: Suppliers must be evaluated and controlled, with documented criteria for selection and ongoing monitoring.
- Post-market surveillance: The standard requires systematic processes for collecting and reviewing post-market data, including complaint handling and vigilance reporting.
- Traceability: Implantable devices and certain other device categories require robust traceability systems linking finished devices back to raw materials and components.
If you are familiar with ISO 9001, you will recognise the general structure, but the medical device specific requirements add significant depth. Understanding how quality management system principles apply across different standards can be helpful, and our beginner's guide to ISO 9001:2015 provides useful context for the foundational QMS concepts that underpin ISO 13485.
The Certification Process for ISO 13485 in New Zealand
Finding an Accredited Certification Body
To obtain ISO 13485 certification that will be recognised by Medsafe, the TGA, and international regulators, you need to be certified by an accredited certification body. In New Zealand and Australia, accreditation is overseen by JAS-ANZ, the Joint Accreditation System of Australia and New Zealand, which is the national accreditation body for both countries.
For medical devices specifically, some regulators require certification from bodies that hold specific authorisation. For example, the TGA maintains its own list of recognised conformity assessment bodies. You should confirm that your chosen certification body is recognised by the relevant regulators for your target markets, not just accredited by JAS-ANZ.
How Long Certification Takes
For a small to medium sized medical device business, the ISO 13485 certification journey typically takes between 12 and 24 months from the point of starting implementation. This is longer than most other ISO standards because the requirements for documented procedures, design controls, and validation activities are substantial.
The process generally involves:
- Gap analysis against ISO 13485 requirements
- Development and implementation of the quality management system
- Internal audits and management review
- Stage 1 audit (document review) with the certification body
- Stage 2 audit (on-site assessment)
- Corrective action on any nonconformities raised
- Certificate issuance
Ongoing surveillance audits are conducted annually, with a full recertification audit every three years.
Working With a Specialist Consultant
ISO 13485 is one of the more complex standards to implement, particularly if you are also navigating regulatory submissions to Medsafe or the TGA simultaneously. Many New Zealand businesses work with a specialist ISO consultant who has medical device industry experience to guide them through the implementation and prepare them for audit.
The quality of the consultant you choose makes a significant difference to both the speed of certification and the robustness of the system you end up with. Our article on how to select the best ISO consultant for certification covers what to look for, including the importance of industry-specific experience.
Common Mistakes New Zealand Businesses Make With ISO 13485
Treating It Like ISO 9001
This is the most common mistake. Businesses that already hold ISO 9001 sometimes assume that ISO 13485 is just a medical version of the same thing. It is not. The regulatory compliance requirements, design control documentation, risk management integration, and post-market surveillance obligations are substantially more demanding. If you approach ISO 13485 with an ISO 9001 mindset, you will almost certainly end up with a system that passes the audit on paper but does not actually meet regulatory expectations.
Scoping Too Broadly
Some businesses include too many products or processes in their ISO 13485 scope, which creates an enormous documentation burden and makes the QMS difficult to maintain. Being precise about what is in scope, which product lines, which sites, which activities, is important both for manageability and for regulatory clarity.
Underestimating the Documentation Requirements
ISO 13485 is significantly more documentation-intensive than most other ISO standards. Design history files, device master records, risk management files, validation protocols, and complaint records all need to be maintained in a controlled manner. Businesses that underestimate this often find themselves scrambling before their first surveillance audit.
Not Integrating Risk Management Properly
Risk management under ISO 13485 is not a standalone activity. It needs to be woven into design and development, production processes, supplier management, and post-market surveillance. Many businesses treat risk management as a separate document exercise rather than an integrated process, which creates gaps that auditors will find.
Is ISO 13485 Worth Pursuing Even If You Are Not Sure It Is Required?
If you are in the medical device space in New Zealand and you are asking whether you need ISO 13485, the answer is almost certainly yes. Even if your current regulatory obligations do not explicitly require it, the following realities make certification the sensible path:
- Your customers, particularly OEM partners and large hospital procurement teams, will likely require it as a condition of doing business.
- If you ever want to export, you will need it for virtually every major market.
- The incoming Therapeutic Products Act framework in New Zealand is moving toward more rigorous pre-market assessment, which will make ISO 13485 more central to domestic compliance over time.
- Having a certified QMS demonstrates to Medsafe that you take your regulatory obligations seriously, which matters during post-market surveillance and in the event of a product issue.
The investment in ISO 13485 certification is not trivial, but for any serious medical device business, it is a foundational business requirement rather than a nice-to-have.
Getting Started With ISO 13485 in New Zealand
If you are ready to begin the certification journey, or if you simply want to understand what it would cost and how long it would take for your specific business, the most practical first step is to get quotes from experienced ISO consultants and accredited certification bodies who work in the medical device space.
That is exactly what CertBetter was built for. You submit one form, and you receive up to three competing quotes from vetted ISO consultants and certification bodies. The service is completely free for businesses. It saves you the time of tracking down providers, and because the providers are competing for your business, you tend to get more transparent pricing than you would by approaching them individually. If you are working through your ISO 13485 obligations in New Zealand, it is a sensible place to start.
