The rapid advances in artificial intelligence and the entry into force of the DigiG are promoting the integration of intelligent medical devices into healthcare by making diagnostics, therapy and assistance systems more efficient and at the same time improving access and reimbursement of digital applications.
From theory to practice: effectively implementing the EU AI [...]
Digital health applications (DiGA) are changing medical care in the long term, but are subject to strict data protection requirements as they process particularly sensitive health data; in the fast-track procedure of the Federal Institute for Drugs and Medical Devices, compliance with the GDPR and DiGAV is therefore checked in addition to functionality in order to ensure security and trust in digital solutions.
With the Cyber Resilience Act (CRA) and the upcoming AI Act, the EU is setting new requirements for IT security and the use of artificial intelligence (AI). These regulations play a central role, particularly in the area of digital healthcare products, which include connected medical devices. The new regulations set standards that require an integrated safety strategy in order to make innovations such as AI in medicine safe and compliant.
Two current German proceedings highlight key MDR interpretation issues: intended purpose of products, risk classification of software and consequences for manufacturers.
The European legal framework, including the Medical Device Regulation ("MDR") and the soon to come into force AI Regulation ("AI Regulation"), places strict requirements on the safety and performance of AI-based medical devices. The relationship between the Medical Device Regulation and the AI Regulation is characterized by supplementary certification requirements: While the MDR regulates the safety and performance of physical medical devices, the AI Regulation addresses specific risks and the data integrity of AI systems. Products that fall under both sets of regulations must meet the requirements of both regulations in order to be certified, which provides a double safety guarantee for both physical and software-related safety.
With the introduction of the MDR (Regulation (EU) 2017/745) and Rule 11 in particular, the requirements for the risk classification of medical software have been significantly tightened, as software that provides information for diagnostic or therapeutic decisions is generally assigned to at least Class IIa; the Higher Regional Court of Hamburg confirmed in its decision of 22.09.2023 that the provision of such information alone is sufficient for a higher classification - regardless of whether the software itself makes a diagnosis - and emphasized the priority of health protection, even if this broad interpretation is sometimes viewed critically by experts.
