Regulatory Update

Knowing what will move the medtech industry

New operator responsibility for AI in medicine – human oversight as a regulatory obligation

The new EU Regulation 2024/1899 on Artificial Intelligence (AI Regulation) clarifies for the first time that healthcare facilities such as hospitals are considered operators when they use high-risk AI-based medical devices, regardless of whether they develop them themselves or only use them. This results in new independent obligations, in particular with regard to human supervision of the systems used.

These include, among other things:

Appointment of a supervisor with technical, clinical, and ethical expertise.
Introduction of technical and organizational measures to minimize risk.
Ensuring transparency and traceability of algorithmic decisions.
Documentation of system interventions and errors.

The regulation shifts the perspective from the traditional technical “user” (as previously in the MDR) to an operator who is ethically and legally responsible. Black box models and adaptive systems are particularly targeted by the regulation, as they are difficult to understand and influence potentially irreversible decisions.

For hospitals, this means adapting quality management systems, closer integration with data protection, IT security, and ethics committees, and a new culture of critical engagement with AI systems in everyday clinical practice.

When is a product a medical device? Two court cases bring (some) clarity

Two current cases in Germany highlight key issues of interpretation of the MDR that are crucial for many manufacturers. The Bochum Regional Court has referred the question to the European Court of Justice as to whether unprinted patient wristbands, which are intended to help prevent errors in everyday hospital practice, should already be classified as medical devices, even though they have no direct effect on or in the body. The issue at stake is the significance of the intended purpose and whether a purely organizational benefit is sufficient for classification. An ECJ decision is not expected until the end of 2025 at the earliest.

Even more far-reaching is the ruling of the Hanseatic Higher Regional Court on a teledermatology app. Although the app itself does not make a diagnosis, but only transmits structured health data to medical specialists, it was classified as a Class IIa medical device. The court interprets Rule 11 of the MDR broadly: it is sufficient for software to contribute to medical decisions; an active diagnostic function is not necessary. This makes it clear that software no longer automatically falls into the lowest risk class.

Both cases show that MDR-related issues such as intended use and risk classification are increasingly being clarified in court – with major implications for approval requirements, competitive conditions, and market opportunities. Manufacturers who invested in compliance early on are increasingly finding themselves at a regulatory disadvantage compared to less compliant competitors. Uniform and binding standards are therefore urgently needed.

Legal changes in healthcare – What’s new

In spring 2025, numerous new legal regulations came into force in the healthcare sector, affecting key areas of care. The Healthcare Strengthening Act (GVSG) excluded GP services from budgeting, removed the age limit for emergency contraception, and extended the deadlines for consultation procedures at the G-BA, among other things. The revised Medical Device Operator Ordinance (MPBetreibV) and the amended Medical Device Dispensing Ordinance (MPAV) now regulate the CE-compliant reprocessing of single-use products and relax the dispensing requirements for in vitro diagnostics. At the same time, the 22nd AMVV amendment made 29 new active ingredients prescription-only and made adjustments to e-prescriptions. Further changes concern the interchangeability of drug forms (e.g., levodropropizine syrup), the continuation of price moratoriums and manufacturer discounts, and a targeted price increase for atropine to ensure supply. Overall, the measures show stronger government control in the direction of supply security, economic efficiency, and regulatory clarity.

For further reading: Regulatory Updates of the past months

News in April / May 2025 News in March 2025 News in Jan/Feb 2025 News in Nov/Dec 2024 News in October 2024 News in September 2024 News in August 2024 News in July 2024 News in June 2024 News in May 2024

Single Studies: Pioneers for Biomarker-Personalized Medicines and Their Diagnostic Precision

Paradigm Shift in Drug Development: Individualization of Therapy

Modern drug development is undergoing a fundamental shift toward therapy individualization – particularly in oncology, immunotherapies, and increasingly in rare diseases. In these fields, treatment effectiveness often depends on whether the patient exhibits certain genetic or molecular characteristics.

Such characteristics, called biomarkers, can only be reliably identified through specific tests.

Companion Diagnostics (CDx): Key to Personalized Medicine

This is where Companion Diagnostics (CDx) come into play: highly specialized in-vitro diagnostics developed specifically for this purpose. The joint development and testing of a drug and its associated CDx within a single clinical study – a so-called Single Study – enables targeted patient selection and increases the likelihood of therapeutic efficacy.

Single Studies in Oncology: Proven Practice for Maximum Effectiveness

In oncology, this form of study planning has long been common practice: Only patients with a specific tumor profile are included, significantly increasing the study’s validity and the drug’s benefit for defined subgroups. This approach is also suitable for rare diseases with limited patient numbers and high diagnostic uncertainty.

Regulatory Challenges in Europe

In Europe, implementing such studies is complex, as drugs and diagnostics follow two separate regulatory paths – pharmaceutical law (EU-CTR) on one hand and IVDR on the other. Regulatory interconnection is limited, while the practical need for coordination is high.

Solution Approach for Early Development Phases

Especially in early phases of clinical development, collaboration with academic laboratories using in-house CDx can be a viable way to implement biomarker-based selection strategies in compliance with regulations even before CE marking of the CDx. In parallel, the Companion Diagnostic can be brought to market maturity through a conformity assessment procedure.

BAYOOCARE: Your Experienced Partner for CDx Projects

BAYOOCARE has extensive experience in handling IVDR and planning combined development projects. In collaboration with research-intensive partners like Heidelberg University Hospital, Mainz University Medicine, and Marburg University Hospital, we support studies where diagnostics and therapy are considered together from the beginning.

BAYOOCARE supports as Legal Manufacturer in regulatorily complex CDx projects – experienced, networked, and IVDR-compliant.

Health Apps Between Therapeutic Claims and Legal Boundaries: What the Medical Practice Reservation Can Achieve – and What It Cannot

Digitalization of Traditional Medicine: The New Role of Health Apps

Digital health applications are increasingly taking over functions traditionally located in medicine – they analyze symptoms, structure treatment courses, remind about medications, or provide behavioral recommendations for chronic diseases.

Public discussion repeatedly raises the question of whether such applications should already be considered “practice of medicine” – and whether they consequently fall under the classic medical practice reservation according to the Alternative Practitioner Act (HeilprG).

Legal Classification: Why the HeilprG Doesn’t Apply

However, legally much speaks against this. The HeilprG explicitly addresses natural persons – “who” practices medicine – but not technical systems or software. Health apps don’t make independent medical decisions but operate within predetermined algorithmic processes.

The developers or distributors of the software also cannot be meaningfully integrated into the system of medical licensing requirements. The regulatory logic of the HeilprG doesn’t fit digital applications – neither systematically nor historically.

Modern Regulatory Approaches Instead of Regulatory Gap

Moreover, there’s no reason to close a “regulatory gap” through analogous application of the HeilprG. Digital medical devices today – at least since the introduction of the MDR – are subject to a differentiated safety and quality assurance regime: risk classification, CE marking, conformity assessment procedures, and clinical performance evaluation ensure that health apps with therapeutic claims are reviewed before market entry.

DiGA Directory: Additional Quality Assurance

For digital health applications (DiGAs) seeking inclusion in the BfArM directory, additional requirements apply regarding data protection, interoperability, and proven care effects.

Comparison of Different Regulatory Approaches

Compared to traditional alternative practitioners, whose professional practice largely moves outside state-standardized quality standards, modern health apps are thus – also regulatorily – not uncontrolled. While a difference remains in the form of health protection: While for alternative practitioners personal permission and civil liability are in the foreground, medical device law and product liability secure app use technically and systematically.

This different design appears logical, as digital applications are not medical practitioners in the classical sense.

Independent Regulatory Approach for Digital Health Products

Health apps with therapeutic benefits thus don’t operate in a legal vacuum, but also not in classic medical professional law. With the MDR and DiGA framework, the legislature has deliberately chosen an independent regulatory approach that evaluates software and AI-based medical devices according to technical, functional, and care-related criteria – not according to person-related access barriers.

This model is currently constitutionally viable and simultaneously open to future adjustments if new risks or deficits emerge.

BAYOOCARE: Your Partner for Compliance and DiGA Approval

BAYOOCARE supports manufacturers of digital health applications in implementing the MDR and on the path to DiGA listing – competent, regulatorily experienced, and at the interface of technology and law.

No Admission of Guilt Through Regret – Veterinary Voice Message Insufficient for Liability

Current Court Decision Creates Clarity

In a current decision, the Dresden Higher Regional Court clarified: A veterinarian’s regret about a dog’s death, expressed in a voice message, does not constitute an admission of guilt in civil law terms (OLG Dresden, Decision of 6.1.2025 – 4 U 1192/24).

The Underlying Legal Dispute

The owner of the deceased dog had claimed that the veterinary operations for treatment and removal of an implant plate were faulty and causally responsible for her animal’s death. She relied, among other things, on a voice message from the treating veterinarian, in which she stated it was “terribly sorry.”

Court’s Legal Assessment

However, the court clarified that such a statement represents neither a constitutive nor a declaratory acknowledgment within the meaning of § 781 BGB. An express intention to be legally bound is not recognizable, especially since the medical relationship ended with the animal’s death anyway. The regret should be viewed as an expression of human compassion – not as assumption of liability.

Significance for Medical Communication

The decision shows that not every compassionate statement after an unfortunate treatment outcome can or should be legally interpreted as an admission. Anyone who understands every compassionate word from doctors or veterinarians as a legal admission of guilt not only misunderstands the emotional complexity of such situations but also demands an untenable legalization of human communication.

The attempt to derive liability-relevant consequences from empathy simply goes too far.

Digital psychological applications (DPA) – opportunities and regulatory challenges

Digitalization has brought about significant innovations in medical care, particularly in the area of psychological health applications. Digital psychological applications (DPA) are becoming increasingly relevant as they complement traditional therapeutic approaches and enable low-threshold access to psychological support.

The integration of artificial intelligence significantly expands the potential of these applications, but at the same time entails complex regulatory challenges.

DPA as a driver of innovation in the healthcare sector

The spectrum of DPA covers a wide range of applications, including therapeutic apps, digital coaching programs and AI-supported chatbots that can respond to users’ behaviour and mood in real time. These systems offer a flexible and cost-effective supplement to conventional treatments and help to bridge the often criticized “therapy gap”.

During the COVID-19 pandemic, the increasing demand for psychological support services became particularly evident as the need for alternative forms of care increased dramatically. At the same time, the DPA sector is developing into an economic growth industry whose development potential is significantly influenced by the regulatory framework.

Regulatory challenges and the new AI regulation

The new EU Regulation on Artificial Intelligence (AI Regulation) places digital psychological applications in a new regulatory framework. The classification of AI-supported applications with health relevance as high-risk AI has far-reaching consequences for developers and providers:

Increased requirements for risk management and conformity assessment
DPAs with AI components must undergo extensive documentation and testing procedures to prove their safety and effectiveness.
Stricter data protection and data quality requirements
AI-supported DPAs often work with sensitive personal data. The AI Regulation requires traceable data processing and the protection of individual health information.
Duty of human supervision
The regulation requires high-risk AI systems to be supervised by humans. This could make the use of DPA more difficult, especially in contexts where direct human intervention is not practicable.

Possible impact on the market

Although some of the new requirements serve to protect patients, there is a risk that innovation will be hampered. Small and medium-sized companies in particular could experience competitive disadvantages due to increased compliance costs and regulatory hurdles. Providers could be forced to forego innovative functionalities in order to avoid a high-risk classification and the associated requirements.

It seems particularly problematic that the regulation does not provide for any specific rules for digital psychological applications, but rather classifies them as a blanket part of general AI regulation. This could impair the availability of effective, evidence-based DPA in Europe, while less regulated international markets benefit from technological advances.

Recommended actions for companies

Given the changing regulatory landscape, companies operating in the DPA sector should be proactive.

Regulatory monitoring
Continuous monitoring of AI Regulation developments and their implementation in national law
Integration of compliance mechanisms
Adaptation of internal processes and product developments to new requirements, particularly in the areas of risk management and data protection
Cross-industry cooperation
Exchange with other providers, research institutions and regulatory authorities to develop practical solutions
Strategic product adjustments
Reviewing and adapting products to new regulatory requirements in order to secure EU market access

Conclusion

Digital psychological applications have the potential to sustainably improve mental healthcare. However, the new AI regulation poses significant challenges for the industry. While increased safety requirements can strengthen the protection of patients, there is a risk that excessive regulatory hurdles will inhibit innovation and make access to modern psychological support services more difficult.

It is therefore advisable for companies to address the new requirements at an early stage and adapt their strategies accordingly.

Desire to have children after death: Frankfurt Regional Court rules in case of post-mortem family planning

The recent decision of the Frankfurt Regional Court raises significant ethical and legal questions in the field of reproductive medicine. In a remarkable case, a woman was granted the right to receive the cryopreserved sperm of her deceased husband in order to undergo artificial insemination in Spain.

Background to the decision

The clinic in question had initially refused to hand over the preserved genetic material and invoked a contractually agreed “destruction clause”. However, the Frankfurt Regional Court came to the conclusion that the contract did not necessarily provide for the destruction of the sperm and that the protective purpose of Section 4 of the Embryo Protection Act was not violated.

Consideration of the patient’s will

The verifiably documented will of the deceased husband was of central importance for the ruling. The wife was able to credibly demonstrate to the court that her deceased partner had expressly spoken out in favor of the post-mortem use of his genetic material before his death. This expression of will was recognized by the court as a decisive factor in the decision-making process.

Conclusion

This legal decision could set an important precedent that raises important questions about self-determination in family planning, the handling of genetic material after death and cross-border medical care. The ruling makes it clear that case law in this sensitive area must carefully weigh up the individual circumstances, ethical dimensions and the express will of all those involved.

The decision opens up an important social discourse on the limits and possibilities of modern reproductive medicine and the associated ethical and legal challenges.

Digital health applications (DiGA): Data protection as the foundation for trust and progress in healthcare

The introduction of DiGA has the potential to fundamentally change medical care. These applications, which are prescribed by doctors or psychotherapists, facilitate the treatment, monitoring and alleviation of illnesses. Since the introduction of the Digital Healthcare Act in 2019, such applications can be reimbursed by statutory health insurance under certain conditions. At the heart of this development is data protection – an issue that is crucial to the success of digital solutions in the healthcare sector.

The fast-track procedure of the Federal Institute for Drugs and Medical Devices checks whether a digital health application meets the necessary requirements. In addition to technical and functional aspects, the focus here is on compliance with data protection regulations. Health data is among the most sensitive personal data of all.

Providers must therefore prove that their applications are not only secure, but also comply with the legal regulations defined by the General Data Protection Regulation and the Digital Health Applications Regulation.

Key data protection requirements

These include

a clear purpose limitation of data processing
compliance with the highest safety standards

Processing may only be carried out for medically necessary purposes, such as

ensuring the functionality of the application
the generation of evidence
or the improvement of technical reliability

Advertising or detailed tracking of user activities are strictly prohibited. Such requirements not only protect the rights of patients, but also strengthen trust in digital solutions.

The challenging road to certification

Despite these positive aspects, the path to certification remains a challenge. Smaller companies in particular often struggle with the high demands that require resources and expertise. Nevertheless, it is essential to maintain a balance between promoting innovation and protecting healthcare data. After all, only a system that creates trust can establish itself in the healthcare sector in the long term.

The responsibility for the success of digital health applications does not lie solely with the manufacturers. Interaction with legislators, health insurance companies and medical professionals is also crucial.

Transparency in the processes and clear communication of requirements promote understanding and facilitate cooperation between all parties involved.

Conclusion

DiGA offer the opportunity to close gaps in care and actively involve patients in their treatment. They open up new avenues in diagnostics and therapy and help to increase the efficiency and precision of medical care.

At the same time, they place high demands on providers, but meeting these demands can make all the difference.

In a world where the value of data is constantly growing, the protection of this information remains the foundation of any innovation. Digital health applications show that progress and data protection can go hand in hand – provided they are implemented with the necessary care and foresight.

Finding this balance and constantly developing it further is not only a challenge, but also an opportunity for everyone involved in shaping the future of healthcare.

Why the Frankfurt Higher Regional Court banned a manufacturer of dextrose products from combating hangovers

The party was legendary, the morning after less so – and this is exactly where a manufacturer of dextrose products wanted to score points with its mineral supplements as an “anti-hangover” miracle worker. However, the Frankfurt Higher Regional Court has drawn a clear line through this advertising.

What had happened?

The manufacturer of dextrose products advertised its mineral tablets on Amazon as an “anti-hangover” aid. The idea: a small drop after partying and the typical symptoms of a hangover are supposed to be a thing of the past. Sounds practical, doesn’t it? Unfortunately, too practical – and legally untenable.

The judgment in detail

The Higher Regional Court of Frankfurt ruled that, in accordance with the European Food Information Regulation, foods may not be attributed any healing or disease-preventing properties. And yes, a hangover officially counts as an illness here.

The reasoning:

Mineral supplements are food
– and not medicines.
Hangover = illness
The typical symptoms after excessive alcohol consumption (headaches, nausea, etc.) fall under the broad term of illness.
No drug advertising for food
The aim is to prevent consumers from seeing food as a substitute for medicines – without the necessary warnings or medical basis.

What does this mean for the manufacturer?

The advertising on Amazon must be revised. Advertising the drops as “anti-hangover” supplements is no longer permitted. However, the judgment was issued as a default judgment and is not yet legally binding. The supplier can lodge an appeal and continue the proceedings.

Cyber Resilience Act, medical devices and the AI Act – An integrated perspective on cybersecurity and AI in the healthcare industry

With the Cyber Resilience Act (CRA) and the upcoming AI Act, the EU is setting new requirements for IT security and the use of artificial intelligence (AI).

These regulations play a central role, particularly in the area of digital healthcare products, which include connected medical devices. The new regulations set standards that require an integrated safety strategy in order to make innovations such as AI in medicine safe and compliant.

CRA and AI Act – safety standards for digital health products

The CRA aims to harmonize IT security standards for products with digital elements and sets strict requirements for networked devices and software. Among other things, it requires security updates, compliance with a secure standard configuration level and detailed documentation, such as a software bill of materials (SBOM).

The AI Act supplements these safety requirements with specific specifications for AI-supported systems and products that are classified as “high-risk”, which applies to many applications in medicine.

The combination of these regulations is intended to ensure comprehensive risk management for digital health products, especially when AI is used for diagnoses or patient-specific therapies.

Integration into the requirements of the MDR and IVDR

Medical devices, especially those that are based on AI or are networked, are already subject to the MDR and IVDR. However, the CRA and the AI Act create additional standards and requirements that are particularly important for manufacturers of digital health products. These must integrate the following aspects:

Cybersecurity according to CRA
The MDR already requires safety over the entire life cycle of medical devices. The CRA expands on this with detailed safety requirements for networked devices, which also apply to medical AI applications. Ongoing IT security checks and documentation are essential in order to avoid security gaps.
Risk management for AI in accordance with the AI Act
The AI Act sets out strict requirements for the risk management and transparency of AI algorithms. Medical devices with AI components must therefore not only meet the medical safety requirements of the MDR, but also ensure that their algorithms are robust, fair and transparent. In addition, the AI Act requires that these AI systems are designed to be controllable and traceable, which is particularly important for use in critical medical applications.

Overlaps and synergies – an integrated approach to security

The combination of CRA, AI Act, MDR and IVDR creates a comprehensive framework for the safety of digital health products. Manufacturers must prepare for new compliance challenges, especially if their products are both connected and AI-powered.

For example, the CRA introduces basic safety requirements that should be combined with the specific AI risk requirements of the AI Act. This means:

Standardized certification and CE marking
Both the CRA and the AI Act require conformity assessments. CE marking will be required for many products, bringing together the requirements for cybersecurity and AI use.
Software Bill of Materials (SBOM)
The obligation to maintain an SBOM is not only relevant for CRA compliance, but also makes sense for monitoring the components for AI applications. Especially with AI software, which often uses open source libraries, the documentation of all modules used is crucial for identifying security vulnerabilities.
Risk management and transparency
The AI Act requires a comprehensible explanation and transparency of AI processes in cases of high risk. Combined with the CRA requirements, products in the healthcare industry must therefore carefully monitor and control both technical and ethical risks.

Conclusion

With the CRA and the AI Act, the EU is creating a vision for the future of digital health that combines innovation and safety. Manufacturers of connected and AI-supported medical devices are required to adapt their development processes and implement new standards for cybersecurity and AI.

In this way, products can be created that meet the highest safety requirements and at the same time fulfill the demand for innovation in the healthcare sector.

Pharmaceutical order data and data protection – current issues before the ECJ

The German Federal Court of Justice (BGH) recently referred a question to the European Court of Justice (ECJ) regarding pharmaceutical order data, which could have a significant impact on data protection in the online retail sector.

Are pharmaceutical order data health data?

The focus is on the question of whether order data for pharmacy-only but non-prescription medicines is already considered “health data” in accordance with Art. 9 para. 1 of the General Data Protection Regulation (GDPR). Customers who order medicines via platforms such as Amazon provide information such as their name, delivery address and details that are necessary for the individual composition of the medicine.

The BGH asks whether this information – even if it does not provide any direct reference to the use or medical prescription of the medicine by the purchaser – nevertheless allows conclusions to be drawn about the state of health and should therefore fall under the special protection of health data.

If the ECJ confirms that the purchase of pharmacy-only medicines already discloses health data, pharmacies selling via online marketplaces could be subject to stricter data protection requirements and explicit consent in the ordering process. This would strengthen data protection for customers, but would also have far-reaching consequences for the online pharmaceutical trade.

Other important data protection issues

At the same time, two further issues are to be decided that could have a significant impact on the topic of data protection in online sales:

Competition law claims for data protection violations: The ECJ is to clarify whether competitors can assert data protection violations under competition law. This means that pharmacies could also be sued for injunctive relief by competitors if they do not comply with data protection regulations. This would be a significant step towards strengthening data protection standards, but could also increase the legal burden on companies.

Consent and processing of special categories of personal data: If pharmaceutical order data is considered health data, it will be clarified that pharmacy customers must give explicit consent for their data to be processed. This could achieve a higher level of protection, especially when processed by third parties such as large online platforms.

These issues underline the growing importance of data protection in e-commerce and the wide-ranging impact that an ECJ ruling could have on the online sale of sensitive products such as medicines.

Current updates in patent law: implications for medical device manufacturers

In recent months, two important decisions by the Federal Court of Justice (BGH) and the Karlsruhe Higher Regional Court (OLG) have had a significant impact on patent law in Germany.
This poses new challenges for manufacturers of medical devices in particular, as the requirements for claims for damages and destruction have been tightened.

Compensation for follow-up business after patent infringement: What does the BGH ruling on the “upholstery machine” mean?

One example of this is the BGH ruling on the “upholstery machine” from November 2023.
Here, it became clear that patent infringements not only affect the sales price of a product, but also all sales from downstream transactions such as maintenance or consumables. The manufacturer of the infringing machine not only had to transfer its profits from the sale, but also those from downstream transactions.

Particularly explosive: the patent holder’s claim for damages applied not only to the term of the patent, but also to transactions made after the patent expired. This means a considerable and long-lasting financial burden for affected manufacturers.

This ruling has far-reaching consequences for the medical device industry. Companies that manufacture durable products must ensure that they are not only protected during the patent term, but must also be prepared to be confronted with claims for damages years after the patent has expired.

Early workarounds crucial: court demands modification in case of patent infringement

The Karlsruhe Higher Regional Court also dealt with a case in which a medical device manufacturer had used a patent-infringing control unit in its pressure wave treatment devices. Although the manufacturer carried out a software update in the course of the proceedings that eliminated the infringement, the court confirmed the patent holder’s claim for destruction.

However, the court ruled that the devices in question did not have to be completely destroyed, but had to be modified under the supervision of a bailiff. This shows how important it is to develop technical alternatives (so-called workarounds) at an early stage.

Conclusion

For medical device manufacturers, this means that it is often not enough to stop the production of patent-infringing products. Devices already on the market must also be adapted in order to avoid future patent infringements. This can not only be expensive, but also requires extensive logistical measures.

There are some important lessons to be learned from these judgments: Careful attention should be paid to potential patent conflicts as early as the product development stage. In addition, technical alternatives should be available in order to be able to react quickly in the event of a legal dispute.
Close cooperation with patent and legal departments is essential in order to find solutions and prevent major economic damage. It is particularly important to review and adapt existing products on the market in good time before expensive patent disputes arise.

Overall, these judgments show how complex patent law has become. It is becoming increasingly important for manufacturers of medical devices to act strategically and with foresight in order to protect themselves from the growing legal risks.

Further news

NIS-2: New cybersecurity obligations for medical device manufacturers

With the entry into force of the NIS-2 Directive on January 16, 2023, manufacturers of medical devices in the European Union will have to meet stricter cybersecurity requirements in the future. This directive is an extension of the previous regulations and affects not only healthcare providers, but now also players such as medical device and in-vitro diagnostics manufacturers.

The focus is on a minimum catalog of obligations that all affected institutions must implement.

National implementation of the NIS 2 Directive

The EU member states must transpose the directive into national law by October 17, 2024. In Germany, the draft “NIS2UmsuCG-E” (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) provides for a specific implementation of the obligations, which primarily include comprehensive cybersecurity risk management and reporting obligations in the event of security incidents. Similar regulations can be found in the Austrian draft of the NISG 2024 and in the Hungarian implementation law, which has been in force since January 2024.

Essential requirements

The NIS 2 directive requires manufacturers to implement a comprehensive information security management system (ISMS). This system must reflect the current state of the art and help to minimize security risks for IT and network systems. It is essential for affected companies to prepare for these new requirements at an early stage, as non-compliance can result in severe fines.

Conclusion

For manufacturers of medical devices, the NIS 2 Directive means a significant expansion of cybersecurity obligations. It is advisable to closely monitor national developments and start implementing the minimum requirements now in order to avoid future risks.

Implementation of video consultations outside the contract doctor’s practice: New flexibility through § 24 (8) of German Authorisation regulation for statuary insurance physicians (Ärzte-ZV)

The introduction of Section § 24 (8) Ärzte-ZV represents an important step towards making telemedicine more flexible. SHI-approved physicians can now also provide their video consultations outside of their contract doctor’s office – for example in branch practices, outsourced practice rooms or in the home office.

This change, which was introduced by the Act to Accelerate the Digitization of the Healthcare System (DigiG), makes it easier to conduct video consultations and improves the compatibility of professional and private life.

Core elements of the new regulation

The new regulation allows doctors to hold video consultations at alternative locations as long as the obligations regarding minimum consultation hours and open consultation hours at the contract doctor’s practice are complied with. Video consultations outside the contract doctor’s practice are only permitted in addition to these face-to-face consultations and are still subject to the general regulations on medical care and data protection.

Conclusion

With this innovation, the legislator has responded to the demand for more flexibility in telemedicine. Panel doctors benefit from the new freedom to hold their consultations outside of the practice premises, which can increase the attractiveness of medical practice in particular.

Remuneration negotiations for digital health applications

Since 2020, digital health applications (DiGA) have been reimbursed by the statutory health insurance funds. This process, regulated by Section 33a SGB V, enables DiGA to be included in the statutory health insurance (SHI) benefits catalog.

As a result, they are potentially available to all insured persons. However, this process poses a considerable challenge for manufacturers of digital health solutions.

The development and market launch of a DiGA are associated with numerous hurdles. Following the complex development process, the DiGA must first be included in the DiGA directory of the Federal Institute for Drugs and Medical Devices (BfArM) in accordance with Section 139e SGB V.

This is followed by the reimbursement negotiations between the National Association of Statutory Health Insurance Funds and the manufacturer, as stipulated in §134 SGB V. Finally, the DiGA must be prescribed by a treating physician and reimbursed by the health insurance company.

Remuneration agreement: How is the reimbursement price determined?

A key aspect of the remuneration agreement is the proof of positive care effects in accordance with Section 134 (4) SGB V. From 2026, a performance-based component will be included in the reimbursement agreement, which will fundamentally change the reimbursement model. The manufacturer sets the reimbursement price itself in the first year – on average this is around 510 euros. After that, a price negotiated with the National Association of Statutory Health Insurance Funds (GKV-Spitzenverband) comes into effect, which averages around 221 euros. However, this price can also be significantly lower, with discounts of up to 60 percent.

Negotiating the amount of remuneration is often a challenge, especially for start-ups that dominate the market but have limited financial and human resources. Rapid monetization of the product idea is therefore essential. Large pharmaceutical companies often cooperate with start-ups instead of entering the market themselves.

Decisive factor: the negotiation strategy

Nevertheless, the negotiated remuneration amount is not always sufficient to secure the company’s economic existence. Some DiGA manufacturers have already had to file for insolvency even though their products were successfully prescribed. This shows how important a careful negotiation strategy is.

Manufacturers should carefully analyze comparable SHI benefits, the evidence base, product characteristics and economic considerations. A tailored argumentation that meets the requirements of the arbitration board is essential. Particular attention needs to be paid to identifying weaknesses in the evidence assessment – this requires the most preparation time.

DiGA as a statutory benefit

In addition, manufacturers should consider the possibility of offering their DiGA as a statutory benefit in accordance with Section 11 (6) SGB V. This could represent a competitive advantage, as the services are not published and can achieve higher prices with individual health insurance funds, but this has the disadvantage that the products are only offered to the respective health insurance fund members.

The negotiation procedure

Negotiations with the National Association of Statutory Health Insurance Funds usually take place in Berlin or online in three meetings of three hours each. Following a successful agreement, a contract under public law is concluded between the manufacturer and the GKV-Spitzenverband, which can be terminated with a notice period of three months to the end of the quarter. If no agreement is reached, the arbitration board will decide on the remuneration amount within three months. The adjusted supply costs as well as self-payer prices and prices in other EU countries are taken into account.

Conclusion

The remuneration process for DiGA is complex and places high demands on manufacturers. Careful preparation and a well thought-out negotiation strategy are essential in order to secure an appropriate remuneration amount and ensure the economic survival of the product. Manufacturers should also consider alternative marketing strategies in order to strengthen their competitive position and minimize potential risks. However, there is no guarantee that these strategies will lead to effective results with the health insurance funds.

Further news

From theory to practice: effectively implementing the EU AI Regulation

The EU Regulation laying down harmonized rules on Artificial Intelligence (AI Regulation) marks a decisive step towards the regulation of AI systems in the EU. It has been gradually coming into force since August 2, 2024 and has since set clear rules for the use of AI systems that require companies to make extensive adjustments and take compliance measures.

The increasing spread of AI creates both opportunities and risks. In order to protect privacy and fundamental rights, the EU AI Regulation created a legal framework to ensure the safe and responsible use of AI systems.

The legislative process for the AI Regulation began in March 2024 and ended in July 2024. The Regulation came into force in August 2024 and will be successively extended until 2027. This gives companies time to prepare for the new requirements.

This is what the AI Regulation contains

The AI Regulation is a specialized product safety law that focuses on AI products themselves. It applies to providers and operators of AI systems in the EU, regardless of where they are based, with a few exceptions for national safety issues and private use.

A central element of the AI Regulation is the categorization of AI systems. These are machine systems that can autonomously derive predictions, recommendations or decisions from inputs. The regulation covers systems that use machine learning and knowledge-based approaches and distinguishes between four main categories of AI systems:

Prohibited AI systems
Systems that use manipulative methods or exploit weaknesses are prohibited.
High-risk AI systems
These are subject to strict regulations, such as risk management and fundamental rights impact assessments.
AI systems with limited risk
Transparency obligations are the main focus here, e.g. in the case of “deep fakes”.
AI systems with minimal risk
These, such as spam filters, are hardly regulated, but must be used safely.

This applies to providers and operators in accordance with the AI Regulation

The AI Regulation sets out extensive obligations for providers and operators. Companies must identify their AI systems and classify them into risk categories. Strict requirements apply to high-risk systems in particular. Providers must create detailed documentation covering the entire life cycle of the system, and operators must ensure that human supervision is possible.

Violations of the provisions of the AI Regulation can result in high financial penalties, with fines of up to 35 million euros or 7 percent of annual global turnover. In addition, civil law claims can be enforced more easily in the event of violations.

Recommendations for companies

Companies should start implementing an AI compliance framework immediately. This includes mapping all AI systems and classifying them into risk categories. Measures to comply with the regulation must be implemented promptly. Employee training is essential to raise awareness of the opportunities and risks of AI systems and avoid compliance violations.

It is advisable to create a central office or committee for AI matters. This should ensure that legal requirements are complied with and risks are identified at an early stage. The involvement of experts from compliance, IT, data protection and risk management is crucial.

Judgment of the Higher Regional Court of Hamburg on the risk classification of medical device software

After we had already discussed the (decision) proceedings of the Higher Regional Court of Hamburg in an editorial on our website, the Higher Regional Court of Hamburg now issued a judgment on 20.06.2024 under file number 3 U 3/24. This ruling could represent a significant decision on the risk classification of software as a medical device.

What was it about?

The focus was on an app that enables patients to send images of skin conditions to selected dermatologists, fill out a medical history questionnaire and provide personal data. The app was declared as a CE-marked medical device in risk class I in accordance with Rule 11 of the Medical Devices Regulation (EU) 2017/745. A competitor took legal action against this risk classification, initially seeking interim legal protection.

At the heart of the dispute was the question of whether the software was correctly classified and could therefore be placed on the market. The opposing party argued that the app should not be classified as a medical device in risk class I, but as risk class IIa or higher. According to Rule 11 of the Medical Devices Regulation (EU) 2017/745, software used to support diagnostic or therapeutic decisions is classified as Class IIa. The defendant, on the other hand, took the view that its app was merely a data transmission and communication solution and therefore belonged in the lower risk class I.

The Higher Regional Court Hamburg ruled as follows

The court followed the opposing party’s argument and found that the app not only transmits data, but also intervenes in the diagnostic process by automatically adapting the medical history questionnaire. This happens independently of individual medical decisions and thus influences the basis for the medical diagnosis and therapy decision.

Therefore, the app is to be classified as a Class IIa or higher medical device, which requires more extensive certification, the involvement of the Notified Body and the affixing of the CE mark by the latter. Consequently, the defendant was ordered not to place the corresponding medical device on the market or make it available on the market as long as it is not certified as a medical device in risk class IIa or higher.

Criticism from legal experts and expert associations

As was already the case in the previous proceedings, the court’s decision will be subject to much criticism from legal experts and expert associations. Based on the court’s reasoning, there is already a risk that all medical software could potentially be classified as risk classification IIa or higher.

What now?

This ruling highlights the complex legal situation regarding the classification of medical software applications and could also have an impact on already approved digital health applications (DiGA) that are financed by statutory health insurance (SHI). Companies that develop or distribute such products should consider the following points:

Careful examination of the product classification
Incorrect classification can lead to legal problems and distribution bans. Manufacturers should therefore carefully consider what functions the software has and how they draft the intended purpose.
Consideration of the mode of operation
Additional functions such as the selection of anamnesis questions can lead to a higher classification.
Consideration of patient risk
Besonders bei Ferndiagnosen ohne persönlichen Arztkontakt ist ein erhöhtes Risiko gegeben, was eine strengere Regulierung erfordert.

Further news

Stigmatized diseases are uploaded less frequently to the electronic patient record (EPR)

A new study shows that patients are less likely to upload stigmatized diseases, such as depression or sexually transmitted diseases, to their electronic patient record (EPR), depriving treating physicians of important information. In contrast, non-stigmatized diseases such as a broken wrist or type 1 diabetes mellitus do not influence upload behavior.

The research by Niklas von Kalckreuth and Prof. Dr. Markus Feufel from the TU Berlin, published in the journal JMIR Human Factors, investigates the influence of disease characteristics on upload behavior to the EPR. The study shows that the social stigmatization of certain diseases leads to a reluctance of patients to share these diagnoses digitally – regardless of whether the disease is acute or chronic.

Niklas von Kalckreuth explains that previous surveys indicated a high willingness to use the EPR, but that other studies have shown that actual use often falls short of the stated intentions. This indicates a gap between stated intention and actual behavior, which has important implications for the implementation and use of the EPR.

GKV on digital health applications (DiGA): Too few, too expensive and without significant effects?

The German public health insurances (GKV) has published a report on the current provision of digital health applications (DiGA). The results shed a critical light on the successes and challenges of this innovative area of healthcare to date.

By October 2022, only 33 applications had found their way into the DiGA directory. In total, DiGA had been used around 164,000 times by September 30, 2022, resulting in service expenditure of 55.5 million euros. According to the umbrella organization, however, it is questionable whether this can be considered a success.

The report shows that the majority of applications were unable to demonstrate any positive effects on care when they were included in the DiGA directory. Two thirds of DiGAs were only provisionally included in the directory. Of the permanently approved applications, three were not included in the full scope of indications, and three trial DiGAs were even completely removed from the directory.

Another major problem is the high prices charged by manufacturers for their DiGAs. On average, these are around 500 euros per quarter. Trial DiGAs, which have no proven positive supply effect, are particularly expensive, with prices ranging from 600 to 952 euros. Even the maximum amounts introduced on October 1, 2022 could not significantly reduce the high price level.

The report by the German public health insurances clearly shows that the introduction and use of DiGA has so far been associated with considerable challenges. The high costs and the lack of evidence of positive healthcare effects in many applications call into question the sustainable integration of these digital healthcare solutions. There is an urgent need for measures to improve the cost efficiency and effectiveness of DiGA in order to fully exploit the potential of this technology.

The view of the umbrella organization is viewed very critically by service providers.

ECJ: TC string is personal data

In a recent ruling, the European Court of Justice (ECJ) classified the TC string, an alphanumeric character string that encodes the user’s consent preferences for online advertising, as personal data. This decision is based on Art. 4 No. 1 GDPR, according to which personal data means any information relating to an identified or identifiable natural person. Identification can also take place indirectly through assignment to an online identifier.

The ECJ has confirmed that it is sufficient for identifiability if a person can be indirectly identified by additional information. It is not necessary for all information to be available for a single person. Personal data also includes all information resulting from the processing of such data.

The TC-String contains the user’s preferences, which, according to the ECJ, can contribute to direct identification. In addition, the TC-String information can be used to create a user profile and identify the person concerned via an identifier, such as the IP address. The fact that the defendant itself cannot link the TC string to the IP address does not change this, as the relevant information does not have to be in the hands of a single person.

The defendant can use legal means to obtain information from its members that enables user identification. Therefore, the TC-String is to be considered as personal data.

The ECJ confirms its previous case law that the concept of personal data must be interpreted broadly. The decision makes it clear that information such as the TC-String, which can indirectly contribute to the identification of a person, must also be classified as personal data. This may have far-reaching consequences for the practice of online advertising and data protection.

The right to treatment with artificial intelligence and access to smart medical devices – potential challenges

In recent years, the development of artificial intelligence (AI) has made considerable progress, raising hopes of a new age of automation and optimization in medicine.

With the Digital Act (DigiG) coming into force on March 26, 2024, the German healthcare system is facing a significant change. This amendment to the law aims to improve the integration and use of digital healthcare applications and optimize their reimbursement mechanisms.

The rapid advances in the field of artificial intelligence (AI) promise a new era of automation and optimization in medicine. AI systems have the potential to analyze large and complex amounts of data and identify new patterns and correlations. This makes them particularly valuable for healthcare, from anamnesis and diagnosis to therapy.

The introduction of intelligent chatbots and apps offers patients constantly available access to medical help, for example to support psychological treatments.

The potential of AI is also evident in the field of medical aids: AI-supported exoskeletons can restore mobility to people with walking disabilities, while AI-based assistance systems can predict possible complications during surgical procedures, thereby improving surgical management and saving lives.

The analysis of medical images is another area of application in which AI systems are already outperforming humans. Doctors no longer have to spend hours examining MRI and CT images for cancerous tissue, as algorithms can now do this more efficiently and precisely. Given this potential, it is not surprising that patients are increasingly demanding treatment with AI. The legal provisions of the DigiG take this development into account by facilitating access to intelligent medical devices and expanding their eligibility for reimbursement.

Is there a right to treatment with AI?

Despite the advantages of AI in medicine, the question arises as to whether patients have a right to treatment with AI. In Germany, access to healthcare is usually via GPs or specialists, the first point of contact for potential treatment with intelligent medical devices. A key issue here is the tension between the patient’s right to self-determination and the doctor’s freedom to provide treatment.

A treatment contract between doctor and patient forms the basis for every medical intervention. While patients have the right to decide on their treatment, they cannot demand a specific treatment method. Medical freedom of therapy protects doctors from having to use methods that they consider unsuitable. There is only an obligation to use new treatment methods if they are recognized as the medical standard

The integration of intelligent medical devices into statutory health insurance (SHI) depends heavily on their costs and medical benefits. The Federal Joint Committee (G-BA) plays a decisive role in the evaluation and approval of new examination and treatment methods. So far, however, there are only a few AI-supported applications that have been officially recognized.

A special legal framework exists for digital health applications (DiGA), which allows their use under certain conditions. The question of whether limited access to AI-supported treatments is unconstitutional remains open. The Federal Constitutional Court has derived fundamental rights that could oblige the state to guarantee access to necessary resources.

However, innovative technologies are not yet recognized as absolutely necessary for basic care. An exceptional case could exist if established treatment methods are lacking and an AI treatment offers a realistic chance of recovery.

The question of whether limited access to AI-assisted treatments is unconstitutional remains open. The Federal Constitutional Court has derived fundamental rights that could oblige the state to guarantee access to necessary resources. However, innovative technologies are not yet recognized as absolutely necessary for basic care. An exceptional case could exist if established treatment methods are lacking and an AI treatment offers a realistic chance of recovery.

Conclusion

Access to smart medical devices and the right to AI treatment are complex issues that pose technical, medical and legal challenges. While AI offers considerable potential in medicine, financial, regulatory and ethical hurdles still stand in the way of its widespread application. However, technological progress and social developments will play a decisive role in how these new technologies are integrated into healthcare in the future.

New Developments in Digital Health Applications Through the Digital Health Act (DigiG)

With the enactment of the Digital Health Act (DigiG) on March 26, 2024, the German healthcare system is facing significant changes. These new regulations aim to improve the integration and utilization of digital health applications (DiGAs) and optimize their reimbursement mechanisms. This article summarizes the key changes and explores the implications for medical device manufacturers.

One of the central innovations of the DigiG is the expansion of reimbursement eligibility for DiGAs to include Class IIb medical devices. Previously, only Class I and IIa products were eligible for reimbursement. This expansion now allows for the integration of more complex and potentially riskier applications into healthcare, which is justified by the gained expertise of the Federal Institute for Drugs and Medical Devices (BfArM).

Another important point concerns pregnant women, who are now also entitled to DiGAs, provided they meet the requirements of § 33a SGB V. Additionally, specific regulations have been introduced for the treatment of diabetes in structured treatment programs. This has led to the creation of the category of digital medical applications (DimAs), which allows for greater integration of digital processes into therapy.

This applies to risk class IIb, agreements and performance measurements

For DiGAs of Class IIb, stricter proof requirements now apply. The positive healthcare effect must be demonstrated through a prospective comparative study that evidences the medical benefit of the application. This is intended to strengthen the insured’s trust in more complex DiGAs and ensure their efficacy and safety.

The DigiG prohibits DiGA manufacturers from making agreements with manufacturers of pharmaceuticals or medical aids that could restrict the choice of the insured or the freedom of therapy for physicians. This measure is intended to ensure that no DiGA is designed to be used only with specific drugs or aids, which could lead to negative cost implications for statutory health insurance.

A new feature is the introduction of accompanying success measurement. This aims to create more transparency regarding the use of DiGAs and will be used for future price determination. Manufacturers are required to submit anonymized and aggregated data that includes, among other things, the duration and frequency of use and patient satisfaction.

Turning point for the system of digital health applications

A significant portion of the reimbursement amounts for DiGAs must now be performance-based, at least 20% of the total amount. This regulation affects both new and existing reimbursement agreements and could pose a challenge for manufacturers as they will need to adjust their pricing accordingly.

The Digital Health Act marks a turning point for the system of digital health applications in Germany. While it creates new opportunities and expanded applications for DiGAs, it also brings stricter requirements and new challenges for manufacturers.

In particular, the expanded reimbursement eligibility, the introduction of success measurement, and the stricter proof requirements for higher risk classes are points that manufacturers need to strategically consider from the start. It remains to be seen how these regulations will perform in practice and what long-term effects they will have on the healthcare system

Illegal health advertising: alternative practitioner praised incense in TV shopping

In the case before the Higher Regional Court of Celle on 27.02.2024, the admissibility of advertising by a naturopath promoting the effects of frankincense and curcumin against diseases such as osteoarthritis, Alzheimer’s and long Covid in a teleshopping channel was denied. Statements such as “curcumin tends to work better than diclofenac for arthritic complaints” were made to promote the food supplements.

The natural herbs mentioned are subject to the provisions of the Health Claims Regulation and the Food Information Regulation (LMIV), to which the teleshopping channel is also subject.

The operator of the channel refused to issue a cease-and-desist declaration, as the alternative practitioner allegedly only spoke about his own experiences and made no direct reference to the products.

However, the Higher Regional Court (OLG) of Celle ruled that it was irrelevant whether the alternative practitioner only spoke about his own experiences. It was more important that the viewer’s statements conveyed the impression that the products had healing properties. This violates Art. 7 para. 3 and 4 of the FIR, according to which no healing properties may be attributed to foods.

In addition, the advertising for the detox product violated the Health Claims Regulation, as health claims were made that are not permitted. The OLG ordered the channel to cease and desist in accordance with the provisions of the Unfair Competition Act (UWG) and the LMIV.

EU Data Act: New requirements for the design of connected products

The Data Act represents a significant change in data regulation driven by the GDPR. The Data Act enables the sharing and utilization of personal and non-personal data (product data pursuant to Art. 2 No. 15 DA) for the benefit of users. It affects connected, smart products as defined in Art. 2 No. 5 DA, including medical devices such as laboratory devices connected to the internet via middleware and medical devices connected via Bluetooth, provided the associated companion app is internet-enabled. However, connected services according to Art. 2 No. 6 DA, such as apps or other applications, lead to delimitation difficulties and legal uncertainties, as not every connected service communicates directly with the medical device (e.g. diary apps that prepare data graphically).

The scope of the Data Act only extends to raw data and not to analysis results generated using this data. The five major regulatory acts (DSA, DMA, DGA, AI Act, DA) are intended to generate more than 270 billion euros from IoT data and save up to 120 billion euros in the healthcare sector. This creates an area of tension between data protection law and data economy law, as the scope of the personal reference of data has a large potential overlap with machine-generated data, which falls under the Data Act. According to Art. 1 para. 5 DA, however, the GDPR should take precedence over the Data Act.

Another problem is the dysfunctional triangular relationship between the data owner (manufacturer), user and third parties (e.g. repair companies). The data owner often has a data feedback loop due to the product design, which affects its de facto control over the data generated by the user. The Data Act does not give the user a data ownership right, so the data remains a non-private, public good. Third parties could have an interest in the data in order to develop their own algorithms.

Machine-generated data is not covered by the GDPR, so the user can only assert limited claims to this data. The relationship between the manufacturer and third parties is also new, as the manufacturer could cite data protection or trade secrets as a counterargument. Primary data in the area of medical devices is particularly relevant as it includes physical, biological-chemical and regulatory indicated values as well as the number of quality controls. According to Art. 3 para. 1 and Art. 4 para. 1 of the Data Act, users should have access to this data or be given direct access to it. This could be understood as an in-situ right, i.e. a processing right in the server environment of the data controller or at least a download option that also implements the rights of data subjects under the GDPR (self-service portal).

A legislative loophole currently exists for real-time data access, subject to the technical feasibility and relevance of the data. The obligation to provide data does not apply to small and micro-enterprises in accordance with Art. 7 para. 1 GDPR.

Revision of the European Packaging Ordinance

The EU is planning a new packaging regulation to increase the reusability of packaging and thus reduce greenhouse gas emissions, as required by the Climate Protection Act. A transition period of five years is intended to ensure that medical products, in-vitro diagnostics and human and veterinary medicines are also greenhouse gas-neutral by 2050.

Currently, 40% of plastics and 50% of paper in the EU are used to produce packaging made from primary raw materials. As 36% of packaging ends up as waste and around 30 million tons of plastic are incinerated every year, this results in CO2 emissions of around 80 million tons. The main aim of the new regulation is to improve the recyclability of materials and generate secondary raw materials.

The recycling rate in Germany was 46% in 2020, and even frontrunner Lithuania only reached 56%, far below the target for 2030. The new requirements cover the entire product life cycle, although special requirements, such as the Human Medicinal Products Directive, continue to apply. Compliance with the requirements is the responsibility of manufacturers and importers.

It is important to differentiate between recyclability and recycling rate. The former is assessed on the basis of the packaging components used and certified by external testing companies. The exact criteria are to be defined by delegated acts. Articles 5-10 of the regulation define the requirements that must be verified by technical documentation. As many details will only be specified later, not all details are known at the time of entry into force.

The regulation does not explicitly prohibit the use of certain materials, but sets requirements for the sorting and reuse of certain materials. According to Article 6, all packaging must be recyclable in future in order to replace primary raw materials with secondary raw materials.

Article 7 stipulates that plastics must contain a minimum amount of recycled plastics, which can be collected in the yellow garbage can, for example. Packaging for products with a medical purpose will not have to meet the requirements until 2035 and will be given a transitional period of five years as well as a special regulation on the use of post-consumer recyclates.

With this regulation, the EU is taking an important step towards a sustainable packaging industry and climate neutrality. Manufacturers and importers are now called upon to implement the new requirements and thus make a contribution to environmental protection.

In order to avoid the impact on the environment, the polluter pays principle should be implemented in the legislative process, which is one of the most important principles in EU environmental policy (Art 191 TEU).

The Packaging Regulation will be a challenge for medical device manufacturers, as some packaging (e.g. blister packs) is not yet recyclable, and since many different primary packaging types are used, it is difficult to accurately estimate recyclability. Switching to the new packaging regulations is therefore recommended as soon as possible.

However, medical devices and pharmaceuticals benefit from the longest transition period of 12 years, but it is foreseeable that ecological packaging will become a competitive criterion. For some member states, however, the regulation represents a step backwards, as they already have more advanced systems that exceed the minimum standards of the regulation.

Exploring Artificial Intelligence and Cybersecurity in the context of the MDR

The European legal framework, including the Medical Device Regulation (“MDR”) and the upcoming regulation on AI (“AI Regulation”), places strict requirements on the safety and performance of AI-based medical devices.

The relationship between the Medical Device Regulation and the AI Regulation is characterized by supplementary certification requirements: While the MDR regulates the safety and performance of physical medical devices, the AI Regulation addresses specific risks and the data integrity of AI systems. Products that fall under both sets of regulations must fulfil the requirements of both regulations in order to be certified, which offers a double safety guarantee for both physical and software-related safety.

What is the challenge?

The challenge is to find a balance between promoting technological innovation and ensuring the necessary safety standards. The regulatory framework must be constantly evolving to meet both advances in AI technology and patient safety requirements. This requires a continuous review and adaptation of regulatory provisions in order to promote and protect both innovation and patient safety.

Quick updates from various legal and regulatory areas:

Data Protection Law

Unauthorised data queries in German hospitals

On 22 April 2024, the State Commissioner for Data Protection and the Right to Inspect Files (LDA Brandenburg) published its activity report for 2023, in which cases of unauthorised data queries in various hospitals were identified in which employees had accessed a colleague’s electronic patient file without any official reason.

These breaches of data protection were categorized as employee excesses, for which fines were imposed on the employees concerned. However, it was emphasized that a possible breach of data protection must be investigated in such cases.

Possible amendment to the German Federal Data Protection Act

The German government is planning amendments to the Federal Data Protection Act (BDSG) in order to implement agreements made in the coalition agreement and to implement the results of a BDSG evaluation. The draft bill intends to institutionalize the Data Protection Conference (DSK) in the BDSG and introduce additional paragraphs to improve the enforcement and consistency of data protection.

In future, companies and research institutions with cross-border projects could be subject to only one state data protection supervisory authority, which should avoid legal uncertainties. Other provisions concern the application of the BDSG only to data processing with a domestic connection and the revision of the regulations on video surveillance of non-public areas.

Medical Law

BVMed and VDGH draw up white paper

The German Medical Technology Association (BVMed) and the Association of the Diagnostics Industry (VDGH) have drawn up a joint position paper. The paper highlights problems such as inefficient regulatory structures and bureaucratic obstacles that have arisen as a result of the regulations.

The white paper offers concrete proposals for solutions, including the introduction of fast-track procedures for innovations, efficiency gains through the implementation of good administrative practice and harmonisation through centralisation in order to make Europe a competitive MedTech location again.

Baden-Württemberg State Social Court (LSG) on digital health applications

According to a decision of the LSG Baden-Württemberg of 3 April 2024 (Ref.: L 11 KR 579/24 ER-B), digital health applications pursuant to Section 33a (1) SGB V are medical devices of a low risk class whose main function is based on digital technologies and are intended to support the detection, monitoring, treatment or alleviation of diseases in insured persons or in the care provided by service providers. The main function of the digital health application must be characterized by digital technologies in all areas of application.

These applications must not merely serve to supplement or control other medical devices. This applies in particular if the software merely reminds the patient of the procedure and provides recommendations for adjusting the therapy, as the software does not offer any independent diagnostic or therapeutic services.

Compliance

Germany shows no improvement in the CPI index

Transparency International published the Corruption Perceptions Index (CPI) 2023 at the end of January 2024, which is based on data from 12 independent institutions. Germany scored 78 points, one point less than the previous year and the same score as ten years ago.

The organisation’s points of criticism include gaps in the fight against corruption, particularly among elected officials, shortcomings in whistleblower protection and the lack of effective corporate criminal law. Denmark, Finland, New Zealand and Norway top the ranking, while South Sudan, Syria, Venezuela and Somalia are at the bottom of the list.