Cliff hanger for Digital Health-Regulation in Europe

Digital Health has seen explosive growth even before Covid-19. After Covid-19, the need for virtual healthcare solutions has added fuel to the fire.

Digital Health-an industry segment by itself within healthcare

Consider in 2019, there was $7.4 B invested in Digital Health in the USA which almost doubled to $14B in 2020. The need for scalable healthcare solutions has been severely felt globally across health systems in this new age of social distancing and redirection of clinical resources including staff towards Covid-19 acute care. Here Digital Health has been instrumental towards partly bridging the gap particularly solutions providing access to primary care clinicians via telemedicine and therapy enabled by software such as digital behavioural health and at-home wellness and care. So it is not surprising to see significant investments in these areas with notable investments in 2020 including Amwell ($194M), Mindstrong ($100M), Biofourmis ($100M) as well IPOs of GoodRx ($1.3B) and $18.5B acquisition of Livongo.

Within healthcare, Digital Health and Digital Therapeutics are here to stay. So we need to talk about an important facet of healthcare namely regulation of medical devices and IVDs.

Source: Rock Health

Digital Health regulation-an emerging story

Medical devices and in-vitro devices are highly regulated with regulatory authorities globally such as FDA, European Medicines Agency (EMA) and the UK’s own MHRA playing central roles in governing and ensuring patient safety is a key priority via their respective risk classification framework. As a fast growing and maturing industry which has been relatively less regulated, Digital Health and Digital Therapeutics including software which utilise Artificial Intelligence (AI) will have to go through some growing pains as they are considered as part of the healthcare solutions market.

Going forward digital apps and software-based devices and IVDs should expect to be more regulated. Specifically the tectonic changes in regulation for such devices and solutions in Europe in particular are likely to significantly impact the Go-to-market of startups in turn affecting eventually what they budget and fundraise from investors.

[For a primer on software and classification see detailed guidance from EU]

Self-certification for FDA and CE Mark-a cliff hanger

Self-certification of Digital Health apps via Cass I self-certification pathway within FDA (USA market) and Medical Device Directive (MDD) and In-vitro Device Directive (IVDD) for CE Mark in Europe has been the preferred path for many Digital Health apps. This route has provided distinct advantages over the years for medical device and IVD startups in particular whereby they could place software without requiring inspection by Notified Bodies as long as the risk classification of the devices have been low. This has also meant that more devices could be placed on the market at an accelerated pace.

The scope of self-certified risk classified devices is going to change significantly in Europe from this year and likely to effect the pace of innovation within Digital Health at least within Europe. This change is due to transition in regulatory framework to Medical Devices Regulation (MDR) per Regulation 2017/745 for Medical Devices this year and In-vitro Devices Regulation (IVDR) per Regulation 2017/746 in 2022 for in-vitro devices (IVDs).

MDR:- a significant new barrier for SaMD and connected medical devices

In Europe this year, MDR will be in effect after being delayed from May 2020 due to Covid-19. For Software as a Medical Device (SaMD) or Medical Device Software (MDSW) applicable for Digital Health apps, this has profound implications as most Digital Health solutions would be classified as Class II and above from Class I.

Most current Class I Digital Health apps with medical claims under MDR will need to have Conformity Assessments performed by a Notified Body starting May 2021.

The requirements for Class II devices and above are more rigid effectively ending any scope of self-certifying Digital Health apps under MDR. These requirements include:

a) Quality Management System (QMS)

Class II and above risk classified devices require organisations to have Notified Body inspections including assessment of the Quality Management Systems (QMS). Many if not most would do well therefore to have their QMS assessed for ISO 13485. This is a significant undertaking and due to implementation date of MDR in May 2021 (delayed from 2020), there is a long queue for Notified Bodies and certification companies. This will specially be likely disruptive for startups who have not previously engaged with such external bodies and may not have budgeted or raised money towards such regulatory approval processes.

Source: BSI white paper on Software as a Medical Device

b) Clinical evidence including Post Market Surveillance Clinical Follow-up (PMCF)

Additionally, startups included will be responsible for implementing Post Market Surveillance (PMS) system and will need to record Real World Evidence (RWE) via Post-Market Follow-up studies which will be part of their update reports to the Regulatory Authorities/Notified Bodies. This will certainly be even a greater challenge in a Covid-19 world where in-person clinical studies will be difficult and expensive to execute. Virtual clinical trials could be one possible option for such startups and will require them to have digital systems that are robust enough for capturing such data that can be verified.

The disruption will be less so for pharma and consumer healthcare organisations who are developing SaMD. However given their internal IT departments within such organisations are not geared towards such external assessments across the design cycle of the product and regulated Quality Assurance processes, it is expected there will be at least some impact.

IVDR:- a humongous barrier for SaMD and connected devices IVDs

In-vitro diagnostic companies similarly have been adding software and connected devices to their portfolios. The current regulatory framework of IVDD (In-vitro Device Directive) classifies devices into General, Self-testing, List B and List A. General IVDs are self-certified and do not need Notified Bodies inspection.

80% of IVDs on the market under IVDD are classified General IVDs and are self-certified.

IVDR takes a tougher stance for IVD regulation and almost all classes of IVDs from May 2022 will need to be inspected. In the risk classification, Class A will be self-certified only and is very specific in it’s list of devices. This is a different stance from IVDD where Class I covered a range of software apps and devices.

The catch all risk classification will be Class B which would mean that most General IVDs currently using software will NEED TO BE INSPECTED by a Notified Body prior to product being placed on the market.

Almost all Software IVDs with medical claims under IVDR will need to have Conformity Assessments performed by a Notified Body starting May 2022.

Source: BSI

This is expected to have a significant impact to the diagnostics industry as companies will be expected to get approvals for many of the current General IVD classified IVDs. What exacerbates this problem is that right now there are only 4 Notified Bodies approved by EU to carry out such evaluations. It is expected that more Notified Bodies will be added to this list. A limited set of Notified Bodies will prevent startups particularly to access them and certify their IVDs in a timely manner.

Such companies similar to MDR changes will see significant changes in requirements of Quality Management System (QMS) and Clinical evidence including Post-Market Surveillance Performance Follow-up (PMPF) compared to General IVD under IVDD.

Lastly, I would recommend startups to not delay evaluating regulatory approvals until the product development is completed. Rather, they should engage with Subject Matter Experts including Regulatory Authorities to understand the regulatory pathway for their SaMD (or MDSW) quite early in the design cycle starting from identifying patient needs to ensure they achieve their desired risk classification with a clear intended use for placing product on the market.

If you are a startup and interested to know how these regulations impact your future product launch and market access in Europe please connect with me at

Digital Health Executive advising pre-Series A startups in Europe and USA