Software and digital health

Medical Device software (MDSW), based for example on Artificial Intelligence and machine learning, and digital health are one of the areas in Medical Devices that are developing rapidly. As it is a new Medical Device area that is creating new avenues in health care, the regulation is still in a process of development.

In many cases, digital health technologies qualify as Medical Devices and thus need to comply with the MDR or IVDR, as applicable.

Software falls under the active devices' classes, which are defined as any Medical Device operation of which depends on a source of electrical energy. But the risk class they belong to depends on what they are designed for.

Software as a Medical Device and IVD

Medical Device software is software that is intended to be used, alone or in combination, for a purpose specified in the definition of a Medical Device in the MDR. The MDR contains the new risk classification rule 11 that was introduced specifically to apply to Medical Device software:

“Software intended to provide information which is used to make decisions with diagnostic or therapeutic purposes is classified as class IIa, except if such decision can have an impact that may cause [1]:

- death or irreversible deterioration of a person’s state of health, in which case it is class III; or

- serious deterioration of a person’s state of health or a surgical intervention, in which case it is classified as class IIb

Software intended to monitor physiological processes is classified as class IIa, except when it is intended for monitoring of vital physiological parameters, when the nature of the variations of those parameters is such that it could result in immediate damage to the patient, in which case it is classified as class IIb [2].

All other software is classified as class I.”

Digital monitors that are used in diabetes control, especially if the app/software in the device is also used to control the administration of the medication, fall within this category.

As a result of MDR classification rule 11, many software Medical Devices, that were self-certified as Class I under the previous Directives, are now ‘up-classified’ to a higher risk class.  This means, among other things, that their CE marking under the new MDR will be subject to Notified Body oversight.

Beyond the safety and performance requirements of the MDR, another issue is that of who owns the data processed by (or output from) the software, and what are they allowed to do with the data gathered. (Refer to the General Data Protection Regulation (GDPR) [3] and data ownership).

Decision tree for software in MDR and IVDR [4].

Figure 1. MDR and Regulation (EU) 2017/746 – IVDR (


[1] CE Marking of Digital Health Technologies: stricter rules for medical devices software under the EU MDR

[2] Bradley, R. New Guidance on the Classification of Software as Medical Devices.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation_GDPR)

[4] MDCG 2019-11 Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR