Key Points
- Regulation in the medical technology and digital medicine space continues to evolve, with both horizontal and sector-specific regulation from the EU giving rise to a multi-layered regulatory framework.
- In Ireland, the Government has not yet transposed the NIS2 Directive, and the legislation required to fully implement the AI Act and the Data Act into Irish law is not yet in place.
- Compliance with the GDPR remains a fundamental prerequisite for technologies that process personal data regardless of the technologies used.
Processing Personal Data: Compliance Challenges for New Technologies
Organisations across all sectors have, by and large, acquired a familiarity with the General Data Protection Regulation and have built compliance frameworks for the processing of personal data, supported by what is now a large body of case-law and guidance from Irish and European courts and regulators.
However, as new and fast-changing technologies gain traction, such as AI, blockchain (distributed ledger technology), robotics and connected devices, the GDPR now applies alongside a range of other regulatory obligations governing the use of those technologies. In the life sciences sector specifically, with increasing use of AI, medical devices, wearables and other data, these technologies must be developed and operated in compliance with data protection law by design and by default.
The European Data Protection Board's programme for 2024 – 2025 includes an action to develop guidance on how to navigate data protection compliance in new technologies, such as:
- Guidelines on generative AI - data scraping
- Telemetry and diagnostic data
- Blockchain (already published)
Navigating the Artificial Intelligence Act
The AI Act entered into force on 1 August 2024, with many of its measures commencing on staggered dates over the coming years. AI has been heralded as transformative for healthcare, and use cases for its application in the public healthcare sector are already laid out in the Government's "Guidelines for the Responsible Use of Artificial Intelligence in the Public Service", published in May 2025. These Guidelines seek to empower public servants to use AI in the delivery of services, and also offer an insight into the Irish Government's strategies for the adoption of AI in the public service.
At EU level, the Commission is required to develop guidelines on the practical implementation of the Act (Article 96 AI Act). To date, guidelines on prohibited artificial intelligence practices and guidelines on the AI system definition have been published, and you can read more in our briefing The EU Commission Guidelines on prohibited AI practices. The final version of the General Purpose AI Code of Practice is due to be presented and published by August 2025. Further guidance is expected for high-risk classification and in other areas of the legislation. Organisations seeking legal certainty on non-contractual civil liability rules for damage caused by AI systems are monitoring the status of the proposed AI Liability Directive. In the Commission's 2025 Work Programme, the Commission announced its intention to withdraw the proposal. A final decision is due to be made on whether another proposal should be made or an alternative approach taken.
Data Regulation - Internet of Things ("IoT") and Health Data
Building on the regulatory framework for processing personal data, European Union legislators have maintained a focus on data in a broader sense, that is, connected device data, health data and finance data, and more particularly on how society can extract value from it. The EU has laid out horizontal rules for data access, sharing and use in the Data Act, and health sector-specific rules in the European Health Data Space Regulation (the "EHDS"), to empower individuals to take control of their health data and to facilitate the reuse of health data for research and innovation, policy, and regulatory activities. For more on the Data Act, you can listen to our podcast here.
INTERPLAY WITH GDPR
Both the EHDS and the Data Act contain provisions that are complementary to the GDPR, including portability rights for data from IoT objects in the Data Act, and access, portability, rectification and opt-out rights in the EHDS. The Data Protection Commission has a role in their operation, as data protection authorities are competent to enforce those obligations in the EHDS and the Data Act that stem directly from the GDPR. Moreover, supervisory authorities may impose administrative fines up to the amount referred to in Article 83(5) GDPR for infringements of Articles 3, 5 to 10 and 71 of the EHDS and for infringements of the obligations laid down in Chapters II, III and V of the Data Act.
DATA ACT
Among the wide range of measures in the Data Act, those which apply to connected products and related services are particularly relevant for the life sciences sector. Connected products are items that obtain, generate or collect data concerning their use or environment and that are able to communicate product data via an electronic communications service, a physical connection or on-device access. Examples of connected products include smart watches, medical and health devices, and any device with sensors. Like the GDPR, the Data Act has extra-territorial effect: it applies to manufacturers, providers and data holders both within and outside the EU if they market connected products or related services in the EU. However, the rights granted to "users" of connected products and related services are only available to users in the EU.
Cybersecurity and Resilience: A Focus on the Health Sector
Recognising that the healthcare sector is one of the most targeted by cyberattacks, with more incidents than in any other critical sector in the EU, the European Commission adopted the European Action Plan on the Cybersecurity of Hospitals and Healthcare Providers on 15 January 2025. The plan, which focuses on improving threat detection, preparedness, and crisis response in the healthcare sector, will provide tailored guidance, tools, services, and training to hospitals and healthcare providers. It builds on the broader EU framework to strengthen cybersecurity across critical infrastructure and is the first sector-specific initiative to deploy the full range of EU cybersecurity measures.
Organisations within scope of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the "NIS2 Directive") and Directive (EU) 2022/2557 on the resilience of critical entities (the "CER Directive"), including organisations in the health sector, should ensure their policies and procedures are updated to comply with the new legislative requirements (see below).
NIS2 DIRECTIVE
The health sector is designated as a sector of high criticality under the NIS2 Directive, which captures medium and large healthcare providers, laboratories, research and development bodies and manufacturers. Cloud-based service providers in the digital health space should also consider if they fall within the scope of the Directive. We set out more in our podcast on The Network and Information Security (NIS2) Directive.
By now, organisations within in-scope sectors will have identified whether their activities fall within the scope of the NIS2 Directive. If they do, those entities will next identify whether they constitute an "important" entity or an "essential" entity, based on the parameters in the NIS2 Directive for personnel headcount and turnover or balance sheet size, the key difference being the level of regulatory oversight to which these entities are subject.
Stakeholders should now monitor for publication of the National Cyber Security Bill implementing the Directive in Ireland. To date, the Irish Government has published the General Scheme for the National Cyber Security Bill 2024 to transpose the NIS2 Directive, but has not yet introduced it to the legislative process in the form of the Cyber Security Bill. The legislation is required to: designate certain sectoral regulators as the competent authorities for the purpose of implementing NIS2; establish offences and fines at national level (which could be up to EUR 7 million or 1.4% of total annual worldwide turnover, or up to EUR 10 million or 2% of total annual worldwide turnover); establish a register of entities which are within the scope of the proposed legislation; and establish the basis for issuing penalties (including in respect of the personal liability of management bodies).
CER DIRECTIVE
Building on the national risk assessment, critical entities within the health sector, such as distribution, manufacturing, provision of healthcare, and medical services, are due to be identified by the relevant competent authorities (HIQA, HPRA and the Minister for Health) no later than 17 July 2026. A National Strategy for the Resilience of Critical Entities will be developed by the Department of Defence and is expected in Q1 2026. This will cover the governance framework, identification criteria, specific obligations, and resilience enhancement measures. Ireland has transposed the CER Directive in the European Union (Resilience of Critical Entities) Regulations 2024.
Certain manufacturers and developers in the life sciences sector will also be preparing for the Cyber Resilience Act, which largely applies from 11 December 2027, with some specific provisions applying from mid-2026. Products within scope include, for example, personal wearable products that have a health monitoring (such as tracking) purpose. Notably, the Cyber Resilience Act expressly excludes products with digital elements that are subject to EU medical devices legislation.
DATE TO NOTE:
The Cyber Resilience Act will largely apply from 11 December 2027.
What's Next?
Robotics and Healthcare
On 26 February 2025, the European Economic and Social Committee adopted an opinion addressing the integration of robotics and the metaverse in healthcare. Its first recommendation is to develop a comprehensive regulatory framework for robotics and the metaverse in healthcare, to address, in particular, the issue of liability for failures. The report also emphasises the need for strong data privacy and cybersecurity protections. We expect to see more activity in this area as the technology gains momentum.
Data Act
The regulation entered into force in January 2024 and starts to apply from 12 September 2025. From 12 September 2026, the design of medical devices within scope of the Data Act must allow users of these products and services to directly access user-generated data. Users will also have a right to share and transfer their data between providers to improve interoperability within the EU.
The Data Act is directly applicable in EU Member States, although supplementing domestic legislation is required to identify the relevant supervisory authority/authorities, to determine the type and level of penalties and to detail the procedure for the complaint mechanism. Stakeholders should monitor for publication of the EU Data Regulation Bill, which will indicate how the Government intends to implement these aspects.
AI
The Regulation of Artificial Intelligence Bill (when enacted) is intended to give full effect to the AI Act in Ireland. It will designate the National Competent Authorities responsible for implementing and enforcing the regulation and will provide for penalties for non-compliance.
In May 2025, the European Medicines Agency and the Heads of Medicines Agencies published a joint workplan, "Data and AI in Medicines Regulation to 2028". It sets out how the European medicines regulatory network plans to leverage large volumes of regulatory and health data, as well as new tools, to encourage research and innovation and to support regulatory decision-making for better medicines that reach patients faster. Notably, as well as a roadmap for data, it also provides a framework for coordination to address new legislative initiatives, including pharmaceutical legislation, the EHDS Regulation, the Interoperable Europe Act and the AI Act.
Finally, joint guidance (PDF, 463 KB) has just been published by the EU's Artificial Intelligence Board and Medical Device Coordination Group, which clarifies the interaction between the medical devices legislation and the AI Act.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.