Welcome to the latest installment of Arnold & Porter's Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during June and early July 2025 from the United Kingdom and European Union.
There has been a flurry of new guidance from the Medical Device Coordination Group this month, including guidance on classification of medical device software, on supply of software apps through online platform such as the App Store and Google Play, and on the interaction between the Medical Device Regulation and the EU AI Act. These are welcome guidance documents to provide important clarification for manufacturers as they develop software medical devices, although the guidance documents inevitably cannot cover every situation and leave some questions unanswered.
Regulatory Updates
Revised EU Guidance on Qualification and Classification of Software. This revised guidance introduces a series of clarifications and expansions that impact how software is qualified and classified as a medical device under the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). While the core principles remain unchanged, the revised guidance provides more detailed examples, specifically includes software using AI, and addresses modular software and interoperability with electronic health records under the European Health Data Space. You can read more in our July 2025 BioSlice Blog.
Guidance on Placing Software Medical Devices on the EU Market. This guidance provides important clarifications on how Medical Device Software (MDSW) apps should be made available via online platforms such as the App Store and Google Play, and on the role of these online platforms. In essence, the guidance clarifies that digital distribution does not reduce regulatory obligations, and MDSW is subject to the same level of regulatory scrutiny and compliance as traditional, physical devices. You can read more in our June 2025 BioSlice Blog.
FAQ on the Interplay Between the EU MDR and the Artificial Intelligence Act. The EU Medical Devices Coordination Group and the AI Board have jointly published an FAQ document on the interplay of the EU Artificial Intelligence Act (AI Act) with the EU MDR and IVDR. The document provides guidance on how manufacturers/providers of AI medical devices and IVDs that are also high-risk AI systems under the AI Act can comply with the overlapping requirements of the two regulatory frameworks, including in relation to conformity assessment, post-market surveillance, oversight, and data governance. Importantly, the document helps clarify how manufacturers can lawfully conduct clinical investigations and performance studies of non-CE-marked AI devices in compliance with the AI Act.
European Association of Medical Devices Notified Bodies Updates Position Paper on Software Qualification Under the IVDR. The position paper clarifies notified bodies' expectations for software used with in vitro diagnostics (IVDs) and helps manufacturers determine when software must be submitted for conformity assessment. The position paper outlines three "decision steps" to assess if software is covered by the IVDR: (1) if the software drives an IVD or is an integral part of an IVD; (2) if the software is an IVD in its own right; (3) if the software is an accessory for an IVD. Software not meeting these criteria is not covered by the IVDR.
Second Round of Applications for the UK MHRA AI Airlock Program. As previously reported in the June 2024 digest and our May 2024 BioSlice Blog, the AI Airlock aims to identify the regulatory challenges posed by AI medical devices (AIaMD). Following the conclusion of the pilot phase that tested four AIaMDs in the sandbox environment, the second round will consider applications for AIaMDs that (1) have potential for significant benefits for patients and the NHS; (2) have a new treatment approach; and (3) have a regulatory challenge that is ready to be tested.
UK MHRA Becomes First Member of Global Network of AI Health Regulators. The new network, known as the HealthAI Global Regulatory Network, has the aim of promoting safe and effective use of AI in health care. This will include sharing early safety warnings and gives the MHRA the platform to work with regulators worldwide to shape international standards of AI in health care. Singapore has also signed an agreement to be a part of the network.
Privacy and Cybersecurity Updates
The UK Data (Use and Access) Act 2025 (DUAA) Receives Royal Assent. The DUAA amends the UK GDPR and the Data Protection Act 2018. Some of the key changes in the DUAA include broadening consent in the context of scientific research to cover situations where the complete research objectives cannot be detailed at the point when consent is obtained, provided that all ethical standards are adhered to and that partial consent can be obtained. The new act has also expanded the scenarios in which further processing is compatible with the purpose limitation principle, including with respect to scientific research. Most provisions are expected to come into force within six months, while others will likely take up to one year to be implemented. Given that the DUAA creates further divergence between the UK and EU data protection regimes, it is important to note that the European Commission may make a new adequacy finding after December 27, 2025. However, it seems likely that a positive adequacy finding will be maintained. You can read more in our July 2025 Advisory.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.