Welcome to the latest installment of Arnold & Porter's Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during April and early May 2025 from the United States, United Kingdom, and European Union.
Cybersecurity is a hot topic in the UK and EU this month. In both, cybersecurity plans are developing, with the European Commission conducting a consultation on the EU Action Plan to strengthen cybersecurity within hospitals and health care providers, and the UK Cyber Security and Resilience Bill being published, introduced partly because of cyberattacks on UK hospitals. This is clearly an important area for developers of digital products and services, who should watch the progress of these policies closely.
Regulatory Updates
European Commission Launches Consultations on the EU Strategy for AI in Science and Apply AI EU Strategy. The consultations seek input to define the priorities of the upcoming strategies, both expected to be adopted by the European Commission in the second half of 2025. The EU Strategy for AI in Science aims to facilitate the use and development of AI technologies in scientific research. Potential measures include modernizing the scientific data ecosystem, facilitating access to AI infrastructure, and ultimately creating an EU AI research council in the future. The Apply AI EU Strategy aims to promote new industrial uses of AI technologies in strategic industrial sectors, while also boosting innovation in EU companies. Potential measures include promoting fast and responsible adoption of AI technologies and facilitating scientists' access to AI infrastructure. The consultation on the EU Strategy for AI in Science closes on June 5, 2025, while the consultation on the Apply AI EU Strategycloses on June 4, 2025.
The UK Government Announces Plans To Create New Health Data Research Service To Improve Access to NHS Data. This is part of the government's efforts to boost economic growth and to make Britain best in the world for health research. The new service, expected to be operational in 2026, will act as a single access point for data from the National Health Service (NHS) for use in health research. Since the announcement, the Health Research Authority has emphasized its role in the use of patient information, including that Research Ethics Committees review research proposals to ensure data use is ethical, necessary, and proportionate.
Privacy and Cybersecurity Updates
European Commission Launches a Consultation on the EU Action Plan To Strengthen Cybersecurity in the Health Sector. The consultation seeks input on the action plan published by the European Commission in January 2025, which is aimed at improving detection, preparedness, crisis response, and protection from cyber threats in hospitals and health care providers (see our February 2025 Digest). The input received is intended to help refine the measures proposed in the action plan and ensure their effective implementation in the EU. The consultation closes on June 30, 2025.
Details of the UK Cyber Security and Resilience Bill Published. In July 2024, the government announced its intentions to introduce a Cyber Security and Resilience Bill to address the increased threats of cyber criminals and state actors and the potential effect on public services and infrastructure, such as attacks that have previously taken place affecting NHS hospitals. The government has now published details of the measures to be included in the bill, such as expanding the scope of the entities that will need to comply with the regulatory framework. This includes entities deemed to be "Critical Suppliers." The policy statement references suppliers of critical goods or services whose disruption could cause a significant adverse effect on the essential or digital service supported. This may not be intended to capture manufacturers of medical devices and medicinal products, however the bill will be closely monitored as it progresses.
Liability Updates
Consumers Call On the European Commission To Prepare New EU AI Liability Rules. The call was made by a coalition of consumer organizations, including the European Consumer Organization known as BEUC, warning that the European Commission's withdrawal of the AI Liability Directive (see our March 2025 Digest) has left legal gaps regarding compensation for individuals harmed by AI systems. Consumers argue that the new AI liability rules should include a non-fault-based liability compensation system. They insist that this would not impose new obligations on AI operators before placing their AI systems on the market, as the rules would only apply in case of harm. They also argue that new AI liability rules would enhance consumer trust in AI and reduce fragmentation across EU countries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
