Building Compliant Healthcare Software in Europe: MDR, GDPR and the Engineering Reality
A senior engineering team's guide to shipping healthcare platforms that satisfy EU MDR, GDPR, and national health-data regulations — without drowning in paperwork or sacrificing delivery speed.
Key takeaways
- 01Any software that influences a clinical decision may fall under EU MDR Class IIa — get a regulatory assessment in sprint one, not sprint twenty.
- 02GDPR's healthcare requirements go beyond standard consent: lawful basis is usually 'vital interests' or 'public health', not opt-in checkboxes.
- 03Data residency is non-negotiable: EU patient data must stay in EU data centres. Design your infrastructure for this from day one.
- 04Automated compliance evidence (audit logs, access reports, deployment records) saves months during certification and audit cycles.
- 05The biggest risk is not technical — it is building first and discovering regulatory requirements later.
Healthcare software in Europe operates at the intersection of three regulatory frameworks: the EU Medical Device Regulation (MDR) for anything that touches clinical decisions, the General Data Protection Regulation (GDPR) for all personal health data, and a patchwork of national standards — Germany's DiGA framework, the Netherlands' NEN 7510, the UK's DCB 0129. We have built platforms across all three and the lesson is always the same: compliance is an architecture decision, not a paperwork exercise.
When your software becomes a medical device
Under MDR, if your software is intended to provide information used to make a clinical decision — diagnosis, monitoring, treatment suggestion — it is a medical device and must be certified. This applies even to purely software-based products (Software as a Medical Device, SaMD). The classification is based on intended purpose, not on what the code actually does. A symptom checker that suggests 'see a doctor' may be Class I. A triage tool that prioritises patients is likely Class IIa. An algorithm that recommends dosage changes is Class IIb or III.
GDPR for health data: beyond consent
Health data is a 'special category' under GDPR Article 9. The lawful basis for processing is rarely simple consent — for clinical systems it is more often 'necessary for reasons of public health' (Art. 9(2)(i)) or 'necessary for the provision of healthcare' (Art. 9(2)(h)). This distinction matters because consent can be withdrawn at any time, potentially breaking your data pipeline mid-treatment. We design systems to support multiple lawful bases and document the legal rationale per data flow, not per application.
Data residency and infrastructure
EU patient data must remain in EU data centres. This is not optional and it is not satisfied by a US cloud provider's 'EU region' toggle if the parent company is subject to US CLOUD Act jurisdiction. Our default healthcare stack uses either a European cloud provider or a contractually firewalled EU region with explicit Data Processing Agreements. Database encryption at rest and in transit is baseline, not a feature.
| Layer | Our default | Why |
|---|---|---|
| Hosting | EU-only region (AWS eu-central-1 or Hetzner) | Data residency compliance |
| Database | PostgreSQL with row-level security | Granular access control per patient/provider |
| Encryption | AES-256 at rest, TLS 1.3 in transit, application-layer encryption for PII | Defence in depth |
| Auth | OpenID Connect with MFA, session-bound tokens | Regulatory expectation for healthcare access |
| Audit | Immutable append-only log (every read, write, export) | MDR and GDPR evidence requirements |
Automated compliance evidence
The most expensive part of healthcare software is not building it — it is proving to regulators that you built it correctly. Design History Files, risk management records, traceability matrices, test evidence. We automate as much of this as possible: CI pipelines that generate test-coverage reports, deployment logs that map to requirement IDs, and audit trails that export in the format your Notified Body expects. This is not glamorous work but it is the difference between a three-month certification process and a twelve-month one.
National frameworks to watch
- Germany DiGA: Digital Health Applications that want reimbursement through statutory health insurance must pass BfArM evaluation. The bar includes interoperability (FHIR), data security, and clinical evidence.
- Netherlands NEN 7510: The Dutch information security standard for healthcare. Essentially ISO 27001 with healthcare-specific controls. Mandatory for any organisation processing Dutch health data.
- UK DCB 0129 / 0160: Clinical risk management standards for health IT systems. Required for NHS suppliers.
- Belgium eHealth: The Belgian eHealth platform requires specific authentication (eID/itsme) and interoperability standards for healthcare software.
How we approach healthcare projects
We start every healthcare engagement with a regulatory triage: what classification does this product fall under, what data categories are involved, and what national frameworks apply. This shapes architecture decisions before a single line of product code is written. The result is a system that generates compliance evidence as a by-product of normal development, not as a separate workstream bolted on at the end.
Frequently asked questions
Direct answers to questions readers and AI assistants commonly ask about this topic.
Does all healthcare software need MDR certification?+
No. Only software intended to be used for a medical purpose — diagnosis, monitoring, treatment — falls under MDR. Administrative software (appointment scheduling, billing) and general wellness apps are typically exempt, though the boundary is narrower than most teams expect.
Can healthcare software use US cloud providers?+
Yes, but only in contractually firewalled EU regions with explicit Data Processing Agreements and Supplementary Measures as required post-Schrems II. The safest option for sensitive clinical data is a European-headquartered provider or a dedicated EU instance.
How long does healthcare software certification take?+
For Class I self-certification: 2-4 months if you have documentation ready. For Class IIa/IIb through a Notified Body: 6-18 months depending on complexity, clinical evidence requirements, and the body's backlog. Starting compliance architecture from sprint one significantly shortens the timeline.
What is the DiGA framework in Germany?+
DiGA (Digitale Gesundheitsanwendungen) is a German regulatory pathway that allows digital health apps to be prescribed and reimbursed through statutory health insurance. Apps must pass BfArM evaluation covering data security, interoperability (FHIR), usability, and clinical benefit evidence.
Last updated: April 27, 2026 · Written by Ribbsaeter Systems Engineering · Healthcare & Compliance Engineering