MDCG 2025-04 Rev.0
Guidance on the safe making available of medical device software (MDSW) apps on online platforms
Disclaimer: This document is an interactive version of the original MDCG document. We will keep it up-to-date.
This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission.
Table of Contents
1. Introduction
Software Applications (Apps) are significantly changing our way of living, helping in various aspects of our daily lives, including healthcare. Medical device software (MDSW) Apps cover an extensive variety of uses such as those intended to drive insulin pumps, detect and diagnose skin cancers (e.g. melanoma) etc.
These apps are directly available on app platforms for download and use by patients. Their safety and compliance with the safety and performance requirements of the Medical Devices Regulations (1) is paramount. It is therefore of crucial importance that app platform providers enable manufacturers of MDSW to fulfil their requirements including but not limited to the transparency requirements set out in the MDR/IVDR.
This guidance aims to describe the obligations of app platform providers and their respective responsibilities under the MDR/IVDR as well as the Digital Services Act (DSA) (2), which introduces requirements for online intermediary service providers.
In accordance with Article 103 (8) of Regulation (EU) 2017/745 on Medical Devices (MDR) and Article 98 of Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR), this MDCG guidance provides clarifications regarding the role and responsibilities of app platform providers when facilitating the making available of medical device software (MDSW) (3) apps on the Union market. This guidance also provides information regarding information which should be provided by medical device manufacturers when making available their MDSW Apps.
2. Regulatory considerations
For the purpose of this guidance, the following definitions set out in Article 2 of the MDR and IVDR are of relevance:
“Placing on the market” means the first making available of a device, other than an investigational device / a device for performance study, on the Union market;
“Making available on the market” is defined as any supply of a device, other than an investigational device/ a device for performance study, for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.
“Putting into service” is defined as the stage at which a device, other than an investigational device / a device for performance study, has been made available to the final user as being ready for use on the Union market for the first time for its intended purpose.
A “manufacturer” means a natural or legal person who manufactures or fully refurbishes a device or has a device designed, manufactured or fully refurbished, and markets that device under its name or trademark;
An “importer” is defined as any natural or legal person established within the Union that places a device from a third country on the Union market.
A “distributor” is defined as any natural or a legal person in the supply chain, other than the manufacturer or the importer, that makes a device available on the market, up until the point of putting the device into service.
Additionally, the following definitions set out in Article 3 of the DSA are of relevance:
An “intermediary service” means one of the following information society services:
(i) a ‘mere conduit’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network;
(ii) a ‘caching’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their request;
(iii) a ‘hosting’ service, consisting of the storage of information provided by, and at the request of, a recipient of the service;
An “online platform” means a hosting service that, at the request of a recipient of the services, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation.
3. Medical Device Software (MDSW) apps on the Union market
On the basis of the New Legislative Framework, as clarified in the Commission notice ‘The “Blue Guide” on the implementation of EU product rules 2022’, the general rule is that more than one legal act of Union harmonisation legislation, such as the MDR and the IVDR and the DSA, may be applicable to one product, since the making available or putting into service can take place only when the product complies with all applicable Union harmonisation legislation.
Taking into consideration the definitions set out in the MDR and IVDR (some of which are outlined in section 2 of this document), the upload of a MDSW app by a manufacturer corresponds to the “placing on the market”. The time during which the MDSW app is available via the app platform provider corresponds to the “making available on the market” accordingly. Where an app platform provider is making its own MDSW available to users/patients, the app platform provider fully qualifies as an economic operator in the distribution chain of that medical device.
Note: the definition of “making available on the market” means any supply of a device in a commercial activity, whether in return for payment or free of charge.
Where the app platform provider only offers third party MDSW, it is only acting as an intermediary service between the app manufacturer and the user/patient downloading the app.
Taking into account the above regulatory considerations, two setups can currently be envisaged in regard to how MDSW apps are made available on the Union market, which will apply differently as they cover different roles, on a pure or hybrid model (for instance in case of existence of own and third-party apps).
3.1. App platform provider as an intermediary service provider under the DSA
In some cases, app platform providers may qualify as intermediary service providers and play a critical role in linking MDSW app manufacturers with patients.
In accordance with Article 3(i) of the DSA, an “online platform” means a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of the DSA.
If the app platform provider acts as an intermediary service provider, including as an online marketplace, i.e. an online platform allowing consumers to conclude distance contracts with traders, where the product is made available to the user by the manufacturer, importer or distributor, then the app platform provider should in those circumstances not be considered either a distributor nor an importer and thus not an economic operator, In this case, overarching DSA principles as liability exemption (Article 6) and non-general monitoring obligations (Article 8) fully apply.
Online platforms allowing users and patients to conclude distance contracts with traders (e.g manufacturers under the MDR and IVDR) are subject to requirements under the DSA, which include and are not limited to:
✔︎ Notification of illegal content: Providers of hosting services, including online platforms, should put in place a notice and action mechanism for the content considered illegal that is present on their services. Such notices are deemed to give rise to actual knowledge or awareness and require the providers of hosting services to take timely and diligent decisions. In accordance with the MDR/IVDR and the DSA, national competent authorities for medical devices may issue orders (Article 9 and 10 DSA) to app perform providers, to remove illegal content related to medical devices, such as non-compliant or unsafe products.
✔︎ Transparency and compliance requirements: App platform providers, to the extent they qualify as online platforms allowing users and patients to conclude distance contract with traders (e.g. software device manufacturers/app developers), should ensure that their online interface is designed and organised in a way that enables traders (e.g. software device manufacturers/app developers) to comply with their obligations regarding, among others, compliance and product safety information under EU law, including for example requirements for the provision of information to users and patients under Annex I of the MDR and IVDR (Article 31 DSA), see also section 4 on “information obligations” below for more information. To ensure a safe, trustworthy and transparent environment, they should make best efforts to assess whether the required information about traders including their contact data (Article 30 DSA) is reliable, complete and available to their users.
✔︎ Accountability: Furthermore, Very Large Online Platforms, including app platform providers designated by the Commission, are subject to the risk assessment framework obligations. Among others, they must assess the risk of the dissemination of the illegal content, through their services and implement reasonable, proportionate and effective mitigating measures.
3.2. App platform providers as distributors or importers
Where the manufacturer makes a MDSW app available to an app platform provider in a commercial or non-commercial activity, and the app platform provider in turn makes that product directly available to the user as a distributor or importer by for example transferring the ownership or other right, then that app platform provider shall be subject to the relevant requirements laid down in Article 14 of the MDR and IVDR.
It should be noted that, if the manufacturer resides in a third country and the app platform provider is EU-based, the app platform provider would assume the role of an importer and is subject to the relevant requirements laid down in Article 13 of the MDR and IVDR. This is without prejudice to the additional requirements for the concerned non-EU manufacturer to appoint an authorised representative in the EU, without which the device may not be placed in the Union market.
By making MDSW apps available on their platforms under such conditions and the providers or that app platform are therefore qualified as distributors or importers according to MDR/IVDR. The DSA would not apply in those circumstances; instead, as distributors or importers they have specific obligations (non-exhaustive):
✔︎ Ensuring compliance: App platform providers must ensure that such apps comply with the requirements of the MDR and IVDR. This includes ensuring the safety, performance, and data protection aspects of those apps.
✔︎ Cooperation with authorities: App platform providers must cooperate with competent authorities, including providing them with information and documentation related to such apps available on their platforms.
4. Information obligations
This section intends to provide an overview of the information obligations which should be provided and made available to patients on app platforms. The following list contains information which should be supplied with the MDSW according to the MDR and IVDR and made available on app platforms. It also aims to facilitate the fulfilment of the DSA requirements by app platform providers.
4.1. Information to be requested from MDSW manufacturers and available to patients on app platform
Furthermore, in accordance Article 31 (1) and Article 31 (2) of the DSA, such platforms shall ensure that their online interface is designed and organised in a way that it allows traders, including medical device manufacturers, to provide at least the following:
a) the name, address, telephone number and email address of the economic operator as defined in Article 3, point (13), of Regulation (EU) 2019/1020 and other Union law,
b) the information necessary for the clear and unambiguous identification of the products or the services promoted or offered to consumers located in the Union through the services of the providers, including the MDSW.
c) any sign identifying the trader such as the trademark, symbol or logo;
d)where applicable, the information concerning the labelling and marking in compliance with rules of applicable Union law on product safety and product compliance (see more details below on the applicability of this provision with regard to the MDR and IVDR (Annex I Chapter III).
4.2. Clear product categories on app platforms: Medical Device (versus Health, Lifestyle, Medical)
For patients to unambiguously identify MDSW apps, it is recommended that app platform providers create a clear delineation in their libraries between MDSW apps and health apps with no intended medical purpose. This category should be an option selected by MDSW app manufacturers when making available their products with the app platform provider and should only be obtainable where the above information has been provided.
4.2.1. Information concerning the labelling and marking in compliance with rules of the MDR and IVDR
(*mandatory fields)
Product information
− The name or trade name of the device;*
− The name, registered trade name or registered trademark of the manufacturer and the address of its registered place of business; and Single Registration Number (SRN) *
− MD or IVD symbol or indication *
− Clear description of the device and its intended purpose, *
− Warnings or precautions to be taken that need to be brought to the immediate attention of the user of the device, and to any other person. This information may be kept to a minimum in which case more detailed information shall appear in the instructions for use, taking into account the intended users; *
− Link to eIFU, *
− Unique Device Identification number (UDI-DI), *
Legal compliance information: (additional information (where applicable))
− Authorised Representative (4) name and address,
− Notified body number,
− Certificate number,
Operating requirements: (additional information (where applicable))
− Any particular operating instructions,
− Information on whether a hardware medical device available from the manufacturer is also required for use as part of the device or accessories,
− Minimum requirements for hardware, setup and connection and security.
4.3. Information obligations for app platform providers considered as intermediary services providers
In accordance with Article 31(3) of the DSA, providers of online platforms allowing consumers to conclude distance contracts with traders, including the providers of app platform providers, should make best efforts to assess whether such traders have provided the required information prior to allowing them to offer their products or services on those platforms. After allowing the trader to offer products or services on the online platform that allows consumers to conclude distance contracts with traders, the provider shall make reasonable efforts to randomly check in any official, freely accessible and machine-readable online database or online interface whether the products or services offered have been identified as illegal.
In addition, Very Large Online Platforms, including app platform providers designated by the Commission, must comply with Article 34 and 35 of the DSA which require them to conduct risk assessments and mitigate those identified risks. In terms of risk assessments, they must at least on an annual basis diligently identify, analyse and assess any systemic risks stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services. This includes but is not limited to systematic risks arising from the dissemination of illegal content through their services.
Footnotes
(1): Regulation (EU) 2017/745 on medical devices and Regulation (EU) 2017/746 on in vitro diagnostic medical devices
(2): Regulation (EU) 2022/2065 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)
(3): MDCG 2019-11 defines ‘Medical device software’ as software that is intended to be used, alone or in combination, for a purpose as specified in the definition of a “medical device” in the medical devices regulation or in vitro diagnostic medical devices regulation.
(4): Article 11 MDR / IVDR