Data-driven digital health businesses challenged with balancing AI advances and tighter regulation in 2026

Data has become the defining battleground for digital health. As artificial intelligence (AI) capabilities accelerate, interoperable health records gain traction and hyper-personalised care moves into the mainstream, digital health businesses face a fundamental tension: how to square patient and customer demand for tailored, tech-enabled services with regulatory constraints on data use that have never been more demanding.

The stakes are high. Misjudging the balance and getting it wrong carry real consequences for digital health businesses. But those that get it right stand to unlock competitive advantage, deepen patient trust and build sustainable growth. Digital health businesses enter 2026 on the back of a year of significant developments that have created more opportunities across the sector. Their challenge will be to exploit these openings while focusing on the governance frameworks, contractual safeguards and compliance strategies that will be needed to build and capitalise on market advantage.

Hyper-personalised healthcare

Digital health systems that once "personalised" predictable ways using basic standardised data categories are increasingly tailoring healthcare by integrating unique biological, genetic, lifestyle and environment influences. This shift to “hyper-personalisation” made outsized progress in 2025 and will reshape how digital health businesses deliver value and how service users engage and what they expect.

Hyper-personalisation

Hyper-personalisation was a central theme underpinning last July's the NHS' much-anticipated 10-year health plan. The UK government positioned hyper-personalisation as a main feature of its plans for an expanded Digital NHS App to evolve into the "front door' for primary care. The revamped app allows patients to manage appointments, receive AI-powered advice, manage medicines and long-term conditions, choose their preferred provider and access personalised care plans. Smart hospitals and AI-enabled support systems for administrative and clinical tasks are becoming the reality.

Hyper-personalisation is also a main aspect of the UK government's wearables strategy. Data gathered from wearables can be connected to the NHS App, enabling patients to be monitored remotely via virtual wards and healthcare to be administered proactively when needed.

Impact for digital health providers

Hyper-personalisation brings significant opportunities to improve patient outcomes and to differentiate their services in an increasingly competitive market. OpenAI's ChatGPT Health product announcement continues this trend and has been designed to allow users to receive personalised health information. However, hyper-personalisation will also introduce new challenges around compliance, data governance, and interoperability, particularly as regulatory frameworks such as the European Health Data Space Regulation and the UK's Data (Use and Access) Act 2025 continue to evolve.

Enhanced health data interoperability

Enhanced access to health data has been a common trend in recent UK and EU policy-making. 2025 was no exception and saw two key regulatory developments designed to enhance the interoperability of health data systems in the UK and EU.

Health data interoperability

The European Health Data Space Regulation (EHDS) entered into force on 25 March 2025 and will be phased in over several years. It creates a common European framework for accessing and sharing health data.

Of particular importance to digital health businesses it introduces:

• Extensive transmission obligations for health data holders for secondary purposes.
• Access and usage rights for health data users, such as research institutions and life sciences companies, for secondary purposes – among other changes it does this by expressly defining permitted secondary purposes, such as training, testing and evaluating algorithms in medical devices, AI systems, and digital health applications.
• Testing, standardisation and documentation obligations for manufacturers, importers and distributors of software and devices for electronic health records.

In the UK, the Data (Use and Access) Act 2025 introduced a framework for the implementation of information standards across health and care to drive interoperability, support consistent data sharing and give clearer legal footing for trusted access. Detailed standards and governance are still to come and alignment with EHDS is uncertain. However, the strategic goal is similar: better, safer and more efficient care by moving accurate health information securely to where it is needed for both direct care and, under safeguards, secondary uses such as analytics and AI.

Impact for digital health providers

These interoperability requirements will bring a multitude of new obligations for digital health providers such as obligations to meet new technical standards. However, they also bring significant opportunities to unlock the value in health data for secondary purposes, such as research and development and for training and improving AI models.

Clarity in health data classification and sharing

The distinction between personal, pseudonymised, and anonymised data has significant commercial and legal consequences for digital health businesses: it dictates the scope of data protection obligations, shapes the commercial viability of data sharing arrangements and secondary use cases, and directly affects a company's risk exposure when processing sensitive health information at scale. Two developments in 2025 – a ruling from the Court of Justice of the EU and guidance from the Information Commissioner's Office (ICO) – provided welcome clarity and opened possibilities for more flexible data sharing.

Health data classification and sharing

In 2025, case law and guidance brought useful clarity:

• The Court of Justice of the EU confirmed that pseudonymised data does not automatically constitute personal data for all parties. It adopted a "relative" approach to personal data, meaning the same dataset may be personal data in the hands of the original controller but potentially anonymous for a recipient who lacks any reasonable means to re-identify individuals.
• The decision above aligns with the historic approach taken by the UK's data regulator, the ICO, who reinforced its positions through updates to its anonymisation and pseudonymisation guidance. That guidance also provides useful clarity around the ICO's expectations about governance and risk assessments when organisations claim that data is no longer personal.

Impact for digital health providers

These updates are more about evolution of existing law than revolution. But they are particularly significant for digital health businesses because they open possibilities for more flexible data-sharing arrangements with research partners, analytics firms or AI developers, provided that robust pseudonymisation measures are in place and the recipient has no means to re-identify data subjects. They are also supported in the UK by changes under the Data (Use and Access) Act 2025 which are intended to benefit organisations that conduct research or use research results.

At-scale AI opportunities

Governments internationally continued to look to AI as transformative technology that will be central to the delivery of modernised healthcare. At the same time, 2025 brought more specific, enforceable expectations for how AI can be developed, deployed and governed that could have a direct impact on handling patient data and the compliance posture of many digital health businesses.

AI opportunities+

The NHS 10-year plan identifies AI as e the main area for digital health providers to concentrate on and in which to innovate. Whether using AI to generate insights from wearables, power NHS digital tools or interpret genomic data, the plan makes a big bet on AI seamlessly integrating into clinical pathways. AI is being rapidly embedded across diagnostics and clinical workflows.

The UK continued with its sector-led, principles-based approach with new intellectual property (IP) guidance for the NHS in England focusing on how NHS data, algorithms and methodologies are developed, owned and commercialised, including value sharing and transparency expectations when partnering with commercial AI developers. This is already shaping how suppliers structure data access, IP, liability and audit rights in AI-focused NHS contracts.

The UK government has doubled down on investing in secure national health-data platforms to accelerate research and innovation including with a major £600 million health-data research hub.

The EU also saw a continued shift to specific expectations over how AI can be developed and deployed. For example:

The European Data Protection Board issued an opinion on using personal data to train and deploy AI models, emphasising lawful basis, purpose limitation, data minimisation and transparency. It stresses that “compatible use”, and legitimate interests will not serve as blanket justifications for repurposing large health datasets for AI development. Digital health businesses seeking to use patient data for AI training must demonstrate clear legal grounds and appropriate safeguards.

The EU AI Act was finalised, with many digital health tools and AI‑enabled medical devices likely to be classed as high risk. For businesses in-scope, it will bring prescriptive requirements on risk management, data governance, documentation, human oversight, robustness and post-market monitoring – all of which should not be underestimated. The European Commission has since proposed targeted changes to the AI Act as part of its Digital Omnibus simplification initiative.

Impact for digital health providers

For digital health providers, the opportunities that AI brings are myriad. However, the message is clear: regulatory compliance for AI in health now demands detailed operational readiness and tangible compliance measures.

The year ahead

New regulatory frameworks for AI, data governance and patient privacy are emerging in response to rapid digitalisation. These should enhance trust and safety but will inevitably result in more complicated requirements for developers and digital health providers.

Across all of these areas, digital health businesses that proactively align product design, data governance, AI development and cybersecurity with evolving UK and EU standards will be best placed to capitalise on richer, more connected health data in 2026.

Osborne Clarke comment

Data is a constantly evolving area of law and there are significant broader legal and regulatory developments that digital health businesses will be looking to keep abreast of this year and beyond. Data, AI and cyber security regulatory developments on the horizon (see our latest Regulatory Outlook and life sciences-focused regulatory overview for further coverage) include:

• The European Commission is expected to publish further practical guidance during 2026, including on high-risk AI classifications likely to impact digital health companies with products in-scope.
• The European Commission's Digital Omnibus simplification initiative proposals will be debated in the European Parliament and the Council and are expected to progress to the trilogue stage in mid-2026.
• Further consultations on guidelines on the EHDS Regulation, with the regulation set to apply from 26 March 2027;
• The main changes to data protection and privacy law introduced by part 5 of the Data (Use and Access) Act 2025 are expected to come into effect early this year.
• The Cyber Security and Resilience (Network and Information Systems) Bill is expected to come into force at some point, with phased implementation to be delivered through secondary legislation. The bill is likely to capture digital health entities in the healthcare supply chain that were not previously regulated.

Osborne Clarke's Life Sciences and Healthcare team has an impressive track record of advising innovative businesses in the digital health sector on complex transactions. The team possesses extensive experience and expertise in the sector, acquired through advising founders, partners, and investors on business establishment, funding, technology licensing and commercialisation, full regulatory compliance – including AI and data – and successful exits.

Shereen Younis, a trainee solicitor with Osborne Clarke, contributed to this Insight.