EU confirms app stores and developers are subject to medical device laws

The European Union’s regulatory framework for medical device software (MDSW) has evolved with the adoption of two significant Medical Device Coordination Group (MDCG) guidelines this June.

MDCG 2019-11 revision 1 updates the 2019 guidance on medical device software (MDS) qualification and classification, introducing enhanced concepts on modular software structures and referencing the European Health Data Space (EHDS). Meanwhile, MDCG 2025-4 clarifies the responsibilities of online operators such as app platform providers. It reinforces their roles as economic operators under the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), outlining specific obligations for safe market entry and post-market compliance.

Updates to the 2019 regulatory approach

The June revision of MDCG 2019-11 – published nearly four years earlier – brings important clarifications for app, software and algorithm developers on which types of digital technologies qualify as medical devices.

Responsibility for qualifying software and ensuring appropriate classification under the MDR and IVDR rests with the legal manufacturer. However, parties further along the digital supply chain – such as distributors or importers – may also assume regulatory obligations, and others parties may too as a result of their roles (for instance, where they assemble or relabel products).

The scope now explicitly extends to medical device artificial intelligence (MDAI) and the MDR's annex XVI products, meaning those without a direct medical purpose.

The guidance further underscores that every software function intended for a medical use must reflect a precise, unambiguous intended purpose and be supported by appropriate clinical evidence, with particular attention given to complex modular software structures.

The approach to classification is also now more granular: under rule 11 of the MDR, any software influencing diagnosis or therapy is generally class IIa, but it may shift to class IIb or III depending on the risks associated with erroneous outputs, while software "intended to prevent illness" is now also more tightly regulated.

Claims of interoperability with electronic health records require not only compliance with the MDR and IVDR but also with forthcoming EHDS standards, signalling higher expectations for technical, cybersecurity and documentation controls. The link to EHDS regulation is particularly relevant for software claiming electronic health record exchange functionality.

Apps and online platforms providers

MDCG 2025-4 complements this approach by focusing on providers who enable MDS apps to reach end users.

It distinguishes between online marketplaces that act solely as hosting providers – without taking ownership of MDR- or IVDR-regulated apps – and those that acquire the software prior to supply. This distinction is among key criteria to determine whether an entity acts as a distributor under article 14 of the MDR or IVDR, or as an importer under article 13 if the manufacturer is established outside the EU.

This status carries significant responsibilities, including pre-download verification of CE marking, the presence of a unique device identifier (UDI), compliance with language and instructions for use (IFU) requirements and access to appropriate documentation. Strict post-market obligations also apply, encompassing vigilance, event reporting, traceability and ongoing cooperation with national authorities should risks or safety events arise.

The MDCG further specifies the information platforms must obtain from each developer – such as name and address, single registration number, UDI device identifier, description of intended purpose, warnings and a direct link to the electronic IFU – and encourage platforms to ensure clear, transparent labelling for app users. The use of a prominent "Medical Device" category is recommended to distinguish certified products from wellness apps.

Entities subject to the Digital Services Act may have additional obligations, but these do not displace the core requirements under MDR and IVDR.

The emerging AI regulatory layer

While the two MDCG guidelines do not exhaustively address artificial intelligence (AI)-specific regulation, MDCG 2019-11 revision 1 expressly recognises that MDAI falls within the MDR and IVDR frameworks, and thus adheres to existing qualification and classification principles.

More recent MDCG communications highlight that AI software embedded in medical devices may be considered "high-risk AI systems" under the EU AI Act, with supplementary obligations for data quality, transparency, human oversight and continuous monitoring. The interpretation of rule 11 in the revised guidance is also expanded to cover software intended to prevent illness, bringing many predictive AI applications into class IIb or higher – indicating they will likely be subject to both MDR and the recently adopted AI Act's requirements in the future.

Osborne Clarke comment

The latest MDCG guidelines highlight a regulatory environment in the EU that is growing in depth and reach for software-based medical devices and diagnostics.

Online market places, platforms and those providing software or algorithms should consider at what point their activities make them economic operators under the currently revised MDR and IVDR, as this status brings a suite of conformity checks, transparency duties and incident reporting requirements. Manufacturers are expected to adopt detailed, explicit intended purposes, segment modular architectures accurately into medical and non-medical components and support every medical claim with clinical data and risk management.

The increasing intersection with evolving AI regulation and health-data interoperability frameworks demands integrated compliance strategies. This maturation requires early engagement and cross-disciplinary coordination between regulatory, clinical, cybersecurity and legal functions across sectors – including the retail and consumer sector and the technology, media and communications sector – to navigate the layered medtech regulatory environment efficiently.