BfArM Guidance on Fast-Track Process for Digital Health Applications: General Requirements – RegDesk

The new article provides an overview of the general requirements to be followed when filing submissions associated with digital health applications.

The German regulating authority in the sphere of healthcare products (BfArM – Federal Institute for Drugs and Medical Devices) has published a guidance document dedicated to the fast-track process for digital health applications (DiGA) intended to be used in Germany. 

The document provides an overview of the regulatory requirements set forth by SGB V, as well as additional recommendations and clarifications to be taken into consideration by medical device manufacturers (software developers) in order to ensure compliance with those requirements.

At the same time, provisions of the guidance are non-binding in their legal nature, and the authority reserves the right to introduce changes to them, should such changes be reasonably necessary to reflect corresponding amendments to the underlying legislation.

DiGA, or digital health applications, are medical devices that are listed in a directory according to Section 139e SGB V.

To be listed, these applications must meet stringent requirements to ensure their safety, functionality, and overall quality. 

The present guidance provides an overview of these requirements, how they are structured, and how they are assessed.

Requirements for Listing a DiGA

According to the document, three core requirements must be met for a DiGA to be listed:

  1. Safety and Functionality: The DiGA must be safe and functional for its intended purpose. This is crucial since it is a medical device and any malfunction or failure could have serious health implications for the user.
  2. Data Protection and Security: Since many DiGA applications handle sensitive personal and medical data, it becomes vitally important to ensure that they have robust data protection and security mechanisms in place. These measures not only ensure the privacy and safety of the user’s data but also contribute to trust in the system.
  3. Quality, with an emphasis on Interoperability: The quality of the DiGA is vitally important. According to the document, the application should be interoperable, meaning it can work seamlessly with other devices or systems, ensuring efficiency and ease of use.

Assessment and Verification by BfArM

To be listed, the DiGA provider must prove to the BfArM that they meet all the above requirements.
The basis for this proof comprises checklists outlined in Annexes 1 and 2 of the DiGAV. If required, the BfArM can ask for additional evidence during the application review.
As part of the submission process, the BfArM also needs free access to the DiGA.

Despite BfArM’s assessment, the DiGA manufacturer remains responsible for ensuring that their application adheres to all legal, data protection, and security requirements. 

If any information provided during the application process is found to be false or outdated, there might be sanctions, which could include removal of the DiGA from the directory or monetary penalties.

Structure of the Checklists

The checklists provided in the DiGAV are designed to facilitate a thorough assessment of the DiGA’s compliance with requirements. These checklists are divided into two annexes:

Appendix 1 covers data protection and security.
This section ensures that the DiGA’s data handling and protection mechanisms are up to the current state of the art.
Manufacturers must consider the specific risks associated with their DiGA when selecting protective measures.

Appendix 2 focuses on interoperability, robustness, consumer protection, user-friendliness, quality of medical content, and patient safety.
Given that DiGA represents an evolving technology, the requirements in this annex can change, reflecting the innovation potential of DiGA.

For both appendices, criteria are verified using yes/no statements.

However, it is important to mention that not all criteria apply to every DiGA.

For those that don’t, a “not applicable” response can be given without any negative consequences, as long as it is justified adequately.

Safety and Functionality

As further explained by the authority, to prove safety and functionality, a DiGA manufacturer must present either a certificate of conformity/EC certificate from a notified body or a manufacturer’s declaration of conformity. 

Typically, the BfArM only verifies the formal legality of CE marking for this requirement.

Certification Constraints

While the certification is a crucial step, some manufacturers may face challenges in getting timely appointments due to high demand.

However, in accordance with the applicable regulatory requirements, no exceptions are allowed. 

A completed conformity assessment and a proven CE marking showcasing the DiGA’s marketability are mandatory for inclusion in the directory.


In summary, the guidance additionally emphasizes the importance of ensuring the safety, functionality, and quality of DiGAs given their potential impact on public health.

The rigorous process of verification and assessment is introduced to ensure that only compliant and high-quality applications make it to the directory, safeguarding users’ interests and health.
