ENHANCING DIGITAL

HEALTH INNOVATION
IN THE EU WITH
EFFECTIVE INDUSTRIAL
STRATEGY POLICIES –
A FOCUS ON WEARABLE
MEDICAL DEVICES
Authors: Richard Rak, Paul Quinn
Editor: Bianca Ciui, Joint Research Centre

2024
Joint
Research
Centre
This publication is an External Study report prepared for the Joint Research Centre (JRC), the European Commission’s
science and knowledge service. It aims to provide evidence-based scientific support to the European policymaking process.
The contents of this publication do not necessarily reflect the position or opinion of the European Commission. Neither the
European Commission nor any person acting on behalf of the Commission is responsible for the use that might be made
of this publication. For information on the methodology and quality underlying the data used in this publication for which
the source is neither Eurostat nor other Commission services, users should contact the referenced source. The designations
employed and the presentation of material on the maps do not imply the expression of any opinion whatsoever on the part
of the European Union concerning the legal status of any country, territory, city or area or of its authorities, or concerning
the delimitation of its frontiers or boundaries.

Contact information
Name: Bianca Ciui
Address: European Commission, Rue du Champ de Mars 21, 1050 Brussels, Belgium
Email: [email protected]

EU Science Hub
https://joint-research-centre.ec.europa.eu

JRC138798

PDF ISBN 978-92-68-19839-1 doi:10.2760/88816 KJ-02-24-846-EN-N

Luxembourg: Publications Office of the European Union, 2024

© European Union, 2024

The reuse policy of the European Commission documents is implemented by the Commission Decision 2011/833/EU
of 12 December 2011 on the reuse of Commission documents (OJ L 330, 14.12.2011, p. 39). Unless otherwise noted,
the reuse of this document is authorised under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence
(https://creativecommons.org/licenses/by/4.0/). This means that reuse is allowed provided appropriate credit is given and
any changes are indicated.

For any use or reproduction of photos or other material that is not owned by the European Union, permission must be sought
directly from the copyright holders. The European Union does not own the copyright in relation to the following elements:
– Page 82, Figure 2, source: Hermes, Riasanow, Clemens et al. (Ref. 402), licensed under CC BY 4.0
– Page 92, Figure 3, source: mHealth Belgium (Ref.466)
First and chapter cover pages illustrations: © European Union – Graphic design by Missing Element

Visual representation of the report has been prepared by professional graphic designers based on briefings provided;
these are intended to be indicative rather than fully comprehensive, with potential future use to easily demonstrate the
key messages of the report.

How to cite this report: European Commission, Joint Research Centre, Rak, R. and Quinn, P., Enhancing Digital Health Inno-
vation in the EU with Effective Industrial Strategy Policies – A Focus on Wearable Medical Devices, Ciui, B. (ed.), Publications
Office of the European Union, Luxembourg, 2024, https://data.europa.eu/doi/10.2760/88816, JRC138798.
 JRC EXTERNAL STUDY 1

Contents

Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1 Background, significance and EU policy context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.2 Focus of the report: wearables in telemedicine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Objectives and methodological approach of the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2. Technological aspects of wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.1 Core enabling technologies and technical components of wearable medical devices . . . . . . . . . . . . . 16
2.2 Wearable medical devices as part of telemedicine systems and IoT networks . . . . . . . . . . . . . . . . . . . 17
2.3 Communications patterns of wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.4 Functional-service roles in the ecosystem of wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . 19
2.5 Integration of other enabling technologies and techniques with wearable medical devices . . . . . . . 19
2.5.1 Integration of cloud and scalable distributed computing with wearable medical devices . . . 19
2.5.2 Integration of data science techniques (such as AI systems) with wearable medical devices20

3. EU regulatory framework applicable to wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.1 Safety, performance and quality requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.1.1 EU product safety framework applicable to wearables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.2 The qualification of the physical hardware and interconnected software components of
a wearable as ‘medical device’ under the Medical Device Regulation . . . . . . . . . . . . . . . . . . . . 25
3.1.3 Risk classification rules for wearable medical devices under the Medical Device Regulation 34
3.1.4 Health, safety and fundamental rights requirements for AI-enabled wearable medical
devices under the AI Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.2 Cybersecurity and interoperability requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2.1 Cybersecurity and wearable medical devices: background sketch . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2.2 Cybersecurity requirements in EU product harmonisation legislations . . . . . . . . . . . . . . . . . . . . 38
3.2.3 Cybersecurity requirements in cybersecurity-specific EU legislations . . . . . . . . . . . . . . . . . . . . . 44
3.2.4 Cybersecurity requirements in EU legislations focusing on the use of data . . . . . . . . . . . . . . . 46
3.2.5 Interoperability requirements in EU legislations for wearable medical devices . . . . . . . . . . . . 49
3.3 Privacy, data protection and data governance requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.1 Privacy and data protection frameworks applicable to wearable medical devices (under
EU law): an overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.2 The scope of ‘personal data’ and ‘electronic health data’ in the context of using
wearable medical devices (under the General Data Protection Regulation and the
European Health Data Space) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.3.3 Rights of natural persons (data subjects) in relation to the primary use of personal
electronic health data concerning them using wearable medical devices (under the
General Data Protection Regulation and the European Health Data Space) . . . . . . . . . . . . . . . 59
3.3.4 Controllership when deploying wearable medical devices for primary use of personal
electronic health data (under the General Data Protection Regulation) . . . . . . . . . . . . . . . . . . . 64
3.3.5 The rights and obligations of users and data holders in accessing, using or making
available product data from wearable medical devices and related service data, and
the right of the user to share those data with third parties (under the Data Act) . . . . . . . . . . 65
2 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

3.3.6 Legal bases for processing personal electronic health data using wearable medical
devices for secondary use purposes, obligation of health data holders to make
available data from wearable medical devices for secondary use purposes, and the
related rights of natural persons (under the General Data Protection Regulation and the
European Health Data Space) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.4 Protection and governance of IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.1 IP rights relevant to wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.2 Governance of IP rights when making available data from wearable medical devices
for secondary use purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.5 Comparative regulatory outlook: US perspectives on wearable medical devices . . . . . . . . . . . . . . . . . 74
3.5.1 Privacy / data protection requirements in the US . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.5.2 Regulation of medical devices in the US . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3.5.3 FDA’s initiative to foster the ‘Home Care Environment’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

4. Competitiveness issues affecting the wearable medical device market in the EU . . . . . . . . . . . . . . . . . . 81

4.1 Market ecosystem: an overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

4.1.1 Researchers (research institutes and universities) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.1.2 Medical device companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.1.3 Pharmaceutical companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.1.4 Tech companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.1.5 Healthcare providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.1.6 Patients (and their representatives) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.1.7 The market ecosystem of wearable medical devices: implications for policy-making . . . . . . 87
4.2 Value assessment and reimbursement frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.2.2 Factors influencing reimbursement of wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . 88
4.2.3 National value assessment and reimbursement schemes (with country examples) . . . . . . . . 90
4.2.4 Resolving reimbursement issues of wearable medical devices: initiatives and suggestions . 94
4.3 Technology transfers relating to wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.3.1 Significance of technology transfers relating to wearable medical devices . . . . . . . . . . . . . . . 95
4.3.2 Policy measures for driving technology transfer in relation to wearable medical devices . . . 96
4.4 Human factors (digital health literacy and trust) and healthcare organisation . . . . . . . . . . . . . . . . . 101
4.5 Case studies: drivers and barriers affecting innovation and technology transfers in relation to
wearable medical devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.5.1 Manufacturer of wearable medical devices (I.): Philips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.5.2 Manufacturer of wearable medical devices (II.): ResMed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
4.5.3 University involved in technology transfers in relation to wearable medical devices:
Vrije Universiteit Brussel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.5.4 Deployer of wearable medical devices: European Society of Cardiology . . . . . . . . . . . . . . . . . 108
4.5.5 End users (patients’ perspectives) of wearable medical devices: EURORDIS – Rare
Diseases Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
 JRC EXTERNAL STUDY 3

Abstract

The report analyses trends, opportunities, challenges the technological aspects of wearable medical devices
and barriers affecting digital health, and specifically, in the context of IoT-enabled telemedicine systems.
the innovation, deployment and use of wearable It provides a cross-legislative analysis on how an
medical devices in the EU. The use of digital health emerging new EU regulatory framework (including
solutions along the patient pathway could drive the the MDR, AI Act, GDPR, EHDS, Data Act and Cyberse-
integration of clinical services and telemedicine to curity Act) may apply to wearable medical devices.
refine and enhance hybrid healthcare delivery models. The report also addresses key factors affecting the
In that context, wearable medical devices could play an competitiveness of the ecosystem of wearable med-
increasingly important role in enabling remote health ical devices in the EU, including problems posed by
promotion, diagnoses, monitoring and treatments. In heterogenous value assessment and reimbursement
turn, that could help to advance patient-centred care frameworks, as well as the significance of technology
and make health systems more efficient. Despite their transfers and human factors. The report concludes
potential, there are significant challenges and barri- with recommendations to adopt necessary policy
ers hindering the further development and uptake of measures and corrective legislative interventions in
wearable medical devices in the EU. The report covers order to help the ecosystem to thrive.
4 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Authors

Dr. Richard Rak, Ph.D.

Digital lawyer and innovation policy expert

Prof. Paul Quinn, Ph.D.

Professor of Law, Vrije Universiteit Brussel

Unless indicated otherwise, the views expressed in this report are purely those of the authors and may not
in any circumstances be regarded as stating an official position of the European Commission or any other
organisation. The report is intended for informational purposes and does not constitute legal advice.

Lead Study Coordinator and Editor: Bianca Ciui, Ph.D. (European Commission, DG Joint Research Centre,
B.6. Industrial Strategy, Skills and Technology Transfer)

Acknowledgements

The authors are grateful to the following for their coordination work, early reading of the report and feedback:

European Commission:

Alessandro Fazio (DG Joint Research Centre, B.6. Industrial Strategy, Skills and Technology Transfer)
Asuncion Fernandez-Carretero (Head of Unit, DG Joint Research Centre, B.6. Industrial Strategy, Skills and
Technology Transfer)
Claudius Benedict Griesinger (DG Joint Research Centre, F.2. Technologies for Health)
Antonio Puertas Gallardo (DG Joint Research Centre, F.7. Digital Health)
Amalia Munoz Pineiro (DG Joint Research Centre, F.7. Digital Health)
Mario Gabrielli Cossellu (DG SANTE, D.3. Medical Devices)
Eric Fribourg-Blanc (Chips Joint Undertaking)

The authors express their sincere gratitude to the following for sharing their insights as key stakeholders and
contributing to the preparation of case studies in this report:

European Society of Cardiology: Rubén Casado, Enrico Gianluca Caiani, Maria Luisa Ronconi
EURORDIS – Rare Diseases Europe: Jelena Malinina
Philips: Aleksandra Appelfeld, Roderick van Leerdam
ResMed: Justine Vandenbosch, Antoine Audry, Bruno Sicre, Nadia Bjorkquist, Jeff Armitstead
Vrije Universiteit Brussel (including UZ Brussel): Suzy Renckens, Thomas De Doncker, Tessa Braeckman,
Audrey Van Scharen, Pieter Cornu
 JRC EXTERNAL STUDY 5

Executive summary

This report is tasked with “Enhancing Digital Health embodied computing technologies (sensors or actu-
Innovation in the EU with Effective Industrial Strategy ators), in integration with accessory materials or
Policies” by analysing trends, opportunities, challenges medicinal substances, placed on the human body (as
and barriers that affect the innovation, deployment part of a body area network) to provide human-phys-
and use of wearable medical devices in the EU. The iological sensing and/or actuating capabilities.” The
report covers the following topics: report focuses on wearables that qualify as a ‘medical
device’, i.e. the physical hardware and interconnected
software components of the device are intended by its
Policy context: digital transformation in manufacturer to be used, alone or in combination, for
European health systems and the potential human beings for one or more of the specific medical
role of wearables purposes defined under the Medical Device Regulation
(MDR) to deliver telemedicine.
The health systems of EU Member States are facing
common challenges, including growing demand for
healthcare due to population ageing, rise of chronic Technological aspects of wearable medical
diseases and multi-morbidity; shortages and uneven devices
distribution of health professionals; inequities and
inequalities in access to healthcare; and increasing A wearable medical device consists of physical hard-
healthcare expenditures. To cope with unsustainable ware and interconnected (embedded or externally
trends and achieve system-wide changes, health functioning) software components. In a telemedicine
systems need to advance digitalisation and digital system, a wearable medical device functions as a
transformation. The EU and Member States should node in an IoT network that enables remote connection
adopt a mix of impactful policy measures to leverage between a patient (end user) and a healthcare provider.
the value of data and digital technologies, address A wearable medical device can allow “anytime-any-
barriers, facilitate the scalability of effective digital where” connectivity and is typically connected to a
health solutions, and develop a research- and inno- platform service, which provides computing resources
vation-friendly environment. The use of digital health for processing operations along the “cloud-to-device
solutions along the patient pathway could drive the continuum”. A wearable medical device may have
integration of clinical services and telemedicine (i.e. (embedded or externally functioning) data science (AI)
delivery of clinical/medical services at a distance) to capabilities. It can allow real-time and longitudinal
refine and enhance hybrid healthcare delivery models. data analyses (potentially in combination with data
In that context, wearables could play an increasingly from other sources) in the direct benefit of the patient
important role in enabling remote health promotion, or for secondary use (e.g. public health, health research
diagnoses, monitoring and treatments. In turn, that and innovation) purposes. While such advancements
could advance patient-centred care (by empowering are often enabled by collaboration between multiple
patients outside health institutions) and make health actors, their complex mesh of functional roles poses
systems more efficient (in terms of performance, challenges in clearly setting/allocating rights and obli-
costs and outcomes). However, despite their sig- gations in telemedicine systems.
nificant potential, there are several challenges and
barriers hindering the further development and uptake
of wearables in the EU. EU regulatory framework applicable to
wearable medical devices

Focus of the report: wearable medical devices There is a rapidly growing market for easy-to-access
in telemedicine and affordable wearables that can be used for a
variety of health-related (fitness, lifestyle, well-be-
The report defines ‘wearables’ as “Internet of Things ing etc.) purposes. Proper and consistent qualification
devices that possess connectivity, communications and risk classification are essential for ensuring the
and related data processing capabilities and utilise implementation of appropriate safety, performance
6 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

and quality requirements. Given the lack of certainty device users, and protection against any inference of
and awareness in this regulatory area, it would be sensitive information when personal data collected
useful to clarify in the MDR the conditions under which by wearable medical devices are anonymised (with
physical hardware and interconnected software com- residual risks).
ponents of a wearable qualify as a ‘medical device’,
and the application of related risk classification rules. As wearable medical devices provide data process-
In addition to that, there are uncertainties about com- ing functionalities, controllers must consider the
pliance requirements when a wearable medical device scope of personal data (concerning health) that they
qualifies as an ‘AI system’ under the AI Act, or which process and, as a consequence, what requirements
has a safety component that qualifies an AI system. are applicable under the GDPR. The practical chal-
For those cases, it would be important to have clarity lenge is that the increasing availability of potentially
about the exact interaction of (overlapping) require- complimentary data, together with ever-improving
ments under the MDR and the AI Act to eliminate computing prowess and consequent algorithmic power,
duplications and minimise additional burdens for are broadening the scope of personal data (concern-
conformity assessment procedures. ing health). Controllers must also ensure compliance
with other provisions of the GDPR, including inter alia
Medical devices (including wearable medical devices) the application of the rights of data subjects, which
must meet a broad range of cybersecurity require- may require considerable extra effort in the case of
ments. Whilst such requirements are essential inter wearable medical devices. Compliance obligations
alia to protect individuals from malicious attacks or are expected to be exacerbated with the introduction
theft of personal data, they pose compliance chal- of the concept of ‘electronic health data’ under the
lenges for manufacturers and healthcare providers. EHDS, which includes ‘personal’ and ‘non-personal’
One potential problem is that cybersecurity require- forms of electronic health data. Furthermore, there
ments for wearable medical devices are defined in are uncertainties about how rights provided to the
different legislative acts, including the MDR (or IVDR), data subject under the GDPR interact with rights pro-
the GDPR, the NIS2 Directive, the AI Act and the EHDS. vided to natural persons under the EHDS by virtue
Although those requirements are related and often of the fact that personal electronic health data con-
similar, they differ in subtle but important ways. Some cerning them is processed for primary use. Discerning
requirements refer to cybersecurity explicitly, whilst the subtle differences and complementarity between
others are more implicit. Their scope also differs, those rights and what they require in particular con-
which implies that wearable medical device manu- texts may pose significant challenges and potential
facturers must consider separate requirements for risks for stakeholders.
various device aspects. The EU Cybersecurity Act could
address some of those problems, as it provides for a The implementation of the GDPR’s rules regarding the
common cybersecurity scheme. However, it is unclear processing of data concerning health is fragmented
how it would interact with other legal frameworks, in the EU. For that reason, there is no clear answer
such as the GDPR or the MDR, which predate the to what the appropriate legal base combination is
Cybersecurity Act. It would be useful for the Medical for processing personal data (concerning health)
Device Coordination Group (MDCG) to issue new guid- using wearable medical devices. In general, there is a
ance on cybersecurity given that the existing guidance greater reliance on the ‘consent’ of the data subject in
predates the AI Act and the EHDS. the context of telemedicine. Another data processing
challenge stems from the growing number and vari-
In the context of wearable medical devices, it is impor- ety of actors involved in the deployment of wearable
tant to consider the overlaps and differences between medical devices in IoT-enabled telemedicine systems.
the ‘right to respect for private and family life’ and Increasingly complex ecosystems coupled with legis-
the ‘right to the protection of personal data’ under EU lative frictions make it challenging to determine who
law, as privacy protection covers circumstances that is the ‘controller’, ‘data holder’ and ‘health data holder’
personal data protection may not reach. This may be under the GDPR, Data Act and EHDS, and what are
the case, especially, in guaranteeing protection of the their respective obligations.
confidentiality of electronic communications of wear-
able medical devices, protection against the detection The Data Act ensures that the user has the right to
of the private environment of wearable medical access data generated by use of a wearable medical
 JRC EXTERNAL STUDY 7

device (as a connected product) or related service, and and in facilitating their uptake. This complex eco-
that the user can use the data, including by sharing system has been described as ‘non-linear’ in nature,
them with third parties of its choice. However, the which means that it is not feasible to simply apply
corresponding obligation of the data holder to make stimulus at one end and expect demand to be trans-
available vast amount of personal and non-personal mitted throughout. The development and production
data may generate risks due to the ambiguous inter- of wearable medical devices by manufacturers means
action of the Data Act with data protection and IP little if healthcare providers do not deploy them due to
laws. Similarly, the EHDS requires health data hold- various concerns. Similarly, the availability of effective
ers to make available data from (wearable) medical wearable medical devices means little if patients do
devices for secondary use purposes. However, that not know how to use them. To stimulate the wear-
may lead to implementation challenges and generate able medical device market, it would be important
significant risks, as the data categories for secondary to target each of these actors with appropriate (and
use are inconsistently defined in the EHDS and there complementary) policy measures. However, this is not
is uncertainty about the proper interaction of the obli- a simple matter given that policy initiatives are often
gations of (health) data holders under the EHDS and challenging to coordinate, requiring action at the EU,
other legislations. national and even regional levels.

The report also analyses intellectual property (IP) Certified wearable medical devices are typically
rights (including patents, utility model, copyright, more expensive to end users than wearables. For
database protection and trade secrets protection) this reason, the availability of a dedicated value
that are provided for researchers and innovators of assessment framework and reimbursement pathway
wearable medical devices under international and EU for digital medical devices would be a critical factor
law. The objective of IP protection is to provide rights in driving the uptake of wearable medical devices
to exclude certain third-party use of protected mate- in EU Member States. However, there is no single
rial or datasets. IP protection intends to strengthen or even dominant scheme and huge heterogeneity
incentives to invest resources in product development exists across the EU. There is also a lack of compre-
and marketing of new technologies. However, in as hensive research on how reimbursement for digital
much as IP protection operates through a right to health solutions function across the EU. Where there
exclude others, it may also inhibit competition and is no specialised pathway, approval for potential
innovation. For this reason, IP policies and laws should reimbursement needs to be secured through more
balance different rights and legitimate interests in generic pathways entailing extra costs and delays.
a positive-sum way that is suitable to facilitate the Some EU Member States (notably Belgium, Germany
development of patient-centric healthcare. In that and France) have recently developed schemes for
regard, a new requirement under the EHDS to make digital medical devices, which could allow the sharing
available electronic health data (inter alia from med- of best practices among Member States and lead to
ical devices) protected by IP rights, trade secrets and/ more cooperation in this area.
or covered by the regulatory data protection right
has been criticised for failing to provide adequate Technology transfer relating to wearable medical
and effective safeguards and control for health data devices plays a crucial role in driving innovation,
holders (and other rights holders). expanding market opportunities, improving cost-ef-
fectiveness, ensuring regulatory compliance and
fostering collaborations. The report proposes a mix
Competitiveness issues affecting the wearable of policy measures which could help stakeholders
medical device market in the EU to further benefit from technology transfers (either
as transferers or recipients of technology) with
The market ecosystem for wearable medical devices respect to the development and commercialisation
is complex and multi-faceted. Stakeholders include of wearable medical devices. Policy measures could
companies (encompassing large and small medical include facilitating multi-stakeholder collaborations
device manufacturers, as well as new entrants from (e.g. public–private, academic–industry), providing
the pharmaceutical and ICT sectors), healthcare pro- innovation and networking services, and developing
viders, researchers and patients. Each of them plays more effective funding schemes and reimbursement
an important role in the conception of new devices pathways. In addition to the fine-tuning of regulatory
8 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

frameworks (accompanied by responsible data stakeholders (manufacturers, health professionals,

governance and effective IP governance schemes), patients, academia) in the ecosystem of wearable
standardisation and interoperability need to be fur- medical devices. According to stakeholders, the most
ther facilitated. The modernisation of educational and significant barriers affecting the development and
training programs for health professionals, health pro- further uptake of wearable medical devices in the
curement and technology assessment professionals, EU are: the ambiguous and fragmented regulations;
and broader patient engagement would be important the lack of or disharmonised value assessment and
to increase skills, improve digital health literacy and reimbursement schemes; and the lack of specialised
build trust. The combination of top-down and bot- skills and digital health literacy. Focusing on those
tom-up approaches is important to drive the broader issues should be the starting point for developing
uptake of wearable medical devices in mutually ben- more effective industrial strategy and health policies
eficial ways. to support digital health innovation and the medical
technologies sector in the EU.
To supplement the research findings, the report incor-
porates case studies to showcase the insights of key
 JRC EXTERNAL STUDY 9

1. Introduction

1.1 Background, significance and EU digital health solutions, and develop a research- and
policy context innovation-friendly environment.6 Such policy inter-
ventions (or lack thereof) will determine whether
The health systems of EU Member States are under patients and European health systems will continue
significant pressure. Common challenges include: to have access to the most advanced solutions at the
growing demand for healthcare due to population same pace or faster than in other geographies. They
ageing, rise of chronic diseases and multi-morbidity1; will also determine whether the EU remains/becomes
shortages and uneven distribution of health profes- a global leader or a follower in clinical developments,
sionals (‘medical/health deserts’)2; inequities and medical discoveries and widespread deployment of
inequalities in access to healthcare3; and increasing state-of-the-art digital health solutions.
healthcare expenditures4. The COVID-19 public health
crisis exposed the vulnerabilities of European health The use of digital health solutions along the patient
systems and highlighted major shortcomings (e.g. pathway could drive the integration of clinical ser-
lack of workforce; lack of equipment and supply chain vices and telemedicine (i.e. delivery of clinical/medical
problems; lack of planning and crisis preparedness). services at a distance) to refine and enhance hybrid
To cope with unsustainable trends and achieve sys- healthcare delivery models. In that context, wearables
tem-wide changes, the widely shared view is that could play an important role in enabling remote health
health systems need to further advance digitisation, promotion, diagnoses, monitoring and treatments. In
digitalisation and digital transformation.5 Digital turn, that could advance patient-centred care (by
advancements could make European health systems empowering patients outside health institutions) and
more effective, accessible and resilient. make health systems more efficient (in terms of
performance, costs and outcomes). In the EU, remote
To fully exploit the potential of health digitalisation monitoring of chronic disease patients (one of the
and achieve a successful digital transformation in key application areas of wearables) has been esti-
healthcare, it is essential that the EU and Member mated to offer the (joint) biggest potential efficiency
States adopt a mix of impactful policy measures to gains among patient-facing digital health solutions.7
leverage the value of data and digital technologies, The COVID-19 lockdowns boosted telemedicine and,
address barriers, facilitate the scalability of effective among the verticals, healthcare has become the

1 Communication from the Commission on effective, accessible and resilient health systems, COM/2014/215 final, Brussels, 4 April 2014,
https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:52014DC0215.
2 World Health Organization, The health workforce crisis in Europe is no longer a looming threat – it is here and now. The Bucharest
Declaration charts a way forward, World Health Organization, Bucharest, 22 March 2023, https://www.who.int/europe/news/item/22-03-2023-
the-health-workforce-crisis-in-europe-is-no-longer-a-looming-threat---it-is-here-and-now.-the-bucharest-declaration-charts-a-way-forward.
(Note: ‘Medical deserts’ are areas where population healthcare needs are unmet partially or totally due to lack of adequate access or
improper quality of healthcare services caused by insufficient human resources in health or facilities, long waiting times, disproportionate
high costs of services or other socio-cultural barriers. The broader term ‘health deserts’ encompasses all dimensions of health—physical,
mental and social—and the services catering to them. See Brînzac, M. G., Kuhlmann, E., Dussault, G. et al., ‘Defining medical deserts—an
international consensus-building exercise’, European Journal of Public Health, Vol. 33, No. 5, 2023, pp. 785–788, https://doi.org/10.1093/
eurpub/ckad107.)
3 European Commission, Directorate-General for Health and Food Safety, State of health in the EU – Synthesis report 2023, Publications
Office of the European Union, Luxembourg, 2023, p. 17, https://data.europa.eu/doi/10.2875/458883.
4 Lorenzoni, L., Marino, A., Morgan, D. et al., Health Spending Projections to 2030: New results based on a revised OECD methodology,
OECD Health Working Papers No. 110, OECD Publishing, Paris, 2019, pp. 15–19, https://doi.org/10.1787/5667f23d-en.
5 See also OECD, Health in the 21st Century – Putting Data to Work for Stronger Health Systems, OECD Health Policy Studies, OECD
Publishing, Paris, 2019, p. 15, https://doi.org/10.1787/e3b23f8e-en. (Note: ‘digitisation’ means the conversion of analogue-physical
information into digital signals; ‘digitalisation’ involves the use of data and digital technologies to improve processes; ‘digital transformation’
refers to strategic and coordinated digitalisation efforts to change organisational operations, business models, workflows and user
interactions.)
6 DIGITALEUROPE, DIGITALEUROPE Executive Council for Health’s recommendations for EU digital health policy (2024-29), DIGITALEUROPE,
Brussels, 2024, p. 1, https://cdn.digitaleurope.org/uploads/2024/02/DIGITALEUROPE-recommendations-EU-digital-health-policy-2024-29-
policy-paper.pdf.
7 European Commission, Directorate-General for Communications Networks, Content and Technology, Shaping the digital transformation in
Europe, Publications Office of the European Union, Luxembourg, 2020, pp. 26–27, https://data.europa.eu/doi/10.2759/294260.
10 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

fastest-growing IoT market in the EU.8 Globally, the COVID certificate). The pandemic also led the EU to set
wearable medical devices market has grown rapidly new strategic policy directions in digital health, most
since 2010s and market growth is expected to accel- importantly to establish the European Health Data
erate at an estimated compound annual growth rate Space (EHDS), which aims to lay down common rules
(CAGR) of 25–30% by 2030.9 on the use of electronic health data (for primary or
secondary use purposes) and on the interoperability of
Despite their potential unique value in healthcare and electronic health record (EHR) systems and wellness
significant market growth, wearables per se have not applications.12 Despite such developments, there has
been brought into the spotlight in EU health poli- been mixed progress in realising the potential value of
cy-making, but have rather been considered as part of wearables and telemedicine in health policy-making
broader policy interventions. For instance, in its 2017 in the EU. For example, at national level, changes to
‘Mid-Term Review on the implementation of the Digi- the regulatory and reimbursement frameworks aimed
tal Single Market Strategy’, the Commission set out its at increasing the use of telemedicine solutions were
intention to take measures in the area of digital health conceived by several Member States as temporary
and care in three areas: (a) citizens’ secure access to measures linked to the COVID-19 emergency.13 At
and sharing of health data across borders; (b) better EU level, the Commission’s proposed rule on ‘tele-
data to advance research, disease prevention and medicine in the context of cross-border healthcare’
personalised health and care; and (c) digital tools (Article 8 of the EHDS proposal) was endorsed by the
for citizen empowerment and person-centred care.10. European Parliament, but Council refused to include
With a view to achieving the latter objective, the Com- that provision in the EHDS.14 There have been similar
mission mentioned in its 2018 ‘Communication on “missed opportunities” in the Commission’s health
enabling the digital transformation of health and care strategies (Europe’s Beating Cancer Plan [2021]; Com-
in the Digital Single Market; empowering citizens and munication on a comprehensive approach to mental
building a healthier society’ that wearables are one of health [2023]), as the strategies do not mention the
the digital tools which can facilitate health promotion potential benefits of wearables (and telemedicine)
and self-management of chronic conditions.11 in the respective health contexts. Considering that
there are many similar setbacks and shortcomings in
The COVID-19 crisis forced the adoption of emergency policy-making, it is important to map the barriers and
measures in EU health policy, including the develop- challenges that are hindering the further uptake of
ment and deployment of new digital health solutions wearables in the EU and analyse what could be done
(e.g. contact tracing and warning apps, EU Digital to incentivise their development and use.

8 See also Negreiro, M., The rise of digital health technologies during the pandemic, Briefing, European Parliamentary Research Service,
Brussels, 2021, https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/690548/EPRS_BRI(2021)690548_EN.pdf.
9 Cf. Fortune Business Insights, Wearable Medical Devices Market, Fortune Business Insights, Maharashtra, 2023, https://www.
fortunebusinessinsights.com/industry-reports/wearable-medical-devices-market-101070. Grand View Research, Wearable Medical Devices
Market Size & Share Report 2030, Grand View Research, San Fransisco, 2024, https://www.grandviewresearch.com/industry-analysis/
wearable-medical-devices-market.
10 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the
Committee of the Regions on the Mid-Term Review on the implementation of the Digital Single Market Strategy: A Connected Digital Single
Market for All, COM(2017) 228 final, Brussels, 10 May 2017, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52017DC0228.
11 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee
and the Committee of the Regions on enabling the digital transformation of health and care in the Digital Single Market; empowering
citizens and building a healthier society, COM/2018/233 final, Brussels, 25 April 2018, https://eur-lex.europa.eu/legal-content/EN/
TXT/?uri=COM:2018:233:FIN.
12 Proposal for a Regulation on the European Health Data Space - Analysis of the final compromise text with a view to agreement, 18
March 2024 (henceforth: ‘EHDS compromise’), https://www.consilium.europa.eu/media/70909/st07553-en24.pdf see also https://eur-lex.
europa.eu/legal-content/EN/HIS/?uri=celex:52022PC0197.
13 European Commission, Directorate-General for Health and Food Safety, State of health in the EU – Companion report 2021, Publications
Office of the European Union, 2022, p. 25, https://data.europa.eu/doi/10.2875/835293.
14 Cf. Proposal for a Regulation on the European Health Data Space - Mandate for negotiations with the European Parliament, General
Secretariat of the Council, Brussels, 7 December 2023, https://data.consilium.europa.eu/doc/document/ST-16048-2023-REV-1/en/pdf,
Amendments adopted by the European Parliament on 13 December 2023 on the proposal for a regulation of the European Parliament
and of the Council on the European Health Data Space, Strasbourg, 13 December 2023, https://www.europarl.europa.eu/doceo/document/
TA-9-2023-0462_EN.html.
 JRC EXTERNAL STUDY 11

1.2 Focus of the report: wearables in flows can ensure constant medical attention, improve
telemedicine the quality of patient care, and increase efficiencies
by eliminating the need for health professionals to
The report focuses on wearables that qualify as actively engage in data collection.17 Wearables can
a ‘medical device’, i.e. the physical hardware and support preventive health, timely diagnoses, real-time
interconnected software elements of the device monitoring and more effective treatments through a
is intended by its manufacturer to be used, alone wide range of use cases.18 Wearables can be leveraged
or in combination, for human beings for one or to deliver digital health interventions through discrete
more of the specific medical purposes defined service applications addressing personal needs and
under Article 2(1) of Regulation (EU) 2017/745 health system challenges.19 As an important tool in
(Medical Device Regulation) to deliver telemedi- telemedicine, wearables can facilitate patient empow-
cine (i.e. clinical/medical services at a distance). erment and collaborative decision-making, which can
lead to improved patient outcomes and adherence.20
Wearables possess connectivity, communica- Wearables can also demonstrate the benefits of
tions and related data processing capabilities active participation in digital transition, increasing
(as Internet of Things, IoT devices) and utilise health equity and inclusivity.
embodied computing technologies (sensors or
actuators), in integration with accessory mate- Another potential value of wearables (especially
rials or medicinal substances, placed on the wearable medical devices) is their ability to collect
human body (as part of a body area network, data in the real patient environment (‘real-world data’,
BAN) to provide human-physiological (including RWD), such as PROMs (‘patient-reported outcome
biochemical and/or electrochemical) sensing measures’) or PREMs (‘patient-reported experience
and/or actuating capabilities. This implies that measures’).21 This can help to generate scientific
wearables function in proximity and develop relatively insights on patients’ health outcomes (‘real-world
stable cyber-physical or cyber-biological connections evidence’, RWE). Wearables can also enable the con-
with the human body.15 Although this study focuses duct of decentralised or hybrid clinical trials, clinical
on the telemedicine application areas of wearables, it studies or clinical investigations. The collection of
is important to point out that wearables can support eCOA (electronic clinical outcome assessment) or
the delivery of a broad range of healthcare services ePRO (electronic patient-reported outcomes) with the
in both clinical institutions and remote (non-clinical) use of wearables can help to save time and costs,
environments.16 The common feature of wearables is and improve data quality and patient experience.22
that they provide automated data flows enabling the This way, wearables can play an important role in
transmission of information on the health parame- the development of personalised medicine and the
ters of patients to health professionals. Those data patient’s virtual human twin (i.e. integrated multiscale,

15 Liu, X., Merritt, J., Tiscareno, K. K. et al., Shaping the Future of the Internet of Bodies: New challenges of technology governance, Briefing
Paper, 2020, World Economic Forum, Geneva, p. 7, https://www3.weforum.org/docs/WEF_IoB_briefing_paper_2020.pdf.
16 Dey, N., Ashour, A. S., Bhatt, C., ‘Internet of Things Driven Connected Healthcare’, in: Internet of Things and Big Data
Technologies for Next Generation Healthcare, edited by C. Bhatt, N. Dey, A. S. Ashour, Springer, Cham, 2017, pp. 3–12 at 7, https://doi.
org/10.1007/978-3-319-49736-5_1.
17 Kulkarni, A., Sathe, S., ‘Healthcare applications of the Internet of Things: A Review’, International Journal of Computer Science and
Information Technologies, Vol. 5 No. 5, 2014, pp. 6229–6232 at 6230, https://ijcsit.com/docs/Volume 5/vol5issue05/ijcsit2014050551.pdf.
18 See also Lu, L., Zhang J., Xie Y. et al., ‘Wearable Health Devices in Health Care: Narrative Systematic Review’, JMIR Mhealth Uhealth, Vol.
8 No. 11, 2020, e18907, https://doi.org/10.2196/18907.
19 See also World Health Organization, Classification of digital interventions, services and applications in health: A shared language to
describe the uses of digital technology for health, second edition, World Health Organization, Geneva, 2023, pp. 2–3, https://www.who.int/
publications/i/item/9789240081949.
20 Fitzpatrick, P. J., ‘Improving health literacy using the power of digital communications to achieve better health outcomes for patients and
practitioners’, Frontiers in Digital Health, Vol. 5, 1264780, 2023, pp. 1–13 at 9, https://doi.org/10.3389/fdgth.2023.1264780.
21 Kyriazakos, S., Pnevmatikakis, A., Cesario, A. et al., ‘Discovering Composite Lifestyle Biomarkers With Artificial Intelligence From Clinical
Studies to Enable Smart eHealth and Digital Therapeutic Services’, Frontiers in Digital Health, Vol. 3, 648190, 2021, https://doi.org/10.3389/
fdgth.2021.648190.
22 Climedo, Trials24, The Patient Perspective on Clinical Trials – What’s Going Well, What Needs to Change? Survey Results, Climedo,
Trials24, 2023, https://climedo.de/wp-content/uploads/2023/03/2023_Climedo-Patient-Perspective-on-Clinical-Trials.pdf.
12 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

multi-time and multi-discipline representation of RWE generated by wearables can even facilitate
quantitative human physiology and pathology).23 evidence-based public health decision-making, for
Furthermore, the collection of RWD with the use of example, as part of a toolbox to fight an epidemic or
wearables can create data feedback loops to improve address increased number of medical cases during a
future health product and service developments. severe heatwave.

Box 1
Classification of wearable medical devices
When a wearable is intended to be used by its manufacturer as a medical device, the device can be classified according
to its medical use purpose:
• prevention of disease;
• diagnosis of disease, an injury or handicap;
• monitoring of disease, an injury or handicap;
• treatment or alleviation of disease, an injury or handicap; or
• compensation for an injury or handicap.
Regarding the targeted set of conditions and scope of application, wearable medical devices may fall into two categories:24
• single-condition applications (i.e. targeting a specific disease, infirmity or health aspect, e.g. monitoring of glucose
level); or
• clustered-condition applications (i.e. targeting several diseases, conditions or health aspects, e.g. medication
management).
Wearable medical devices can also be classified based on the body parts on which they are worn on:25
• smart wrist-worn devices (e.g. smartwatch);
• smart head-mounted devices:
• smart headset (e.g. smart headband, smart sleep apnea mask);
• smart eyewear (e.g. smart glasses);
• smart ear device (hearable) (e.g. smart headphone);
• smart jewellery devices (e.g. smart ring, smart bracelet);
• e-textiles/fabrics:
• smart garments (e.g. smart vest);
• smart straps (e.g. smart chest strap, smart bandage for delivering medicine); or
• smart hand- or footwear (e.g. smart gloves, smart socks).
Although the umbrella term ‘wearables’ is used to refer to a broad range of externally body-affixed devices, there is
an increasingly wider spectrum of innovative IoT (connected) devices that utilise embodied computing technologies, in
integration with accessory materials or medicinal substances, but are not ‘worn’ by the end user (or it may be subject
to debate). Such (borderline) cases include:26
• body-internal devices (where a portion of the device resides inside the body or accesses the body through the skin
or an external body orifice, e.g. smart earplug); or
• body-melded devices (which meld the human body with a machine by injecting or implanting a brain–computer
interface to support cognitive abilities).

23 EDITH, Project, EDITH European Virtual Human Twin, n.d., https://www.edith-csa.eu/edith/. EDITH, Spot on a EDITH use case: The
innovative EPFL biosensing platform, EDITH European Virtual Human Twin, 5 February 2024, https://www.edith-csa.eu/2024/02/05/
spot-on-a-edith-use-case-the-innovative-biosensing-platform/.
24 Islam, S. M. R., Kwak, D., Kabir, M. H. et al., ‘The Internet of Things for Health Care: A Comprehensive Survey’, IEEE Access, Vol. 3, 2015, pp.
678–708 at 684–685, https://doi.org/10.1109/ACCESS.2015.2437951.
25 See also Seneviratne, S., Hu, Y., Nguyen, T. et al., ‘A Survey of Wearable Devices and Challenges’, IEEE Communications Surveys &
Tutorials, Vol. 19 No. 4, 2017, pp. 2573–2620 at 2574–2586 and 2600, https://doi.org/10.1109/COMST.2017.2731979. Iqbal, S. M. A.,
Mahgoub, I., Du, E. et al. ‘Advances in healthcare wearable devices’, npj Flexible Electronics, Vol. 5 No. 9, 2021, pp. 1–14 at 2, https://doi.
org/10.1038/s41528-021-00107-x.
26 See also Matwyshyn, A. M., ‘The Internet of Bodies’, William & Mary Law Review, Vol. 61 No. 1, 2019, pp. 77–168 at 103–115, https://
scholarship.law.wm.edu/cgi/viewcontent.cgi?article=3827&context=wmlr.
 JRC EXTERNAL STUDY 13

Under an alternative categorisation, further examples of such (borderline) cases include:27

• implantables (e.g. smart bionic limb);
• exoskeletons (e.g. cybernetic suit providing ergonomic structural support);
• embeddables (e.g. smart tattoo injected into the skin for real-time indication of blood glucose level);
• ingestibles (e.g. smart pills and other drug–device combinations for gastrointestinal diagnostics and therapy);
• nanorobots (e.g. smart functional nano-devices for pre-treatment analyses of ions, bacterial toxins, proteins, cells etc.);
• biofluidic devices (e.g. sweat- or tear-based devices for monitoring biomarkers, such as smart contact lenses); and
• non-invasive devices (e.g. smart health mirror for analysing skin or blood flow patterns).

Telemedicine is a sub-field of digital health that refers and efficiency of healthcare services and workflows;
to the use of information and communications tech- (3) ensuring equality in distribution of healthcare
nologies (ICT) to deliver clinical/medical services at a services; and (4) reducing costs.28 Telemedicine could
distance. In the case of wearables, ICT solutions enable become a force multiplier for health systems given
the transmission of data between patients (end users) its ability to scale healthcare services and expand
and healthcare providers (and/or other stakeholders in healthcare providers’ reach to underserved areas
the health ecosystem, such as researchers or health and vulnerable groups.29 The COVID-19 pandemic
data scientists), who are located at the communi- demonstrated that telemedicine can also function as
cation endpoints. In principle, the main benefits of a “safety net” while mitigating the devastating impact
telemedicine are associated with: (1) improving access of a public health crisis and is becoming an essential
to healthcare; (2) enhancing efficacy, quality, delivery tool in building more resilient health systems.30

Box 2
Definition of ‘telemedicine’ in relation to other digital health concepts
There is no universal definition of ‘telemedicine’. However, it is increasingly common that policy documents conceptualise
telemedicine and related umbrella concepts along the following lines:
eHealth refers to the provision of healthcare services using the Internet.31
Digital health covers the field of knowledge and practice associated with the development and use of health-related data
and digital technologies to improve health. Digital health expands the concept of eHealth to include digital consumers,
with a wider range of smart devices, connected equipment and digital therapeutics. It also encompasses other uses of
data and digital technologies for health, such as the Internet of Things, AI, big data and robotics, as well as predictive
and prescriptive analytics. Analytics can be used for health system improvement, public health preparedness, or health
research and innovation.32
mHealth refers to the provision of healthcare services supported by mobile devices, such as smartphones or wearables.33

27 See also Pedersen, I., Iliadis, A., ‘Introduction: Embodied Computing’, in: Embodied Computing: Wearables, Implantables,
Embeddables, Ingestibles, edited by I. Pedersen, A. Iliadis, MIT Press, Cambridge (USA), 2020, pp. ix–xxxix at xvi, https://doi.org/10.7551/
mitpress/11564.003.0002. Zhang, Y., Zhang, Y., Han, Y. et al., ‘Micro/Nanorobots for Medical Diagnosis and Disease Treatment’, Micromachines,
Vol. 13, 648, 2022, p. 1–19, https://doi.org/10.3390/mi13050648. Nan, X., Wang, X., Kang, T. et al., ‘Review of Flexible Wearable Sensor
Devices for Biomedical Application’, Micromachines Vol. 13, 1395, 2022, https://doi.org/10.3390/mi13091395.
28 Sood, S., Mbarika, V., Jugoo, S. et al., ‘What is telemedicine? A collection of 104 peer-reviewed perspectives and theoretical
underpinnings’, Telemedicine and eHealth, Vol. 13 No. 5, 2007, pp. 573–590 at 575, https://doi.org/10.1089/tmj.2006.0073.
29 Temesgen, Z. M., DeSimone, D. C., Mahmood, M. et al., ‘Health Care After the COVID-19 Pandemic and the Influence of Telemedicine’,
Mayo Clinic Proceedings, Vol. 95 No. 9, 2020, pp. S66–S68 at S66–S67, https://doi.org/10.1016/j.mayocp.2020.06.052.
30 Bhaskar, S., Bradley, S., Chattu, V. K. et al., ‘Telemedicine Across the Globe-Position Paper From the COVID-19 Pandemic Health System
Resilience PROGRAM (REPROGRAM) International Consortium (Part 1)’, Frontiers in Public Health, Vol. 8 No. 556720, 2020, pp. 1–15 at 11,
https://doi.org/10.3389/fpubh.2020.556720.
31 PwC, Market study on telemedicine, European Commission Directorate-General for Health and Food Safety, Brussels, 2018, p. 25,
https://health.ec.europa.eu/document/download/e8937f58-0bbc-4616-b515-08dacef8ae3e_en?filename=2018_provision_marketstudy_
telemedicine_en.pdf.
32 OECD, Health at a Glance 2023: OECD Indicators, OECD Publishing, Paris, 2023, p. 35, https://doi.org/10.1787/7a7afb35-en.
33 European Commission, Green Paper on mobile Health ("mHealth"), COM/2014/0219 final, Brussels, 10 April 2014, p. 3, https://eur-lex.
europa.eu/legal-content/EN/TXT/?uri=celex:52014DC0219.
14 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Telehealth refers to the use of ICT to promote health at a distance, including non-clinical/medical services.34
Telemedicine refers to the use of ICTs to deliver clinical/medical services at a distance.35

Like any other digital health tools, telemedicine solu- with the legal category of ‘medical device’. The report
tions can be well-used or misused. The results of a is based on interdisciplinary research combining legal
public consultation presented in the ‘EU initiative on and non-legal research methods with the aim of
a European Health Data Space (EHDS): Public Con- providing a critical and constructive analysis of the
sultation Factual Summary Report’ revealed public policy context. The report is structured in three parts
concerns about telehealth. Most respondents (65%) covering technological, legal and competitiveness
believed that telehealth (note: that it is a broader term issues. In addition to providing landscape analyses of
to ‘telemedicine’) entails additional risks for patients those issues, the report addresses specific challenges
and doctors, such as risks linked to data security, (e.g. stakeholders’ needs, legal uncertainties, incen-
misdiagnosis, unclear reimbursement systems, or tives) and makes recommendations, where relevant.
the depersonalisation of patient–doctor interactions. The scope of the discussion covers EU policy issues,
To mitigate/eliminate those risks and maximise their which are supplemented by international/compar-
potential benefits, telemedicine solutions need to ative/national perspectives to the extent that they
improve the quality of care and provide clear benefits shed light on developments which could be of inter-
for patients and healthcare providers. Telemedicine est for EU policy-making. The findings of the report
interventions are both technological and service are based primarily on desk research referring to a
innovations, allowing providers to rethink processes, wide range of sources (including legislation, case law,
procedures and services in line with healthcare work- soft law instruments, policy papers, books, articles in
ers, patients and communities’ needs. Successful scientific journals and conference proceedings). The
telemedicine services are tailored to specific settings report incorporates case studies (based on interviews)
and populations and evolve rapidly as patients and outlining the insights and recommendations of key
providers learn how to use them effectively.36 stakeholders, including manufacturers, deployers and
end users of wearable medical devices.

1.3 Objectives and methodological On 29 May 2024, the European Commission’s Joint
approach of the report Research Centre B6. Industrial Strategy, Skills, and
Technology Transfer Unit organised a validation work-
The objective of this report is to assess trends, shop in Brussels. The authors presented their research
opportunities, challenges and barriers that progress, which was followed by a roundtable discus-
impact the development (including technology sion involving experts of the European Commission
transfers), deployment, scalability and use of and stakeholders from the health ecosystem (repre-
wearable medical devices in the EU. senting patients, medical professionals, industry and
academia). The information in this report is based on
The report focuses on ‘wearable medical devices’ in the state of developments as of 30 June 2024.
order to link the widely used concept of ‘wearables’

34 OECD, The COVID-19 Pandemic and the Future of Telemedicine, OECD Health Policy Studies, OECD Publishing, Paris, 2023, p. 13, https://
doi.org/10.1787/ac8b0a27-en.
35 Ibid., cf. World Health Organization Global Observatory for eHealth, Telemedicine: opportunities and developments in Member States:
report on the second global survey on eHealth, World Health Organization, 2010, pp. 8–9, https://iris.who.int/handle/10665/44497.
36 Oliveira Hashiguchi, T., ‘Bringing health care to the patient: An overview of the use of telemedicine in OECD countries’, OECD Health
Working Papers, No. 116, OECD Publishing, Paris, 2020, p. 36 et seq. https://doi.org/10.1787/8e56ede7-en.
 Technological aspects of wearable medical devices

TELEMEDICINE SERVICE
Healthcare
Patient provider
FUNCTIONAL-SERVICE ROLES COMMUNICATION PATTERNS

Wearable medical device manufacturer

Device-to-Device

Network provider
Device-to-
E MEDICAL
Gateway

Platform provider BL
A

DE
Device-
WEAR

to-Cloud
VICE
Telemedicine service
developer
Back-End
Data-
Telemedicine service Sharing
provider

End user
Cloud and scalable
distributed computing

AI (Artificial
RFID intelligence)
(Radio Frequency
IDentification)
Sensor WBAN IoT network
(wireless
body area
network)

CORE ENABLING TECHNOLOGIES

16 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

2. Technological aspects of wearable medical devices

This chapter provides an overview of the technological medical devices are Internet of Things (IoT) devices,
drivers and components of wearable medical devices. also known as ‘Internet of Health Things’ (IoHT) or
Wearable medical devices are typically part of larger ‘Internet of Medical Things’ (IoMT). The Data Act
telemedicine systems that consist of various physical defines IoT devices as “[c]onnected products that
components, nodes and connections, which are oper- obtain, generate or collect, by means of their com-
ated by actors performing different functional-service ponents or operating systems, data concerning their
roles. That enlarging complexity makes it increasingly performance, use or environment and that are able
challenging to properly allocate responsibilities and to communicate those data via an electronic commu-
determine rights and obligations relating to the nications service, a physical connection, or on-device
deployment and use of wearable medical devices access”.37 The innovative feature of IoT is that ‘things’
in telemedicine systems. In addition, the chapter make themselves recognisable and obtain intelligence
explains that due to their resource-constraints, wear- by making or enabling context-related decisions due
able medical devices often require the integration of to their capability to communicate information about
other enabling technologies and techniques (such as themselves.38 IoT devices are enabled by RFID (Radio
cloud and scalable distributed computing, data science Frequency IDentification) technology. RFID systems
methods, AI models). The chapter also includes an are typically composed of three main components:
outlook on technological trends which are expected to RFID tags, a reader (also referred to as a transmitter/
shape the development of wearable medical devices receiver) and an application system (also known as
in the future. a data processing system, which can be a software
application or database).39 In a wearable medical
device, RFID tags can collect data about the human
2.1 Core enabling technologies body (and its environment) and can communicate that
and technical components of data to the reader.40
wearable medical devices In addition to their capabilities as IoT devices, wearable
Wearables (including wearable medical devices) medical devices have integrated smart transducers.
possess connectivity, communications and related In general, a transducer is either a sensor or actua-
data processing capabilities (as IoT devices) and tor depending on which direction information passes
utilise embodied computing technologies (sensors through the device: sensors detect the variations in
or actuators), in integration with accessory materi- input energy and convert those into a signal, while
als or medicinal substances, placed on the human actuators operate in the reverse direction.41 If the
body (as part of a body area network) to provide transducer of a wearable medical device is a sensor,
human-physiological (including biochemical and/or it can convert physical, chemical, thermal or biological
electrochemical) sensing and/or actuating capabilities. aspects of stimuli events into a measurable (electri-
Due to their Internet connectivity, communications cal) signal.42 A sensor can capture data by employing
and related data processing capabilities, wearable a pull-based approach (i.e. when the frequency of data

37 Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access
to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), OJ L, 2023/2854, 22.12.2023, ELI:
https://eur-lex.europa.eu/eli/reg/2023/2854/oj (henceforth: ‘Data Act [Regulation (EU) 2023/2854]’), Recital (14).
38 Vermesan, O., Friess, P., Guillemin, P. et al., ‘Internet of Things Strategic Research and Innovation Agenda’, in: Internet of Things –
Converging Technologies for Smart Environments and Integrated Ecosystems, edited by O. Vermesan, P. Friess, River Publishers, Aalborg,
2013, pp. 7–142 at 8, https://www.internet-of-things-research.eu/pdf/Converging_Technologies_for_Smart_Environments_and_Integrated_
Ecosystems_IERC_Book_Open_Access_2013.pdf.
39 Jia, X., Feng, Q., Fan, T. et al., ‘RFID technology and its applications in Internet of Things (IoT)’, 2nd International Conference on
Consumer Electronics, Communications and Networks (CECNet), Yichang, 21–23 April 2012, pp. 1282–1285 at 1283, https://doi.org/10.1109/
CECNet.2012.6201508.
40 Fan, K., Jiang, W., Li, H. et al. ‘Lightweight RFID Protocol for Medical Privacy Protection in IoT’, IEEE Transactions on Industrial Informatics,
Vol. 14 No. 4, 2018, pp. 1656–1665 at 1656, https://doi.org/10.1109/TII.2018.2794996.
41 Fraden, J., Handbook of Modern Sensors: Physics, Designs, and Applications, Fifth Edition, Cham, Springer, 2015, p. 3, https://link.springer.
com/chapter/10.1007/978-3-319-19303-8_1.
42 Naresh, V., Lee, N., ‘A Review on Biosensors and Recent Development of Nanostructured Materials-Enabled Biosensors’, Sensors, Vol. 21
No. 4, 1109, 2021, p. 3, https://doi.org/10.3390/s21041109.
 JRC EXTERNAL STUDY 17

collection is determined by the user) or a push-based conceptual model of an IoT network that enables
approach (i.e. when sensors transmit data between the functioning of a wearable medical device in a
the sensor node and the IoT base station upon the telemedicine system encompasses the following
fulfilment of a certain condition, such as deviating connections:45
health values).
• a wireless body area network (WBAN) consisting
Regarding their technical components and configu- of one or more wearable medical devices and a
rations, wearable medical devices consist of physical central node (e.g. smartphone);
hardware and interconnected (embedded or exter- • short-range data transmissions between the
nally functioning) software components. For the wearable medical device(s) and the central node;
management of resources, some wearable medical • long-range data transmissions between the cen-
devices have their own operating systems, while other tral node and the application service; and
wearable medical devices require interconnected • the application service.
companion apps running on an externally located
smartphone.43 Some wearable medical devices do International and European technical standardi-
not support Internet connectivity directly, but they sation organisations,46 as well as scholars, have
may support Bluetooth or other short-range wireless defined several conceptual models (also known as
communications technologies that enable connection reference models or reference architectures) for
to smartphones or other connected devices. IoT-enabled system architectures47, eHealth system
architectures48, and IoT-enabled telemedicine system
architectures49. The sheer number of models indicates
2.2 Wearable medical devices as part that there are multiple ways to conceptualise such
of telemedicine systems and IoT systems. A possible conceptualisation of an IoT-ena-
bled telemedicine network encompasses the following
networks components:50
Technologically, a wearable medical device deployed
in a telemedicine context is a component of an IoT • wearable medical device;
network that enables remote connection between a • gateway (typically a smartphone), which inter-
patient (end user) and the healthcare provider.44 A connects the wearable medical device(s) with

43 Commission Staff Working Document Accompanying the Document ‘Report from the Commission to the Council and the European
Parliament: Final report - Sector inquiry into consumer Internet of Things, COM(2022) 19 final’, SWD(2022) 10 final, Brussels, 20 January
2022, para. 53, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2022:10:FIN.
44 Rodrigues, J. J. P. C., De Rezende Segundo, D. B., Junqueira, H. A. et al., ‘Enabling Technologies for the Internet of Health Things’, IEEE
Access, Vol. 6, 2018, pp. 13129–13141 at 13130, https://doi.org/10.1109/ACCESS.2017.2789329.
45 Baker, S. B., Xiang, W., Atkinson, I., ‘Internet of Things for Smart Healthcare: Technologies, Challenges, and Opportunities’, IEEE Access, Vol.
5, 2017, pp. 26521–26544 at 26523–26524, https://doi.org/10.1109/ACCESS.2017.2775180.
46 Note: Globally-aligned standardisation is essential to ensure accuracy, consistency and availability of data across product lines, as well
as to accurately monitor the impact of wearable medical devices and understand future projections for demand. However, it is important to
point out that the legitimacy of standards is often questioned by stakeholders due to the lack of transparency in how they are developed and
their lack of accessibility when they are placed behind a paywall.
47 International Telecommunication Union, Overview of the Internet of things. Recommendation ITU-T Y.4000/Y.2060 (06/2012),
International Telecommunication Union, Geneva, 2012, p. 1, https://www.itu.int/rec/T-REC-Y.2060-201206-I. International Organization for
Standardization, International Electrotechnical Commission, ISO/IEC 30141:2018(en) Internet of Things (loT) — Reference Architecture,
International Organization for Standardization, Geneva, 2018, paras. 8–10, https://www.iso.org/obp/ui/#iso:std:iso-iec:30141:ed-1:v1:en.
IEEE Standards Association, IEEE 2413-2019 - IEEE Standard for an Architectural Framework for the Internet of Things (IoT), IEEE Standards
Association, Piscataway, 2019, https://standards.ieee.org/ieee/2413/6226.
48 European Telecommunications Standards Institute, ETSI TR 102 764 V1.1.1 (2009-02): eHEALTH; Architecture; Analysis of user
service models, technologies and applications supporting eHealth, Technical Report, European Telecommunications Standards Institute,
Sophia Antipolis, 2009, https://www.etsi.org/deliver/etsi_tr/102700_102799/102764/01.01.01_60/tr_102764v010101p.pdf. European
Telecommunications Standards Institute, ETSI TR 103 477 V1.2.1 (2020-08): eHEALTH; Standardization use cases for eHealth, Technical
Report, European Telecommunications Standards Institute, Sophia Antipolis, 2020, https://www.etsi.org/deliver/etsi_tr/103400_103499/10347
7/01.02.01_60/tr_103477v010201p.pdf.
49 Catarinucci, L., Donno, D. D., Mainetti, L. et al., ‘An IoT-Aware Architecture for Smart Healthcare Systems’, IEEE Internet of Things Journal,
Vol. 2 No. 6, 2015, pp. 515–526 at 517, https://doi.org/10.1109/JIOT.2015.2417684. Azimi, I., Rahmani, A. M., Liljeberg, P. et al., ‘Internet of
things for remote elderly monitoring: a study from user-centered perspective’, Journal of Ambient Intelligence and Humanized Computing, Vol.
8, 2017, pp. 273–289 at 275–276, https://doi.org/10.1007/s12652-016-0387-y.
50 See also International Telecommunication Union, Requirements of the network for the Internet of things. Recommendation ITU-T Y.4113
(09/2016), International Telecommunication Union, Geneva, 2016, pp. 3–4, https://www.itu.int/rec/T-REC-Y.4113-201609-I/en.
18 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

the core network and performs the necessary communications where small data packets of
translation between the protocols used in the information are conveyed between devices with
core network and those used by the device(s); relatively low data rate requirements. An example
• wireless body area network (WBAN), which is a is the connection between Body Area Network
network for the wearable medical device(s) and (BAN) devices, such as a cadence sensor (as a
gateways realised through local area connec- wearable medical device) and a heart rate mon-
tions, typically using short-range communications itor (IoT medical device).
technologies; • In the device-to-gateway (also known as
• access network, which connects the wearable device-to-application layer gateway, ALG) com-
medical device(s) and the gateway to the core munications model, the wearable medical device
network (typically by fibre optics or wireless connects through an ALG service as a conduit
technologies); to reach a cloud or other scalable distributed
• core network, which is a portion of the delivery computing service. This means that there is an
system composed of networks, equipment and application software operating on a local gateway
infrastructures, and connects the service provider device, which acts as an intermediary between
domain with the access network; the wearable medical device and the cloud (or
• IoT platform, which is a technical infrastructure other scalable distributed) computing service,
that provides integration of the abovementioned and provides security and other functionalities,
generic and specific capabilities (in conjunction such as local authentication and authorisation,
with capabilities of the core network), and can and data or protocol translation. Since most
be connected with one or more IoT application wearable medical devices do not have the ability
servers; and to connect directly to a cloud (or other scalable
• IoT application server, which runs applications distributed) computing service, they usually rely
and communicates with the wearable medi- on a companion app or the software of a home
cal device(s), gateway(s) and the IoT platform ‘hub’ device. In those cases, the smartphone or
directly or via the core network in order to deliver home hub device serves as the local gateway
application services. between the wearable medical device and the
cloud (or other scalable distributed) computing
service.
2.3 Communications patterns of • In the device-to-cloud communications model,
wearable medical devices the wearable medical device connects directly
to a cloud service (as the application service
Data communications in IoT networks and telemed- provider) to exchange data and control message
icine systems construed around wearable medical traffic. This innovative communications model
devices follow general communication patters (which could accelerate the deployment of secure IoT
have peculiar characteristics and are combinable):51 solutions in telemedicine at previously unachiev-
able speeds.52
• The device-to-device communications model • The back-end data-sharing communications
refers to two or more IoT devices that directly model refers to a communication architecture
connect and communicate with one another, that enables users to export and analyse data
rather than through an intermediary application generated by wearable medical devices in a cloud
server. Device-to-device wireless networks allow service (in combination with data obtained from
wearable medical devices adhering to a par- other sources). This architecture also enables
ticular communications protocol (e.g. Bluetooth, the aggregation and analysis of data streams
Z-Wave, Zigbee) to exchange data with other IoT obtained from multiple wearable medical devices.
devices. This model is common in short-range Moreover, this architecture enables users to grant

51 See also Tschofenig, H., Arkko, J., Thaler, D. et al., ‘Architectural Considerations in Smart Object Networking’, Internet Architecture Board,
2015, https://www.rfc-editor.org/rfc/rfc7452.txt. Rose, K., Eldridge, S., Chapin, L., ‘The Internet of Things: an Overview. Understanding the Issues
and Challenges of a More Connected World’, Internet Society, 2015, pp. 18–23, https://www.internetsociety.org/wp-content/uploads/2017/08/
ISOC-IoT-Overview-20151221-en.pdf.
52 See also IoT Business News, ‘World’s first IoT ‘device-to-cloud’ solution announced’, IoT Business News, 27 November 2019, https://
iotbusinessnews.com/2019/11/27/50213-worlds-first-iot-device-to-cloud-solution-announced.
 JRC EXTERNAL STUDY 19

permission to third parties to access data col- service providers, including data storage, other
lected by their wearable medical device(s) and data processing and/or device management
may facilitate data portability needs. Effective capabilities, and specific support for different
back-end data-sharing architectures can break types of applications.
down traditional data silo barriers by allowing • IoT-enabled telemedicine service developer, who
users to move personal electronic health data utilises capabilities and resources provided by the
concerning them when they switch between wearable medical device manufacturer, network
service providers. The implementation of the provider and platform provider to design and
back-end data-sharing model requires either a develop an IoT-enabled telemedicine service for
federated cloud service or a cloud-based appli- application users, which includes the implemen-
cations programming interface (API) to ensure tation, testing and integration of services with
the interoperability of data collected by wearable the platform.
medical devices. • IoT-enabled telemedicine application service
provider, who manages and operates the IoT-en-
abled telemedicine service.
2.4 Functional-service roles in the • Wearable medical device and IoT-enabled tele-
ecosystem of wearable medical medicine application user, i.e. the end-user of a
wearable medical device (i.e. the patient).
devices
When setting/allocating rights and obligations, it is
important to consider the various actors and their 2.5 Integration of other enabling
functional-service roles who are responsible for the technologies and techniques with
design, development, connection, deployment, oper-
ation and use of wearable medical devices. Each
wearable medical devices
actor may have at least one functional-service role,
but there may be overlaps if one or more actor(s) 2.5.1 Integration of cloud and scalable
have multiple roles (e.g. in case the wearable medical distributed computing with wearable
device manufacturer and the telemedicine application medical devices
service developer is the same entity). In general, the The evolution of IoT-enabled telemedicine systems
ecosystem of wearable medical devices is composed enabling the functioning of wearable medical devices
of the following functional-service roles:53 is catalysed by network infrastructure developments
and availability of computing resources. In terms
• Wearable medical device manufacturer, who of advancements in infrastructure, the develop-
is responsible for manufacturing and providing ment of 5G networks can provide agile connectivity
a wearable medical device that is capable of with higher performance through enhanced Mobile
transmitting data collected by the device to the Broadband (eMBB), ultra-reliable low latency commu-
application service provider and network provider nications (URLLC), and ubiquitous access services.54
according to the service logic. 5G can enable the widespread use of IoT-enabled
• Network provider, who performs activities relat- telemedicine services, while facilitating their ad hoc
ing to the access and integration of resources orchestration. Regarding the availability of computing
provided by other providers, the support and resources, cloud computing can emancipate wearable
control of the IoT capabilities of the underlying medical devices from their computational constraints.
infrastructure, and the offering of IoT capabili- It can enable centralised, accelerated and secure
ties, including network capabilities and resource processing of data, possibly with the application of
exposure to other providers. data science methods (such as AI models). However,
• Platform provider, who provides integration the proliferation and heterogeneity of IoT devices
capabilities and open interfaces for application (including wearable medical devices), together with

53 See also International Telecommunication Union, Overview of the Internet of things. Recommendation ITU-T Y.4000/Y.2060 (06/2012),
supra note 47, Appendix I. International Organization for Standardization, International Electrotechnical Commission, ISO/IEC 30141:2018(en)
Internet of Things (loT) — Reference Architecture, supra note 47, para. 10.5.
54 Latif, S., Qadir, J., Farooq, S. et al., ‘How 5G Wireless (and Concomitant Technologies) Will Revolutionize Healthcare?’, Future Internet, Vol.
9 No. 93, 2017, pp. 1–24 at 19–20, https://www.mdpi.com/1999-5903/9/4/93.
20 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

significant growth in data and traffic, have led to the to the edge of the network (in contrast to fog
view that conventional, centralised cloud-based data computing, which is hierarchical and enables a
centres may not be future-proof to support rapidly wider range of functionalities). The ‘edge’ is the
developing IoT systems and applications.55 Instead, first ‘hop’ from the end-device (wearable medical
there is an emerging technological trend to shift device), such as the Wi-Fi access point or the
computing power and resources along the “cloud- gateway (smartphone).
to-device continuum” towards the endpoints (edge) • Mist computing is a lightweight form of fog and
of the network (i.e. closer to the wearable medical edge computing that resides directly within the
device) to better cope with performance, availability, network constellations at the edge of the network.
reliability, manageability and cost requirements.56 • Dew computing is computing at the extreme edge
(in the wearable medical devices themselves).
The development of more scalable, distributed and It is an embeddable extension of the comput-
adaptive computational concepts aims to extend the ing capabilities of the device, independent of
capabilities of cloud computing.57 Cloud and other connectivity.
scalable distributed computing concepts can be clas- • Fluid computing is an architectural principle
sified according to their location and distance from whose infrastructural abstraction provides an
the device level (i.e. the wearable medical device) and end-to-end mechanism that seamlessly provides,
the core network (i.e. Internet backbone).58 The main deploys, manages and monitors applications,
computing concepts are as follows:59 regardless of whether the underlying resource
is provided by cloud, fog, edge, mist or dew
• Cloud computing enables network access to a computing.
scalable and elastic pool of shareable physical
or virtual resources with self-service provisioning 2.5.2 Integration of data science techniques
and administration on-demand. (such as AI systems) with wearable
• Fog computing bridges the gap between cen- medical devices
tralised (cloud) services and end-devices (e.g. Given that wearable medical devices can enable the
wearable medical devices) by enabling comput- large-scale collection of data in real-time, it is essen-
ing, storage, networking and data management tial to ensure that there are appropriate resources
to take place in physical or virtual network (fog) and applications to process those big data sets.60 ‘Big
nodes along the cloud-to-device continuum (pref- data’ refers not only to the large quantity of data, but
erably in the close vicinity of end-devices) as data it is a concept that describes the collection, storage,
traverses to the cloud. management, analysis and visualisation of extensive
• Edge computing encompasses various com- datasets with heterogeneous characteristics, where
puting concepts in which computing is limited data processing is characterised by scale (volume),

55 Giannoutakis, K. M., Spanopoulos-Karalexidis, M., Papadopoulos, C. K. F. et al., ‘Next Generation Cloud Architecture’, in: Embodied
Computing: Wearables, Implantables, Embeddables, Ingestibles, edited by P. T. Lynn, J. Mooney, B. Lee et al., Palgrave Macmillan, Cham, 2020,
pp. 23–39 at 31, https://doi.org/10.1007/978-3-030-41110-7_2.
56 Skala, K., Davidović, D., Afgan, E. et al., ‘Scalable Distributed Computing Hierarchy: Cloud, Fog and Dew Computing’, Open Journal of
Cloud Computing, Vol. 2 No. 1, 2015, pp. 16–24 at 18, https://doi.org/10.19210/1002.2.1.16.
57 Iorga, M., Feldman, L., Barton, R. et al., Fog Computing Conceptual Model – Recommendations of the National Institute of Standards and
Technology, NIST Special Publication 500-325, U.S. Department of Commerce, National Institute of Standards and Technology, Washington,
2018, p. 1, https://doi.org/10.6028/NIST.SP.500-325.
58 Yousefpour, A., Fung, C., Nguyen, T. et al., ‘All one needs to know about fog computing and related edge computing paradigms: A
complete survey’, Journal of Systems Architecture, Vol. 98, 2019, pp. 289–330 at 289–298, 302, https://doi.org/10.1016/j.sysarc.2019.02.009.
59 See also Beregi, R., Pedone, G., Mezgár, I., ‘A novel fluid architecture for cyber-physical production systems’, International Journal of
Computer Integrated Manufacturing, Vol. 32 No. 4–5, 2019, pp. 340–351 at 340–347, https://doi.org/10.1080/0951192X.2019.1571239.
International Telecommunication Union, Information technology – Cloud computing – Overview and vocabulary. Recommendation Y.3500
(08/14), International Telecommunication Union, Geneva, 2014, pp. 4–7, https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-Y.3500-
201408-I!!PDF-E&type=items. Vermesan, O., Coppola, M., Nava, M. D. et al., ‘New Waves of IoT Technologies Research – Transcending
Intelligence and Senses at the Edge to Create Multi Experience Environments’ in: Internet of Things – The Call of the Edge: Everything
Intelligent Everywhere, edited by O. Vermesan, J. Bacquet, River Publishers, Gistrup, 2020, pp. 17– 184 at 71–86, https://doi.org/10.13052/
rp-9788770221955.
60 Anmulwar, S., Gupta, A. K., Derawi, M., ‘Challenges of IoT in Healthcare’, in: IoT and ICT for Healthcare Applications, edited by N. Gupta, S.
Paiva, Springer, Cham, 2020, pp. 11–20 at 13–14, https://doi.org/10.1007/978-3-030-42934-8_2.
 JRC EXTERNAL STUDY 21

diversity (variety) and high speed (velocity).61 ‘Big technology (i.e. artificial neural network architecture,
data in health’ encompasses consolidated data as a specific type of ML algorithms with multiple
obtained from existing fragmented data sources hidden layers) to handle large and complex data-
for the purposes of understanding, forecasting and sets.66 ‘Artificial intelligence’ (AI) refers to the ability
improving personal health status and health system of a system of algorithms to infer information from
performance.62 machine-generated and/or human-related (structured,
semi-structured or unstructured) data, for explicit or
Raw, unstructured or semi-structured big data, such implicit objectives, with the purpose of generating out-
as those collected by wearable medical devices, can puts (such as predictions, content, recommendations
be transformed into ‘smart data’ (i.e. structured, accu- or decisions) that influence the physical and/or virtual
rate and agile datasets) with the application of data environments with which the system interacts.67 AI is
science methods, which can add credibility (veracity) essentially a “moving target” that is pursued through
and relevance (value) to make data ‘actionable’.63 the implementation of data mining and ML/AML
Data science is a multifaceted discipline that uti- techniques. The novelty of AI is the ability to perform
lises statistics and data analytic methods, processes reasoning, planning, learning, communication or per-
and algorithms to extract and visualise information ception tasks without a human having to programme
from data. Data science applies specific algorithms every step of the computing process.68
to extract patterns from data (‘data mining’), while
machine learning algorithms can automate the data When an IoT-enabled telemedicine system integrates
mining process.64 an AI system, then that AI system can interact with the
human body and its environment through a wearable
By explanation of relevant terms, programming medical device. In other words, in an integrated IoT-
manages rote tasks; ‘machine learning’ (ML) enables and AI-enabled telemedicine system, the AI system can
computers to learn how to best perform those rote extend the capabilities of a wearable medical device,
tasks; and ‘automated machine learning’ (AML) can and vice versa. The use of AI for the purpose of extract-
enable computers to learn how to optimise the out- ing medical knowledge from (raw) data collected by
come of learning how to perform these rote actions.65 wearable medical devices (in combination with data
Within the ML sphere, ‘deep learning’ has gained a obtained from other health data domains) has huge
lot of attention, which uses deep neural network potential to transform the delivery of healthcare.69 AI

61 International Telecommunication Union, Big data – Cloud computing based requirements and capabilities. Recommendation Y.3600
(11/2015), International Telecommunication Union, Geneva, 2015, p. 2, https://www.itu.int/rec/T-REC-Y.3600/en.
62 Csizmadia, I., Láng, R., Kis, M., ‘D5.1 - Report on policy action on innovative use of big data in health’, Information note: WP5 Innovative
Use of Health data (v. 0.3) (2 February 2020), 17th eHealth Network meeting (June 2020), eHAction: Joint Action to support the eHealth
Network, p. 12, http://ehaction.eu/wp-content/uploads/2020/08/03.06.2020_eHN-adopted_eHAction-D5.1-Report-on-policy-action-on-
innovative-use-of-big-data-in-health_v0.3-1.pdf.
63 See also Luengo, J., García-Gil, D., Ramírez-Gallego, S. et al., Big Data Preprocessing: Enabling Smart Data, Springer, Cham, 2020, p. 45,
https://doi.org/10.1007/978-3-030-39105-8.
64 Mayo, M., ‘The Data Science Puzzle, Revisited’, KDnuggets, 20 January 2017, https://www.kdnuggets.com/2017/01/data-science-puzzle-
revisited.html.
65 Mayo, M., ‘The Current State of Automated Machine Learning’, KDnuggets, 18 January 2017, https://www.kdnuggets.com/2017/01/
current-state-automated-machine-learning.html.
66 Hoyt, R., Muenchen, R. ’Artificial Intelligence’, in: Introduction to Biomedical Data Science, edited by R. Hoyt, R. Muenchen, Informatics
Education, Pensacola, 2019, pp. 191–214 at 191.
67 See also OECD, ‘Scoping the OECD AI principles: Deliberations of the Expert Group on Artificial Intelligence at the OECD (AIGO)’, OECD
Digital Economy Papers, No. 291, OECD, Paris, 2019, pp. 6 et seq, https://doi.org/10.1787/d62f618a-en. Regulation (EU) 2024/1689 of the
European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations
(EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU,
(EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act), OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj
(henceforth: ‘AI Act [Regulation (EU) 2024/1689]’), Recital (12), Article 3(1).
68 European Commission, Joint Research Centre, Samoili, S., López Cobo, M., Delipetrev, B. et al., AI Watch. Defining Artificial Intelligence
2.0 – Towards an operational definition and taxonomy for the AI landscape, JRC Technical Reports, Publications Office of the European Union,
Luxembourg, 2021, p. 23, https://data.europa.eu/doi/10.2760/019901.
69 Raeesi Vanani, I., Amirhosseini, M., ‘IoT-Based Diseases Prediction and Diagnosis System for Healthcare’, in: Internet of Things for
Healthcare Technologies, edited by C. Chakraborty, A. Banerjee, M. Kolekar et al., Springer, Singapore, 2021, pp. 21–48 at 29–30, https://doi.
org/10.1007/978-981-15-4112-4_2.
22 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

is set to play an important role in the management of With a view to future technological advancements,
patients’ health outside clinical settings.70 The results there is a promise to allocate data processing per-
of an EU survey support this expectation, indicating formed by AI systems from the cloud level closer
that healthcare organisations/start-ups are using or to the edge of the network.75 Ultimately, as the
are planning to use or develop AI primarily for patient deployment of AI system moves closer to the edge
monitoring.71 This outlook includes the uptake of an and becomes embedded into IoT devices (known as
increasingly diverse range of direct-to-consumer ‘Artificial Intelligence of Things’ or ‘AIoT’, or ‘TinyML’),
AI-enabled wearable medical devices.72 AI could also wearable medical devices with such capabilities could
transform evidence-based medicine (i.e. the use of gain intelligence by acquiring the capabilities to per-
available best evidence in making health-related deci- form self-driven analytics and act autonomously.76
sions about patients’ health) to improve diagnostics, Developers can achieve this breakthrough through the
predict outcomes and provide personalised healthcare further development of micro-processing solutions
through the analyses of real-world data (RWD) col- and with the optimisation of how neural networks
lected by wearable medical devices.73 However, there use the memory of wearable medical devices.77 The
are concerns that AI could foster the growth of “black significance of AIoT/TinyML solutions is that they may
box medicine”, where health-related decision-making contribute to the further development of intelligent
and data processing become increasingly opaque, healthcare management systems with their capa-
while the outputs of the AI system are probabilistic bilities to enhance human–technology interactions,
and sometimes inscrutable.74 strengthen the security of wearable medical devices
and improve the accuracy of data collection and
analytics.78

70 See also World Health Organization, Ethics and Governance of Artificial Intelligence for Health: WHO Guidance, World Health
Organization, Geneva, 2021, p. 9, https://apps.who.int/iris/rest/bitstreams/1352854/retrieve. European Commission, Directorate-General for
Health and Food Safety, Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S. et al., Study on Health Data, Digital Health and Artificial Intelligence
in Healthcare, Publications Office of the European Union, Luxembourg, 2022, pp. 90–91, https://data.europa.eu/doi/10.2875/702007.
71 European Commission, Directorate-General for Communications Networks, Content and Technology, PwC, Study on eHealth,
Interoperability of Health Data and Artificial Intelligence for Health and Care in the European Union – Lot 2: Artificial Intelligence for health and
care in the EU, Final Study Report, Publications Office of the European Union, Luxembourg, 2021, pp. 39–45, https://ec.europa.eu/newsroom/
dae/redirection/document/80948.
72 Gerke, S., ‘Health AI for Good Rather Than Evil? The Need for a New Regulatory Framework for AI-Based Medical
Devices’, Yale Journal of Health Policy, Law, and Ethics, No. 20 Vol. 2, 2021, pp. 432–512 at 444, https://yaleconnect.yale.edu/
get_file?pid=fd7fce9fbc17724a4b17d7f1ce4581a33c87d962fbbae12115c3217cdb56240.
73 Panesar, A., Machine Learning and AI for Healthcare Big Data for Improved Health Outcomes, Apress, New York, 2019, pp. 12, 262.
https://link.springer.com/book/10.1007/978-1-4842-3799-1.
74 European Commission, Directorate-General for Health and Food Safety, Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, S. et al., supra
note 70, pp. 88–89.
75 Greco, L., Percannella, G., Ritrovato, P., ‘Trends in IoT based solutions for health care: Moving AI to the edge’, Pattern Recognition Letters,
Vol. 135, 2020, pp. 346–353 at 347, https://doi.org/10.1016/j.patrec.2020.05.016.
76 See also Shamim, M. Z., Parayangat, M., Thafasal Ijyas, V. P. et al., ‘Distributed Intelligent Networks: Convergence of 5G, AI, and IoT’,
in: Enabling Technologies for Next Generation Wireless Communications, edited by M. Usman, M/ Wajid, M. D. Ansari, CRC Press, Boca Raton,
2021, pp. 137–148 at 138, https://doi.org/10.1201/9781003003472.
77 See also Noone, G., ‘Putting AI in IoT chips? It’s a question of memory’, Tech Monitor, 10 February 2022, https://techmonitor.ai/
technology/ai-and-automation/tinyml-putting-ai-in-iot-chips-a-question-of-memory.
78 See also Upadhyay, D., Sharma, S., ‘Convergence of Artificial Intelligence of Things: Concepts, Designing, and Applications’, in: Towards
Smart World: Homes to Cities Using Internet of Things, edited by L. Sharma, CRC Press, Boca Raton, 2020, pp. 119–142 at 133–135, https://
doi.org/10.1201/9781003056751.
EU regulatory framework applicable to wearable medical devices

INTERNATIONAL AND EU PRIMARY LAW

(e.g. international IP treaties, EU Charter of Fundamental Rights)

EU SECONDARY LAW

Safety, Cybersecurity Interoperability Privacy, data Protection and

performance, requirements requirements protection and governance of
and quality data governance IP rights
requirements requirements

Lex generalis Product MDR, GDPR, IP legislations

(General Product harmonisation GDPR, ePrivacy Directive, (e.g. Database
Safety Regulation legislations EHDS Data Act, Directive,
[GPSR]) (MDR, GPSR, AI Act) EHDS Trade Secrets
Directive)
Lex specialis Cybersecurity-specific
(Medical Device legislations Other
Regulation [MDR], (Cybersecurity Act, legislations
AI Act) NIS2 Directive) affecting
governance
Data-specific legislations of IP rights
(General Data Protection Regulation [GDPR], (e.g. Data Act,
Data Governance Act, EHDS)
Data Act,
European Health Data Space Regulation [EHDS])

NATIONAL (MEMBER STATE) LEGISLATIONS

(e.g. national laws on organisation and delivery of health services, such as reimbursement)
24 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

3. EU regulatory framework applicable to wearable medical

devices
This chapter analyses some of the most relevant reg- 3.1 Safety, performance and quality
ulatory requirements that manufacturers are likely requirements
to be confronted with when they attempt to bring a
wearable medical device to the market in the EU. The 3.1.1 EU product safety framework applicable
analysis also addresses the compliance obligations of to wearables
controllers and (health) data holders relating to the Safety, performance and quality aspects of wearables
use of wearable medical devices for data processing are key factors in building trust and enhancing their
purposes, and the corresponding rights of natural adoption. However, the question of whether (or not)
persons (data subjects, patients). The following any safety, performance and quality legal regime
requirements are highlighted: applies to wearables under EU law and, if yes, which
one, is a grey area ridden with legal uncertainty. This
• product safety rules – based on the qualification uncertainty stems from the ambivalent legal status
of the physical hardware and interconnected of wearables between the highly regulated domain
software components of a wearable as a ‘medi- of ‘medical devices’ and the less regulated sphere of
cal device’ (Chapter 3.1); ‘wellness applications’ (digital consumer health prod-
• cybersecurity and interoperability rules – deriv- ucts).79 It is often challenging to determine the proper
ing from a broad range of EU legal frameworks qualification of wearables under those legal regimes,
providing for product- or data processing-related as the requirements do not clearly reflect technolog-
cybersecurity and interoperability requirements ical reality, such as the fact that a wearable is the
(Chapter 3.2); interconnection of physical hardware and intangible
• privacy, data protection and data governance software. At the same time, this legal uncertainty is
rules – regulating the lawfulness of data process- affecting a growing number of stakeholders, as there
ing by use of wearable medical devices, and the is a rapidly growing market for easy-to-access and
exercise of the related rights of natural persons affordable wearables, which can be used for a variety
(Chapter 3.3); of health-related, fitness, lifestyle, wellbeing etc., pur-
• IP (intellectual property) rules – providing rights poses. The COVID-19 public health crisis boosted the
to exclude certain third-party use of materials growth of the market. According to the Commission,
or datasets relating to wearable medical devices in 2022, there were cc. 5,000-20,000 medical devices
that are protected by IP rights (Chapter 3.4); on the EU market capable of processing personal data,
but there were significantly more, cc. 100,000 well-
The following sections address salient aspects of these ness applications on the EU market, which did not fall
frameworks and analyse them in terms of how they under the category of ‘medical device’.80
may have an effect (as barriers or enablers) on the
development and further uptake of wearable medi- Based on Article 169(1) of the Treaty on the Func-
cal devices. The chapter also provides a comparative tioning of the European Union (TFEU)81, Regulation
analysis on how some of the key legal requirements (EU) 2023/988 on general product safety (General
are regulated in the US (Chapter 3.5). Product Safety Regulation, ‘GPSR’) lays down
essential general rules (lex generalis) on the safety
of products placed or made available on the Union

79 See also Lucivero, F., Prainsack, B., ‘The lifestylisation of healthcare? ‘Consumer genomics’ and mobile health as technologies for healthy
lifestyle’, Applied & Translational Genomics, Vol. 4, 2015, pp. 44–49 at 47, https://doi.org/10.1016/j.atg.2015.02.001. Purtova, N. ‘eHealth
Spare Parts as a Service: Modular eHealth Solutions and Medical Device Reform’, European Journal of Health Law, Vol. 24, 2017, pp. 463–486
at 469, https://doi.org/10.1163/15718093-12341430.
80 Commission Staff Working Document Impact Assessment Report Accompanying the Document ‘Proposal for a Regulation of the
European Parliament and of the Council on the European Health Data Space, COM(2022) 197 final - SEC(2022) 196 final - SWD(2022)
130 final - SWD(2022) 132 final’, SWD(2022) 131 final, Strasbourg, 3 May 2022, https://eur-lex.europa.eu/legal-content/EN/
TXT/?uri=CELEX%3A52022SC0131.
81 Consolidated version of the Treaty on the Functioning of the European Union, OJ C 115, 9.5.2008, pp. 47–388, ELI: https://data.europa.
eu/eli/treaty/tfeu_2008/oj.
 JRC EXTERNAL STUDY 25

market to ensure the health and safety of consum- and interconnected software components of a wear-
ers.82 According to Recital (8) of the GPSR, “the general able as a ‘medical device’ (under the MDR), as well
product safety requirement and related provisions as the specificities of a wearable medical device that
should apply to consumer products covered by Union provides capabilities as an ‘AI system’ (according to
harmonisation legislation when certain types of risks the AI Act).
are not covered by that Union harmonisation legisla-
tion.” In other words, the GPSR functions as a ‘safety Note that if a wearable (and its components) does
net’ legislation complementing Union harmonisation not qualify as a ‘medical device’ under the MDR, it
legislation. Given that the definition of ‘product’ under may nonetheless qualify as a ‘wellness application’
Article 3(1) of the GPSR encompasses “any item, under the Regulation on the European Health Data
whether or not it is interconnected to other items”, it Space, ‘EHDS’) and may be subject to its mandatory
allows the flexibility to cover any physical hardware labeling scheme if the manufacturer claims interoper-
and interconnected software which constitutes a ability of the wellness application with the harmonised
‘wearable’, if those items (and their intended purpose components of electronic health record (EHR) systems
and capabilities) are not covered by Union harmonisa- (and therefore compliance with the essential require-
tion legislation. That ensures that all wearables must ments laid down in Annex II of the EHDS and related
meet an appropriate level of safety, performance and common specifications).86 However, it would be impor-
quality, which, in turn, can foster consumer trust and tant to make the borderline between medical devices
facilitate market acceptance. and wellness applications clearer. The definition of
a ‘wellness application’ under the EHDS refers to a
The horizontal and sectoral Union harmonisation leg- broad (and arguably ambivalent) intended purpose of
islations that are especially relevant in determining “delivery of care for other purposes than the provision
the safety, quality and performance requirements of healthcare”, which does not clearly supplement the
for the physical hardware and interconnected soft- concept of “medical purpose” that the MDR’s definition
ware components of a wearable are Regulation (EU) of ‘medical device’ is based on. Moreover, the defini-
2017/745 on medical devices83 (Medical Device tion of ‘wellness application’ under the EHDS does not
Regulation, ‘MDR’), Regulation (EU) 2017/746 on reflect accurately the fact that it can be used either
in vitro diagnostic medical devices84 (In Vitro Diag- as a stand-alone software or in combination with a
nostic Medical Devices Regulation, ‘IVDR’), and physical accessory (e.g. when an app is intended to
Regulation (EU) 2024/1689 on artificial intelligence be used in combination with a hardware device that
(‘AI Act’)85. Those legislative acts all follow the logic provides sensor or actuator functionalities).87
of the New Legislative Framework (NLF), i.e. the EU’s
approach to ensure that a range of products comply 3.1.2 The qualification of the physical hardware
with the applicable legislation when they are made and interconnected software components
available on the Union market through conformity of a wearable as ‘medical device’ under
assessment procedure(s) or EU declaration of con- the Medical Device Regulation
formity. The following sections outline the factors that Based on Articles 114 and 168(4)(c) of the TFEU, the
determine the qualification of the physical hardware MDR sets high standards of quality and safety for

82 Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending
Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament
and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC, OJ L
135, 23.5.2023, pp. 1–51, ELI: https://eur-lex.europa.eu/eli/reg/2023/988/oj (henceforth: ‘General Product Safety Regulation [Regulation (EU)
2023/988]’).
83 Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive
2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/
EEC, OJ L 117, 5.5.2017, pp. 1–175, ELI: http://data.europa.eu/eli/reg/2017/745/oj (henceforth: ‘Medical Device Regulation [Regulation (EU)
2017/745]’).
84 Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices
and repealing Directive 98/79/EC and Commission Decision 2010/227/EU, OJ L 117, 5.5.2017, pp. 176–332, ELI: http://data.europa.eu/eli/
reg/2017/746/oj (henceforth: ‘In Vitro Diagnostics Regulation [Regulation (EU) 2017/746]’).
85 AI Act [Regulation (EU) 2024/1689], supra note 67.
86 EHDS compromise, supra note 12.
87 See also DIGITALEUROPE, European Health Data Space (EHDS): key issues to address in trilogues, DIGITALEUROPE, Brussels, 22
December 2023, pp. 12–13, https://cdn.digitaleurope.org/uploads/2024/01/EHDS-trilogues-DIGITALEUROPE-position-paper-1.pdf.
26 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

medical devices and harmonises rules for the placing a ‘medical device’ is defined in the MDR by reference
on the market and putting into service of medical to its:
devices and their accessories on the Union market,
which allows them to benefit from the principle of • physical presentation (“any instrument, appa-
free movement of goods. Some of the key advantages ratus, appliance, software, implant, reagent,
of making a wearable available on the market as a material or other article”);
medical device is that the manufacturer may affix a • use (“for human beings”);
CE marking of conformity to indicate that the wear- • purpose (“one or more specific medical pur-
able medical device is in conformity with the MDR poses”); and
and other applicable Union harmonisation legislation • means of achieving its principal intended action
providing for its affixing [Article 20 MDR]. The manu- or mode of action (“which does not achieve its
facturer may also list the wearable medical device in principal intended action by pharmacological,
the European database on medical devices (Eudamed) immunological or metabolic means, in or on the
[Article 33 MDR]. This ensures transparency, which, human body, but which may be assisted in its
in turn, can facilitate trust among the public. It also function by such means”).88
provides information on the corresponding certificates
issued by notified bodies, the relevant economic oper- Due to advancements in digital health solutions, there
ators, as well as the unique identification of devices are increasing number of cases where this definition
within the internal market and their traceability. In would require further clarifications (or refinement).
addition, the manufacturer may be entitled to include For example:
its wearable medical device in a national registry,
which some Member States have established for the • A wearable medical device typically functions
purpose of listing digital health applications that are as part of an IoT network and telemedicine
validated, CE-marked as medical devices, and eligible system, often in integration with other enabling
for reimbursement by the patient’s health insurance. technologies and computing solutions (e.g. cloud
and scalable distributed computing, data science
The growing number of borderline cases relating to techniques) (see chapters 2.2 and 2.5). That
the qualification assessment of the physical hard- technological complexity makes it challenging to
ware and interconnected software components of properly delimit the ‘physical presentation’ and
a wearable (and consequential safety, performance essential components of a wearable medical
and quality requirements) are related to the (dubi- device, i.e. the physical hardware and intercon-
ous) interpretation and application of the definition nected software components that are necessary
of ‘medical device’ under the MDR. Article 2(1) of to the functioning of a wearable intended by the
the MDR provides that “‘medical device’ means any manufacturer to be used for one or more medical
instrument, apparatus, appliance, software, implant, purposes.
reagent, material or other article intended by the • The interpretation of the ‘means of achieving its
manufacturer to be used, alone or in combination, principal intended action or mode of action’ is
for human beings for one or more [...] specific medical unclear due to the blurring of the line between
purposes” listed in the indents of this provision, and ‘medical devices’ and ‘medicinal products’,
“which does not achieve its principal intended action demonstrated by the increasing number of market
by pharmacological, immunological or metabolic authorisation applications for drug–device combi-
means, in or on the human body, but which may be nations (DDCs).89 An example of such a borderline
assisted in its function by such means.” Accordingly, case is an ingestible sensor that communicates
medication adherence to a compatible wearable

88 Laboratoires Lyocentre v Lääkealan turvallisuus– ja kehittämiskeskus, Sosiaali– ja terveysalan lupa– ja valvontavirasto (C-109/12),
Opinion of Advocate General Sharpston, 30 May 2013, Court Reports – Court of Justice, ECLI:EU:C:2013:353, para. 38, https://curia.europa.eu/
juris/liste.jsf?num=C-109/12.
89 Medicines and Healthcare products Regulatory Agency, BioIndustry Association, The Eighth Joint BIA/MHRA Conference – Collaborative
Working in the UK, Driving Innovation Forward, Medicines and Healthcare products Regulatory Agency, BioIndustry Association, London, 5 July
2018, p. 18, https://www.biaregulatoryconference.org/static/uploaded/2ceb87ee-bd78-4549-94bff0655fffa5b6.pdf.
 JRC EXTERNAL STUDY 27

sensor (patch).90 A similar case may arise from • prevention of disease (e.g. it may qualify as a
the qualification assessment of a smart bandage medical device, if it claims that its output, such as
that monitors and treats chronic wounds.91 Annex prescribing interaction alerts using patient-spe-
IX, point 5.2 et seq. of the MDR prescribes that cific data, can directly prevent one or more
“where a device incorporates a substance, which, specific diseases; but it may not qualify as such,
if used separately, may be considered a medic- if it only provides tips or advice on health pro-
inal product”, the medicinal products authority motion, or claims to prevent injury or handicap);
must verify the quality, safety and usefulness • diagnosis of disease, an injury or handicap (e.g.
of the substance. However, there is a lack of it may qualify as a medical device, if it claims
clarity about the rule when they cannot be used that the data entered by the user or generated
separately. by the sensor of the wearable medical device
are supplied for detecting, diagnosing, or to
In principle, the most important threshold of whether allow direct diagnosing, such as in the case of
a specific product (e.g. a wearable or its compo- a symptom-checker using an AI-powered inter-
nent) qualifies as a ‘medical device’ (and whether face; however, it may not qualify as such, if it
the requirements of the MDR apply) is the ‘intended only offers signposts or reference information
purpose’ of the manufacturer.92 This means that the independent of the likelihood of possible medical
manufacturer itself has the initial power to decide conditions);
whether that product is a medical device. The ‘intended • monitoring of disease, an injury or handicap (e.g.
purpose’ of the manufacturer can be broken down into it may qualify as a medical device, if it claims
two set of requirements, which the following sections that the data entered by the user or generated
analyse in-depth: by the sensor of the wearable medical device can
monitor the progress or severity of a specific dis-
• the ‘objective’ requirement of ‘one or more ease, an injury or handicap in order to affect the
specific medical purposes’ (objective medical treatment of an individual; however, a manually
functions) that a product should fulfil; and updated log of symptoms used when consulting
• the ‘subjective’ requirement of the manufactur- with the patient’s doctor will not qualify as such,
er’s ‘intended purpose’ (subjective intention) that nor will monitoring for sport or fitness purposes,
the product should be used for human beings for such as the heart rate of an athlete, unless the
medical purposes.93 intention is to investigate their physiological
processes);
3.1.2.1 Objective ‘medical purpose’ of a • treatment or alleviation of disease, an injury
wearable medical device or handicap (e.g. it may qualify as a medical
With reference to Article 2(1) of the MDR, the objective device, if it claims that it provides data that can
requirement of a physical hardware or interconnected be used to enable treatment to be performed, or
software component of a wearable to qualify as a its output can be used to treat, reduce symptoms
‘medical device’ is that it is “intended by the manufac- or severity of a disease, injury or handicap; but
turer to be used for one or more [...] specific medical it may not qualify as such, if it is intended to
purposes” (i.e. objective medical functions). This may simply provide tips or advice, to remind users to
encompass one or more of the following medical pur- take medicine, or to treat non-medical “lifestyle”
pose(s) (supplemented with indicative examples of the conditions, such as non-specific stress);
possible scope/borderline of each purpose): • compensation for an injury or handicap (e.g. it
may qualify as a medical device, if it claims that

90 Qualification opinion on ingestible sensor system for medication adherence as biomarker for measuring patient adherence
to medication in clinical trials (EMA/CHMP/SAWP/513571/2015), 15 February 2016, European Medicines Agency Committee
for Medicinal Products for Human Use, London, https://www.ema.europa.eu/documents/regulatory-procedural-guideline/
qualification-opinion-ingestible-sensor-system-medication-adherence-biomarker-measuring-patient_en.pdf.
91 Sani, E. S., Xu, C., Wang, C. et al., ‘A stretchable wireless wearable bioelectronic system for multiplexed monitoring and combination
treatment of infected chronic wounds’, Science Advances, Vol. 9 No. 12, 2023, eadf7388, https://doi.org/10.1126/sciadv.adf7388.
92 See also Quinn, P., ‘The EU commission’s risky choice for a non-risk-based strategy on assessment of medical devices’, Computer Law &
Security Review, Vol. 33 No. 3, 2017, pp. 361–370, https://doi.org/10.1016/j.clsr.2017.03.019.
93 Sheppard, M. K., ‘EU Medical Device Legislation and the Safety Implications for App Users’, in: Legal Issues of Mobile Apps: A Practical
Guide, edited by I. Iglezakis, Kluwer Law International, Alphen aan den Rijn, 2020, Chapter 6 at §6.02.
28 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

its sensors, output or software can compensate a medical purpose, such as sending alerts about
for a specific injury or handicap, such as if it is patient-specific medical condition parameters);
smart eyeglasses intended to magnify text specif- • a database without internal language/macros/
ically for people with visual impairment; however, scripting;
it may not qualify as such, if it is intended for • a multipurpose product (e.g. word processing or
general use, but can also be used to compensate spreadsheet software that runs on a smartwatch,
for an injury or handicap, such as if it is intended unless if it has a specific intended medical pur-
to magnify text, but there is no mention of visual pose and uses macros/functions/programming
impairment in the manufacturer’s claims); language); or
• investigation, replacement or modification of the • software enabling data retrieval by “simple
anatomy or of a physiological process (but, for search” library functions (unless the data is
example, a wearable providing educational infor- modified or its representation is altered for an
mation on anatomy or physiological processes intended medical purpose).
would not qualify as a medical device); and/or
• control or support of conception (e.g. it may qual- Regarding the competence of interpreting the above-
ify as a medical device, if it claims to be directly mentioned aspects of the qualification assessment,
capable of making pregnancy more likely or pre- Recital (8) of the MDR states that it is first and
vent pregnancy; but it may not qualify as such, if foremost “the responsibility of the Member States
it simply replaces a written diary/log to track or to decide on a case-by-case basis whether or not a
display data about a woman’s menstrual cycle). specific product falls within the scope of the [MDR]”
(and IVDR). However, “[i]n order to ensure consistent
If the physical hardware or interconnected software qualification decisions [...] across all Member States,
component of a wearable does not perform any of the particularly with regard to borderline cases, the Com-
abovementioned functions, then it does not qualify mission [is] allowed to, on its own initiative or at the
as a ‘medical device’. This is the case, in particular, duly substantiated request of a Member State, having
if the wearable only has or performs one or more of consulted the Medical Device Coordination Group
the following functions (supplemented with indicative (‘MDCG’), decide on a case-by-case basis whether or
examples of the possible scope/borderline of certain not a specific product, category or group of products
purposes):94 falls within the scope of the [MDR]” (and IVDR). As
a supplementary rule, Article 1(3) of the MDR adds
• monitoring of general fitness, general health or that: “[d]evices with both a medical and a non-medical
general well-being; intended purpose shall fulfil cumulatively the require-
• patient medical education; ments applicable to devices with an intended medical
• professional medical education; purpose and those applicable to devices without an
• administration of healthcare; intended medical purpose.”
• provision of merely reference information to sup-
port medical decision-making (unless it is a decision 3.1.2.2 Subjective ‘intended purpose’ of the
support software component of a wearable med- manufacturer of a wearable medical
ical device that applies automatic reasoning by device
combining general medical information databases Article 2(12) of the MDR defines ‘intended purpose’
and algorithms with patient-specific data by use as “the use for which a device is intended accord-
of an algorithm or a more complex series of cal- ing to the data supplied by the manufacturer on the
culations to interpret or interpolate data, e.g. dose label, in the instructions for use or in promotional or
calculation, time of treatment or future risk of sales materials or statements and as specified by the
disease, and the healthcare professional does not manufacturer in the clinical evaluation”. The ‘intended
review the ‘raw data’); purpose’ must describe the intent of the manufacturer
• information systems enabling storage, archival or as objectively as possible, that is, the manufacturer is
transmission of electronic health data (unless the obliged to formulate its intended purpose in a clear,
system has a specific function that contributes to precise and unambiguous way in order to preclude

94 See also Medical Device Coordination Group, Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 –
MDR and Regulation (EU) 2017/746 – IVDR (MDCG 2019-11), 11 October 2019, pp. 6–7, 19–23, https://ec.europa.eu/health/sites/default/files/
md_sector/docs/md_mdcg_2019_11_guidance_qualification_classification_software_en.pdf (henceforth: ‘MDCG 2019-11’).
 JRC EXTERNAL STUDY 29

different interpretations and without acting arbi- intention manifested in publicly disseminated docu-
trarily to circumvent the (perhaps unfavourable) mentation and materials issued by the manufacturer,
qualification. The intended purpose should describe one could argue that the ‘intended purpose’ should
the intended medical use—not the specific product also encompass the manufacturer’s indirect intention.
features or specifications of an anticipated product.95 If the ‘intended purpose’ were limited purely to what is
As this requirement has led to confusion in the past, provided as information to the public, then this might
it is worth pointing out that the MDCG has clarified allow a manufacturer to circumvent the MDR by not
that ‘intended use’ should be considered to have the specifying hidden features or risks of a device, such as
same meaning as ‘intended purpose’.96 disguised data processing operations or the likelihood
and severity of certain data security or cybersecurity
The intended purpose of the manufacturer is deci- risks. In such cases, the significance of considering the
sive not only in the qualification of a specific product, manufacturer’s indirect intention is that it would cover
but it is also the basis for applying the classifica- the manufacturer’s awareness about what a wearable
tion rules established in Annex VIII of the MDR for medical device (especially its software) is capable of,
determining the risk class of a wearable medical and how it functions in practice. If we accept the need
device, as outlined under Article 51(1) of the MDR. to consider both a manufacturer’s direct and indirect
The risk classification then determines the conformity intention, then the following sources may be suitable
assessment route for the device, including the clini- for discerning the manufacturer’s direct intention:99
cal data required to demonstrate conformity with the
relevant safety and performance requirements. In the • information from marketing materials (e.g. man-
device description, the ‘intended purpose’ of a device ufacturer’s publicly claimed intended purpose);
should include the following (non-exhaustive list of) • information from internal documentation (e.g.
elements: exact medical indications (if applicable); technical documentation); or
the disease or condition to be treated, managed or • informal information sources (e.g. interview with
diagnosed; patient populations; intended users (e.g. a representative of the manufacturer).
healthcare professionals / laypersons); repeat appli-
cations; precautions required by the manufacturer; as In addition to those, sources for discerning the man-
well as any contraindications.97 The intended purpose ufacturer’s indirect intention could be:
helps to identify the clinical data that is relevant to
the device, while the depth and extent of the clinical • data-gathering practices (e.g. if software collects
evaluation depend on the intended purpose (as well data that are relevant to fulfil a medical purpose);
as on the classification, risks of the device and the • data analysis (e.g. if software requires the anal-
manufacturer’s claims in respect of the device). If a ysis of personal and/or non-personal electronic
manufacturer provides instructions for use of wear- health data to achieve results that resemble or
able medical devices in electronic form, it must also fulfil a medical purpose); or
comply with the conditions laid down by Commission • functional specifications (e.g. if software is
Regulation (EU) No 207/2012.98 designed and made to function as a medical
device with the aim of either substituting or
Considering that the definition of ‘intended purpose’ replacing existing medical devices without being
under Article 2(12) of the MDR refers only to the direct one itself).

95 Wyler, J., ‘The intended purpose – or, what does your medical device do?’, Decomplix, 4 February 2020, https://decomplix.com/
intended-purpose-medical-device.
96 Medical Device Coordination Group, Regulation (EU) 2017/745: Clinical evidence needed for medical devices previously CE marked under
Directives 93/42/EEC or 90/385/EEC. A guide for manufacturers and notified bodies (MDCG 2020-6), 23 April 2020, 6 [section 1.2], https://
health.ec.europa.eu/document/download/a6d29444-b5d5-4afb-8024-10be85256aa7_en.
97 See also European Commission, Clinical Investigation: A Guide for Manufacturers and Notified Bodies under Directives 93/42/EEC or
90/385/EEC – Guidelines on Medical Devices (MEDDEV 2.7/1 revision 4), June 2016, 35 [appendix A3.], http://www.ec.europa.eu/DocsRoom/
documents/17522/attachments/1/translations/en/renditions/native.
98 Commission Regulation (EU) No 207/2012 of 9 March 2012 on electronic instructions for use of medical devices, OJ L 72, 10.3.2012,
pp. 28–31, ELI: http://data.europa.eu/eli/reg/2012/207/oj.
99 Ludvigsen, K., Nagaraja, S., Daly, A., ‘When Is Software a Medical Device? Understanding and Determining the “Intention” and
Requirements for Software as a Medical Device in European Union Law’, European Journal of Risk Regulation, Vol. 13 No. 1, 2021, pp. 1–16 at
12–13, https://doi.org/10.1017/err.2021.45.
30 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

3.1.2.3 The ‘intended medical purpose’ criteria Opinion was that: “[e]ven if the information provided
in the CJEU’s case law by the manufacturer is the key factor in determining
The proper interpretation of the ‘intended medical whether a product is intended to be used for a med-
purpose’ criteria was part of a question referred for ical purpose, any product which, by its very nature, is
a preliminary ruling of the CJEU in Brain Products.100 clearly intended to be used solely for a purpose of a
The national proceedings before a German court con- medical nature will have to be regarded as a medical
cerned a dispute about the qualification of a product device, even if the manufacturer does not describe it
(‘ActiveTwo’) which could record electrical signals as such.”105 Indeed, it is important to ensure that the
from the human body intended for the investigation of subjective intention of a device manufacturer serves
a physiological process. The question was whether the as a trigger for the application of the appropriate
product qualifies as a medical device even though the safety, quality and performance legal regime, and
manufacturer explicitly did not intend it for medical that a simple disclaimer stating that a device is not
use, and hence its marketing without a CE marking of intended for medical purposes should not release the
conformity was prohibited. According to the Opinion of device manufacturer of certain legal obligations.106 As
Advocate General Mengozzi, many factors support a regards the objective functions of the device, the AG
systematic and/or teleological approach (over a literal Opinion wrote: “[t]hat reference to the manufacturer’s
interpretation) in interpreting the relevant provisions intention is not of itself decisive here, because the
of the MDD.101 The AG Opinion explained that ‘[a] reference is to the intention that the product should be
ccording to the teleological and systematic approach, used for human beings and not that it should be used
only products which are intended to have a medical for human beings for medical purposes.”107
use are covered by the [MDD].’102 (Although the MDR
repealed the MDD, due to their similar wordings, the In terms of the legal approach used to interpret the
judicial reasoning remains relevant to the MDR.) MDD, the CJEU agreed with the AG Opinion that: “it
is necessary to consider not only its wording but also
The Opinion of AG Mengozzi endorsed the above- the context in which it occurs and the objectives pur-
mentioned necessity to distinguish between the sued by the rules of which it is part”.108 Regarding the
objective and subjective aspects of the manufactur- interpretation of the ‘intended purpose’, the CJEU held
er’s intended purpose. In this regard, the AG Opinion that “[a]s regards software, the legislature [...] made
emphasised that “[i]t is important [...] to bear in mind unequivocally clear that in order for it to fall within the
that the manufacturer’s intention as regards the scope of [the MDD] it is not sufficient that it be used
use of a given product is not immaterial and that in a medical context, but that it is also necessary that
categorisation under the [MDD] cannot be based on the intended purpose, defined by the manufacturer,
objective factors only.”103 The AG Opinion added that is specifically medical.”109 “Furthermore, nothing [...]
the “[MDD] contains various references to the manu- indicates that the legislature intended that a wider
facturer’s intended use of a product. This reveals that, scope should apply for ‘non-software devices’ than
far from being irrelevant, that ‘subjective’ element for ‘software’.”110 Regarding the legal considerations
must in fact be taken into account in interpreting the that underpin the distinction between medical devices
applicable provisions.”104 The conclusion of the AG and non-medical goods in the healthcare sector, the

100 Brain Products GmbH v. BioSemi VOF and Others (C-219/11), Judgment of the Court (Third Chamber), 22 November 2012, Court Reports
– Court of Justice, ECLI:EU:C:2012:742, para. 24, https://curia.europa.eu/juris/liste.jsf?num=C-219/11.
101 Brain Products GmbH v. BioSemi VOF and Others (C-219/11), Opinion of Advocate General Mengozzi, 15 May 2012, Court Reports –
Court of Justice, ECLI:EU:C:2012:299, para. 23, https://curia.europa.eu/juris/liste.jsf?num=C-219/11.
102 Ibid., para. 30.
103 Ibid., para. 42.
104 Ibid., para. 40.
105 Ibid., para. 63.
106 Purtova, supra note 79, 473.
107 Brain Products GmbH v. BioSemi VOF and Others, Opinion of Advocate General Mengozzi, supra note 101, para. 42.
108 Brain Products GmbH v. BioSemi VOF and Others, Judgment of the Court (Third Chamber), supra note 100, para. 13.
109 Ibid., para. 17.
110 Ibid., para. 19.
 JRC EXTERNAL STUDY 31

CJEU explained that: “in the field of medical devices under the MDR, it is important to mention what factors
account must be taken not only of the protection are not decisive in this qualification assessment. First,
of health, but also of the requirements of the free the risk of harm to patients, users or any other person
movement of goods.”111 “It follows that [the MDD] affected by the use of the software within health-
may have the effect of limiting the free movement care, including possible malfunctions, is not a legal
of medical devices, by providing for an obligation for criterion for determining whether software qualifies
certification and CE marking in respect of those prod- as a medical device.117 Second, Recital (19) of the
ucts only where such a limitation is necessary for the MDR provides that: “[t]he qualification of software,
protection of public health. Therefore, in situations in either as a device or an accessory, is independent of
which a product is not conceived by its manufacturer the software’s location or the type of interconnection
to be used for medical purposes, its certification as a between the software and a device.” In relation to
medical device cannot be required. That is the case, this, the MDCG 2019-11 elaborates that: “[t]he type
in particular, of many sports goods which enable the of interconnection between the MDSW and the device
functioning of certain organs in the human body to (e.g. embedded systems, wires, Wi-Fi, Bluetooth) does
be measured without any medical use. If such articles not affect the qualification of the software as a device
were to be classified as medical devices, they would under the MDR (e.g. whether the software is incor-
be subject to a certification procedure without any porated in a device or is at a different location).”118
justification for that requirement.”112 What follows from this is that the type of intercon-
nection between a software and physical hardware
3.1.2.4 Specific requirements for the software components of a wearable medical device bears no
component of wearable medical devices relevance for the qualification assessment of that
and the CJEU’s related case law software. Moreover, the qualification of a software is
Although the MDR regulates the qualification of independent of where that interconnected software
software falling within its scope, it provides neither operates along the cloud-to-device continuum. This
a definition, nor detailed qualification criteria for point is important to highlight also with consideration
software.113 The MDCG provided clarifications in this to the potential integration of an AI system with a
regard in its ‘Guidance on Qualification and Classifica- wearable medical device.
tion of Software in Regulation (EU) 2017/745 – MDR
and Regulation (EU) 2017/746 – IVDR’ (‘MDCG 2019- To qualify as a MDSW, a software must decisively
11’).114 The MDCG 2019-11 defines ‘software’ “as a meet the criteria laid down in the definition of a ‘med-
set of instructions that processes input data and cre- ical device’ under Article 2(1) of the MDR. The MDCG
ates output data.”115 The same guidance also provides 2019-11 explains that MDSW can be placed on the
a definition specifically for ‘medical device software’ market in two different ways:
(‘MDSW’): “software that is intended to be used, alone
or in combination, for a purpose as specified in the • as a medical device (or in vitro diagnostic medical
definition of a ‘medical device’ in the [MDR] or in [the device) in its own right; or
IVDR].”116 • as an integral component or part of a hardware
device.
Before addressing factors determining the quali-
fication of software interconnected with physical The first case is often referred to as ‘software as
hardware components of a wearable medical device a medical device’ (‘SaMD’), while the second case is

111 Ibid., para. 27.

112 Ibid., para. 29–31.
113 See also DIGITALEUROPE, Reflection Paper on regulatory frameworks for digital health technologies in Europe, DIGITALEUROPE, Brussels,
2019, https://cdn.digitaleurope.org/uploads/2019/04/DIGITALEUROPE-Reflection-on-regulatory-frameworks-for-digital-health-technologies-in-
Europe-.pdf.
114 MDCG 2019-11, supra note 94, pp. 6–7, 19–23.
115 Ibid., p. 5.
116 Ibid., p. 6.
117 Ibid., p. 7.
118 Ibid., p. 16.
32 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

labelled as ‘software in a medical device’ (‘SiMD’).119 medical device) and a physical hardware worn on
The significance of the qualification of MDSW based the human body, such as a smart jewellery (an
on this scheme lies in the different regulatory proce- accessory for a medical device) should be consid-
dures that a particular MDSW must undergo. By having ered a ‘system’, if they are placed on the market
its own intended medical purpose (and therefore, together. Another example would be that a com-
fulfilling the definition of a ‘medical device’) alone plex software structure (and multiple correlated
(in its own right), SaMD must undergo a conformity applications) may consist of both medical device
assessment procedure that takes into consideration and non-medical device software modules. In
the qualification, classification and intended purpose that regard, the MDCG 2019-11 explains that:
of the MDSW. In this case, the physical hardware “[i]f the modules which are subject to the [MDR]
components of a wearable medical device (that are are intended for use in combination with other
interconnected with the MDSW) must undergo a sepa- modules of the whole software structure, other
rate conformity assessment procedure, if they satisfy devices or equipment, the whole combination,
the definition of a ‘medical device’ on their own right. including the connection system, must be safe
By contrast, SiMD must undergo a single conformity and must not impair the specified performances
assessment procedure wholly (i.e. the combination of of the modules which are subject to the [MDR].”120
the MDSW and the physical hardware components, • If software drives or influences the physical
which the MDSW is an integral component or part of). hardware components of a wearable and has or
performs a medical purpose or creates informa-
In addition to the foregoing distinction outlining the tion on its own for one or more of the medical
two major configurations in which MDSW can be purposes described in the definition of a ‘medical
placed on the market, there are further atypical cases: device’, then it qualifies as a MDSW.121 In that
case, it functions as either an integral part or
• Software can be intended by the manufacturer component of the physical hardware, or as an
to be used as an ‘accessory for a medical device’ accessory for a medical device.
(as defined by Article 2(2) of the MDR) to enable
a medical device to fulfil its intended function. Regarding related case law, the assessment of
For example, if a mobile app is the only way of the qualification of a drug prescription assistance
interacting with a wearable medical device, then software (‘ICCA’) was part of a question referred
it may be an accessory for that device. In that for preliminary ruling by the CJEU in Snitem.122 The
case, although the software (the mobile app) national proceedings before the French Conseil d’État
would not qualify as a ‘medical device’, it would (Administrative Supreme Court) concerned a dispute
be referred to as a ‘device’ under the MDR, and about whether the ICCA software, which permits the
thus, all corresponding provisions would apply. use of data concerning patients to help a doctor issue
In other words, a software that is an ‘accessory the patient’s prescription and bears the CE marking,
for a medical device’ must be treated, for the qualifies as a medical device, even if it does not itself
purposes of the MDR, as a medical device in its act in or on the human body. According to the Opinion
own right. of Advocate General Campos Sánchez-Bordona: “in
• Software can also be provided as part of a view of the fact that [...] the ICCA software bears the
‘system’ (‘kit’) or as a ‘module’ in the system. CE marking (as a result of which it is freely placed
For example, the interconnection and/or combi- on the market in [...] Member States), that software
nation of a smartwatch (that is not a medical benefits from the presumption of conformity with
device), a MDSW running on the smartwatch (a [the MDD]. Accordingly, it is for the [disputing party]

119 International Medical Device Regulators Forum, Software as a Medical Device (SaMD): Key Definitions, IMDRF/SaMD WG/N10FINAL:2013,
9 December 2013, p. 4, https://www.imdrf.org/sites/default/files/docs/imdrf/final/technical/imdrf-tech-131209-samd-key-definitions-140901.
pdf.
120 MDCG 2019-11, supra note 94, p. 18.
121 Ibid., pp. 7–8.
122 Syndicat national de l’industrie des technologies médicales (Snitem), Philips France v Premier ministre, Ministre des Affaires sociales et
de la Santé (C-329/16), Judgment of the Court (Fourth Chamber), 7 December 2017, Court Reports – Court of Justice, ECLI:EU:C:2017:947,
https://curia.europa.eu/juris/liste.jsf?num=C-329/16.
 JRC EXTERNAL STUDY 33

to rebut that presumption”.123 However, the AG Opin- provides that a medical device must be intended by
ion found that “[t]he fact [...] that the ICCA software the manufacturer for use in humans for the purposes
does not itself act in or on the human body does not [enumerated in the definition].”130 The CJEU repeated
preclude its classification as a medical device.”124 The the reasoning of the AG Opinion that: “[i]n the present
definition of medical device “does not require direct case, software that cross-references patient-specific
action by the device but rather ‘assistance’ with the data with the drugs that the doctor is contemplating
principal action”.125 prescribing, and is thus able to provide the doctor,
in an automated manner, with an analysis [...] for
On the assessment of whether a software serves a the purpose of prevention, monitoring, treatment
medical function, the AG Opinion explained that: “if or alleviation of a disease, [...] pursues a specifically
the software does not perform an action on data or medical objective, making it a medical device within
that action is limited to storage, archival, communica- the meaning of [the MDD].”131 “That is not the case,
tion, simple search or lossless compression, it cannot however, for software that, while intended for use in
be classified as a medical device. A contrario, if the a medical context, has the sole purpose of archiving,
software creates or modifies medical information to collecting and transmitting data, like patient medical
assist the healthcare professional with the use of that data storage software, the function of which is limited
information, it might be a medical device.”126 In the to indicating to the doctor [...] the name of the generic
referred case, the AG Opinion found that “[u]sing data drug associated with the one he plans to prescribe, or
collected about the patient (which may come from [...] the contraindications mentioned by the manufac-
other systems and appliances to which that patient is turer of that drug in its instructions for use.”132
connected), and with the assistance of its calculation
engines, the [ICCA] software automatically converts In Snitem, the CJEU held that: “as regards the condition
that data into useful information for the health profes- relating to the action resulting from the objective pur-
sional while at the same time suggesting the correct sued”, “it should be noted that although that provision
doses of drugs.”127 “[T]he ICCA software go beyond provides that the main action of the medical device
mere administrative functions, such as the storage ‘in or on the human body’, it does not require such
and archival of data, and allow it to be classified as a device to act directly in or on the human body.”133
a medical device.”128 “Thus, it does not matter whether, in order to be clas-
sified as a medical device, software acts directly or
In this case, the CJEU held that: “[i]t is expressly indirectly on the human body, the essential point being
apparent from [the definition of ‘medical device’ in the that its purpose is specifically one of those” referred
MDD] that software constitutes a medical device [...] to in the definition of a ‘medical device.’134 It follows
where it satisfies the two cumulative conditions which that “software, of which at least one of the functions
must be met by any device of that nature, relating makes it possible to use patient-specific data [...] is, in
respectively to the objective pursued and the action respect of that function, a medical device, within the
resulting therefrom.”129 “As regards, first, the objective meaning of [the definition of ‘medical device’ in the
pursued, [the definition of ‘medical device’ in the MDD] MDD], even if such software does not act directly in or

123 Syndicat national de l’industrie des technologies médicales (Snitem), Philips France v Premier ministre, Ministre des Affaires sociales
et de la Santé (C-329/16), Opinion of Advocate General Campos Sánchez-Bordona, 28 June 2017, Court Reports – Court of Justice,
ECLI:EU:C:2017:501, para. 41, https://curia.europa.eu/juris/liste.jsf?num=C-329/16.
124 Ibid., para. 69.
125 Ibid., para. 70.
126 Ibid., para. 57.
127 Ibid., para. 64.
128 Ibid., para. 66.
129 Snitem, Judgment of the Court (Fourth Chamber), supra note 122, para. 22.
130 Ibid., para. 23.
131 Ibid., para. 25.
132 Ibid., para. 26.
133 Ibid., para. 27–28.
134 Ibid., para. 32.
34 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

on the human body.”135 “In respect of medical software documentation available during a certain period to
comprising both modules that meet the definition of the notified bodies for inspection [Article 52(7) MDR].
the term ‘medical device’ and others that do not meet
it and that are not accessories within the meaning As a supplementary rule to the foregoing provisions,
of [the definition of ‘accessory for a medical device’ the MDR ensures that the compliance of devices
provided by the MDD], only the former fall within the with widely accepted soft law instruments demon-
scope of the directive and must be marked CE.”136 strate conformity. On one hand, “devices that are in
conformity with the relevant harmonised standards
3.1.3 Risk classification rules for wearable [...] shall be presumed to be in conformity with the
medical devices under the Medical Device requirements of [the MDR] covered by those standards
Regulation or parts thereof” [Article 8(1) MDR]. Alternatively, “[d]
Manufacturers (and health institutions) must comply evices that are in conformity with the [common spec-
with the MDR in each step of the regulatory process ifications (CS) adopted by the Commission] shall be
(in both commercial and in-house use cases): from presumed to be in conformity with the requirements
early-stage considerations through design and devel- of [the MDR] covered by those CS or the relevant parts
opment, and regulatory submission, to post-market of those CS” [Article 9(2) MDR].
(post-product release) surveillance.137 The classi-
fication rules of the MDR determine the applicable The risk class applicable to the physical hardware and
provisions of the MDR for each step of this process. interconnected software components of a wearable
Article 51(1) of the MDR sets forth that “[d]evices shall medical device that fall under the scope of the MDR
be divided into classes I, IIa, IIb and III, taking into are determined by the implementation rules set forth
account the intended purpose of the devices and their under Chapter II of Annex VIII and by the classification
inherent risks. Classification shall be carried out in rules laid down in Chapter III of Annex VIII of the MDR.
accordance with Annex VIII.” Implementing Rule 3.1 of Annex VIII provides that: “[a]
pplication of the classification rules shall be governed
For class IIa (‘medium risk’), class IIb (‘medium-high by the intended purpose of the devices.” Implementing
risk’) and class III (‘high risk’) devices, as a general rule, Rule 3.2 of Annex VIII states that “[i]f the device in
manufacturers are subject to a conformity assessment question is intended to be used in combination with
procedure in which a notified body ascertains and cer- another device, the classification rules shall apply
tifies whether a device fulfils the relevant provisions separately to each of the devices. Accessories for a
of the MDR [Articles 52(3)–(6) MDR]. Depending on the medical device shall be classified in their own right
classification and the manufacturer’s intention, there separately from the device with which they are used.”
are three types of conformity assessment procedures Implementing Rule 3.3 of Annex VIII clarifies the
[Annexes IX–XI MDR]: regime applicable to MDSW driving or influencing the
use of a physical hardware component of a wearable
• conformity assessment based on a quality man- device, as well as the regime applicable to independent
agement system and on assessment of technical MDSW: “[s]oftware, which drives a device or influences
documentation; the use of a device, shall fall within the same class
• conformity assessment based on type examina- as the device. If the software is independent of any
tion; and/or other device, it shall be classified in its own right.”
• conformity assessment based on product con- This rule is an orientation for determining the correct
formity verification. (minimum) classification of software placed on the
market in combination with the physical hardware
For class I (‘low risk’) devices, as a general rule, the component of a wearable. Therefore, MDSW must be
manufacturer alone is responsible for declaring the classified in its own right, based on the intended pur-
conformity of its product by issuing the EU declara- pose achieved, if it achieves its own intended purpose
tion of conformity and making all relevant technical and also drives or influences the use of a physical

135 Ibid., para. 34.

136 Ibid., para. 36.
137 Beckers, R., Kwade, Z., Zanca, F., ‘The EU medical device regulation: Implications for artificial intelligence-based medical device software
in medical physics’, Physica Medica, Vol. 83, 2021, pp. 1–8 at 2 et seq., https://doi.org/10.1016/j.ejmp.2021.02.011.
 JRC EXTERNAL STUDY 35

hardware component of a wearable intended for a information to take decisions with diagnosis or ther-
medical purpose. However, in that case, the risk class apeutic purposes, the guidance does not fix the crux
shall not be lower than the risk class of the physical of the problem.
hardware device.138 Finally, Implementing Rule 3.5 of
Annex VIII adds to these that: “[i]f several rules, or if, 3.1.4 Health, safety and fundamental rights
within the same rule, several sub-rules, apply to the requirements for AI-enabled wearable
same device based on the device's intended purpose, medical devices under the AI Act
the strictest rule and sub-rule resulting in the higher As discussed above, a wearable medical device may
classification shall apply.” integrate data science (AI) capabilities (see chapter
2.5.2). As Recital (12) of the AI Act142 explains, an AI
With reference to the definition provided by Article system can be used on a stand-alone basis or as a
2(4) of the MDR, both the physical hardware and component of a product (such as a wearable med-
interconnected software components of a wearable ical device), irrespective of whether that system is
medical device must be classified as ‘active devices’. physically integrated into the product (embedded) or
Therefore, Implementing Rules 10 to 13 of Annex serves the functionality of the product without being
VIII are applicable thereof. MDSW must be classified integrated therein (non-embedded). However, in prac-
according to Implementing Rule 11. However, Imple- tice, it can be challenging to delimit which software
menting Rule 11 of Annex VIII of the MDR has received (and possibly hardware) components of a wearable
criticism on the ground that it leaves little room for medical device may be relevant to the definition of
MDSW to be classified as class I. In the previous an ‘AI system’ under Article 3(1) of the AI Act, and
regulatory framework (under the MDD), the advan- where that AI system exerts its influence regarding its
tage of a class I device was that it enabled many interaction with the human body and its environment.
start-ups and university spin-offs to ship innovative
MDSW without having to undergo often expensive and If a wearable medical device integrates the capabili-
slow conformity assessment procedures, to involve ties of an AI system, then in determining the applicable
a notified body and establish a certified quality requirements of the AI Act, a follow-up question is
management system.139 Under the MDR, MDSW are whether that AI system is a fixed-purpose AI system
generally classified higher than before. Critics argue or a general-purpose AI system (such as a large gen-
that this “upgrading” may hinder the innovation activ- erative AI model). The latter could be relevant, for
ities of smaller manufacturers.140 Furthermore, the example, in the case of smart eyeglasses that incor-
classification of MDSW does not necessarily mirror porate AR (augmented reality), blending the virtual
their risk. The problem is that Implementing Rule 11 realm with real-world surroundings.143 As the AI Act
only considers the severity (e.g. “might lead to death”) follows a risk-based approach, another determinative
or duration (e.g. “irreversible”) of potential harms, but factor is what risk category that AI system falls in, and
it does not take into account the probabilities of the whether it may entail any prohibited practices under
risk occurring.141 Although Annex III of MDCG 2019-11 Article 5 of the AI Act.144 With reference to Article 6(1)
presents an indicative orientation on the appropriate of the AI Act, if:
risk class applicable to MDSW intended to provide

138 MDCG 2019-11, supra note 94, p. 12.

139 Eidel, O., ‘MDR Class 1 Devices: Do They Exist (as software)?’, Open Regulatory, 31 August 2021, https://openregulatory.com/
do-software-mdr-class-1-devices-exist.
140 Johner, C., ‘MDR Classification Rule 11 for Medical Device Software’, Johner Institute, 22 July 2017, https://www.johner-institute.com/
articles/regulatory-affairs/and-more/mdr-rule-11-software.
141 Ibid.
142 AI Act [Regulation (EU) 2024/1689], supra note 67.
143 Khandelwal, C. P., ‘How generative AI is revolutionising the wearables industry’, Financial Express, 26 June 2024, https://www.
financialexpress.com/business/industry-how-generative-ai-is-revolutionising-the-wearables-industry-3534974/.
144 Note that the AI Act’s focus solely on risk without considering potential public benefits has been criticised, see Prainsack, B., Forgó, N.,
‘New AI regulation in the EU seeks to reduce risk without assessing public benefit’, Nature Medicine, Vol. 30, 2024, pp. 1235–1237, https://
doi.org/10.1038/s41591-024-02874-2. On possible challenges of developing standards fit for the AI Act, see Pouget, H., Zuhdi, R., ‘AI and
Product Safety Standards Under the EU AI Act’, Carnegie Endowment for International Peace, 5 March 2024, https://carnegieendowment.org/
research/2024/03/ai-and-product-safety-standards-under-the-eu-ai-act?lang=en.
36 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

• the AI system is intended to be used as a safety 3.2 Cybersecurity and interoperability

component of a wearable medical device, or requirements
• the AI system is itself the (software component)
of a wearable medical device covered by the Depending on their intended purpose, wearable med-
MDR/IVDR and must undergo a third-party con- ical devices may process (e.g. collect, store, transmit)
formity assessment (i.e. it qualifies as a class IIa large amounts of data, much of it of a personal
device or higher under the MDR/IVDR), nature. They also often have critical functions that
rely on secure forms of connectivity. However, the vul-
then that qualifies as a ‘high-risk AI system’ under nerability of wearable medical devices to tampering
the AI Act and must fulfil all relevant health, safety and other forms of hacking could result in potentially
and fundamental rights requirements (including dangerous incidents. For this reason, manufacturers
conformity assessment; technical documentation; of wearable medical devices must comply with strin-
data governance; transparency; human oversight; gent cybersecurity requirements. The following section
accuracy, robustness and cybersecurity; risk man- provides an overview of the regulatory framework
agement system; quality management system; logs relevant to the cybersecurity of medical devices in
and record-keeping; corrective action; registration; and the EU. The relevant legislations in this area are varied
post-market monitoring). In case the (software com- and span several domains, including some which are
ponent) of a wearable medical device is classified as well-established while others have been adopted but
a class I device under the MDR, then the AI system is are not applicable yet. Manufacturers who intend to
only subject to transparency obligations under Article design and place wearable medical devices on the EU
50 of the AI Act. market must consider a broad range of cybersecurity
requirements provided under different legislative
For the manufacturer of a wearable medical device instruments. Discerning adherence to each of these
and/or provider of an AI system, possible challenges may be problematic for manufacturers.
may stem from uncertainties regarding the interac-
tion between the AI Act and the MDR. Although Article 3.2.1 Cybersecurity and wearable medical
8(2) of the AI Act aims “to ensure consistency, avoid devices: background sketch
duplication and minimise additional burdens” in con- Given its broad scope, cybersecurity spans numerous
formity assessment procedures, it is not clear what policy domains, but it lacks a universally accepted
the integration of “necessary testing and reporting definition. Conceptually, it ranges from narrowly
processes, information and documentation” provided focusing on technical aspects to embracing a holistic
according to the MDR would entail in terms of satis- approach that incorporates technical, legal and soci-
fying specific requirements under the AI Act. Another etal dimensions. Papakonstantinou proposes two main
challenge relates to the experiences learnt in the early categories: cybersecurity as praxis and cybersecurity
implementation of the MDR, as conformity assess- as a state.145 ‘Cybersecurity as praxis’ encompasses
ment procedures may be hindered by the lack of all actions and measures aimed at achieving cyber-
cross-disciplinary expertise in notified bodies estab- security goals, involving diverse actors implementing
lished pursuant to the MDR and the AI Act. As this a range of security measures, including technical
issue may (further) slow down conformity assessment and legal safeguards. ‘Cybersecurity as a state’, on
procedures, lead to fragmentated interpretations and the other hand, refers to the attainment of a secure
increase risks (and associated costs), it is important environment where individuals and entities can expect
to ensure coordination at EU level (by the AI Office protection from cyber threats. This differentiation
and the MDCG). is crucial, as it underscores the need to safeguard
not only information systems but also the rights and
security of individuals and organisations.

EU legislative instruments relevant to the cybersecu-

rity requirements of wearable medical devices span

145 Papakonstantinou, V., ‘Cybersecurity as Praxis and as a State: The EU Law Path Towards Acknowledgement of a New Right to
Cybersecurity?’ Computer Law & Security Review, Vol. 44, 2022, https://doi.org/10.1016/j.clsr.2022.105653.
 JRC EXTERNAL STUDY 37

various domains and can be broken down into three also for the network and information systems in
main categories (Figure 1): which wearable medical devices function in)151:

• product harmonisation legislation (see chapter ̊ Cybersecurity Act152;f

3.2.2) (which are aligned with or follow the logic ̊ Network Information System 2 Directive
of the New Legislative Framework, NLF)146: (‘NIS2 Directive’)153 (which repeals the NIS
Directive);
̊ Medical Device Regulation (‘MDR’)147;
̊ In Vitro Diagnostic Medical Device Regu- • data-specific legislation (see chapter 3.2.4)
lation (‘IVDR’)148; (which include data processing and data govern-
̊ General Product Safety Regulation ance-related cybersecurity requirements):
(‘GPSR’)149 as a ‘safety net’ legislation for
products or risks not regulated in other EU ̊ General Data Protection Regulation
legislation; (‘GDPR’)154;
̊ AI Act150, if a wearable medical device has a ̊ Data Governance Act (‘DGA’)155 with indirect
component that is an ‘AI system’; implications; and
̊ Data Act156;
• cybersecurity-specific legislation (see chapter ̊ European Health Data Space (‘EHDS’)157.
3.2.3) (which include cybersecurity requirements

146 Note: in principle, the Radio Equipment Directive (‘RED’) no longer applies to cybersecurity risks of wearable medical devices, see Chapter
3.2.2.3.
147 Medical Device Regulation [Regulation (EU) 2017/745], supra note 83.
148 In Vitro Diagnostics Regulation [Regulation (EU) 2017/746], supra note 84.
149 General Product Safety Regulation [Regulation (EU) 2023/988], supra note 82.
150 AI Act [Regulation (EU) 2024/1689], supra note 67.
151 Note: as the Cyber Resilience Act excludes medical devices and in vitro diagnostic medical devices from its scope of application, it is
not considered further in this report, see Regulation (EU) 2024/… of the European Parliament and of the Council on horizontal cybersecurity
requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU)
2020/1828 (Cyber Resilience Act) (position of the European Parliament adopted at first reading on 12 March 2024, awaiting Council's 1st
reading position), ELI: https://eur-lex.europa.eu/legal-content/EN/HIS/?uri=celex:52022PC0454, Recital (25) and Article 2(2)(a)–(b).
152 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for
Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013
(Cybersecurity Act), OJ L 151, 7.6.2019, pp. 15–69, ELI: http://data.europa.eu/eli/reg/2019/881/oj (henceforth: ‘Cybersecurity Act [Regulation
(EU) 2019/881]’).
153 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common
level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU)
2016/1148 (NIS 2 Directive), OJ L 333, 27.12.2022, pp. 80–152, ELI: http://data.europa.eu/eli/dir/2022/2555/oj (henceforth: ‘NIS2 Directive
[Directive (EU) 2022/2555]’).
154 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation), OJ L 119, 4.5.2016, pp. 1–88, ELI: http://data.europa.eu/eli/reg/2016/679/oj (henceforth: ‘General Data Protection [Regulation (EU)
2016/679]’).
155 Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending
Regulation (EU) 2018/1724 (Data Governance Act) http://data.europa.eu/eli/reg/2022/868/oj (henceforth: ‘Data Governance Act [Regulation
(EU) 2022/868]’).
156 Data Act (Regulation (EU) 2023/2854), supra note 37.
157 EHDS compromise, supra note 12. Note that the provisions of Chapter III of the EHDS (and relevant annexes) providing rules on
electronic health record (EHR) systems and products claiming interoperability with the harmonised components of EHR systems could also be
classified under ‘cybersecurity requirements in EU product harmonisation legislations’.
38 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Data-specific
legislation
GDPR
Data Governance Act
Data Act
EHDS

Product harmonisation Cybersecurity-specific

legislation MDR/IVDR legislation
Cybersecurity Act
GPSR
NIS2 Directive
AI Act

Source: adapted (revised and updated) based on Biasin, Yaşar and Kamenjašević158

Figure 1: EU cybersecurity requirements (directly/indirectly) relevant to wearable medical devices

3.2.2 Cybersecurity requirements in EU product common safety and health concerns relating to the
harmonisation legislations use of such products. The MDR focuses on the obliga-
The following sectoral and horizontal EU legislation are tions of manufacturers, i.e. a natural or legal person
aligned with or follow the logic of the New Legislative who manufacturers or fully refurbishes a device or
Framework (NLF). These legislations aim to improve has a device designed, manufactured or fully refur-
the internal market for products (including for wear- bished, and markets that device under its name or
able medical devices and their components) through trademark.161 Some of those obligations are linked to
conformity assessment and market surveillance to the requirement of ensuring cybersecurity (which, as
ensure that products placed on the EU market meet mentioned, is challenging itself to define).162
high safety (including cybersecurity), performance and
quality requirements. (i) What does the MDR require in terms of cybersecurity?

3.2.2.1 Medical Device Regulation and In Vitro Whilst the main body of the MDR does not explic-
Diagnostics Regulation itly mention the term ‘cybersecurity’, it does outline
The Medical Device Regulation (MDR)159 and the In essential cybersecurity-related requirements that a
Vitro Diagnostics Regulation (IVDR)160 stipulate safety, manufacturer must adhere to in the design, develop-
performance and quality requirements that manufac- ment and marketing of a (wearable) medical device.163
turers must adhere to when placing on the market Annex I of the MDR stipulates that a medical device
and putting into service wearable medical devices shall perform as intended, be suitable for its purpose,
and their accessories in the EU (see also chapter 3.1). be safe and effective, and any risks which may be
The MDR sets high standards in order to address associated with its use must be weighed against the

158 Biasin, E., Yaşar, B., Kamenjašević, E., ‘New Cybersecurity Requirements for Medical Devices in the EU: The Forthcoming European
Health Data Space, Data Act, and Artificial Intelligence Act’, Law, Technology and Humans’, Vol. 5 No. 5, 2023, pp. 43–58 at 45 https://doi.
org/10.5204/lthj.3068. A similar representation is put forward in Ludvigsen, K. R., ‘The Role of Cybersecurity in Medical Devices Regulation:
Future Considerations and Solutions Symposium: Regulatory Futures and Medical Devices’, Law, Technology and Humans, Vol. 5 No. 2, 2023,
p. 68, https://doi.org/10.5204/lthj.3080.
159 Medical Device Regulation [Regulation (EU) 2017/745], supra note 83.
160 In Vitro Diagnostics Regulation [Regulation (EU) 2017/746], supra note 84. Note that the requirements of the MDR are applicable
mutatis mutandis to the IVDR.
161 Medical Device Regulation [Regulation (EU) 2017/745], supra note 83, Article 2(30).
162 For further discussion on the challenges of defining the concept of ‘cybersecurity’ in the EU’s legislative approach see Papakonstantinou,
supra note 145.
163 Article 5(1) of the MDR mandates manufacturers to ensure compliance with the requirements of the MDR when the device is duly
supplied and properly installed, maintained and used in accordance with its intended purpose. Article 5(2) requires medical devices to meet
general safety and performance requirements (including cybersecurity-related provisions) set out in Annex I, taking into account the intended
purpose specified by the manufacturer.
 JRC EXTERNAL STUDY 39

benefits to the patient.164 Manufacturers are obliged access, must be established. Regarding device infor-
to establish, implement, and document a risk man- mation, manufacturers must disclose residual risks,
agement system, including risk control measures provide immediate attention warnings on labels, and
conforming to safety principles and technological for electronic programmable systems, specify hard-
advancements.165 If the device is intended for use ware, IT network characteristics and security measures
in combination with other devices or equipment, the necessary for intended software operation.170
whole combination, including the connection system,
must maintain safety and performance standards (ii) Guidance from the Medical Device Coordination
without compromising device specifications.166 Addi- Group (MDCG)
tionally, a (wearable) medical device shall be designed
and manufactured to mitigate risks associated with The abovementioned requirements are further
the interaction between software and the IT environ- detailed in the Guidance on Cybersecurity for Medical
ment within which it operates and interacts, and shall Devices (‘MDCG 2019-16 rev. 1 guidance’) issued by
ensure safe and reliable interoperability and compat- the Medical Device Coordination Group (MDCG),171
ibility when used with other devices or products.167 which provides manufacturers (and other relevant
actors) guidance to meet pre-market and post-market
Electronic programmable systems, including the soft- obligations under the MDR.172 Despite its non-binding
ware component of wearable medical devices, must nature, the guidance plays an important role in speci-
ensure repeatability, reliability, and performance fying cybersecurity-related provisions under the MDR,
according to their intended use, with measures to especially considering that the relevant provisions
reduce risks and performance impairment.168 Man- are implicitly and not explicitly linked to the notion
ufacturers are also required to develop devices of cybersecurity. The MDCG 2019-16 rev. 1 guidance
according to current technological standards, respect- provides a useful overview of the diverse activities
ing development life cycle principles, risk management that the manufacturer needs to carry out when man-
(including information security), and verification/ aging cybersecurity across the entire life cycle of a
validation processes.169 Minimum requirements for (wearable) medical device (Table 1).
hardware, IT network characteristics, and security
measures, including protection against unauthorised

164 Medical Device Regulation [Regulation (EU) 2017/745], supra note 83, Annex I, General requirement 1.
165 Ibid., Annex I, General requirements 3–4.
166 Ibid., Annex I, General requirement 14.
167 Ibid.
168 Ibid., Annex I, General requirement 17.
169 Cf. Ludvigsen, supra note 158 at 63: “A potential issue across the EU's medical device cybersecurity framework generally is its use of,
and reference to, security standards; for example, ISO 14155:2011. The problem is not the use of security standards per se; it is the fact
that most of them are developed by private actors, such as the International Organization for Standardization (ISO), who allow usage of the
standard for a fee. Arguably, this creates an unnecessary barrier to the adequate protection of the health and safety of device users, as small
or medium-sized enterprises will not necessarily have the resources to access the standards”.
170 Medical Device Regulation [Regulation (EU) 2017/745], supra note 83, Annex I, requirement 23.
171 “The Medical Device Coordination Group (MDCG) deals with key issues from the medical devices sector, from Notified Body
oversight or standardization to market surveillance, passing by international matters, new technologies and clinical investigation. Its
expertise originates from its division in 13 subgroups, which respectively provide advice and draft guidance on their expertise field. The
members of the subgroups are appointed by the Member States for a duration of 3 years. Stakeholders / European based associations
participate in the meetings following applications to dedicated calls for expression of interest” [see https://health.ec.europa.eu/
medical-devices-dialogue-between-interested-parties/medical-device-coordination-group-working-groups_en.]
172 Medical Device Coordination Group, Guidance on Cybersecurity for medical devices (MDCG 2019-16 rev. 1), December 2019, https://
health.ec.europa.eu/document/download/b23b362f-8a56-434c-922a-5b3ca4d0a7a1_en?filename=md_cybersecurity_en.pdf (henceforth:
‘MDCG 2019-16 rev. 1’).
40 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Table 1: Cybersecurity requirements across the life cycle of (wearable) medical devices according to the MDR/IVDR

Pre-market activities Post-market activities

Secure design (Annex I)
Risk management (Annex I) Risk management (Annex I)
Establish risk control measures (Annex I) Modify risk control measures / corrective actions /
patches (Annex I)
Validation, verification, risk assessment, benefit Validation, verification, risk assessment, benefit–risk
risk analysis (Annex I) analysis (Annex I)
Technical documentation (Annexes II and III) Maintain and update a post-market surveillance plan and
post-market surveillance system (Articles 83 and 84)
Conformity assessment (Article 52) Trend reporting (Article 88)
Establish a post-market surveillance plan and Analysis of serious incidents (Article 89)
post‑market surveillance system (Articles 83
and 84)
Clinical evaluation process (Chapter VI) Post-market surveillance report (Article 85)
Periodic safety update report (Article 86)
Update technical documentation (Annexes II and III)
Inform the electronic system on vigilance (Article 92)
Source: adopted based on MDCG 2019-16 rev. 1, supra note 172, pp. 7–8.

The analysis of all the activities would be beyond by the stakeholders concerned.173 Furthermore, the
the scope of this report, but what is clear is that MDCG 2019-16 rev. 1 guidance does not cover cyber-
the MDR’s requirements to ensure cybersecurity is a security-related concepts and requirements provided
complex process, which places considerable demands under the Cybersecurity Act (‘CSA’) (discussed in
on device manufacturers. When assessing those, it is Chapter 3.2.3.1) and the AI Act (discussed in Chapter
important to point out that the requirements of the 3.2.2.4), which were adopted after the MDR. Similarly,
MDR need to be considered in supplement to further the MDCG 2019-16 rev. 1 guidance overlooks the
cybersecurity requirements outlined in this section applicability of the Radio Equipment Directive (RED)
(pursuant to other relevant legislations). (discussed in Chapter 3.2.2.3), which has implications
for cybersecurity provisions in the context of the
(iii) Limitations of the MDCG 2019-16 rev. 1 guidance MDR.174 As a result, there is uncertainty about what
the MDR itself expects in this area and how analogous
The MDR does not define or explicitly refer to the its requirements are with other legislation.
terms ‘cybersecurity’, ‘security-by-design’, or ‘secu-
rity-by-default’. The MDCG 2019-16 rev. 1 guidance While the MDCG 2019-16 rev. 1 guidance empha-
only explains the conceptual link between ‘safety’ and sises the importance of recognising the roles and
‘security’ as they relate to risks, and it provides an expectations of all stakeholders in ensuring a secured
outline of the MDR’s provisions relating to IT security, environment for the benefit of patients’ safety, it falls
information security and operation security. Leaving short to elaborate on how the joint responsibility of
such terms theoretical and undefined hinders the prac- stakeholders is affected by other legislations (such
tical implementation of cybersecurity requirements as the GDPR, the NIS2 Directive and the CSA). This

173 Biasin, E., Kamenjasevic, B., ‘Cybersecurity of Medical Devices: Regulatory Challenges in the EU’, in: ‘The Future of Medical Device
Regulation: Innovation and Protection’, edited by I. G. Cohen et. al., Cambridge University Press, Cambridge, 2022, p. 56, https://doi.
org/10.1017/9781108975452.
174 Ibid., p. 57.
 JRC EXTERNAL STUDY 41

lack of legal interaction poses challenges for stake- respectively, in order to ensure that changes intro-
holders in navigating different pieces of legislation duced in the product do not jeopardise its safety.”
divergent in scope and applicability. For this reason, Article 6(1)(g) of the GPSR sets forth that cybersecurity
Biasin and Kamenjasvic have recommended a more aspects shall be “taken into account” when assessing
holistic approach when specifying the meaning of whether a product is a safe product, in particular
‘joint responsibility’, as this could help to apply the “when required by the nature of the product, the
relevant aspects of horizontal legislation.175 Given appropriate cybersecurity features necessary to pro-
that the MDCG 2019-16 rev. 1 guidance is outdated, tect the product against external influences, including
its possible revision (considering the CSA and the AI malicious third parties, where such an influence might
Act, as well as the problems discussed here and in a have an impact on the safety of the product, includ-
number of academic papers) could improve its clarity ing the possible loss of interconnection”. Although the
and achieve a more coherent cybersecurity regulatory MDR does not mention explicitly the requirement to
framework for (wearable) medical devices. ensure such cybersecurity features, it is commonly
understood that Article I of the MDR provides for
3.2.2.2 General Product Safety Regulation corresponding obligations in this area, evidenced by
The General Product Safety Regulation (‘GPSR’) aims the MDCG 2019-16 rev. 1 guidance (discussed under
to ensure the health and safety of consumers and the Chapter 3.2.2.1). Hence, the conformity assessment
functioning of the internal market as regards products procedure of the MDR should cover the cybersecurity
intended for consumers.176 As mentioned, it functions requirements of the GSPR.
as a ‘safety net’ legislation for product safety require-
ments. According to Article 2(1), the GPSR is intended The GPSR is an example of the proliferation of cyber-
to apply: “to products that are placed or made avail- security requirements in EU law. On one side, it is
able on the market insofar as there are no specific useful that the GPSR adds minimum cybersecurity
provisions with the same objective under Union law requirements for ICT products (which the CSA did
which regulate the safety of the products concerned”. not include). The scope of the GPSR may also extend
The same article adds that: “[w]here products are sub- to the ‘provider of an online marketplace’ when an
ject to specific safety requirements imposed by Union intermediary service using an online interface allows
law, [the GPSR] applies only to those aspects and risks patients to conclude distance contracts with traders
or categories of risks which are not covered by those for the sale of wearable medical devices.177 However,
requirements.” In the context of wearable medical the parallel requirements also bring some uncertain-
devices, the MDR (and the AI Act if a wearable medical ties. For example, it is unclear whether the interaction
device has an AI system component) provide “specific between the ‘safety’ and (cyber)’security’ aspects of a
provisions” in relation to the GPSR. Consequently, the wearable medical device should be interpreted in the
GPSR only applies if the MDR and the AI Act do not same way under the GPSR as it is interpreted under
set forth specific provisions with the same objective. the MDCG 2019-16 rev. 1 guidance. There is also
uncertainty under the GPSR about the cybersecurity
Regarding cybersecurity, Recital (26) of the GPSR features that manufacturers are responsible for when
clarifies that “[s]pecific cybersecurity risks affecting a wearable medical device (and its hardware/software
the safety of consumers, as well as protocols and components, which qualify as an individual ‘product’
certifications, can be dealt with by sectoral legislation. under Article 3(1) of the GPSR) are integrated into
However, it should be ensured that, in cases where larger ICT systems. For this reason, the GPSR could
such sectoral legislation does not apply, the relevant clarify that its requirements are limited to assessing
economic operators and national authorities take the impact of products that are intended to be used
into consideration risks linked to new technologies, together (similarly to the logic of the MDR).
when designing the products and assessing them

175 Ibid., pp. 56–57.

176 General Product Safety Regulation [Regulation (EU) 2023/988], supra note 82, Recital (4).
177 See also Reuschlaw, ‘Does the Product Safety Regulation apply to medical devices?’, Reuschlaw, 11 June 2023, https://www.reuschlaw.
de/en/news/does-the-product-safety-regulation-apply-to-medical-devices/.
42 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

3.2.2.3 Radio Equipment Directive • radio equipment does not harm the network or
In principle, the Radio Equipment Directive (‘RED’)178 its functioning nor misuse network resources,
is no longer applicable to the cybersecurity aspects thereby causing an unacceptable degradation of
of wearable medical devices, but it is important to be service [Article 3(3)(e)];
aware of how its applicability has changed. • radio equipment incorporates safeguards to
ensure that the personal data and privacy of the
According to Article 2(1) of the RED, a ‘radio equip- user and of the subscriber are protected [Article
ment’ is defined as “an electrical or electronic product, 3(3)(f)]; and
which intentionally emits and/or receives radio waves • radio equipment supports certain features ensur-
for the purpose of radio communication and/or radi- ing protection from fraud [Article 3(3)(g)].
odetermination, or an electrical or electronic product
which must be completed with an accessory, such as Each of those essential requirements are implicitly
antenna, so as to intentionally emit and/or receive linked to the notion of ‘cybersecurity’. Until recently,
radio waves for the purpose of radio communication manufacturers of wearable medical devices had to
and/or radiodetermination”. Given that wearable med- comply with those essential requirements. This was
ical devices have a connectivity module (such as Wi‑Fi, revoked by Article 2(1) of Commission Delegated
Bluetooth, 4G/5G or RFID) that fall under the defini- Regulation (EU) 2022/30, which exempts products
tion of ‘radio equipment’, the RED generally applies falling under the MDR/IVDR (including wearable med-
to wearable medical devices.179 The RED is concerned ical devices) from having to comply with the essential
with guaranteeing consistent radio communication, requirements set out under Articles 3(3)(e)–(f) of
whilst taking into account the impact of other poten- RED.181 However, other provisions of the RED continue
tially connected devices. However, compliance with to apply to wearable medical devices. In general, the
the RED whilst going through the MDR conformity clarification of the interaction between RED and the
assessment procedure has been described as “not a MDR/IVDR on cybersecurity requirements seems to
straightforward” process, with careful coordination have brought more clarity and simplicity in the area.182
being critical.180
3.2.2.4 Artificial Intelligence Act
Concerning cybersecurity, Article 3(3) of the RED As mentioned, it can be challenging to determine, in
requires a radio equipment to be constructed so that practice, whether a wearable medical device has an ‘AI
it complies with essential requirements, including that: system’ component and how the requirements (includ-
ing the cybersecurity requirements) defined under the
AI Act183 interact with corresponding requirements

178 Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member
States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC, OJ L 153, 22.5.2014, pp.
62–106, ELI: https://eur-lex.europa.eu/eli/dir/2014/53/oj.
179 See also Klessascheck, M., ‘Radio Equipment Directive (RED) for networked medical devices’, Johner Institute, 2 February 2024, https://
blog.johner-institute.com/regulatory-affairs/radio-equipment-directive-red/.
180 “The addition of a radio in a medical device has implications for both the risk management and for what to look for during testing – the
appliance’s performance criteria. Careful planning of the testing of a medical product with radio is required, so that all relevant functions are
monitored simultaneously and adequately, not to have first to test the compliance with MDD and afterwards test again to ensure compliance
with RED” (see Steensen, J., ‘Approval of medical devices with radio’, Force Technology, 2019, https://forcetechnology.com/en/articles/
medical-devices-with-radio-approval-emc).
181 Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament
and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that
Directive, OJ L 7, 12.1.2022, pp. 6–10, ELI: http://data.europa.eu/eli/reg_del/2022/30/oj, Article 2(1).
182 Concerns about how to interpret compliance with parallel applicable provisions on cybersecurity under both the MDR and the RED
were previously raised in Biasin, Yaşar, Kamenjašević, supra note 158. It seems that those concerns have been alleviated by Article 2(1) of
Commission Delegated Regulation 2022/30. But note that there are essential requirements (e.g. Article 3(3)(i) of the RED requiring that “radio
equipment supports certain features in order to ensure that software can only be loaded into the radio equipment where the compliance of
the combination of the radio equipment and software has been demonstrated”), which arguably also fall under the concept of ‘cybersecurity’,
but have not been exempted by Article 2(1) of Commission Delegated Regulation (EU) 2022/30, whereas they may be considered as
cybersecurity requirements under the MDR, cf. Medical Device Regulation [Regulation (EU) 2017/745], supra note 83, Annex I, General
requirement 14.
183 AI Act [Regulation (EU) 2024/1689], supra note 67.
 JRC EXTERNAL STUDY 43

under the MDR.184 Hence, guidance is needed to clarify There are two ways to ensure conformity with the
the interaction between the AI Act and the MDR “to abovementioned requirements: the provider of the AI
ensure consistency, avoid duplication and minimise system may voluntarily rely on harmonised standards
additional burdens”, as stated by Article 8(2) of the (which provide a presumption of conformity with the
AI Act (see Chapter 3.1.4). requirements of the AI Act) or demonstrate conformity
without relying on the harmonised standards.187
In general, cybersecurity plays a crucial role in ensur-
ing that AI systems are resilient against attempts to While Article 15 of the AI Act requires high-risk AI sys-
alter their use, behaviour, performance or compromise tems to achieve and maintain an appropriate level of
their security properties by malicious third parties cybersecurity resilience, the practical understanding
exploiting the system’s vulnerabilities. Cyberattacks of cybersecurity is elucidated through concrete organ-
against AI systems can leverage AI-specific assets, isational and technical solutions, wherein providers of
such as training data sets (e.g. data poisoning) or AI systems must select and implement appropriate
trained models (e.g. adversarial attacks or mem- measures based on risk factors and specific circum-
bership inference), or exploit vulnerabilities in the AI stances. However, the AI Act lacks a clear definition of
system’s digital assets or the underlying ICT infra- cybersecurity and hence a clear link between cyber-
structure.185 For that reason, Article 15(1) of the Al security and the protection of individual rights, i.e.
Act stipulates cybersecurity requirements for high-risk linkage of cybersecurity directly to its beneficiaries
AI systems, which “shall be designed and developed (e.g. users of a high-risk AI system integrated into
in such a way that they achieve an appropriate level a wearable medical device). In particular, the AI Act
of accuracy, robustness, and cybersecurity, and that does not make explicit reference to the Cybersecurity
they perform consistently in those respects through- Act's definition of ‘cybersecurity’ (Article 2(1) of the
out their lifecycle.” Operationally, Article 15 of the AI Cybersecurity Act) and, unlike Article 32 of the GDPR,
Act requires demonstration of conformity with the it does not provide further guidance in determining
following requirements to ensure cybersecurity:186 the appropriateness of certain measures.188

• high-risk AI systems shall be designed to be Another challenge relates to the potential alignment
resilient against attempts to alter their use, between the AI Act and Cybersecurity Act regarding
behaviour, and performance and to compromise a possible path towards mutual recognition of cer-
their security properties by malicious third parties tifications. Article 42(2) of the AI Act provides that:
exploiting their vulnerabilities; “[h]igh-risk AI systems that have been certified or
• organisational and technical solutions shall be for which a statement of conformity has been issued
implemented to address those goals; under a cybersecurity scheme pursuant to [the Cyber-
• a cybersecurity risk assessment shall be carried security Act] […] shall be presumed to comply with the
out for high-risk AI systems; and cybersecurity requirements set out in Article 15 of this
• technical solutions shall be appropriate to the Regulation in so far as the cybersecurity certificate or
relevant circumstances and risks. statement of conformity or parts thereof cover those
requirements.” However, it may lead to uncertainties
that the two regulations do not align when looking at

184 For a discussion on the increasing role of AI in wearables see Yetisen, A., Martinez-Hurtado J., Ünal, B., et al., ‘Wearables in Medicine’,
Advanced Materials, Vol. 30, No. 16, 2018, pp. 1–26, https://doi.org/10.1002/adma.201706910; Nahavandi, D., Roohallah Alizadehsani, R.,
Khosravi, A. et al., ‘Application of Artificial Intelligence in Wearable Devices: Opportunities and Challenges’, Computer Methods and Programs in
Biomedicine, Vol. 213, No. 106541, 2022, https://doi.org/10.1016/j.cmpb.2021.106541.
185 AI Act [Regulation (EU) 2024/1689], supra note 67, Recital (76).
186 European Commission, Joint Research Centre, Soler Garrido, J., Fano Yela, D., Panigutti, C. et al., Analysis of the preliminary AI
standardisation work plan in support of the AI Act, Publications Office of the European Union, Luxembourg, 2023, p. 15, https://data.europa.eu/
doi/10.2760/5847.
187 European Commission, Joint Research Centre, Junklewitz, H., Hamon, R., André, A. et al., Cybersecurity of artificial intelligence in the AI Act
– Guiding principles to address the cybersecurity requirement for high-risk AI systems, Publications Office of the European Union, Luxembourg,
2023, p. 7, https://data.europa.eu/doi/10.2760/271009.
188 Biasin, Yaşar, Kamenjašević, supra note 158, pp. 50–51.
44 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

the level of detail in the obligations addressing cyber- given that other EU legislative frameworks (e.g. MDR,
security and there are several differences between the AI Act) implicitly/explicitly refer to the notion of cyber-
relevant certification mechanisms.189 security without defining it precisely.194 The definition
under the CSA could arguably reduce uncertainties
3.2.3 Cybersecurity requirements in that stem from multiple EU legislative frameworks
cybersecurity-specific EU legislations on cybersecurity requirements and facilitate a
Cybersecurity-specific EU legislations set common common understanding of cybersecurity. However,
rules to achieve a high level of cybersecurity and as mentioned in relation to the AI Act, the lack of
cyber resilience in the EU. These legislations have cross-reference to the definition under the CSA may
implications for the cybersecurity requirements of lead to uncertainties (see Chapter 3.2.2.4).
wearable medical devices as well as the network and
information systems in which they function in. Second, the CSA provides for a method of certification
that allows demonstration of compliance with spe-
3.2.3.1 Cybersecurity Act cific security requirements laid down in a European
The Cybersecurity Act (‘CSA’)190 establishes a unified cybersecurity certification scheme (CSA certification
framework across the EU for certifying the cybersecu- scheme). According to Article 56(1) of the CSA, “ICT
rity of ICT products, services and processes pursuant products, ICT services and ICT processes that have
to European cybersecurity certification schemes. Its been certified under a European cybersecurity cer-
primary goal is to bolster cybersecurity protection tification scheme […] shall be presumed to comply
within the EU while allowing manufacturers and ser- with the requirements of such scheme”. The CSA
vice providers to utilise a single, universally recognised certification is, in principle, voluntary. However, this
certificate throughout the region.191 Previously, various does not mean that it is not useful considering that
EU Member States had their own national cybersecu- the CSA certification can also be used to demonstrate
rity certification regulations, leading to discrepancies compliance with specific EU or national legislations
in standards and hindering the seamless flow of ICT (which may even make CSA certification compulso-
products and services within the EU.192 The Cyberse- ry).195 Regarding its potential relevance for wearable
curity Act aims to replace certification schemes based medical devices, the AI Act and the NIS2 Directive
at the national level with a pan-EU approach. Under both lay down that CSA certification is a method to
Article 58 of the Cybersecurity Act, each EU Member demonstrate compliance with their own respective
State must designate at least one National Cyberse- requirements on cybersecurity.196
curity Certification Authority (NCCA).
The ability to demonstrate compliance with the cyber-
The CSA is relevant to cybersecurity requirements security requirements of multiple legal frameworks
of (wearable) medical devices for two main reasons. that apply in parallel represents an important legisla-
First, in EU legislation, the CSA provides the most rel- tive innovation that will serve to reduce confusion and
evant definition on ‘cybersecurity’.193 This is important duplication of efforts. Whilst this policy goal should

189 Casarosa, F., ‘Cybersecurity Certification of Artificial Intelligence: A Missed Opportunity to Coordinate between the Artificial
Intelligence Act and the Cybersecurity Act’, International Cybersecurity Law Review, Vol. 3, 2022, pp. 115–130, https://doi.org/10.1365/
s43439-021-00043-6.
190 Cybersecurity Act [Regulation (EU) 2019/881], supra note 152.
191 Kohler, C., ‘The EU Cybersecurity Act and European Standards: An Introduction to the Role of European Standardization’, International
Cybersecurity Law Review, Vol. 1, 2020, pp. 7-12, https://doi.org/10.1365/s43439-020-00008-1.
192 Mitrakas, A., ‘The Emerging EU Framework on Cybersecurity Certification’, Datenschutz Und Datensicherheit, Vol. 42, 2018, pp. 411–414,
https://doi.org/10.1007/s11623-018-0969-2.
193 Article 2(1) of the Cybersecurity Act [Regulation (EU) 2019/881], supra note 152, states that: ‘cybersecurity’ “means the activities
necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats”.
194 See also Biasin, Yaşar, Kamenjašević, supra note 158.
195 Article 54(4) of the Cybersecurity Act [Regulation (EU) 2019/881], supra note 152, states that: “[i]n the absence of harmonised Union
law, Member State law may also provide that a European cybersecurity certification scheme may be used for establishing the presumption of
conformity with legal requirements”.
196 Ibid, Article 54(3) states that: “[w]here a specific Union legal act so provides, a certificate or an EU statement of conformity issued
under a European cybersecurity certification scheme may be used to demonstrate the presumption of conformity with requirements of that
legal act.” See also AI Act [Regulation (EU) 2024/1689], Article 42(2), discussed under Chapter 3.2.2.4 and NIS2 Directive [Directive (EU)
2022/2555], Article 24(1), discussed under Chapter 3.2.3.2.
 JRC EXTERNAL STUDY 45

be applauded, it should be noted that in the area of In principle, the NIS2 Directive applies to public or
(wearable) medical devices, the potential unification private medium-sized and large entities operating
(i.e. in terms of an avenue for cybersecurity certifi- in ‘sectors of high criticality’ (defined in Annex I) or
cation) has not been fully rounded off. Although the ‘other critical sectors’ (defined in Annex II). The NIS2
AI Act (which prescribes cybersecurity requirements Directive classifies healthcare providers and entities
for wearable medical devices when they have an AI that manufacture medical devices considered to be
system component) foresees the possibility to invoke critical during a public health emergency in the sector
the CSA certification scheme, the MDR/IVDR do not of high criticality, while entities manufacturing (wear-
provide such a legal avenue (yet). This means however able) medical devices fall within other critical sectors.
that whilst wearable medical device manufactures Those ‘essential’ and ‘important’ entities are required
have the certainty that they can demonstrate cyber- (by national transposition laws) to “take appropriate
security compliance with the AI Act through the CSA and proportionate technical, operational and organi-
certification route, they do not have this for (possibly) sational measures to manage the risks posed to the
equivalent requirements under the MDR. Manufac- security of network and information systems which
tures may invoke the CSA certification process to those entities use for their operations or for the pro-
demonstrate compliance, but there is no formal guar- vision of their services, and to prevent or minimise
antee that notified bodies (responsible for conformity the impact of incidents on recipients of their services
assessment under the MDR) would recognise that. It and on other services” [Article 21(1) NIS2 Directive].199
can be hoped that a revision of the MDR/IVDR will
remedy this issue by explicitly referring to the CSA As part of those measures, the NIS2 Directive pre-
certification scheme. scribes risk management, requiring entities to assess
and mitigate cybersecurity risks effectively.200 In par-
3.2.3.2 NIS2 Directive ticular, the relevant entities are required to carry out
The NIS2 (Network and Information Security) Direc- risk assessments of critical supply chains and report
tive197 aims to counter increased cybersecurity threats any significant cyber incidents to national authorities
and ensure the resilience of critical infrastructure [Articles 21(3) and 23(1) NIS2 Directive].201 The NIS2
and essential services across the EU, with a view Directive also aims to facilitate cybersecurity informa-
to improving the functioning of the internal market. tion-sharing arrangements [Article 29 NIS2 Directive]
It establishes rules for harmonised cybersecurity and improve collective response capabilities to cyber
requirements that Member States are required to threats. Such cooperation can help manufacturers
transpose into their national laws. Building on the ini- and deployers of wearable medical devices to comply
tial NIS Directive (Directive (EU) 2016/1148), the NIS2 with cyber security requirements. Furthermore, the
requires Member States to strengthen cybersecurity NIS2 Directive aims to enhance the EU’s cybersecu-
capabilities and introduce cybersecurity risk-man- rity posture by fostering innovation and collaboration
agement measures and reporting in critical sectors, in cybersecurity research and development.202 It
along with rules on cooperation, information sharing, encourages the adoption of internationally recognised
supervision and enforcement.198 standards and best practices, promoting interoperabil-
ity and compatibility across Member States. National
competent authorities are designated to oversee

197 NIS2 Directive [Directive (EU) 2022/2555], supra note 153.

198 See also Sievers, T., ‘Proposal for a NIS Directive 2.0: Companies Covered by the Extended Scope of Application and Their Obligations’,
International Cybersecurity Law Review, Vol. 2, 2021, pp. 223–231, https://doi.org/10.1365/s43439-021-00033-8.
199 Article 21(2) of the NIS2 Directive specifies that, in meeting this requirement, cybersecurity measures should at a minimum include:
risk analysis and information system security policies; incident handling (prevention, detection, and response to incidents); business continuity
and crisis management; supply chain security including security-related aspects concerning the relationships between each entity and its
suppliers or service providers such as providers of data storage and processing services or managed security services; security in network
and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures
(testing and auditing) to assess the effectiveness of cybersecurity risk management measures; and the use of cryptography and encryption.
200 See also Ferguson, D.D.S., ‘The Outcome Efficacy of the Entity Risk Management Requirements of the NIS 2 Directive’, International
Cybersecurity Law Review, Vol. 4, 2023, pp. 371–386, https://doi.org/10.1365/s43439-023-00097-8.
201 See also Eckhardt, P., Kotovskaia, A., ‘The EU’s Cybersecurity Framework: The Interplay between the Cyber Resilience Act and the NIS 2
Directive’, International Cybersecurity Law Review, Vol. 4, 2023, pp. 147–164, https://doi.org/10.1365/s43439-023-00084-z.
202 See also Gruber, A., Ségur-Cabanac, N., ‘Necessary or Premature? The NIS 2 Directive from the Perspective of the Telecommunications
Sector’, International Cybersecurity Law Review, Vol. 2, 2021, pp. 223–243, https://doi.org/10.1365/s43439-021-00035-6.
46 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

compliance and enforce regulatory measures, foster- the GDPR does not explicitly invoke the concept of
ing a harmonised approach to cybersecurity within the cybersecurity, the regulation mandates requirements
EU. Overall, the NIS2 Directive represents a significant that are implicitly linked to it.204 Despite the fact that
step towards strengthening cybersecurity resilience the word ‘cybersecurity’ is not mentioned explicitly
across the EU, fostering collaboration, and enhancing in the regulation, some authors have gone as far to
the protection of critical infrastructure and essential claim that “cybersecurity is at the core of data protec-
services in the digital age. tion and there is a heavy emphasis on the application
of encryption and state of the art technology within
Although the NIS2 Directive does not regulate directly the articles of the GDPR”.205 Although it is beyond the
the cybersecurity requirements of (wearable) medical scope of this work to analyse every provision within
devices, it aims to ensure the security and resilience the GDPR that is relevant to the concept of cyberse-
of the broader ecosystem. It addresses not only enti- curity, some measures are particularly noteworthy. Its
ties that manufacture wearable medical devices, but most relevant provision is Article 32(1) which states
also entities that deploy them (typically healthcare that:
providers), as well as entities that operate the network
and information systems that enable the functioning “[t]aking into account the state of the art, the costs
of wearable medical devices. This can strengthen the of implementation and the nature, scope, context and
cyber resilience of (wearable) medical devices and purposes of processing as well as the risk of varying
their supporting systems and infrastructure. likelihood and severity for the rights and freedoms of
natural persons, the controller and the processor shall
3.2.4 Cybersecurity requirements in EU implement appropriate technical and organisational
legislations focusing on the use of data measures to ensure a level of security appropriate
The third category of relevant EU cybersecurity to the risk…”.
requirements are enshrined in EU legislations which
regulate and govern the use of data. These include Article 32(1) of the GDPR also stipulates specify
horizontal data legislations, notably the GDPR (reg- security measures that meet the requirement of
ulating security requirements for the processing of ‘appropriate technical and organisational measures’.
personal data), the Data Governance Act and the Data Several of those are likely to be relevant for con-
Act (both providing common security requirements trollers (and processors) that use wearable medical
in the data economy and common European data devices to process personal data. The article requires
spaces). In addition to those, the European Health controllers (and processors) to guarantee inter alia:206
Data Space (EHDS) constitutes a complementary layer
of sectoral data legislation, which regulates security • the pseudonymisation and encryption of personal
requirements relating to the primary/secondary use data;
of electronic health data, as well as for electronic • the ability to ensure the ongoing confidentiality,
health record (EHR) systems and products claiming integrity, availability and resilience of processing
interoperability with the harmonised components of systems and services;
EHR systems. • the ability to restore the availability and access
to personal data in a timely manner in the event
3.2.4.1 General Data Protection Regulation of a physical or technical incident;
The General Data Protection Regulation (‘GDPR’)203 • a process for regularly testing, assessing and
sets forth requirements for the secure processing of evaluating the effectiveness of technical and
personal data, emphasising the importance of main- organisational measures for ensuring the security
taining data integrity and confidentiality. Although of the processing.

203 General Data Protection [Regulation (EU) 2016/679], supra note 154.
204 Krystlik, J., ‘With GDPR, Preparation Is Everything’, Computer Fraud & Security, Vol. 2017, No. 6, pp. 5–8, 2017, https://doi.org/10.1016/
S1361-3723(17)30050-7.
205 See also Gobeo, G., Fowler, C., Buchanan W. J., GDPR and Cyber Security for Business Information Systems, River Publishers, New York,
2022, https://doi.org/10.1201/9781003338253.
206 General Data Protection [Regulation (EU) 2016/679], supra note 154, Articles 32(1)(a)–(d).
 JRC EXTERNAL STUDY 47

Controllers (and processors) should also take into may be outside the category of data controller or
account the risks presented by accidental or unlawful processor. This means that a resort to other frame-
destruction, loss, alteration, unauthorised disclosure works and schemes has to be made when intending to
of, or access to personal data that is being processed certify devices, systems or personnel for data protec-
[Article 32(2) GDPR]. In case of a breach of security tion compliance. If an [.] actor (as a data controller or
leading to the accidental or unlawful destruction, loss, process) wishes to certify its personal data processing
alteration, unauthorised disclosure of, or access to, operations as well as its products, devices or sys-
personal data transmitted, stored or otherwise pro- tems (as a manufacturer or provider), then the GDPR
cessed, the GDPR requires the reporting of a ‘personal certification scheme will not be sufficient. A parallel
data breach’ [Articles 4(12) and 33 GDPR].207 Noti- certification scheme must be utilised that accommo-
fication is required when such a breach is “likely to dates product, service and process certification.”
result in a risk to the rights and freedoms of natural
persons”. For this reason, Nwankwo et al. suggest that the cer-
tification method foreseen under the CSA could have
The requirement to ensure compliance with cybersecu- utility in this regard. Indeed, practical and coordinated
rity-related provisions under the GDPR are applicable steps could contribute to reducing barriers (such as
whenever controllers deploy wearable medical devices duplications or misalignments) in certifications, which
to process personal data. As they apply in parallel to would decrease compliance costs for manufacturers
cybersecurity requirements under other EU legisla- (controllers) seeking to deploy wearable medical
tions (discussed above and under), this may increase device for the processing of personal data.
compliance challenges associated with the necessity
to comply with a number of parallel frameworks in 3.2.4.2 Data Governance Act
the area of cybersecurity.208 Although Article 42 of the The Data Governance Act210 (‘DGA’) aims to make
GDPR recognises the possibility of using certification available more data held by public sector bodies211
mechanisms to demonstrate compliance with various and lays down a harmonised framework for data
aspects of the regulation (including the requirements governance, data intermediation and data altruism
under Article 32), progress in this area has been slow, (i.e. the voluntary sharing of data) in order to facilitate
with only a few certification schemes having been access to, sharing and reuse of data across areas,
formally approved (e.g. Europrivacy, GDPR-CARPA). including in the health sector. The DGA aims to foster
the availability of data for use in the EU by enhancing
Manufacturers or deployers of wearable medical data-sharing mechanisms and by increasing trust in
devices that process personal data may encounter data intermediaries (as trusted parties organising data
further limitations with the type of certification envis- sharing).212 It intends to encourage innovation and
aged in the GDPR. As Nwankwo et. al. explain:209 “the competition in the digital single market by reducing
GDPR certification scheme under Article 42 has some barriers to data sharing and enhancing cooperation
limitations: it envisages that only data ‘processing among public and private entities.
operations’ can be certified as opposed to certifica-
tion of devices and personnel. Secondly, the scheme The DGA has limited implications to cybersecurity
is addressed to data controllers and processors as requirements concerning use of data by wearable
opposed to manufacturers and service providers who medical devices, mostly exerting its effect in indirect

207 European Data Protection Board, Guidelines 9/2022 on personal data breach notification under GDPR (v. 2), 28 March 2023, https://www.
edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf.
208 See also Biasin, Yaşar, Kamenjašević, supra note 158.
209 Nwankwo, I., Stauch, M., Radoglou-Grammatikis, P, et al., ‘Data Protection and Cybersecurity Certification Activities and Schemes in the
Energy Sector’, Electronics, Vol. 11, No. 6, 2022, pp. 965–983 at 969, https://doi.org/10.3390/electronics11060965.
210 Data Governance Act [Regulation (EU) 2022/868], supra note 155.
211 Article 2(11) of the Data Governance Act [Regulation (EU) 2022/868], supra note 155, defines ‘public sector bodies’ as “the State,
regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies
governed by public law”.
212 See also Von Ditfurth, L., Lienemann, G., ‘The Data Governance Act: – Promoting or Restricting Data Intermediaries?’, Competition and
Regulation in Network Industries, Vol. 23, No. 4, 2022, pp. 270–295, https://doi.org/10.1177/17835917221141324.
48 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

ways. In particular, the DGA functions as lex generalis Although the Data Act requires protection of personal
to the EHDS.213 On cybersecurity issues, the relevance data, privacy and confidentiality of communications
of the DGA is that it defines the elements and purpose and integrity of terminal equipment (pursuant to the
of a ‘secure processing environment’ (SPE) (Article GDPR and the ePrivacy Directive), it does not elabo-
2(20) of DGA). SPEs are the physical or virtual envi- rate on what security principles are applicable when
ronment and organisational means that health data making data accessible to a user or third parties.
access bodies provide or supervise to permit access
to electronic health data for secondary use (either In exceptional circumstances, if the data holder (as
by permitting access to data from wearable medical trade secret holder) is able to demonstrate, in accord-
devices or by permitting data access for the purpose ance with Article 4(8) of the Data Act, that it is “highly
of developing a wearable medical device) (pursuant to likely to suffer serious economic damage from the
Chapter IV of the EHDS). SPEs could also be relevant disclosure of trade secrets, despite the technical and
where recognised data altruism organisations process organisational measures taken by the user”, that data
personal electronic health data that are voluntarily holder may refuse on a case-by-case basis a request
shared from wearable medical devices on the basis for access to the specific data in question. In that case,
of the consent of data subjects (pursuant to Art. 2(16) the data holder must duly substantiate its refusal in
and Chapter IV of the DGA and Art. 50(3a) of the writing without undue delay to the user or to the third
EHDS).214 party and notify the competent authority. Recital (31)
of the Data Act mentions that a “possible negative
3.2.4.3 Data Act impact on cybersecurity can be taken into account
The Data Act215 is a cross-sector regulation that lays in that context.” Consequently, a data holder (e.g.
down harmonised rules on data sharing between healthcare provider) of data generated by a wearable
businesses (B2B), business to consumers (B2C), and medical device may refuse a request of access if it
business to governments (B2G). The B2C and B2B duly substantiates that making accessible data from
data sharing rules set forth requirements to make a wearable medical device is likely to have negative
accessible connected product data and related service impact on cybersecurity.
data to users and third parties (see Chapter 3.3.6),
while the B2G data sharing rules foresee an obligation 3.2.4.4 European Health Data Space
to make data available from data holders to public The European Health Data Space (‘EHDS’)216 functions
sector bodies or Union institutions, agencies or bodies as a complementary regulation to the GDPR, the Data
where there is “an exceptional need” to use those data Governance Act and the Data Act, furnishing more
to perform a task in the public interest. detailed regulations tailored to the healthcare sector,
with implications for the cybersecurity requirements
With regard to Recital (14) of the Data Act, wearable of wearable medical devices. The rules of the EHDS
medical devices (as “medical and health devices”) on primary and secondary use of electronic health
fall within the scope of the regulation, as they are data provide safeguards for the security of electronic
connected (IoT) devices (see Chapter 2.1). From a health data. For example, as part of those safeguards,
cybersecurity perspective, the Data Act requires that the EHDS sets forth that health data access bodies
connected products (including wearable medical provide or supervise ‘secure processing environ-
devices) are designed and manufactured, and related ments’ (SPEs) (defined under the DGA) (see Chapter
services are designed and provided, in such a manner 3.2.4.2) to permit access to electronic health data for
that product data and related service data, including secondary use (either by permitting access to data
the relevant metadata necessary to interpret and use from wearable medical devices or by permitting data
those data, including for the purpose of retrieving, access for the purpose of developing a wearable
using or sharing them, are always securely accessi- medical device). The value of SPEs is that they pro-
ble to a user [Articles 3(1) Data Act] or third parties. vide means to minimise the risk of the unauthorised

213 Cf. Data Governance Act [Regulation (EU) 2022/868], supra note 155, Recital 3 and EHDS compromise, supra note 12, Article 1(4).
214 Cf. Data Governance Act [Regulation (EU) 2022/868], supra note 155, Article 2(16), Chapter IV and EHDS compromise, supra note 12,
Article 50(3a).
215 Data Act (Regulation (EU) 2023/2854), supra note 37.
216 EHDS compromise, supra note 12.
 JRC EXTERNAL STUDY 49

reading, copying, modification or removal of electronic (data generated by) medical devices. In some cases,
health data hosted in the SPE through state-of-the-art those requirements are specified under the broad
technical and organisational measures. SPEs can also concept of cybersecurity (e.g. under the MDR), while in
ensure compliance and monitor security measures to other cases they are presented as being conceptually
mitigate potential security threats. different (e.g. under the GDPR or the EHDS). As with
cybersecurity requirements, interoperability require-
The EHDS also sets common rules to improve the ments are specified in a range of legal (and other
functioning of the single market for certain digital normative) sources and may apply in parallel to each
health products. By reference to the rules under Chap- other. Some of those (e.g. the MDR or the EHDS) may
ter III of the EHDS, the manufacturer of a wearable be intended to apply specifically to medical devices,
medical device that claims interoperability of that whilst others (e.g. the GDPR) apply with a horizontal
wearable medical device with the ‘harmonised com- effect. The requirements, whilst being largely similar,
ponents’217 of EHR systems must prove compliance often address different aspects of interoperability.
with the essential requirements laid down in Annex Some of them are highlighted below.
II of the EHDS and related common specifications.
However, due to intra-legislative inconsistencies, it is 3.2.5.1 Medical Device Regulation
not clear whether that compliance obligation should Under the Medical Device Regulation (MDR)220, inter-
be demonstrated with regard to only interoperability operability requirements are generally perceived as
requirements, or whether the obligation also extends falling within the broad suite of requirements related
to security (and logging) requirements.218 The rele- to cybersecurity. The MDCG 2019-16 rev. 1 guid-
vance of this problem is that there is a lack of clarity ance refers to interoperability and compatibility with
on whether the manufacturer of a wearable medical other devices and products as part of the minimum
device is required to consider additional security (and IT security requirements.221 The guidance points to
logging) requirements under Section 3 of Annex II Rule 14.5 of Annex I of the MDR which states that:
of the EHDS and any related common specifications “[d]evices that are intended to be operated together
adopted pursuant to Chapter III of the EHDS. This deci- with other devices or products shall be designed and
sion may have a knock-on effect on how wearable manufactured in such a way that the interoperability
medical devices are designed, for instance, whether and compatibility are reliable and safe.”
manufacturers are required to install a logging system
that records remote access to data generated by a In terms of the operating environment for (wearable)
wearable medical device (i.e. a logging system that medical devices, the MDCG 2019-16 rev. 1 guidance
records all instances when data from a wearable outlines further requirements, such as that “the oper-
medical device is transmitted to an authorised health ating environment should support patching without
professional or into the EHR of the patient). compromising interoperability/compatibility”. These
issues are likely to be important for wearable manufac-
3.2.5 Interoperability requirements in EU turers. It also states that: “[e]lements of the operating
legislations for wearable medical devices environment interacting with (e.g. other devices) or
The lack of medical device interoperability has been required for the operation of medical devices (e.g. OS)
identified as a major problem in the healthcare sector, should ensure interoperability and shall not impair
with many devices effectively producing islands of data the specified performance of the medical device”222 In
that cannot be easily integrated.219 For that reason, demonstrating compliance with those requirements,
EU legislations aim to facilitate the interoperability of the IT security of the operating environment shall be

217 See ibid.: ‘European interoperability component for EHR systems’ and ‘European logging component for EHR systems’.
218 Cf. EHDS compromise, supra note 12, Article 14(3) requires demonstration of compliance with Section 2 of Annex II (only interoperability
requirements); Article 23(6) refers to common specifications covering interoperability and security requirements of medical devices; while
Annex II states that the essential requirements laid down in that Annex shall apply mutatis mutandis to medical devices.
219 Gowda, V., Schulzrinne, V., Miller, B., ‘The Case for Medical Device Interoperability’, JAMA Health Forum, Vol. 3 No. 1, e214313, 2022,
https://doi.org/10.1001/jamahealthforum.2021.4313.
220 Medical Device Regulation [Regulation (EU) 2017/745], supra note 83.
221 MDCG 2019-16 rev. 1, supra note 172, p. 5.
222 Ibid., p. 22.
50 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

clearly documented in the instructions for use and and infrastructures).227 The EHDS also creates new
may refer to best practice security standards. avenues for the integration of data from (wearable)
medical devices into EHRs, notably when data gener-
3.2.5.2 General Data Protection Regulation ated by a wearable medical device falls into one of the
The General Data Protection Regulation (‘GDPR’)223 ‘priority categories of personal electronic health data
makes little direct reference to interoperability for primary use’ (for which registration is mandatory)
requirements. One important exception is the ‘right and by allowing natural persons (patients) to insert/
to data portability’ outlined under Article 20 of the upload data from their wearable medical device into
GDPR.224 In outlining that right, Recital 68 of the GDPR their EHR (see also Chapter 3.3.3.2). This is some-
explains the following: thing which the manufacturers should consider when
designing their devices. Ensuring the potential inter-
“To further strengthen the control over his or her own operability of data generated from wearable medical
data, where the processing of personal data is carried devices is essential in allowing those requirements/
out by automated means, the data subject should also rights to be met.
be allowed to receive personal data concerning him
or her which he or she has provided to a controller in Furthermore, the manufacturer of a wearable medical
a structured, commonly used, machine-readable and device that claims interoperability of the wearable
interoperable format, and to transmit it to another medical device with the ‘harmonised components’228 of
controller. Data controllers should be encouraged EHR systems must prove compliance with the essen-
to develop interoperable formats that enable data tial requirements laid down in Annex II of the EHDS
portability.” and related common specifications (see also Chapter
3.2.4.4). From the perspective of EHR vendors, Annex II
However, the form and scope of interoperability states that: “[t]he harmonised components of an EHR
requirements that the GDPR impose are both limit- system that is intended to be operated together with
ed.225 The requirement for a ‘machine-readable’ and other products, including medical devices, shall be
‘interoperable’ format does not equate to a right to designed and manufactured in such a way that inter-
have interoperability guaranteed. Instead, it equates operability and compatibility are reliable and secure,
to a requirement to provide data in a way that will and personal electronic health data can be shared
make interoperability possible. This may entail fur- between the device and the EHR system in relation to
ther steps by a potential controller on behalf of the those two components.” With regard to those comple-
data subject. Additionally, another limitation of the mentary requirements, the EHDS is likely to incentivise
right to data portability under the GDPR is that it only different types of economic operators (e.g. medical
applies when personal data is processed on the basis device manufacturers, EHR vendors) to ensure inter-
of consent or to fulfil a contract (see also Chapters operability. For manufacturers of wearable medical
3.3.2.4 and 3.3.3.1). devices, interoperability with EHR systems could also
make their devices more attractive on the market for
3.2.5.3 European Health Data Space healthcare procurers, providers and patients. However,
The European Health Data Space (‘EHDS’)226 aims there is uncertainty about the conditions under which
to enhance interoperability in digital health in sev- a manufacturer may/should claim that its wearable
eral ways (e.g. European Electronic Health Record medical device is ‘interoperable’ with (one or more)
Exchange Format; cross-border identification mech- EHR systems and about the appropriate application
anism; interoperability of health data sets, catalogues

223 General Data Protection [Regulation (EU) 2016/679], supra note 154.
224 See also Quinn, P., ‘Is the GDPR and Its Right to Data Portability a Major Enabler of Citizen Science?’, Global Jurist, Vol. 18 No. 2, 2018,
https://doi.org/10.1515/gj-2018-0021.
225 See also Li, W., Quinn, P., ‘The European Health Data Space: An expanded right to data portability?’, Computer Law & Security Review, Vol.
52, No. 105913, pp. 1 –13, 2024, https://doi.org/10.1016/j.clsr.2023.105913.
226 EHDS compromise, supra note 12.
227 See also Terzis, P., OE Santamaria Echeverria, E., ‘Interoperability and Governance in the European Health Data Space Regulation’,
Medical Law International, Vol. 23 No. 4, 2023, pp. 368–376, https://doi.org/10.1177/09685332231165692.
228 EHDS compromise, supra note 12: ‘European interoperability component for EHR systems’ and ‘European logging component for EHR
systems’.
 JRC EXTERNAL STUDY 51

of the requirements under Annex II of the EHDS that to informational self-determination’, which is an
it would entail for manufacturers. aspect of the ‘right to personality’, and which
stems from the framework right (“mother-right”)
of human dignity.
3.3 Privacy, data protection and data • The ‘right to the protection of personal data’ can
governance requirements be considered an independent right based on the
argument that although it overlaps with the ‘right
Wearable medical devices are often deployed (by to privacy’ (since they both ensure informational
healthcare providers or researchers) to process and data privacy), data protection serves certain
personal (electronic health) data concerning the “non-intimacy-oriented” purposes (e.g. data qual-
individual (patient / data subject / end user). Wear- ity, security and accountability requirements) that
able medical devices also perform operations on privacy does not, and vice versa.
non-personal (electronic health) data. Those personal
(electronic health) data processing and other opera- EU law is best reflected by the last model. Article 8 of
tions on non-personal (electronic health) data invoke the Charter of Fundamental Rights of the European
a broad range of legal requirements depending on the Union (‘Charter’) establishes the ‘right to the protec-
data type and the context involved. Discerning which tion of personal data’, which sits alongside the ‘right
frameworks apply and implementing their respective to respect for private and family life’ under Article
(sometimes unclear or even conflicting) requirements 7 of the Charter.230 Article 8 of the Charter pursues
may pose a significant compliance challenge for three objectives: to impose obligations on those who
controllers, processors, (health) data holders, man- process personal data; to grant rights to individuals in
ufacturers and other relevant entities. The following relation to the processing of personal data concern-
section discusses EU legislative frameworks that are ing them; and to ensure independent supervision of
relevant in these contexts and their implications to compliance with the regulatory requirements. Those
economic operators and individuals. objectives are set forth in detail under the GDPR, which
protects personal data, i.e. any information relating
3.3.1 Privacy and data protection frameworks to an identified or identifiable natural person (‘data
applicable to wearable medical devices subject’). The EHDS intends to build upon the rights
(under EU law): an overview of data subjects under the GDPR by complementing
In the context of wearable medical devices, it is cru- some of them as applied to personal electronic health
cial to consider the differences between the ‘right to data concerning natural persons (such as users of
respect for private life’ (privacy) and the ‘right to the wearable medical devices). The EHDS states that it is
protection of personal data’ (data protection). On the “without prejudice to other Union legal acts regarding
bases of international and EU human rights law (and access to, sharing of or secondary use of electronic
related case law), the interaction of the two rights can health data, or requirements related to the processing
be broadly conceptualised in the following ways:229 of data in relation to electronic health data”, although
there are arguably frictions with other relevant leg-
• Data protection is a one of the facets of the islations which may leave considerable room for
“umbrella” ‘right to privacy’ based on the argu- interpretation.231
ment that all elements of data protection are
justified by privacy concerns. On the other hand, Article 7 of the Charter on the ‘right
• The two rights are separate but complementary to respect for private and family life’ corresponds to
rights, both deriving from the individual’s ‘right the rights guaranteed by Article 8 of the European

229 See also Lynskey, O., The Foundations of EU Data Protection Law, Oxford University Press, Oxford, 2015, pp. 91–106. Fuster, G.,
Hijmans, H., ‘The EU rights to privacy and personal data protection: 20 years in 10 questions’, 2019, https://cris.vub.be/ws/portalfiles/
portal/45839230/20190513.Working_Paper_Gonza_lez_Fuster_Hijmans_3_.pdf.
230 Charter of Fundamental Rights of the European Union, OJ C 326, 26.10.2012, pp. 391–407, ELI: http://data.europa.eu/eli/treaty/
char_2012/oj.
231 See also European Association of Urology, European Respiratory Society, Biomedical Alliance in Europe et
al., Stakeholder coalition calls for legislative refinement of the EHDS, 4 December 2023, https://uroweb.org/news/
stakeholder-coalition-calls-for-legislative-refinement-of-the-ehds.
52 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Convention on Human Rights (and related extensive For example, a wearable medical device’s separate
case law).232 With regard to the subject matter, the sig- measurements of heart rate and respiration can in
nificance of Article 7 of the Charter is that it provides combination reveal not only a user’s exercise routine,
protection against unlawful interferences with privacy but also drug or alcohol use, each of which produces
in circumstances which data protection may not cover. unique biometric signatures.237
By supplementing Article 7 of the Charter, the ePrivacy
Directive protects private life and the confidentiality In addition to the abovementioned legal frameworks,
of communications, including by way of conditions on the Data Act238 is also relevant to the subject matter,
any personal and non-personal data storing in, and as it ensures that users of a connected product (such
access from, terminal equipment (such as a weara- as a wearable medical device) or related service in
ble medical device).233 In combination, Article 7 of the the Union can access the data generated by the use
Charter and the ePrivacy Directive guarantee protec- of that connected product or related service and that
tion against the “detection” of the home, work or other those users can use the data, including by sharing
environment of wearable medical device users, confi- them with third parties of their choice. According to
dentiality of electronic communications (and related Recital (7), the Data Act “complements and is without
metadata) in telemedicine systems, and protection prejudice to Union law on the protection of personal
against receiving any unsolicited communications data and privacy”, in particular the GDPR and the
via wearable medical devices. Similarly, the ‘right to ePrivacy Directive.
privacy’ may provide protection in relation to the pro-
cessing of intrinsically privacy-sensitive data collected 3.3.2 The scope of ‘personal data’ and
by wearable medical devices, which, if anonymised, ‘electronic health data’ in the context of
might escape the reach of data protection.234 That using wearable medical devices (under
protection is particularly relevant considering that the General Data Protection Regulation
data processing using wearable medical devices is and the European Health Data Space)
often a chain of operations including pervasive data Stakeholders in the ecosystem of wearable medical
collection (possibly with multiple sensors), linkage of devices (including manufacturers, healthcare provid-
datasets, and application of data science methods (as ers, end users) (see also Chapters 2.4 and 4.1) have to
part of big data analytics). Thereby, the data process- consider several overlapping but different data cate-
ing system may generate additional privacy risks by gories and related legal definitions that may apply to
allowing the possibility to draw potentially invasive the data that they process/use. Each of those require
inferences about the individual.235 This phenomenon is the application of specific legal requirements and
known as ‘sensor fusion’, whereby data from different confer different rights and obligations. Relevant data
sensors or devices are combined to derive or infer a categories include the general concept of ‘personal
resulting set of information which has greater value data’ [Article 4(1) GDPR] and its subset category of
than if either sensor or device were used separately.236 ‘special categories of personal data’ (or ‘sensitive

232 Explanations relating to the Charter of Fundamental Rights, OJ C 303, 14.12.2007, pp. 17–35 at 20, https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=uriserv:OJ.C_.2007.303.01.0017.01.ENG.
233 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and
the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002,
pp. 37–47, ELI: http://data.europa.eu/eli/dir/2002/58/oj. See also Article 29 Data Protection Working Party, Opinion 8/2014 on the on Recent
Developments on the Internet of Things (WP 223), 16 September 2014, p. 14 [para. 4.1], https://ec.europa.eu/justice/article-29/documentation/
opinion-recommendation/files/2014/wp223_en.pdf.
234 See also Gellert, R., Gutwirth, S., ‘The legal construction of privacy and data protection’, Computer Law & Security Review, Vol. 29 No. 5,
2013, pp. 522–530 at 526–527, https://doi.org/10.1016/j.clsr.2013.07.005.
235 See also Raij, A., Ghosh, A., Kumar, S. et al., ‘Privacy risks emerging from the adoption of innocuous wearable sensors in the mobile
environment’, CHI ‘11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Vancouver, 7 May 2011, pp. 11–20
at 11, https://doi.org/10.1145/1978942.1978945. Wachter, S., ‘The GDPR and the Internet of Things: a three-step transparency model’, Law,
Innovation and Technology, Vol. 10 No. 2, 2018, pp. 266–294 at 267, https://doi.org/10.1080/17579961.2018.1527479.
236 Article 29 Data Protection Working Party, Opinion 8/2014 on the on Recent Developments on the Internet of Things (WP 223), supra
note 233, pp. 7–8 [para. 2.3]. Peppet, S. R., ‘Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security &
Consent’ Texas Law Review, Vol. 93, 2014, pp. 85–176 at 93, https://texaslawreview.org/wp-content/uploads/2015/08/Peppet-93-1.pdf.
237 Natarajan, A., Parate, A., Gaiser, E. et al., ‘Detecting cocaine use with wearable electrocardiogram sensors’, in: UbiComp '13: Proceedings
of The 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing, edited by Santini, S., Mattern, F., Zurich, 8–12
September 2013, pp. 123–132, https://dl.acm.org/doi/10.1145/2493432.2493496.
238 Data Act (Regulation (EU) 2023/2854), supra note 37.
 JRC EXTERNAL STUDY 53

data’) [Article 9(1) GDPR].239 In addition, the European of personal data (see Chapters 3.3.3 and 3.3.6), data
Health Data Space (EHDS) introduces the concept of protection principles are respected, and the rights of
‘electronic health data’, including ‘personal electronic the data subject are guaranteed.
health data’ and ‘non-personal electronic health
data’.240 The following sections discuss the challenges Whether data qualifies as ‘personal data’ may depend
relating to discerning the contours of their scope in the on the context in which it is used in.244 For example,
context of data processing/use by wearable medical an IP address might not be considered personal data
devices. in isolation, but if it is linked with other information
that identifies an individual, then it becomes personal
3.3.2.1 ‘Personal data’ under the General Data data.245 As discussed below, when deciding if personal
Protection Regulation data is being generated from a wearable medical
‘Personal data’ encompasses “any information relat- device, it is often necessary to look at the broader
ing to an identified or identifiable natural person”, data processing context, not only a particular dataset
known as the ‘data subject’ [Article 4(1) GDPR]. With in isolation. Given the broad definition of ‘personal
regard to the data processing functionalities of wear- data’, data (including administrative or metadata)
able medical devices, it is important to be aware that generated by wearable medical devices in telemedi-
the concept of ‘personal data’ goes beyond data that cine contexts will typically qualify as ‘personal data’
is intuitively perceived as personal in nature. Personal under the GDPR.
data includes not only data with obvious identifiers
like names and addresses, but also covers any data 3.3.2.2 ‘Special categories of personal data’
that can directly or indirectly241 identify an individ- (‘sensitive data’) under the General
ual (including, as discussed below, where a certain Data Protection Regulation
degree of complex computer-processing allows data The GDPR determines ‘special categories of personal
to be linked to an individual).242 Personal data can data’ (also known as ‘sensitive data’).246. The concept
be anything that pertains to an individual, whether of ‘sensitive data’ is a cornerstone of data protection
it relates to their characteristics, behaviour, prefer- law, as its processing carries increased risks.247 Those
ences or interactions. It is this generality that gives risks are often perceived in terms of an elevated
the GDPR potentially such a broad scope of application probability of discrimination (or related harms) to vul-
and explains why the definition of ‘personal data’ is of nerable groups in society.248 For this reason, the GDPR
such importance; if personal data is in scope, the GDPR sets a higher burden for the processing of sensitive
is applicable to data processing by wearable medi- data (compared to other forms of personal data).
cal devices, if not, the regulation does not apply.243
If the GDPR is applicable, then the controller must According to Article 9(1) of the GDPR, ‘special catego-
ensure that there is a legal basis for the processing ries of personal data’ include “personal data revealing

239 General Data Protection [Regulation (EU) 2016/679], supra note 154.
240 EHDS compromise, supra note 12, Article 2(2)(c).
241 This includes information that either directly identifies a person or could be used, in conjunction with other data, to identify them. Direct
identifiers may include names, ID numbers or specific physical traits. Indirect identifiers could be factors like location data, IP address or
online identifiers [see General Data Protection [Regulation (EU) 2016/679], supra note 154, Recital (30)].
242 See also Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (WP 216), 10 April 2014, p. 6, https://
ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
243 See also Quinn, P., ‘The Anonymisation of Research Data—A Pyric Victory for Privacy That Should Not Be Pushed Too Hard by the EU
Data Protection Framework?’, European Journal of Health Law, Vol. 24 No. 4, 2017, pp. 347–367, https://brill.com/view/journals/ejhl/24/4/
article-p347_347.xml.
244 Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data (WP 136), 20 June 2007, p. 13, https://
ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf.
245 Patrick Breyer v. Bundesrepublik Deutschland (C‑582/14), Judgment of the Court (Second Chamber), 19 October 2016, Court Reports –
Court of Justice, ECLI:EU:C:2016:779, paras. 37 et seq., https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62014CJ0582.
246 The GDPR generally uses the term ‘special categories of personal data’, which equates to the term ‘sensitive data‘, see General Data
Protection [Regulation (EU) 2016/679], supra note 154, Recital (10). This report also uses the terms interchangeably.
247 See also Tikkinen-Piri, C., Rohunen, A., Markkula, J., ‘EU General Data Protection Regulation: Changes and Implications for Personal Data
Collecting Companies’, Computer Law & Security Review, Vol. 34 No. 1, 2018, pp. 134–153, https://doi.org/10.1016/j.clsr.2017.05.015.
248 See also Quinn, P., Malgieri, G., ‘The Difficulty of Defining Sensitive Data – The Concept of Sensitive Data in the EU Data Protection
Framework’, The German Law Journal, Vol. 22 No. 8, 2022, pp. 1583–1612, https://doi.org/10.1017/glj.2021.79.
54 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

racial or ethnic origin, [.] the processing of genetic example, the concept covers not only information
data, biometric data for the purpose of uniquely iden- about an individual’s existing illness, but also extends
tifying a natural person, data concerning health or to probabilistic predictions made about an individual’s
data concerning a natural person’s sex life or sexual future illness or when data is used to demonstrate
orientation”. In the case of wearable medical devices, that an individual is ‘healthy’.
‘data concerning health’, and in certain cases, ‘biomet-
ric data’ and ‘genetic data’ are the most relevant data In an attempt to establish a clear criterion to define
types. Discerning the boundaries of the data types that when personal data qualifies as health data [correctly:
constitute ‘sensitive data’ is critical, as the process- ‘data concerning health’] in apps and devices”, the
ing of those types of personal data categories invoke Article 29 Working Party (predecessor of the European
stricter requirements than of personal data that is not Data Protection Board) outlined three scenarios:254
of a sensitive nature. For example, the processing of
sensitive data entails an obligation to carry out a data • The data are inherently/clearly medical data. (It
protection impact assessment (DPIA) (if data process- encompasses data about the physical or mental
ing is performed on a large scale) [Articles 35(1) and health status of a data subject generated in a
35(3) GDPR]249 and to appoint a data protection officer professional medical context, including data
(DPO) [Article 37(1)(c) GDPR].250 However, the appli- related to contacts with patients and their diag-
cation of those additional requirements often poses nosis and/or treatment by healthcare providers,
compliance challenges for controllers in the health- and any related information on diseases, disa-
care sector, especially for smaller organisations with bilities, medical history and clinical treatment. It
less resources.251 also includes data generated by devices or apps
used in this context, irrespective of whether they
‘Personal data concerning health’ (often referred to, qualify as a ‘medical device’.)
inaccurately, as ‘health data’)252 presents peculiar • The data are raw sensor data that can be used in
challenges within the realm of ‘special categories itself or in combination with other data to draw
of personal data’. Article 4(15) of the GDPR defines a conclusion about the actual health status or
‘data concerning health’ as “personal data related to health risk of a person. (There is a demonstrable
the physical or mental health of a natural person, relationship between the raw dataset and the
including the provision of health care services, which capacity to determine a health aspect (health
reveal information about his or her health status”. It is status or health risk) of a person based on the
important to emphasise that the scope of ‘data con- raw data itself or on the data in combination with
cerning health’ can go far beyond traditional forms of data from other sources.)
‘medical data’ and may cover any data that can give • Conclusions are drawn about a person’s health
an indication of an identified or identifiable natural status or health risk (irrespective of whether
person’s ‘health status’.253 ‘Data concerning health’ these conclusions are accurate or inaccurate,
may encompass a vast array of data, contingent upon legitimate or illegitimate, or otherwise adequate
the extent and accuracy of information disclosed, or inadequate).
which are linked to an individual’s health status. For

249 See also Kloza, D., Van Dijk, N., Casiraghi, S. et al., ‘Towards a Method for Data Protection Impact Assessment: Making Sense of GDPR
Requirements’, Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab) Policy Brief, Vol. 1, 2019, pp. 1–8, https://doi.
org/10.31228/osf.io/es8bm; Korff, D., ‘GDPR Requirements on Data Protection Impact Assessments & Methodologies for DPIAs’, SSRN, 2020,
pp. 1 –25, https://dx.doi.org/10.2139/ssrn.3656234.
250 See also Gaeta, M., ‘Hard Law and Soft Law on Data Protection: What a DPO Should Know to Better Perform His or Her Tasks’, European
Journal of Privacy Law & Technologies, Vol. 2, 2019, pp. 61–78, https://universitypress.unisob.na.it/ojs/index.php/ejplt/article/view/1069/313.
251 Clarke, N., Vale, G., Reeves, E.P. et al., ‘GDPR: An Impediment to Research?’, Irish Journal of Medical Science, Vol. 188, 2019, pp. 1129–
1135, https://doi.org/10.1007/s11845-019-01980-2.
252 Note that due to the new concept of ‘electronic health data’ under the EHDS, the correct use of terminology is particularly important, as
it is unclear what scope of data would the term ‘health data’ refer to.
253 Cf. General Data Protection [Regulation (EU) 2016/679], supra note 154, Recital (35) states: “Personal data concerning health should
include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or
mental health status of the data subject. […]”.
254 Article 29 Data Protection Working Party, Letter from the ART 29 WP to the European Commission, DG CONNECT on mHealth,
Annex – health data in apps and devices, 5 February 2015, pp. 2–5, https://ec.europa.eu/justice/article-29/documentation/other-document/
files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf.
 JRC EXTERNAL STUDY 55

All of these data types may be relevant for per- due to their proximity to health-related inferences.
sonal data processing by wearable medical devices. Some data may directly describe health status (e.g.
However, in practice, it is increasingly challenging to medical diagnosis), while others, such as biometric
apply this test. In the case of IoT-enabled wearable data (e.g. height/weight) or lifestyle patterns (e.g.
medical devices, a vast array of data may fall within sleep schedules) may indirectly relate to an individ-
the scope of ‘raw sensor data’. (Note that there are ual’s health status. In borderline cases, it is useful to
also significant uncertainties as to what qualifies as consider that the degree of sensitivity is not binary
‘raw data’.) At the same time, the ability to extract but exists along a spectrum.
specific insights from interconnected data through big
data analyses is significantly improving. Technologi- Computational distance refers to the level of scientific,
cal advancements can help to amalgamate disparate economic and technological effort required to derive
data sources and enable to draw conclusions about or infer sensitive data from seemingly non-sensitive
an individual’s health status. The pervasive integration information. For example, the computational distance
of IoT devices and linkage of data sources in digital between an individual’s long-term dietary habits or
health systems may further blur the lines of what stress levels (collected by a wearable medical device)
data qualifies as ‘personal data’ and ‘data concerning and their health status is relatively small. Due to
health’.255 advancements in computational capacity, analytics
power and potentially more complimentary data avail-
In essence, the abovementioned test encompasses able, the ability/likelihood to draw conclusions of a
the following key indicators: (a) intrinsic sensitivity of sensitive nature from data that might not appear to
a certain information; (b) ease of inferring sensitive be sensitive is growing. For this reason, it is important
data from other information; and (c) health use pur- to consider that the potential benefits and risks of the
pose.256 Those indicators can help to answer whether proliferation of personal data (collected by wearable
data processed by a wearable medical device reaches medical devices, with potential linkage to other data
the ‘degree of revelation’ (mentioned under Recital sources) are increasing, which necessitates increased
(35) and Article 4(15) of the GDPR) required to fall attention by all parties.
under the scope of ‘data concerning health’. The test
could be rephrased/simplified to two key variables:257 In the case of wearable medical devices, the fact that
a wearable is a medical device (i.e. it is intended to
• the intrinsic sensitivity (a static variable) of per- be used by its manufacturer for one or more medical
sonal data; and purposes) invokes that, in principle, sensitive data
• the computational distance/capacity required (a (concerning health) is being processed (and therefore
dynamic variable) between some kind of data that the more stringent requirements apply under
and purely data concerning health. the GDPR). If a wearable medical device generates
personal-sensitive data and non-personal data
The intrinsic sensitivity of personal data is contingent encompassing mixed and inextricably linked data-
upon its content. Data pertaining to health, such as sets, the entire data should be considered sensitive
blood pressure readings by wearable medical devices, personal data. The GDPR does not allow a controller
is inherently sensitive. Conversely, data collected by to artificially divide datasets (in relation to the same
a wearable medical device about the data subject’s data processing purpose) to render it not to be of a
daily habits, such as food consumption or exercise, or personal or sensitive nature.258 In such cases, it would
environmental factors, such as air pollution, may not not be possible to assume the “good motives” of a
be inherently sensitive but could be deemed sensitive controller to keep datasets separate to prevent them

255 See also Quinn, Malgieri, supra note 248.

256 See also Taka, A-M., ‘A deep dive into dynamic data flows, wearable devices, and the concept of health data’, International Data Privacy
Law, Vol. 13 No. 2, 2023, pp. 124–140 at , https://doi.org/10.1093/idpl/ipad007.
257 Malgieri, G., Comandé, G., ‘Sensitive-by-distance: quasi-health data in the algorithmic era’, Information & Communications Technology
Law, Vol. 26 No. 3, 2017, pp. 229–249 at 238–239, https://doi.org/10.1080/13600834.2017.1335468.
258 Quinn, P., 'Research under the GDPR – a Level Playing Field for Public and Private Sector Research?’, Life Sciences, Society and Policy, Vol.
17 No. 14, 2021, pp. 1–33, https://doi.org/10.1186/s40504-021-00111-z.
56 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

from being classified as personal and/or sensitive in Regulation (EU) 2016/679, processed in an elec-
nature.259 If that presumption were correct, it would tronic form”; and
allow controllers to escape more stringent require- • ‘non-personal electronic health data’, which
ments under the GDPR and allow them to conduct a means “electronic health data other than per-
broader range of activities with certain datasets (such sonal electronic health data, encompassing
as selling specific datasets to commercially interested both data that has been anonymised so that it
third parties).260 A controller may only claim that a no longer relates to an identified or identifiable
dataset generated by a wearable medical device is natural person and data that has never related
distinct if there is a separate legal bases for its pro- to a data subject.”
cessing or if the dataset is outside its control in a way
in which it cannot legally determine the purposes and The definition of ‘personal electronic health data’
means of processing. covers a broader scope of data than the definition
(and related interpretations) of ‘data concerning
3.3.2.3 The new notion of ‘electronic health health’ under the GDPR. Most importantly, it includes
data’ in the European Health Data ‘genetic data’ due to the potential that such data could
Space play in advancing healthcare, such as personalised
One of the fundamental issues in the European Health and precision medicine by use of wearable medical
Data Space (‘EHDS’)261 is how it defines the contours devices.264 However, from a data protection perspec-
of ‘electronic health data’ and how it delineates tive, due to uncertainties and growing ‘grey areas’, it is
its subsets. Those legal questions have significant not obvious when data falls under the scope of ‘data
implications for determining the obligations of actors concerning health’ (see Chapter 3.3.2.2) or ‘genetic
processing/using data by wearable medical devices data’.265 For this reason, it would be useful to provide
(and on the corresponding rights of natural per- more clarity about the application of those notions in
sons), as well as for how legal requirements under the context of the EHDS.
the EHDS interact with other horizontal and sectoral
legislations.262 The definition of ‘non-personal electronic health data’
is an expansive new concept, which attempts to define
According to the EHDS, the notion of ‘electronic health the boundary of the scope of data that falls under
data’ consists of two data categories (subsets):263 the larger scope of ‘electronic health data’ without
qualifying as ‘personal electronic health data’. In
• ‘personal electronic health data’, which means this regard, the EDPB and the EDPS underlined that
“data concerning health and genetic data as the distinction between categories of personal and
defined in Article 4, points (13) and (15), of non-personal data is difficult to apply in practice.266
The healthcare ecosystem has called for legal clarity

259 Similar logic applies in the case of anonymisation, which requires a combination of technical and organisational measures to ensure
that the “means reasonably likely to be used” by the controller (and third parties) do not allow identification of a natural person, cf. Article 29
Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (WP 216), supra note 242, p. 9.
260 See also Sharon, T., ‘The Googlization of Health Research: From Disruptive Innovation to Disruptive Ethics’, Personalized Medicine, Vol. 13
No. 6, 2016, pp. 563–574, https://doi.org/10.2217/pme-2016-0057; Parvinen, P., Pöyry, E., Gustafsson, R. et al., ‘Advancing Data Monetization
and the Creation of Data-Based Business Models’, Communications of the Association for Information Systems, Vol. 47, 2020, pp. 25–49,
https://doi.org/10.17705/1cais.04702.
261 EHDS compromise, supra note 12.
262 See also Pecchia, L., Maccaro, A., Matarrese, M. et al., ‘Artificial Intelligence, Data Protection and Medical Device Regulations:
Squaring the Circle with a Historical Perspective in Europe’, Health and Technology, Vol 14, 2024, pp. 663–670, https://doi.org/10.1007/
s12553-024-00878-z.
263 EHDS compromise, supra note 12, Articles 2(2)(a)–2(2)(c).
264 See also Ghazizadeh, E., Naseri, Z., Deigner, H-P et al., ‘Approaches of wearable and implantable biosensor towards of developing in
precision medicine’, Frontiers in Medicine, Vol. 11 No. 1390634, 2024, pp. 1–21, https://doi.org/10.3389/fmed.2024.1390634.
265 Rak, R., ‘Anonymisation, pseudonymisation and secure processing environments relating to the secondary use of electronic health data in
the European Health Data Space (EHDS)’, European Journal of Risk Regulation, 2024, pp. 1-11, https://doi.org/10.1017/err.2024.67.
266 European Data Protection Board, European Data Protection Supervisor, EDPB-EDPS Joint Opinion 03/2022 on the Proposal for
a Regulation on the European Health Data Space, 12 July 2022, p. 13 [para. 41], https://www.edpb.europa.eu/system/files/2022-07/
edpb_edps_jointopinion_202203_europeanhealthdataspace_en.pdf.
 JRC EXTERNAL STUDY 57

in the EHDS to clearly delineate what data falls under The processing of personal data (concerning health)
the scope of ‘electronic health data’, in addition to using wearable medical devices for primary use is
‘personal electronic health data’.267 The authors of this lawful only if and to the extent that:
report have also expressed criticism of this concept in
separate papers. Li and Quinn wrote that: “[non-per- • at least one of the legal bases set forth under
sonal electronic health data] would seemingly cover Article 6(1) of the GDPR applies; and
all data related to medical devices used in patient • at least one of the legal bases set forth under
care as well as data concerning the functioning of the Article 9(2) of the GDPR applies, which provides
organisation itself.”268 Rak explains that: “[t]he most exemption to the general prohibition on process-
significant problem with this definition is that it does ing special categories of personal data declared
not clarify what is the link with the health status of under Article 9(1) of the GDPR.
natural persons or other healthcare-related infor-
mation. It could generate uncertainty that the cases Although the GDPR harmonises the rules permitting
covered by the phrase ‘data that has never related to legitimate exemptions to the general prohibition of
a data subject’ relies on the assumption that there is processing data concerning health, Article 9(4) of the
some kind of threshold between non-personal data GDPR allows Member States to “maintain or introduce
and non-personal electronic health data.”269 further conditions, including limitations, with regard
to the processing of [...] data concerning health.”
3.3.2.4 Legal bases for processing personal Therefore, data protection rules in relation to the
data using wearable medical devices processing of data concerning health using wearable
for primary use purposes (under the medical devices may vary country-by-country. In some
General Data Protection Regulation) Member States, where the organisation of the health
The ‘primary use of personal (electronic health) data’ system is decentralised, the legislation of subnational
refers to the processing of personal data concern- entities may add an extra layer of complexity to this.
ing a natural person for the purpose of providing Moreover, it is important to point out that, in addition
healthcare services to assess, maintain or restore the to satisfying the legal bases for processing data con-
state of health of that natural person, including the cerning health under EU and national data protection
prescription, dispensation and provision of medicinal laws, a healthcare provider or researcher may have
products and medical devices, as well as for relevant to obtain the patient’s consent under national medical
social, administrative or reimbursement services.270 law to deploy a wearable medical device.
To process personal data with the use of a wearable
medical device, the controller needs to ensure that A study commissioned by the European Commission
a valid legal base exists under the GDPR. Wearable on the ‘Assessment of the EU Member States’ rules on
medical devices may process a broad range of per- health data in the light of GDPR’ examined the legal
sonal data which would not necessarily fall under the bases used to legitimate the processing of data con-
scope of ‘special categories of personal data’ (such cerning health in Member States based on a survey
as the name, data of birth or email address of the completed by national level expert correspondents.271
data subject). However, as the datasets and process- As regards data processing by a controller for the pur-
ing operations (including their means and purpose) pose of providing healthcare to the data subject in a
are typically intrinsically linked in this context, they “traditional” in-person healthcare setting (such as a
should be considered part of the same processing doctor’s surgery or a clinical institution), the most fre-
activity and, therefore, subject to the ‘stricter’ legal quently invoked legal bases (cited by national expert
regime applicable for the processing of data concern- correspondents) are Article 6(1)(c) (“compliance with
ing health (see Chapter 3.3.2.2). a legal obligation”) in conjunction with Article 9(2)(h)

267 European Association of Urology, European Respiratory Society, Biomedical Alliance in Europe et al., supra note 231.
268 Li, Quinn, supra note 225, p. 7.
269 Rak, supra note 265.
270 See also EHDS compromise, supra note 12, Articles 2(2)(d).
271 European Commission, Consumers, Health, Agriculture and Food Executive Agency, Hansen, J., Wilson, P., Verhoeven, E. et al., Assessment
of the EU Member States’ rules on health data in the light of GDPR, Publications Office of the European Union, Luxembourg, 2021, pp. 27 et
seq., https://data.europa.eu/doi/10.2818/546193.
58 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

(“provision of health or care”). By contrast, the most subject is offered control and is offered a genuine
common legal bases for processing app or device-de- choice with regard to accepting or declining the terms
rived data in healthcare are Article 6(1)(a) (“consent”) offered.272 As long as a processing activity lasts, the
in conjunction with Article 9(2)(a) (“consent”) (cited by controller must be able to prove that the data subject
correspondents from 18 Member States, of whom 13 has consented. For example, in an online context, it
mentioned this as the sole legal base combination). would not be sufficient to merely refer to a correct
configuration of the respective website. Instead, the
Considering the variety of legal bases invoked, there controller should retain information on the session in
is no clear answer to what the appropriate legal base which the data subject expressed consent, together
combination is for processing personal data (concern- with documentation of the consent workflow at the
ing health) using wearable medical devices. Overall, time of the session, and a copy of the information
the results of the survey indicate that as we move that the controller presented to the data subject at
from in-person healthcare settings to telemedicine that time.273
solutions, there is a greater reliance on the ‘consent’
of the data subject and less frequent references Considering that certain wearable medical devices can
to the ‘necessity’ to process personal data for the be deployed for multiple use purposes, the controller
purpose of providing healthcare services. However, of may need to seek consent from data subjects from
the results also show that there is significant legal time to time. However, there are different data pro-
fragmentation across the EU in this domain, and that tection and data governance rules between Member
the legal bases may differ case-by-case depending States concerning consent requirements for the pro-
on the national regulatory framework and the cir- cessing of data concerning health. A possible solution
cumstances. For example, the legal bases may differ could be the implementation of a ‘dynamic consent’
depending on whether the data subject (patient) uses mechanism, which is an interactive, personalised com-
a wearable medical device upon the recommendation munications interface that allows data subjects to give
or on prescription of a health professional. In the latter or revoke consent in light of changing circumstances
case, the health system-specific data protection rules (e.g. processing purposes, device functionalities).274
(described above) may lead one Member State (or However, the downside of this approach is that reg-
subnational entity) to require the consent of the data ular requests may entail a reduction in the attention
subject as the legal basis, while another to incline data subjects give to such requests (a phenomenon
towards a legal obligation (necessity) to record the known as “consent fatigue”), which may result in data
data subject’s interactions with the healthcare system subjects approving consent requests without really
(e.g. for the purposes of preventive medicine, medi- analysing them in detail.275
cal diagnosis or treatment using wearable medical
devices, or for ensuring high standards of quality and Article 7(3) of the GDPR prescribes that the data sub-
safety of wearable medical devices). ject shall have the right to withdraw his or her consent
at any time, and that it shall be as easy to withdraw
When a controller intends to rely on the data subject’s as to give consent. The EDPB noted that when the
consent for processing data concerning health using a controller obtains the data subject’s consent through
wearable medical device, it should take into account a service-specific user interface (e.g. the interface of
the ‘Guidelines 05/2020 on consent under Regulation a wearable medical device), the data subject must
2016/679’ in which the EDPB interpreted the imple- be able to withdraw consent via the same electronic
mentation of the GDPR’s consent mechanism in an interface, because switching to another interface for
online environment. The EDPB reminded that consent the sole reason of withdrawing consent would require
can only be an appropriate lawful basis if a data undue effort.276 In case the data subject withdraws

272 European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679 (v. 1.1), 4 May 2020, p. 5 [para. 3], https://
www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf.
273 Ibid., pp. 22 –23 [paras. 107–108].
274 Kaye, J., Whitley, E. A., Lund, D. et al., ‘Dynamic consent: a patient interface for twenty-first century research networks’, European Journal
of Human Genetics, Vol. 23, 2015, pp. 141–146 at 142, https://doi.org/10.1038/ejhg.2014.71.
275 Quinn, P., Habbig, A. K., Mantovani, E. et al., ‘The Data Protection and Medical Device Frameworks — Obstacles to the Deployment of
mHealth across Europe?’, European Journal of Health Law, Vol. 20, 2015, pp. 185–204 at 203, https://doi.org/10.1163/15718093-12341267.
276 European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679, supra note 272, pp. 23–24 [para. 114].
 JRC EXTERNAL STUDY 59

their consent, and the controller intends to continue either the controller or the processor is established
to process the personal data on another legal basis, in the EU, while the targeting criterion implies that
they cannot silently migrate from consent (which is the data subject using the wearable medical device
withdrawn) to that other legal basis. The controller should be physically present in the EU.279
must notify the data subject about any change in
the legal basis for processing in accordance with the 3.3.3 Rights of natural persons (data subjects)
transparency and information requirements under in relation to the primary use of personal
Articles 12 and 13 of the GDPR. In case the processing electronic health data concerning them
activity ends, proof of consent should be kept to the using wearable medical devices (under
extent strictly necessary for compliance with a legal the General Data Protection Regulation
obligation, for reasons of public interest in the area and the European Health Data Space)
of public health, or for the establishment, exercise or
defence of legal claims, in accordance with Articles 3.3.3.1 Rights of the data subject under the
17(1)(b) and 17(3) of the GDPR. If there is no other General Data Protection Regulation
legal basis justifying the processing (e.g. further stor- Given that wearable medical devices are used typically
age) of personal data, the controller must delete it. to process personal data, it is relevant to assess how
the rights of data subjects impact their use. Under
Finally, the proper determination of the legal bases Chapter III of the General Data Protection Regulation
for processing personal data concerning health using (‘GDPR’),280 the rights of the data subject encompass
wearable medical devices may be challenging due to a range of entitlements granted to individuals/nat-
the ‘anytime-anywhere connectivity’ of such devices ural persons regarding the processing of personal
and the ubiquitous nature of data flows within an data concerning them. Those rights are designed to
IoT-enabled telemedicine system. The healthcare empower the data subject to exercise control over per-
provider (as controller or processor) and the patient sonal data obtained directly or indirectly from them,
(as data subject) are physically in different places, and to certain extent (and ambiguously) over related
and other actors are also often involved in the data ascribed (e.g. inferred, derived) personal data.281 The
processing, such as a data analysis service provider data subject can exercise those rights against the
(acting as joint controller or processor). Data pro- controller (healthcare providers, researchers etc.)
cessing activities may take place across different (see also Chapter 3.3.4). In the case of personal data
jurisdictions: either within the EU/EEA (e.g. between processing by use of a wearable medical device, the
Member States), or between the EU/EEA and third rights of the data subject allow patients not only to
countries or international organisations.277 The GDPR have more autonomy over personal data processing,
is applicable to the processing of personal data to but also to reduce the risks that personal data con-
the extent that the processing activities are related cerning them is used improperly.282 The rights of the
to either the ‘establishment’ criterion under Article data subject (and related requirements) collectively
3(1) or the ‘targeting’ criterion under Article 3(2), or serve to promote informational self-determination,
by virtue of public international law according to Arti- transparency, fairness and accountability in the pro-
cle 3(3).278 The establishment criterion requires that cessing of personal data, fostering trust between

277 Rak, R., ‘International Transfers of Data Concerning Health After Schrems II: A Need for Sector-Specific Legal Avenues and
Supplementary Measures’, in: The Application of EU Law Beyond Its Borders, CLEER Papers 2022/3, edited by F. Casolari, M. Gatti, T.M.C. Asser
Institute, The Hague, 2022, pp. 187–206 at 187, https://www.asser.nl/media/795814/cleer_022-03_web_final.pdf.
278 European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (v. 2.1), 12 November 2019, p. 4,
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
279 A closely related issue is the jurisdictional rule for cross-border healthcare provided or prescribed in a Member State other than the
Member State of affiliation. Article 4(1)(a) of Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare [Directive
2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare,
OJ L 88, 4.4.2011, pp. 45–65. ELI: https://data.europa.eu/eli/dir/2011/24/oj] sets forth that cross-border healthcare shall be provided
in accordance with the legislation of the Member State of treatment. According to Article 3(d) of Directive 2011/24/EU, “in the case of
telemedicine, healthcare is considered to be provided in the Member State where the healthcare provider is established”.
280 General Data Protection [Regulation (EU) 2016/679], supra note 154.
281 Custers, B., Vrabec, H., ‘Tell me something new: data subject rights applied to inferred data and profiles’, Computer Law & Security
Review, Vol. 52 No. 105956, 2024, pp. 1–14, https://doi.org/10.1016/j.clsr.2024.105956.
282 Mone, V., Shakhlo, F., ‘Health Data on the Go: Navigating Privacy Concerns with Wearable Technologies’, Legal Information Management,
Vol.23 No. 3, 2023, pp. 179–188, https://doi.org/10.1017/S1472669623000427.
60 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

individuals (patients) and organisations (healthcare and ensuring that medical decisions based on
providers). data from wearable medical device are reliable
and effective.286
Where personal data concerning the data subject is • Right to erasure [Article 17 GDPR]: The right
processed by use of a wearable medical device, the to erasure (also known as the ‘right to be for-
rights of the data subject may apply in the following gotten’) allows a data subject to have personal
ways under the GDPR: data concerning them erased and no longer pro-
cessed where the personal data are no longer
• Right to access [Article 15 GDPR]: A data sub- necessary in relation to the purpose for which
ject has the right of access to personal data (e.g. they are collected by a wearable medical device,
human-physiological parameters, physical activ- or where a data subject has withdrawn their
ity levels) that are processed (collected, analysed, consent or objects to the processing of personal
stored etc.) concerning them, and to exercise that data concerning them.287 A data subject may
right easily and at reasonable intervals, in order exercise the right to erasure if they no longer
to be aware of, and verify, the lawfulness of the wish for certain personal data to be retained,
processing.283 This empowers patients to monitor such as after discontinuing the use of a wearable
their health status, understand the data being medical device. This right strengthens patients’
collected about them (including the logic involved control over their health information, and ensures
in any automatic personal data processing), and respect for the principles of data minimisation,
verify the accuracy of the information stored on purpose limitation and storage limitation. In
the device or associated platforms.284 The con- principle, the right to erasure extends to per-
troller must be able to provide remote access to sonal data generated by the wearable medical
a secure system with direct access to personal device as well as to personal data inferred by
data concerning the data subject and should use the device itself or interconnected systems. The
all reasonable measures to verify the identity of right to erasure should also be guaranteed across
a data subject who requests access. However, the backup systems (although this requirement may
right of access should not adversely affect the entail major challenges for organisations).288 The
rights or freedoms of others, including IP rights right to erasure (similarly to other rights of the
(such as the copyright protecting the software).285 data subject) may be restricted on the grounds
• Right to rectification [Article 16 GDPR]: A data of public health [Article 23(1)(e) GDPR]. This has
subject may rely on their right to rectification different implications for the use of wearables in
to correct any inaccuracies in the processing of medical and wellness contexts. Whilst the exer-
personal data (concerning their health status) cise of the right of erasure is absolute in wellness
generated by the wearable medical device. For contexts, national medical laws may restrict the
instance, if the device registers a clearly incor- right, for example, for a limited time period if
rect health parameter or misinterprets a physical data availability is deemed necessary to ensure
activity, the data subject can request correction delivery of safe and quality healthcare. While
to ensure that their health datasets reflect accu- this is a legitimate objective, in practice, such a
rate information. This is crucial for maintaining restriction may disincentivise some patients from
the integrity of personal data concerning health using wearable medical devices (i.e. knowing

283 See also General Data Protection [Regulation (EU) 2016/679], supra note 154, Recital (63); European Data Protection Board,
Guidelines 01/2022 on data subject rights - Right of access, 18 January 2022, https://www.edpb.europa.eu/system/files/2023-04/
edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf.
284 See also Alharbi, R., Almagwashi, H., ‘The Privacy Requirements for Wearable IoT Devices in Healthcare Domain’, 7th International
Conference on Future Internet of Things and Cloud Workshops (FiCloudW), Istanbul, 26–28 August 2019, pp. 18–25, https://doi.org/10.1109/
FiCloudW.2019.00017.
285 See also General Data Protection [Regulation (EU) 2016/679], supra note 154, Recital (63).
286 See also Gkotsopoulou, G., Quinn P., ‘Data Protection and Privacy Issues of the Internet of Things’, in Internet of Things, Threats,
Landscape, and Countermeasures, edited by S. Shiaeles, N. Kolokotronis, Taylor and Francis, Oxford, 2021 pp. 1–46, https://doi.
org/10.1201/9781003006152.
287 See also General Data Protection [Regulation (EU) 2016/679], supra note 154, Recital (65).
288 Politou. E., Michota, A., Alepis, E. et al., ‘Backups and the Right to Be Forgotten in the GDPR: An Uneasy Relationship’, Computer Law &
Security Review, Vol. 34 No. 6, 2018, pp. 1247–1257, https://doi.org/10.1016/j.clsr.2018.08.006.
 JRC EXTERNAL STUDY 61

that they will not be able to have personal data contract to which the data subject is party). This
erased). limitation may exclude the exercise of the right to
• Right to restrict processing [Article 18 GDPR]: data portability, for example, when data process-
In certain circumstances, a data subject may ing by a wearable medical device is necessary
request a restriction of the processing of personal for the purposes of preventive or occupational
data by a wearable medical device. For example, medicine. The second is that the right to data
a data subject may contest the accuracy of health portability does not apply to ‘inferred data’ or
measurements by the device. Or if a wearable ‘derived data’ (see also Chapter 3.3.5).290 This
medical device causes an injury or personal data limitation of the right could be problematic given
breach and the controller no longer needs the that it might be in the interest of the data subject
personal data for the purposes of the process- to be able to request the transmission of medical
ing, the data subject may require the controller insights drawn from the analysis of personal data
to keep the datasets for the establishment of a concerning them, which were generated by the
legal claim. In general, the right to restrict pro- use of a wearable medical device.
cessing allows patients to have greater control • Right to object [Article 21 GDPR]: The right to
over how their health information is processed object to the processing of personal data has
and ensures that processing activities align with limited implications in the context of wearable
their preferences or consent. medical devices given that the right may only
• Right to data portability [Article 20 GDPR]: apply if the legal basis for processing is Article
The right to data portability ensures that a data 6(1)(e) (“performance of a task carried out in the
subject has the right to receive personal data public interest…”) or Article 6(1)(f) (“legitimate
concerning them, which has been provided to the interests pursued by the controller or by a third
controller by use of a wearable medical device, in party…”) of the GDPR. The latter could be rele-
a structured, commonly used and machine-read- vant, for example, to ensure information security
able format, and have the right to transmit those or for statistical purposes.291 The right to object
personal data to another controller. Where tech- may also apply in relation to any direct market-
nically feasible, the data subject should have the ing activities. Furthermore, if personal data are
right to have personal data transmitted directly processed for scientific research or statistical
from one controller to another, but this does purposes pursuant to Article 89(1), a data subject
not create an obligation for the controllers to has the right to object to processing of personal
adopt or maintain processing systems which are data concerning them, unless the processing is
technically compatible.289 The right to data porta- necessary for the performance of a task carried
bility allows patients to switch between different out for reasons of public interest [Article 21(6)
wearable medical devices or healthcare providers GDPR]. This resonates with the right to opt-out
while retaining the continuity of their remotely from the processing of personal electronic health
conducted health measurements. This empow- data for secondary use under the EHDS (see also
ers patients with greater flexibility and choice Chapter 3.3.6).
in managing their health information. However, • Safeguards against automated individual
the right to data portability under the GDPR has decision-making [Article 22 GDPR]: The data
some important limitations. The first is that it subject of a wearable medical device benefits
only applies to a limited range of legal bases: if from safeguards against automated individ-
the processing is based either on consent or the ual decision-making, ensuring that decisions
processing is necessary for the performance of a affecting their health and well-being are not

289 See also General Data Protection [Regulation (EU) 2016/679], supra note 154, Recital (68).
290 Article 29 Data Protection Working Party, Guidelines on the right to data portability (rev. 01), 5 April 2017, pp. 9–10, https://ec.europa.eu/
newsroom/article29/items/611233 [endorsed by the European Data Protection Board, 25 May 2018].
291 See also Article 29 Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under
Article 7 of Directive 95/46/EC (WP 217), 9 April 2014, p. 25, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/
files/2014/wp217_en.pdf; Ienca, M., Malgieri, G., ‘Mental Data Protection and the GDPR’, Journal of Law and the Biosciences, Vol. 9 No. 1,
2022, pp. 1–19 at 14, https://doi.org/10.1093/jlb/lsac006.
62 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

based solely on algorithms or machine learning laid down in the GDPR of natural persons in relation
models.292 Human oversight and intervention are to the primary use of personal electronic health data
necessary to ensure the fairness, accountability concerning them. The EHDS also aims to support a
and accuracy of decisions provided by wearable coherent application of those rights as applied to
medical devices. This safeguard also protects electronic health data.296 However, uncertainties per-
patients from potentially harmful consequences sist about the proper application of those rights due
arising from automated processes.293 to legislative misalignments (with the corresponding
rights under the GDPR and the Data Act), inconsisten-
Despite some limitations, the rights of data subjects cies (e.g. regarding the use of the notions of ‘personal
under the GDPR provide important guarantees for electronic health data’ and ‘electronic health data’),
patients to allow the processing of personal data con- and lack of technical specifications (e.g. how digital
cerning them by use of a wearable medical device. health solutions, including wearable medical devices,
Respect for and facilitating the exercise of those rights should interface with electronic health data access
can increase the trust, empowerment and confidence services and health professional access services).
of patients to use wearable medical devices. This can Those uncertainties may pose conceptual challenges
be an important incentive when a healthcare provider to ensure compliance and consistent application of
recommends a patient to use a wearable medical the rules, especially for health data holders (acting
device. For this reason, it is important to educate in their capacity as controllers). To mitigate poten-
health professionals and researchers about the exist- tial problems, the Commission’s implementing act
ence of such rights and their proper, context-specific (foreseen by the EHDS) on the requirements for the
applications. This knowledge is necessary to provide technical implementation of the rights of natural per-
comprehensive information to patients on data pro- sons in relation to primary use of personal electronic
tection issues. However, it is also important to consider health data should provide guidance and consider
that data protection issues may, in practice, function the processing of personal electronic health data by
as a barrier to the uptake of new digital health solu- use of wearable medical devices as a potential use
tions, such as wearable medical devices. The obligation case where clarifications would be needed. It would
to meet the requirements of the GDPR (and related be also useful to carry out an assessment on how
authoritative decisions and guidance, as well as the envisaged changes may affect the data subject’s
other regulatory requirements) can be a significant rights and related risks.297
compliance (legal, administrative, technical, security,
financial) challenge for controllers. Those complexities Where personal electronic health data concerning
may lead to potential extra workload and may deter the natural person is processed by use of a wearable
health professionals from recommending the use of medical device, the rights of the natural person may
wearable medical devices (see also Chapter 4.1.7).294 apply in the following ways under the EHDS:

3.3.3.2 Rights of natural persons in relation • ‘Right of natural persons to access their
to primary use of personal electronic personal electronic health data’: The scope
health data in the European Health of this complementary right and the conditions
Data Space for exercising it differ from the ‘right to access’
In principle, Chapter II of the European Health Data under Article 15 of the GDPR. The ‘right of natural
Space (‘EHDS’)295 specifies and complements the rights persons to access personal electronic health data’

292 See also Article 29 Data Protection Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes
of Regulation 2016/679 (WP 251rev.01), 3 October 2017 (as last revised and adopted on 6 February 2018), https://ec.europa.eu/newsroom/
article29/redirection/document/49826.
293 See also Quinn, Malgieri, supra note 248.
294 See also Fairbrother, P., Ure, J., Hanley., H. et al., ‘Telemonitoring for Chronic Heart Failure: The Views of Patients and Healthcare
Professionals – a Qualitative Study’, Journal of Clinical Nursing, Vol. 23 No. 1-2, 2013, pp. 132–144 https://doi.org/10.1111/jocn.12137.
295 EHDS compromise, supra note 12.
296 Cimina, V., 'The Proposal for a European Health Data Space: Between Pursued Objectives and Data Protection Challenges', ERA Forum,
Vol. 24, 2023, pp. 343–359 at 345, https://doi.org/10.1007/s12027-023-00764-7.
297 European Data Protection Board, European Data Protection Supervisor, EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a
Regulation on the European Health Data Space, supra note 266, p. 15 [para. 49].
 JRC EXTERNAL STUDY 63

under the EHDS is limited to the categories of data • ‘Right to data portability for natural per-
falling within the ‘priority categories of personal sons’: The ‘right to data portability for natural
electronic health data for primary use’ and reg- persons’ under the EHDS is an “enhanced vision”
istered in an EHR system; it can be exercised via in healthcare of what constitutes the ‘right to
an electronic health data access service;298 and data portability’ under Article 20 of the GDPR.302
requires an immediate answer (unless it is harmful In contrast to the ‘right of data portability’ out-
for the safety of the natural person or unethical).299 lined in the GDPR, the EHDS provides a ‘right to
This right may have limited application in the pres- data portability’ with regard to a wider spectrum
ent context, such as when data from a wearable of legal bases.303 However, there is uncertainty
medical device is registered in an EHR system. about whether the ‘right to data portability’ under
• ‘Right of natural persons to insert informa- the EHDS would also cover inferred and derived
tion in their own EHR’: Natural persons (or their data, because the EHDS defines the right in rela-
representatives) have the ‘right to insert informa- tion to all electronic health data. For this reason,
tion in their own electronic health record (EHR)’ discerning the contours of the ‘right to data
through electronic health data access services portability’ under the EHDS could be a burden
or applications linked to those services. However, in terms of both analysis (of where and when it
there is a lack of clarity about what applications applies) and the necessary procedures to comply
could be linked to electronic health data access with it. The potential uncertainties that stem from
services (for example, whether an application this may affect all stakeholders (manufacturers,
functioning as a component of or interconnected healthcare providers, patients etc.) likewise in the
with a wearable medical device would qual- ecosystem of wearable medical devices.
ify as such). It is also unclear whether natural • ‘Right to restrict access’: In certain cases,
persons may insert information automatically natural persons may not want to allow access
into their EHR (e.g. by applying a ‘pull-based’ or to some parts of personal electronic health data
‘push-based’ command from a wearable medi- concerning them, while enabling access to other
cal device). In principle, the objective of this new parts.304 The ‘right to restrict access’ under the
right would be to empower patients and support EHDS specifies that it is applicable only to per-
self-care and prevention.300 At the same time, the sonal electronic health data that is subject to the
EHDS acknowledges that patient-inserted data ‘right of natural persons to access their personal
“may not be as reliable as electronic health data electronic health data’ (described above). For the
entered and verified by health professionals and abovementioned reasons, it is unclear whether
does not have the same clinical or legal value as the ‘right to restrict access’ is relevant to data
information provided by a health professional.”301 generated by wearable medical devices (or
• ‘Right of natural persons to rectification’: whether it only applies to “selective data shar-
Similarly to the ‘right of natural persons to access ing” performed via electronic health data access
their personal electronic health data’, the ‘right of services). If the ‘right to restrict access’ is directly
natural persons to rectification’ under the EHDS applicable to personal electronic health data gen-
may only be exercised via an electronic health erated by use of wearable medical devices, then
data access service. Hence, this right may only it could be particularly relevant given the intrin-
have indirect implications to data processing by sically privacy-sensitive nature of such devices
a wearable medical device.

298 See also EHDS compromise, supra note 12, Recital (15b): The obligation to establish one or more ‘electronic health data access services’
rests on Member States. Such services are intended to be provided as an online patient portal, via a mobile application or other means, at
national or regional level, or by healthcare providers. However, given the overly broad definition of ‘electronic health data access service’
under Article 2, even a wearable medical device (or its software component) may arguably fall into its scope.
299 Ibid. Recitals (8)–(9).
300 Fåhraeus, D., Reichel, J., Slokenberga, S., ‘The European Health Data Space: Challenges and Opportunities’, Sieps European Policy
Analysis, 2epa, 2024, pp. 1–20, https://su.diva-portal.org/smash/get/diva2:1842096/FULLTEXT01.pdf.
301 EHDS compromise, supra note 12, Recital (10).
302 See also Li, Quinn, supra note 225.
303 Cf. EHDS compromise, supra note 12, Recital (15b).
304 Ibid., Recital (13).
64 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

(which can inter alia be tasked with monitoring data provided by wearable medical devices in EHRs.306
patients around the clock and in home settings). However, this will depend on significant investments
• ‘Right to obtain information on accessing into new procedures and infrastructures.307 The new
data’: Natural persons have the right to obtain rights could also strengthen individuals’ control over
information, including through automatic noti- personal electronic health data concerning them. How-
fications, on any access to personal electronic ever, their application in the context of data processing
health data through the health professional by wearable medical devices may pose compliance
access service. It appears that this right refers challenges (and therefore, risks for natural persons)
only to personal electronic health data registered due to the abovementioned legal uncertainties.
in EHRs.305 Hence, this right may only apply when
personal electronic health data provided by use 3.3.4 Controllership when deploying wearable
of wearable medical devices is registered in the medical devices for primary use of
natural persons’s EHR. personal electronic health data (under the
• ‘Right of natural person to opt out in pri- General Data Protection Regulation)
mary use’: Similarly to the previous right, this The increasing number and variety of actors involved
right only applies if personal electronic health in the deployment of wearable medical devices as
data provided by use of a wearable medical part of IoT networks and telemedicine systems and
device is registered in the natural person’s EHR. their complex mesh of functional roles makes it
challenging to properly allocate legal responsibilities
In addition to the rights of the natural person, the EHDS among entities engaged in the processing of personal
adds that “where they process data in an electronic data (concerning health). According to Article 4(7) of
format, health professionals should have access to the GDPR, the controller “alone or jointly with others,
the relevant and necessary personal electronic health determines the purposes and means of the processing
data of natural persons under their treatment, through of personal data”. “It is apparent from that definition
the health professional access services” to at least the that the processing of personal data may consist in
priority categories of personal electronic health data one or a number of operations, each of which relates
for primary use. Given that this rule appears to refer to one of the different stages that the processing of
to access to EHRs, it only has indirect relevance for personal data may involve.”308 However, the definition
wearable medical devices. does not require that the controller must have access
to the processed personal data.309 Instead, what
Overall, the new rights of natural persons in relation matters is that the controller should have influence
to primary use of personal electronic health data in over the processing of personal data by virtue of an
the EHDS may have a mixed impact on actors associ- exercise of decision-making power (based on factual,
ated with data processing by use of wearable medical rather than formal analysis).310 In a specific processing
devices. The rules could facilitate the interoperabil- operation, the controller is the actor that determines
ity of wearable medical device with EHR systems the purpose (“why”) the processing takes place (i.e. “to
to allow the recording of personal electronic health what end” or “what for”), and by what means (“how”)

305 Ibid., Recital (12a).

306 See also Assenza, G., Fioravanti, C., Guarino, S. et al., ‘New Perspectives on Wearable Devices and Electronic Health Record Systems’,
2020 IEEE International Workshop on Metrology for Industry 4.0 & IoT, Rome, 3–5 June 2020, pp. 740–745, https://doi.org/10.1109/MetroInd4.
0IoT48571.2020.9138170.
307 See also Marcus, J.S., Martens, B., Carugati, C. et al., ‘The European Health Data Space’, Study requested by the Industry, Research and
Energy (ITRE) committee, Directorate-General for Internal Policies, European Parliament, Luxembourg, 2022, p. 20, https://www.europarl.
europa.eu/RegData/etudes/STUD/2022/740054/IPOL_STU(2022)740054_EN.pdf; Gronden, J., Veenbrink, M., ‘EHDS and Free Movement
of Patients: What EU Intervention Is Needed?’, European Journal of Health Law, Vol. 31 No. 3, 2024, pp. 249–284 at 258,, https://doi.
org/10.1163/15718093-bja10125.
308 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (C-40/17), Judgment of the Court (Second Chamber), 29 July 2019, Court
Reports – General Court, ECLI:EU:C:2019:629, para. 72, https://curia.europa.eu/juris/liste.jsf?num=C-40/17.
309 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, Judgment of the
Court (Grand Chamber) (C-210/16), 5 June 2018, Court Reports – Court of Justice, ECLI:EU:C:2018:388, para. 38, https://curia.europa.eu/juris/
liste.jsf?num=C-210/16.
310 European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 10
[paras. 19–20], https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.
 JRC EXTERNAL STUDY 65

this objective shall be achieved.311 The controller is In case of joint controllership, the joint participation
always the responsible actor for making decisions on in the determination of the purpose and means of
the purpose of the processing, but regarding the deter- data processing requires a common decision taken
mination of the means, a distinction needs to be made by two or more entities, or a result from converging
between ‘essential’ and ‘non-essential’ means.312 The decisions by two or more entities.314 However, the use
‘essential means’ are closely linked to the purpose and of a common data processing system or infrastruc-
the scope of the processing, and are usually reserved ture does not necessarily lead to a joint controllership
to the controller including, for example, the type of between entities. This would be the case when the
personal data processed; the duration of the process- processing operations are separable and one party
ing; the categories of recipients; and the categories of performs certain operations without intervention from
data subjects. By contrast, the ‘non-essential means’ the other, or the provider is a processor in the absence
concern the practical aspects of implementation, such of any purpose of its own.315 For example, several enti-
as the choice of a particular hardware or software, or ties involved in a health research project consortium
the exact security measures, which may be left to a may use wearable medical devices to collect data
processor to decide on. from data subjects in their respective environment
and “feed” this data into a common data platform
The following examples demonstrate how the defi- hosted by one of the entities. In that case, the entities
nition of ‘controller’ and its application could lead to involved would qualify as joint controllers for the data
allocation of responsibilities between various actors processing that is performed on the common plat-
when deploying wearable medical devices:313 form (because they decide together the purpose and
the means of the processing), but each entity would
• If a device manufacturer develops or modifies the qualify as an independent controller for any other
operating system of a wearable medical device or processing performed outside the common platform
installs software determining its overall function- for their own purposes.316
ality (such as the frequency of data collection,
or when and to whom data are transmitted, and 3.3.5 The rights and obligations of users
for which purpose), then the device manufacturer and data holders in accessing, using
would qualify as controller. or making available product data from
• If an IoT data platform that hosts data generated wearable medical devices and related
using wearable medical devices, for example, to service data, and the right of the user to
centralise and simplify certain aspects of data share those data with third parties (under
management, then that platform service provider the Data Act)
may also qualify as a controller, if the develop- The Data Act ensures that users of a connected prod-
ment of platform services involves the processing uct (such as a wearable medical device) or related
of personal data for its own defined purposes. service (such as services that transmit commands to
• If the use of a wearable medical device (or one of the wearable medical device and are able to have
its advanced features) requires the installation of an impact on its action or behaviour) in the Union
a third-party application (following the obtainment have the right to access, in a timely manner, the data
of the consent of the user as data subject), the generated by the use of that connected product or
application developer may become (independent related service and that those users can use the data,
or joint) controller, if it is able to access personal including by sharing them with third parties of their
data concerning the user of that device. choice. With reference to Article 1(5) of the Data Act,

311 Ibid., p. 13 [para. 33].

312 Ibid., p. 14 [para. 38].
313 See also Article 29 Data Protection Working Party, Opinion 8/2014 on the on Recent Developments on the Internet of Things (WP 223),
supra note 233 pp. 11–13 [paras. 3.3.1–3.3.4]. European Commission, Consumers, Health, Agriculture and Food Executive Agency, Hansen, J.,
Wilson, P., Verhoeven, E. et al., supra note 271, pp. 36–37.
314 European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, supra note 310, p. 18
[para. 51].
315 Ibid., p. 20 [para. 66].
316 Ibid., p. 21 [para. 66].
66 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

the aforementioned rights of users under Articles 4 assigning values or insights from the data, in particular
and 5 of the Data Act are without prejudice to and by means of proprietary, complex algorithms, including
complement the right of access and the right to data those that are a part of proprietary software, should
portability of data subjects under the GDPR. However, not be considered to fall within the scope of this Reg-
a key difference between the two regulations is that ulation and consequently should not be subject to the
the rights of users under the Data Act apply to all obligation of a data holder to make it available to
(personal and non-personal) data, whereas the corre- a user or a data recipient, unless otherwise agreed
sponding rights of data subject under the GDPR apply between the user and the data holder.” Although the
only to personal data. When personal and non-per- exclusion of ‘inferred data’ and ‘derived data’ under
sonal data are simultaneously generated by wearable the Data Act is consistent with the Article 29 Data
medical devices and inextricably linked within a data- Protection Working Party’s interpretation of Article 20
set, it may require the application of data protection of the GDPR (on the right to data portability) (which
law to entire datasets for which it is not possible to was endorsed by the EDPB),318 the exclusion of such
distinguish between different types of data. However, data is in conflict with the EDPB’s interpretation of
the indistinctive references to personal and non-per- Article 15 of the GDPR (on the right of access), which
sonal data may lead to conflicting obligations that an requires controllers to provide data subjects access to
addressee cannot fulfil at the same time.317 provided, observed, inferred and derived data.319

Similar uncertainty concerns the types of data that According to the format of ‘data generated by the use
data holders must make available under the Data of a connected product or related service’, Recital (15)
Act. According to the ways in which data originates, a of the Data Act explains that it should include:
wearable medical device may generate the following
types of data: • data recorded intentionally or data which result
indirectly from the user’s action, such as data
• actively ‘provided data’ (e.g. answers to a ques- about the connected product’s environment or
tionnaire that appears on the user interface of a interactions (including data on the use of a con-
wearable medical device); nected product generated by a user interface or
• passively ‘observed data’ (e.g. sensing of physio- via a related service, as well as data generated by
logical aspects of the human body, activity logs, the connected product or related service during
environmental data, location data); times of inaction by the user);
• ‘inferred data’ (e.g. pattern recognition and clas- • raw data (“data points that are automatically
sification of health condition); generated without any further form of processing
• ‘derived data’ (e.g. results of a health assessment leading to substantial modification of the data”);
or a personalisation or recommendation process). • pre-processed data (“which have been processed
to make them understandable and useable”); and
Recital (35) of the Data Act explains that “[t]his Regula- • relevant metadata (“to make the data useable”).
tion grants users the right to access and make available
to a third party any product data or related service However, it is important to point out that the obliga-
data, irrespective of their nature as personal data, of tion of data holders to make available vast amount of
the distinction between actively provided or passively such data entails significant challenges (such as the
observed data, and irrespective of the legal basis of economic costs and environmental impact of storing
processing.” However, Recital (15) of the Data Act adds large quantity of raw data). In the case of wearable
that “information inferred or derived from such data, medical devices, this may be amplified by potential
which is the outcome of additional investments into risks to the security of devices (and the safety of

317 European Data Protection Board, European Data Protection Supervisor, EDPB-EDPS Joint Opinion 2/2022 on the Proposal of the
European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act), 4 May 2022, p. 12 [para. 38],
https://www.edpb.europa.eu/system/files/2022-05/edpb-edps_joint_opinion_22022_on_data_act_proposal_en.pdf. See also Drexl, J., Banda,
C., Otero, B. G. et al., Position Statement of the Max Planck Institute for Innovation and Competition of 25 May 2022 on the Commission’s
Proposal of 23 February 2022 for a Regulation on harmonised rules on fair access to and use of data (Data Act), Max Planck Institute for
Innovation and Competition, Munich, 2022, p. 105 et seq. [paras. 291 et seq.], https://pure.mpg.de/rest/items/item_3388757/component/
file_3395639/content.
318 Article 29 Data Protection Working Party, Guidelines on the right to data portability (rev. 01), supra note 290, pp. 9–10.
319 European Data Protection Board, Guidelines 01/2022 on data subject rights - Right of access, supra note 283, pp. 32–33 [para. 97].
 JRC EXTERNAL STUDY 67

users) and to the IP rights of data holders (or other is unclear how those data categories would
rights holders) through the exposure of confidential or interact with the data categories defined under
proprietary datasets and underlying algorithms. the GDPR (e.g. ‘personal data’, ‘data concerning
health’) or the Data Act (‘data generated by the
3.3.6 Legal bases for processing personal use of a connected product or related service’),
electronic health data using wearable and related interpretations. For example, there
medical devices for secondary use is uncertainty about the proper relation between
purposes, obligation of health data ‘data concerning health’ under the GDPR (which
holders to make available data from is regarded as ‘personal electronic health data’
wearable medical devices for secondary under the EHDS) and ‘other health data’ from
use purposes, and the related rights of medical devices. Similarly, there is uncertainty
natural persons (under the General Data about the exact condition under which ‘data
Protection Regulation and the European generated by the use of a connected product or
Health Data Space) related service’ becomes ‘related to health’ (as a
The ‘secondary use of (personal) electronic health criterion for falling under the scope of ‘electronic
data’ refers to the processing of such data for lawful health data’ under the EHDS). Wearable medical
purposes other than the initial purposes for which they devices may generate a variety of data (such as
were collected or produced (i.e. not directly for the data relating to hardware status, battery levels,
benefit of the data subject). The EHDS requires health malfunctions, data transmissions, version control,
data holders to make “electronic data available for security functions or the location of the product)
secondary use”, including: where there is arguably no clear ‘demonstrable
relationship’ between the data and the capac-
• ‘automatically generated personal electronic ity to determine the health aspect of a natural
health data, through medical devices’320; and person. Furthermore, the legal requirement under
• ‘other health data from medical devices’.321 the EHDS for health data holders to make avail-
able all such data for secondary use purposes
The scaling up of the secondary use of such data poses security risks for all parties concerned.
through a harmonised data governance framework • It also entails risks that health data holders must
and safeguards (e.g. data permit scheme, secure pro- make available both personal and non-personal
cessing environments, data minimisation) could bring data from wearable medical devices without
wide-ranging benefits to healthcare-related activities adequate and effective safeguards.323 Those
in the EU, including scientific research ensuring high risks could have been mitigated in the legisla-
levels of quality and safety of wearable medical tive process (without undermining the effective
devices (including their development and innovation, attainment of the policy objectives of the EHDS)
or the training, testing and evaluating of algorithms by adding a condition that health data holders
in wearable medical devices) [EHDS compromise text, should make available only personal electronic
Articles 34(1)(e)]. health data generated (or obtained) by the use
of a (wearable) medical device once the data is
However, the unclear phrasing of data categories for collected by data repositories/platforms (such as
secondary use entails significant risks and implemen- the Kanta data platform in Finland or registries
tation challenges: for medical devices).
• In addition to the shortcomings that stem from
• The use of terminology in the referenced provi- the unclear definition of ‘electronic health data’,
sions of the EHDS is inconsistent (cf. ‘electronic the definition of ‘health data holder’ under the
data’, ‘automatically generated personal elec- EHDS is ambiguous and lacks consistency, for
tronic health data’, ‘other health data’).322 It example, with the definition of ‘data holder’ under

320 EHDS compromise, supra note 12, Article 33(1)(f).

321 EHDS compromise, supra note 12, Article 33(1)(k).
322 See also European Association of Urology, European Respiratory Society, Biomedical Alliance in Europe et al., supra note 231; Rak, supra
note 265.
323 DIGITALEUROPE, European Health Data Space (EHDS): key issues to address in trilogues, supra note 87, p. 6.
68 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

the Data Act. For this reason, it is unclear who researchers and innovators in their trial-and-error
bears the responsibility to make data available efforts while attempting to advance research and inno-
from wearable medical devices for secondary use. vation (R&I) over time. Such incentives are essential
According to the EHDS, in the case of ‘personal in the development of medical technologies due to
electronic health data’, this is the obligation of the considerable financial and technical resources and
the (joint) controller. In the case of ‘non-personal new knowledge required.325 Considering that wearable
electronic health data’, this is the obligation of medical devices are often expensive to develop but
the entity who has “the ability to make available relatively cheap to reproduce, IP protection makes their
[.] non-personal electronic health data, through development and marketing sustainable. IP protection
control of the technical design of a product and is also crucial in corporate valuation, especially for ear-
related services.” However, the entity that gen- ly-stage companies seeking to secure funding through
erates non-personal electronic health data in venture capital or private equity investment, which can
relation to the use of a wearable medical device facilitate further innovation.326 However, in as much
(e.g. healthcare provider as application provider) is as IP protection operates through a right to exclude
not necessarily the entity that controls the tech- others, it may also inhibit competition (and innovation).
nical design of the product and related services For this reason, IP policies and laws need to balance
(e.g. SaaS provider).324 Furthermore, it is important rights and legitimate interests in a positive-sum way
to point out that, in contrast to the definition of that is beneficial for the advancement of patient-cen-
‘data holder’ under the Data Act, the definition tric healthcare.327
of ‘health data holder’ under the EHDS does not
account for ‘contractually agreed’ cases. This may 3.4.1 IP rights relevant to wearable medical
cause implementation problems, for example, devices
when data is analysed (inferred) by the software In addition to internationally recognised principles of IP
component of a wearable medical device using law (e.g. Articles 7 and 8 of the TRIPS Agreement328),
the proprietary algorithms of a third party. each IP right is subject to specific rules, reflecting its
• Chapter 3.4.2 addresses further risks relating to distinct policy purposes, different subject matter and
the management of data from wearable medical economic effects. Differences are apparent in the scope
devices that is subject to IP rights. of protected subject matter, the scope of rights, the
duration of protection, and the nature of exceptions
and other safeguards for third-party interests, as well
3.4 Protection and governance of IP as in how each right can be enforced. The following
provides an overview of the different types of IP rights
The objective of IP (intellectual property) protection and their relevance to wearable medical devices:329
is to provide rights to exclude certain third-party
use of protected material or datasets. IP protection • Patent: A patent can be granted for any inven-
intends to strengthen incentives to invest resources in tion, in all fields of technology, provided that
product development and marketing of new technol- they are new (not part of the state-of-the-art),
ogies. IP protection is an incentive that compensates involve an inventive (non-obvious) step, and are

324 Ibid., p. 5.
325 World Health Organization, World Intellectual Property Organization, World Trade Organization, Promoting Access to Medical
Technologies and Innovation – Intersections between public health, intellectual property and trade, Second Edition, World Health
Organization, World Intellectual Property Organization, World Trade Organization, Geneva, 2020, pp. 63–64, https://iris.who.int/bitstream/
handle/10665/333552/9789240008267-eng.pdf?sequence=1.
326 Chip Law Group, Chintalapoodi, P., ‘How Intellectual Property Law is Impacting the Healthcare Industry’, Lexology, 21 March 2023, https://
www.lexology.com/library/detail.aspx?g=080d5c38-8773-4b13-a434-710c618bb135.
327 See also Meskó, B., Dhunnoo, P., ‘The Intellectual Property Journey Of Patients’ Digital Health Data’, The Medical Futurist, 22 August
2023, https://medicalfuturist.com/the-intellectual-property-journey-of-patients-digital-health-data/.
328 Marrakesh Agreement Establishing the World Trade Organization (Marrakesh, 15 April 1994), Annex 1C: Agreement on Trade-Related
Aspects of Intellectual Property Rights (amended through the Protocol of 6 December 2005 that entered into force on 23 January 2017)
(henceforth: ‘TRIPS Agreement’), https://www.wto.org/english/docs_e/legal_e/31bis_trips_01_e.htm.
329 See also European Commission, Executive Agency for Small and Medium-sized Enterprises, Your guide to IP in Europe, Publications
Office of the European Union, Luxembourg, 2019, https://data.europa.eu/doi/10.2826/94924. Stark, A., ‘Protecting your digital health’,
Managing IP, 15 October 2020, https://www.managingip.com/article/2a5cxnmoiyww9ziwukq9s/protecting-your-digital-health. Carter, S.,
‘The Ultimate IP Guide for MedTech Companies: All Your Questions Answered’, The Intellectual Property Works, 20 June 2023, https://
theintellectualpropertyworks.co.uk/the-ultimate-ip-guide-for-medtech-companies-all-your-questions-answered/.
 JRC EXTERNAL STUDY 69

susceptible of industrial application.330 However, While wearable medical devices often include
methods for treatment of the human body by parts that can be patented, such as chemical,
surgery or therapy and diagnostic methods prac- electrical, or mechanical components,334 pro-
tised on the human body, in particular substances tecting technology-based components can pose
or compositions, cannot be patented.331 A patent challenges due to their intangible and complex
holder enjoys the exclusive right to prevent third nature.335 An invention related to a wearable
parties from commercially exploiting their inven- medical device is patentable as long as it solves
tion for a limited time (20 years). In return, the a technical problem in a novel and non-obvi-
patent holder must disclose the invention to the ous manner. A patent can protect a novel and
public in its patent application. Patents can be inventive product (such as a physical hardware
obtained according to the following ways: component), as well as novel and inventive pro-
cesses. Such novel and inventive products or
̊ A national patent can be obtained upon processes are known as ‘computer-implemented
registration at a national patent office and inventions’ (CII).336 In the case of CII, software
protection is granted only in the territory which does not solve a technical problem in a
where the patent is registered. novel and non-obvious manner cannot be pat-
̊ A ‘European patent’ can be obtained for all ented. However, a process comprising a series
the European Patent Convention (EPC) con- of steps to solve a technical problem, may be
tracting states by filing a patent application worthy of patent protection, even if the process
to the European Patent Office under the rules is carried out using software (e.g. the software
and procedures laid down in the EPC. A Euro- of a wearable medical device instructs its sensor
pean patent is a “bundle” of national patents to monitor biophysiological parameters of the
that must be validated at the national patent human body in a novel way). In addition to copy-
offices of the countries selected by the appli- right protection for software programs, a patent
cant for it to be effective. may be obtainable for the technical process the
̊ A ‘European patent with unitary effect’ means software is designed to carry out.337 Together,
a European patent which benefits from uni- copyright and patents can serve as complemen-
tary effect (simultaneously, without the need tary tools for inventors of CII to protect their
for national validation) in the participating investments and build a competitive advantage.
Member States by virtue of Regulation (EU)
No 1257/2012.332 • Utility model: Also referred to as a “petty
̊ An international patent can be obtained for patent”, a utility model is an exclusive right
all the Patent Cooperation Treaty contract- granted for an invention, which allows its owner
ing states by filing a patent application to to prevent others from commercially using the
the World Intellectual Property Organization protected invention, without their authorisation,
(WIPO).333 The applicant may obtain a “bundle” for a limited period (typically 7 to 10 years). The
of national patents whose granting remains requirements for acquiring a utility model are
under the control of the relevant national or less stringent than those of patents: while the
regional patent offices. requirement of novelty is always to be met, it is

330 Convention on the Grant of European Patents (European Patent Convention) (5 October 1973, as revised by the Act revising Article 63
EPC of 17 December 1991 and the Act revising the EPC of 29 November 2000), Article 52, https://www.epo.org/en/legal/epc/2020/a52.html.
331 European Patent Convention, ibid., Article 53(c). TRIPS Agreement, supra note 328, Article 27(3)(a).
332 Regulation (EU) No 1257/2012 of the European Parliament and of the Council of 17 December 2012 implementing enhanced
cooperation in the area of the creation of unitary patent protection, OJ L 361, 31.12.2012, pp. 1–8, ELI: http://data.europa.eu/eli/
reg/2012/1257/oj.
333 Patent Cooperation Treaty (Washington, 19 June 1970, as in force from 1 April 2002), https://www.wipo.int/pct/en/texts/articles/atoc.html.
334 See also Burnton, C., Boukarroum, R., ‘Medical devices – managing the complexities of multidisciplinary IP’, FPA Patents, 22 May 2023,
https://www.fpapatents.com/news-insights/insights/medical-devices-managing-the-complexities-of-multidisciplinary-ip/.
335 World Intellectual Property Organization, The Digital Health Revolution: Leveraging Intellectual Property for Equitable Access and
Innovation, World Intellectual Property Organization, 4 August 2023, https://www.wipo.int/policy/en/news/global_health/2023/news_0011.html.
336 European Patent Office (EPO), Hardware and software, EPO, n.d., https://www.epo.org/en/news-events/in-focus/ict/hardware-and-software.
337 Ibid.
70 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

enough that the invention has a limited inventive constitute intellectual creations” (but the
step. This type of protection exists in 14 Member “protection does not extend to the data or the
States, but there is no European or international material itself and is without prejudice to any
utility model protection. copyright subsisting in the data or material
contained in the compilation”); or
• Copyright: Copyright (or author’s right) denotes ̊ the sui generis database right, provided by
the right that creators have over their original Article 7(1) of the Database Directive (as a
literary, scientific and artistic works. In the case right granted exclusively under EU law without
of wearable medical devices, such creative an equivalent right under international law), if
works may cover computer programs (software) the maker of a database can demonstrate that
(including source code, object code, graphic user “there has been qualitatively and/or quantita-
interfaces), databases (compilations of data), tively a substantial investment in either the
as well as instructional manuals or marketing obtaining, verification or presentation of the
materials (to the extent they are expressed as contents to prevent extraction and/or re-uti-
an original work). In principle, copyright is territo- lization of the whole or of a substantial part,
rial and national in scope. However, international evaluated qualitatively and/or quantitatively,
treaties, such as the WIPO Copyright Treaty of the contents of that database.”
(WCT)338 agreed under the Berne Convention339,
guarantee protection of works and the rights of In terms of their differences, copyright protec-
their authors in contracting states, including EU tion can be conferred based on the structure of
Member States. The Berne Convention grants a database, while the sui generis database right
authors a series of rights which can be classi- protects the content of a database. Copyright
fied into two categories: economic rights (which protection grants the author of a database the
enable right holders to exclusively control the use exclusive right to carry out or to authorise its
of their works and be remunerated for their use, reproduction, adaptation, distribution or commu-
by selling them or licensing them to others, and nication for 70 years from the creation of the
which are harmonised at EU level), and moral work. On the other hand, the sui generis database
rights (which are not harmonised at EU level). right grants the maker of the database the right
In the EU, copyright protection is obtained auto- to prevent the extraction and/or re-utilisation of
matically from the moment when the work is the contents of the database, as defined by Arti-
created. Some countries allow for the voluntary cle 7(2) of the Database Directive, for 15 years
registration or deposit of works protected by cop- from the compilation of the database.
yright, which can be useful can be useful in some
situations (e.g. to solve disputes over ownership Since its adoption, the transformation of the tech-
or creation; to facilitate financial transactions). nological and economic landscape has tested the
applicability of the Database Directive. For exam-
• Database protection: Article 1(2) of the ple, the potential volume of data that wearable
Database Directive defines a ‘database’ as “a medical devices can collect raises the question
collection of independent works, data or other of whether the resulting compilations of big data
materials arranged in a systematic or methodical would fall under the sui generis database right.
way and individually accessible by electronic or According to the 2018 Evaluation of the Database
other means.”340 A database can be protected by: Directive, the sui generis database right does not
cover sensor- or machine-generated databases,
̊ copyright, provided by Article 5 of the WCT, if because such databases do not meet the condi-
“the selection or arrangement of their contents tion of ‘substantial investment’.341 This argument

338 WIPO Copyright Treaty (Geneva, 20 December 1996), https://www.wipo.int/wipolex/en/text/295166#P56_5626.

339 Berne Convention for the Protection of Literary and Artistic Works (Paris, 9 September 1886, as amended on 28 September 1979),
https://www.wipo.int/wipolex/en/text/283698.
340 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, OJ L 77,
27.3.1996, pp. 20–28, ELI: http://data.europa.eu/eli/dir/1996/9/oj.
341 Commission Staff Working Document ‘Evaluation of Directive 96/9/EC on the legal protection of databases, SWD(2018) 147 final’,
SWD(2018) 146 final, 25 April 2018, p. 35, https://ec.europa.eu/newsroom/dae/redirection/document/51764.
 JRC EXTERNAL STUDY 71

is based on the ECJ’s judgments in the British • Regulatory data protection: Under EU phar-
Horseracing and the Fixtures Marketing cases in maceutical legislation, regulatory data protection
which the court held that only investments into (not to be confused with ‘data protection’) is a
‘obtaining’ the contents of a database (i.e. seeking limited period during which the marketing-au-
out existing independent material to commercial- thorisation holder benefits from the exclusive
ise a database) are relevant for the ‘substantiality’ rights to pre-clinical and clinical trials data sub-
threshold, whereas investments into the ‘creation’ mitted for obtaining a marketing authorisation
of material are irrelevant.342 Based on that argu- to prove the safety and efficacy of a medicinal
ment, compilations of big data would generally product. From the perspective of originator
classify as ‘spin-off databases’, i.e. by-products entities, the right to regulatory data protection
of the company’s central activity for which data provides an important incentive to invest in the
would not be ‘obtained’, but ‘created’.343 development of new medicinal products and the
necessary clinical trials. Reliance on their data by
However, due to digital transformation, business competing entities would be considered unfair,
models are changing and the economic impor- because subsequent market entrants would not
tance of what may appear to be a “by-product” have to invest in costly clinical trials (including
of a business activity today may become the core failed trials). In addition, originator entities value
of a business model tomorrow. According to an the relative certainty of data exclusivity when
industrial survey, the collection and verification of compared with the increased uncertainty that
data for database content require substantially applies in relation to the validity or scope of a
more investment than the actual production of patent, which, in turn, may increase uncertainty
databases.344 These changes question the exclu- with respect to the ability to temporarily exclude
sion of sensor- and machine-generated data competitors.347 However, as there are competing
from the sui generis database right. Regarding public interests to ensure earlier access to certain
the potential integration of AI systems with medicinal products, the way in which regulatory
wearable medical devices, another emerging data protection is protected is a controversial
issue is that investments in the development topic in the debate about public health and IP.
and the implementation of the AI system could
meet the ‘substantial’ threshold.345 Finally, there For (wearable) medical devices, there exist no
is an increasing challenge of allocating relevant similar explicitly defined data exclusivity period
investments to specific parties in distributed to protect the pre-clinical and clinical investi-
IoT-enabled telemedicine networks (see also gations data of manufacturers. Nevertheless,
Chapter 2.4). This may have repercussions on manufacturers may enjoy protection against
the verification of ‘substantial investment’ to unfair competition or unfair commercial use, as
establish legal protection, as well as on properly well as protection of undisclosed information
determining the maker of a database.346 pursuant to Article 39 of the TRIPS Agreement

342 The British Horseracing Board Ltd and Others v William Hill Organization Ltd. (C-203/02), Judgment of the Court (Grand Chamber), 9
November 2004, European Court Reports 2004 I-10415, EU:C:2004:695, paras. 31–42, https://curia.europa.eu/juris/liste.jsf?num=C-203/02.
Fixtures Marketing Ltd v Organismos prognostikon agonon podosfairou AE (OPAP) (C-444/02), Judgment of the Court (Grand Chamber), 9
November 2004, European Court Reports 2004 I-10549, EU:C:2004:697, paras. 40–53, https://curia.europa.eu/juris/liste.jsf?num=C-444/02.
Fixtures Marketing v Oy Veikkaus AB (C-46/02), Judgment of the Court (Grand Chamber), 9 November 2004, European Court Reports 2004
I-10365, EU:C:2004:694, paras. 34–49, https://curia.europa.eu/juris/liste.jsf?num=C-46/02; Fixtures Marketing v Svenska Spel AB (C-338/02),
Judgment of the Court (Grand Chamber), 9 November 2004, European Court Reports 2004 I-10497, EU:C:2004:696, paras. 24–37, https://
curia.europa.eu/juris/liste.jsf?num=C-338/02.
343 European Commission, Directorate-General for Communications Networks, Content and Technology, Karanikolova, K., Chicot, J., Gkogka,
A. et al., Study in support of the evaluation of Directive 96/9/EC on the legal protection of databases – Final report, Publications Office of the
European Union, Luxembourg, 2018, https://data.europa.eu/doi/10.2759/04895.
344 Commission Staff Working Document ‘Evaluation of Directive 96/9/EC on the legal protection of databases, SWD(2018) 147 final’, supra
note 341, p. 36.
345 European Commission, Directorate-General for Communications Networks, Content and Technology, Hartmann, C., Allan, J., Hugenholtz,
P. et al., Trends and developments in artificial intelligence: challenges to the intellectual property rights framework – Final report, Publications
Office of the European Union, Luxembourg, 2020, p. 93. https://data.europa.eu/doi/10.2759/683128.
346 European Commission, Directorate-General for Communications Networks, Content and Technology, Maier, N., De Michiel, F., Peter, V., et
al., Study to support an impact assessment for the review of the database directive – Final report, Publications Office of the European Union,
Luxembourg, 2022, p. 42. https://data.europa.eu/doi/10.2759/647387.
347 World Health Organization, World Intellectual Property Organization, World Trade Organization, supra note 325, p. 80.
72 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

and Article 10bis of the Paris Convention for the formalities. However, ‘reasonable measures’ to
Protection of Industrial Property.348 keep them secret may include the secure stor-
age of confidential information or conclusion of
• Trade secrets protection: Article 2(1) of Direc- non-disclosure agreements (NDAs) or clauses.
tive (EU) 2016/943 (Trade Secrets Directive)349
defines trade secrets, in line with Article 39(2) While there is a traditional view that patents and
of the TRIPS Agreement, as information which trade secrets protection are alternatives, they
meets all of the following requirements: can operate in a complementary manner.350 For
early-stage medtech companies seeking invest-
̊ it is secret in the sense that it is not, as a body ment, patent protection might be preferable, as
or in the precise configuration and assembly a trade secret’s value is often more difficult to
of its components, generally known among or quantify. Trade secrets are also much harder to
readily accessible to persons within the circles enforce than patents and reverse engineering
that normally deal with the kind of information by competitors may reduce the value of trade
in question; secrets. Nevertheless, given the rapid evolution
̊ it has commercial value because it is secret; of technology and the high threshold for obtain-
and ing patent protection, trade secrets are being
̊ it has been subject to reasonable steps under increasingly used to protect digital health inno-
the circumstances, by the person lawfully in vation.351 For example, trade secrets can be used
control of the information, to keep it secret. to protect algorithms, such as the training data of
an AI system integrated into a wearable medical
Recital (14) of the Trade Secrets Directive device. However, critics point out that trade secret
explains that the “definition should [.] cover protection does not encourage ‘socially beneficial
know-how, business information and technologi- public disclosure’ (as opposed to patents) and
cal information where there is both a legitimate secrecy can have a stifling effect on competition,
interest in keeping them confidential and a along with the restrictions that trade secrets law
legitimate expectation that such confidentiality places on employee mobility.352
will be preserved. Furthermore, such know-how
or information should have a commercial value, • In addition to the abovementioned rights, other
whether actual or potential. Such know-how or IP rights relevant to wearable medical devices
information should be considered to have a com- may include:
mercial value, for example, where its unlawful
acquisition, use or disclosure is likely to harm the ̊ industrial design (an individual and new
interests of the person lawfully controlling it, in outward appearance of a wearable medical
that it undermines that person’s scientific and device);
technical potential, business or financial interests, ̊ trademark (a distinct sign in relation to
strategic positions or ability to compete.” A trade a specific wearable medical device or its
secret holder can be any natural or legal person manufacturer);
(e.g. company, university, research institute). ̊ domain name (the website of the manufac-
A trade secret can be protected for an unlim- turer of a wearable medical device).
ited time and does not require administrative

348 Paris Convention for the Protection of Industrial Property (Paris, 20 March 1883, as amended on 28 September 1979), https://www.wipo.
int/wipolex/en/text/288514.
349 Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and
business information (trade secrets) against their unlawful acquisition, use and disclosure, OJ L 157, 15.6.2016, pp. 1–18, ELI: http://data.
europa.eu/eli/dir/2016/943/oj.
350 Aplin, T., Liddicoat, J., Discussion Paper on the Interplay between Patents and Trade Secrets in Medical Technologies, WIPO, October 2023,
pp. 16–28, https://www.wipo.int/edocs/mdocs/scp/en/wipo_ip_covid_ge_2_22/wipo_ip_covid_ge_2_22_paper.pdf.
351 Mayana, R. F., Ramli, A. M., Santika, T., ‘The Role of Intellectual Property in the Development of Digital Health System – Lesson Learned
from the Pandemic’, in: Proceedings of the 2nd International Conference on Law and Human Rights 2021 (ICLHR 2021) – Restructuring Law
and Human Rights in New-Normal Society, edited by Irawaty, R., Ramadita, M., Fitriyani, Atlantic Press, online, 3–6 May 2021, pp. 416–424 at
419, https://www.atlantis-press.com/article/125963856.pdf.
352 Aplin, Liddicoat, supra note 350, p. 21.
 JRC EXTERNAL STUDY 73

3.4.2 Governance of IP rights when making of a trade secret to the extent that it is required or
available data from wearable medical allowed by Union or national law, the obligation under
devices for secondary use purposes the EHDS to make available electronic health data
The EHDS requires electronic health data protected subject to trade secrets protection may arguably
by intellectual property rights, trade secrets and/or empty the essence of the right. Furthermore, health
covered by the regulatory data protection right to data access bodies are not in the position to be always
be made available for secondary use. For example, aware of what is an ‘appropriate’ measure, and risks
this implies that electronic health data collected by may be amplified by the possibility that different
a wearable medical device that is systematically health data access bodies have different interpreta-
arranged and analysed by proprietary algorithms tions of such a measure. In a worst-case scenario, the
and is subject to copyright, database protection and/ (unintended) disclosure of electronic health data that
or trade secrets protection must be made available reveals an innovation direction may cause damages
for secondary use by the health data holder. In such to a wearable medical device manufacturer, while the
cases, “health data holders shall inform the health (unintended) disclosure of electronic health data that
data access body of and identify any electronic health reveals a security measure may generate cybersecu-
data containing content or information protected by rity and/or data protection risks.
intellectual property rights, or trade secrets and/or
covered by the regulatory data protection right” and Although the EHDS and the Data Act pursue different
the “health data access bodies shall take all specific objectives, the EHDS states that it is “without preju-
appropriate and proportionate measures, including dice to” the Data Act “regarding access to, sharing of
legal, organisational, and technical ones, they deem or secondary use of electronic health data, or require-
necessary to preserve the protection of intellectual ments related to the processing of data in relation to
property rights, trade secrets and/or the regulatory electronic health data.” For this reason, it is not clear
data protection right”.353 how the trade secrets protection rules under the Data
Act would apply in the context of the EHDS.355 For
This IP governance scheme has been criticised by example, the Data Act enables the data holder (as a
industry for not providing adequate and effective trade secret holder) to refuse, withhold or suspend the
control and safeguards to health data holders (rights sharing of data. Article 4(7) of the Data Act specifies
holders) and may undermine existing legal protec- that: “[w]here there is no agreement on the necessary
tion and incentives that are vital for researchers and measures referred to in [Article 4(6)], or if the user
innovators.354 The IP governance scheme under the fails to implement the measures agreed pursuant to
EHDS is arguably in conflict with the abovementioned [Article 4(6)] or undermines the confidentiality of the
international treaties (cf. Article 39 of the TRIPS trade secrets, the data holder may withhold or, as the
Agreement, Article 10bis of the Paris Convention for case may be, suspend the sharing of data identified
the Protection of Industrial Property and Article 5 of as trade secrets.” Article 4(8) adds that: “[i]n excep-
the WIPO Copyright Treaty) and, in certain cases, may tional circumstances, where the data holder who is
arguably constitute an unnecessary and disproportion- a trade secret holder is able to demonstrate that it
ate limitation of the ‘right to property’ and ‘freedom to is highly likely to suffer serious economic damage
conduct a business’ guaranteed under Articles 16 and from the disclosure of trade secrets, despite the
17 of the Charter of Fundamental Rights of the Euro- technical and organisational measures taken by the
pean Union and the constitutions of Member States. user pursuant to [Article 4(6)], that data holder may
The IP governance scheme under the EHDS may also refuse on a case-by-case basis a request for access to
lead to uncertainties about its proper interaction with the specific data in question.” In addition to ensuring
relevant rules under other EU legal acts, such as the a certain degree of control for data holders, Article
sui generis database right provided under Article 7(1) 6(2) of the Data Act sets forth prohibited purposes of
of the Database Directive. Regarding trade secrets making available data that the EHDS does not cover.
protection, although Article 3(2) of the Trade Secrets For example, the Data Act prohibits to use data to
Directive permits the acquisition, use or disclosure develop competing products; to derive insights about

353 EHDS compromise text, supra note 12, Article 33a.

354 DIGITALEUROPE, European Health Data Space (EHDS): key issues to address in trilogues, supra note 87, pp. 8–9.
355 Ibid., p. 9.
74 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

the economic situation, assets and production meth- was of such general application. This is not the case
ods of or use by the data holder; or to use data in a in other jurisdictions: for example, the US does not
manner that adversely impacts the security of the have a general data protection framework at the
product or related service(s). federal level.357 However, it does have some specific
frameworks that may be applicable in the context of
Industry has claimed that the abovementioned legal wearable medical devices. At the federal level, the
uncertainties and lack of safeguards for IP rights hold- Health Insurance Portability and Accountabil-
ers may disrupt European health ecosystems, set back ity Act (‘HIPAA’) sets the standard for protecting
health R&I in the EU, weaken the global competitive- sensitive patient data. Unlike the EU’s GDPR, which is
ness and resilience of the EU’s health and life sciences of application to (almost) all forms of personal data
sector, and hinder access for patients and providers processing, HIPAA is relatively narrow in scope. Since
to state-of-the-art healthcare innovations.356 This per- the introduction of the ‘privacy rule’ in 2000, it applies
ception of the regulatory environment may increase to the use of health data for healthcare purposes
costs of developing and marketing wearable medical (and some related contexts).358 But it does not apply
devices in the EU. Although this problem may primarily to the processing of personal data (including health
affect manufacturers of wearable medical devices data) outside those contexts, such as the domain of
(who may have to calculate with increased legal costs well-being, where the intention is not to administer
and may find difficulties in securing long-term invest- healthcare.359
ments due to uncertainties about IP protection), it may
have a knock-on effect on pricing, procurement and As regards the use of wearable medical devices,
accessibility of wearable medical devices in the EU. HIPAA regulations play a crucial role in safeguarding
users’ health information.360 However, the application
of HIPAA to those devices presents unique challenges
3.5 Comparative regulatory outlook: and considerations, especially in the context of bring-
US perspectives on wearable ing such products to market. Wearable medical devices
that are designed explicitly for diagnosing or treating
medical devices health conditions fall squarely within the realm of
HIPAA oversight. This means that manufacturers must
3.5.1 Privacy / data protection requirements in implement robust security measures to protect users’
the US data, including encryption, access controls, and data
One interesting area of comparison can be made in breach protocols. Where it applies, HIPAA is an addi-
the area of privacy / data protection. The EU’s data tional regulatory burden for healthcare providers that
protection regime was a novelty, in part, because it use such devices.361 Additionally, they must adhere

356 Ibid., p. 8.
357 Perumal, V., ‘The Future of U.S. Data Privacy: Lessons from the GDPR and State Legislation Notes’, Notre Dame Journal of International
& Comparative Law, Vol.12 No. 1, 2022, https://scholarship.law.nd.edu/ndjicl/vol12/iss1/7.
358 See also Szalados, J.E., ‘Medical Records and Confidentiality: Evolving Liability Issues Inherent in the Electronic Health Record, HIPAA,
and Cybersecurity’, in: The Medical-Legal Aspects of Acute Care Medicine: A Resource for Clinicians, Administrators, and Risk Managers, edited
by J.E. Szalados, Springer International Publishing, Cham, 2021, pp. 315–342, https://doi.org/10.1007/978-3-030-68570-6_13. HIPPA applies
to covered entities: “(1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in
electronic form in connection with a transaction”. ‘Healthcare provider’ means “a provider of services (as defined in section 1861(u) of the
Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other
person or organization who furnishes, bills, or is paid for health care in the normal course of business.” ‘Health care’ means “care, services, or
supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic,
rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental
condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug,
device, equipment, or other item in accordance with a prescription.” ‘Health information’ means “any information, whether oral or recorded
in any form or medium, that (a) is created or received by a health care provider, health plan, public health authority, employer, life insurer,
school or university, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an
individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to individual.”
359 Bui, J., ‘Lack of Privacy Regulations in the Fitness and Health Mobile App Industry: Assessing the Health Insurance Portability and
Accountability Act (HIPPAA) for Meeting the Needs of User Data Collection’, Intellectual Property and Technology Law Journal, Vol. 21 No. 1,
2016, pp. 1–20, https://heinonline.org/HOL/LandingPage?handle=hein.journals/iprop21&div=5&id=&page=.
360 Fiedler, B.A., ‘Chapter 18 - Challenges of New Technology: Securing Medical Devices and Their Software for HIPPA Compliance’, in:
Managing Medical Devices Within a Regulatory Framework, edited by B.A. Fiedler, Elsevier, Amsterdam, 2017, pp. 315–329. https://doi.
org/10.1016/B978-0-12-804179-6.00018-6.
361 See also Szalados, supra note 358.
 JRC EXTERNAL STUDY 75

to strict guidelines regarding data storage, sharing requires ongoing investment in research and devel-
and access. Wearable medical devices often involve opment, as well as resources for regular audits and
direct interaction with healthcare providers. Therefore, compliance assessments.
they must also ensure interoperability with existing
healthcare systems while maintaining compliance The “HIPAA/non-HIPAA” division in relation to weara-
with HIPAA requirements. That can pose challenges in bles is something that is conceptually different from
terms of data integration and compatibility, as well as the situation that the GDPR provides for in the EU.
ensuring seamless communication between devices This is because HIPAA is not of general application to
and electronic health record (EHR) systems.362 personal health data in the same way as the GDPR
is. The former concerns contextual application. Hence,
On the other hand, well-being wearables, such as fit- it does not apply to well-being products used for
ness trackers, may also collect personal health data, non-medical purposes, even if they generate health
but do not fall under the scope of HIPAA. Those devices data that may be of a sensitive nature. This means
are typically used for general wellness purposes rather that devices that are strictly well-being in nature do
than medical diagnosis or treatment. As a result, they not have to meet the stringent requirements that
may not be subject to the same stringent regulations HIPAA sets. For those manufacturers, the non-appli-
as medical devices.363 However, manufacturers of cation means one less (important) barrier to market
well-being wearables still have a responsibility to pro- entry. However, for potential ‘new market entrants’ in
tect users’ privacy and data security. This may include the wearable medical devices market (such as tech
the application of other regulatory frameworks at companies), the dividing line is stark if they intend to
both the federal364 and state level.365 move from well-being to medical application modes
(see also Chapter 4.1.4). This is because they will have
The role of intention (i.e. whether there is a medical to comply with all relevant HIPAA provisions. This,
purpose or not) is important given that HIPAA com- therefore, represents a major step up in terms of the
pliance requires significant investment in technology, regulatory burden. By contrast, this is not the case
infrastructure and expertise (similarly to the GDPR). in the EU given that economic actors in the well-be-
Manufacturers must implement robust security ing sector have to comply with the GPDR’s rules on
measures and privacy policies from the design phase sensitive data if they process data concerning health
onwards (similar to the concept of privacy-by-design (which is likely to be the case given the breadth of
in the GDPR), which can increase development costs the definition of ‘data concerning health’) (see also
and time to market.366 However, in practice, small or Chapter 3.3.2.2). For new market entrants in the EU,
start-up companies may often struggle to meet those who want to make the transition from well-being to
requirements, stifling innovation and competition in medical applications, the transition (in terms of adher-
the wearable medical device market. Moreover, the ence to data protection law) does not entail significant
dynamic nature of technology and healthcare pre- changes.
sents ongoing challenges for maintaining HIPAA
compliance. As wearable medical devices evolve and These differences do not entail that the EU’s data
new features are added, manufacturers must con- protection framework fosters innovation of wearable
tinually assess and update their security protocols medical devices more effectively than the US does.
to address emerging threats and vulnerabilities. This It is important to bear in mind that some start-ups/

362 Dinh-Le, C., Chuang, R., Chokshi, S. et al., ‘Wearable Health Technology and Electronic Health Record Integration: Scoping Review and
Future Directions’, JMIR mHealth and uHealth, Vol. 7 No. 9, 2018, e12861, https://doi.org/10.2196/12861.
363 Papandrea, P., ‘Addressing the HIPAA-Potamus Sized Gap in Wearable Technology Regulation Note’, Minnesota Law Review, Vol. 104 No.
2, 2019, pp. 1095–1132, https://scholarship.law.umn.edu/mlr/3246; Arnow, G., ‘Apple Watch-Ing You: Why Wearable Technology Should Be
Federally Regulated’, Loyola of Los Angeles Law Review, Vol. 49 No. 3, 2016, pp. 607–34, https://digitalcommons.lmu.edu/llr/vol49/iss3/2/.
364 This may include the application of the Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act which
are commonly referred together as the Electronic Communications Privacy Act (ECPA) of 1986. Whilst the ECPA may lay down some important
privacy and security requirements for wearables, it does not stop those managing wearable-generated data from handing it to third parties
(in the way HIPAA would). See also Langley, M., ‘Hide Your Health: Addressing the New Privacy Problem of Consumer Wearables’, Georgetown
Law Journal, 2014, pp. 1641–1660. https://heinonline.org/HOL/LandingPage?handle=hein.journals/glj103&div=50&id=&page=.
365 See also Kitain, J., ‘Beware of Wearables: Protecting Privacy in a Data-Collecting World’, Drexel Law Review, Vol. 9 No.1, 2017, pp. 1–30,
https://drexel.edu/~/media/Files/law/law%20review/v9-1/Kitain.ashx.
366 See also Newman, T., Kreick, J., ‘The Impact of HIPAA (and Other Federal Law) on Wearable Technology’, SMU Science and Technology
Law Review, Vol. 19 No. 4, 2015, pp. 429–454, https://scholar.smu.edu/cgi/viewcontent.cgi?article=1027&context=scitech.
76 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

SMEs may first develop their activities in the well-be- EU’s MDR. Whilst under the previous framework (i.e.
ing sector first, and only if they are successful, make MDD), many wearables would have been classed as
an attempt to break into the medical device market. Class I, this has changed with the MDR. Annex VIII of
For those companies, the lack of HIPAA application the MDR states that: “software intended to monitor
may be important, as it is often perceived as a layer of physiological processes is classified as class IIa, except
regulation that is burdensome.367 They are therefore if it is intended for monitoring of vital physiological
often more enthusiastic about potential innovation parameters, where the nature of variations of those
in the well-being market than the healthcare market. parameters is such that it could result in immediate
This is not the case for similar companies in the EU, as danger to the patient, in which case it is classified as
they have to comply with the GDPR’s rules on sensitive class IIb.” The consequences of this are significant.
data, even if they intend to limit themselves only to Most importantly, moving from Class I to Class II under
the well-being sector. the MDR means that the option of self-certification is
typically no longer available. Instead, manufacturers
3.5.2 Regulation of medical devices in the US in the EU have to undergo a full conformity assess-
Market entry for wearable medical devices in the US ment with a notified bodied. During that process, a full
and the EU is governed by distinct regulatory frame- quality management system (QMS) audit is carried
works, each presenting their own challenges and out and the technical documentation of a prospective
opportunities.368 Understanding those differences is medical device is fully analysed.371
crucial for companies looking to navigate markets
effectively. The following part focuses on some fac- By contrast, Class II devices (including many wear-
tors to present key distinctions between how medical ables) in the US often have a less onerous option
devices and wearables are subject to regulatory available.372 Manufacturers of wearables may be able
requirements in the US. to take advantage of what is known as the ‘510(k)
premarket approval’.373 Under this route, the device
3.5.2.1 Differences in classification and manufacturers can claim ‘substantial equivalence’ to
consequent approval procedures in another device. The 510(k) pathway is often chosen
the US by manufacturers due to its relative speed and lower
In the US, the regulatory authority for medical devices cost compared to the complete process of getting a
is the Food and Drug Administration (FDA).369 The FDA ‘de novo’ device certified. Such a process is permitted
classifies medical devices into three categories—Class when it can be demonstrated that a new device is
I, Class II, and Class III—based on the level of risk they substantially equivalent to a legally marketed device
pose to patients. Wearable devices often fall under already available on the market, known as a ‘predicate
Class II, which includes devices like medical monitors device’.374 The comparison aims to show that the new
or diagnostic tools.370 At first glance, this looks similar device has similar intended use, technological charac-
to the situation in the EU, however, there are some teristics and performance as the predicate device. The
important differences. Some of those appear to have FDA reviews the 510(k) application to assess whether
been accentuated by changes brought about by the the new device meets the necessary safety and

367 See also Sorenson, C., Kanavos, P., ‘Medical Technology Procurement in Europe: A Cross-Country Comparison of Current Practice and
Policy’, Health Policy, Vol. 100 No. 1, 2011, pp. 43–50, https://doi.org/10.1016/j.healthpol.2010.08.001.
368 Kramer, D.B., Xu, S., Kesselheim, A.S., ‘Regulation of Medical Devices in the United States and European Union’, New England Journal of
Medcine, Vol. 366 No. 9, 2012, https://doi.org/10.1056/NEJMhle1113918.
369 FDA’s legal authority to regulate both medical devices and electronic radiation-emitting products is the Federal Food Drug & Cosmetic
Act (FD&C Act) see https://www.fda.gov/regulatory-information/laws-enforced-fda/federal-food-drug-and-cosmetic-act-fdc-act.
370 Under the FDA guidance, there is only one type of ‘Class II’, unlike the EU MDR, which classifies ‘Class IIa’ and ‘Class IIb’ medical devices.
371 Piwowarczyk vel Dabrowski, M., Sandkuhl, K., ‘Towards a Management System for Regulative Compliance of Information-Intensive
Medical Devices’, in: Human Centred Intelligent Systems, edited by A. Zimmermann, R.C. Howlett, L. Jain, Springer, Singapore, 2022, pp.
205–215, https://doi.org/10.1007/978-981-19-3455-1_16.
372 Hill, R., ‘Smart Wearables: The Overlooked and Underrated Essential Worker Notes’, William & Mary Law Review, Vol. 64 No. 5, 2023, pp.
1583–1615, https://scholarship.law.wm.edu/wmlr/vol64/iss5/7.
373 Brönneke, J.B., Müller, J., Mouratis, K. et. al., ‘Regulatory, Legal, and Market Aspects of Smart Wearables for Cardiac Monitoring’, Sensors,
Vol. 21 No. 14, 2021, 4937, https://doi.org/10.3390/s21144937.
374 DeNoncour, M., ‘Healthcare Technology Regulation in the US’, in: HealthTech – Law and Regulation, edited by J. Madir, Edward Elgar
Publishing, Cheltenham, 2020, pp. 80–113, https://doi.org/10.4337/9781839104909.00014.
 JRC EXTERNAL STUDY 77

effectiveness standards. If the FDA determines that Whilst the EU does not have a direct equivalent to
the new device is substantially equivalent to the pred- the 510(k) or ‘substantial equivalence’ route, the MDR
icate device and meets all regulatory requirements, does allow manufacturers seeking certification to
it grants clearance for the device to be marketed and claim ‘clinical equivalence’ to a pre-existing device.379
sold in the US. Whilst the 510(k) route still requires Establishing clinical equivalence against a similar
substantial documentation to demonstrate substan- device allows manufacturers to use existing clinical
tial equivalence to a legally marketed predicate device data to evaluate the device’s safety and effectiveness,
(which can still be a barrier to entry for smaller com- removing the need for an in-depth clinical investiga-
panies)375 it is a less burdensome route than a ‘de tion.380 Doing so reduces (but does not remove) the
novo’ application which must be made when there is intensity of the administrative burden on manufactur-
no predicate device available. ers. The MDR foresees however a narrower definition
of the concept than what the FDA uses. The former
The approach adopted by the FDA (in recognising a only allows the concept of clinical equivalence to
concept of ‘substantial equivalence’) can be contrasted be recognised when a device is expected to deliver
with the EU, which recognises a concept of ‘clinical a similar critical performance in terms of ‘expected
equivalence’. Though they may sound similar, there clinical effect’, ‘similar intended purpose’ and ‘similar
are some important variations in these requirements. duration of use’.381 In addition, other aspects, such as
While the FDA typically requires clinical data only for the intended target group (disease severity, demo-
higher-risk devices or those without a ‘predicate’, the graphics), the type of use on or in the body and the
MDR generally mandates clinical evaluations for all environment the device should be used within should
devices, regardless of risk class.376 This can pose a be similar. It should also be intended to be used on a
significant barrier to market entry for wearable device similar population and by similar types of healthcare
manufacturers, as conducting clinical studies can be professional.
costly and time-consuming. Again, this is not always
required in the US to get marketing authorisation by The FDA concept of ‘substantial equivalence’ is
the FDA. This is for example the case when a 510k thus somewhat broader than the concept of ‘clini-
procedure is used as outlined above.377 This effectively cal equivalence’ recognised under the EU’s MDR.382
means that a number of wearable applications will In essence, the former is more concerned with the
not have to gather and present significant amounts of functional parameters of the device, whereas the
clinical evidence in order to gain approval.378 In effect, latter also takes into account how it is intended to be
this lowers the regulatory burden compared to similar used by health professionals and on which types of
procedures in the EU. patients. To achieve substantial equivalence, the FDA
is mostly concerned with aspects, such as ‘intended

375 Yeng, P., Yang, B., Wolthusen, S., ‘Legal Requirements toward Enhancing the Security of Medical Devices’, International Journal of
Advanced Computer Science and Applications, Vol. 11 No. 11, 2020, https://doi.org/10.14569/IJACSA.2020.0111181.
376 For an overview of when and what type of clinical evidence is required under the MDR see also: Smirthwaite, A., Clinical evaluation under
EU MDR, British Standards Institution, London, 2021, https://www.bsigroup.com/globalassets/localfiles/en-gb/medical-devices/whitepapers/
clinical-evaluation-white-paper/clinical-evaluation-under-eu-mdr.pdf.
377 The FDA does not require clinical data in most 510(k)s. However, if clinical data are necessary to demonstrate substantial equivalence,
the clinical study must comply with the IDE, IRB, and human subject protection (informed consent and additional safeguards for children
in research) regulations. See section 520(g) of the act and 21 CFR Parts 812, 56 and 50. See also U.S. Department of Health and Human
Services, Food and Drug Administration, Information Sheet Guidance For IRBs, Clinical Investigators, and Sponsors - Frequently Asked
Questions About Medical Devices, Silver Spring, 2006, https://www.fda.gov/files/about%20fda/published/Frequently-Asked-Questions-About-
Medical-Devices---Information-Sheet.pdf.
378 Some authors have expressed concerns that lower quality devices may be able to pass through this process. See also Izmailova, E.,
McLean, I.L., Bhatia, G. et al., ‘Evaluation of Wearable Digital Devices in a Phase I Clinical Trial’, Clinical and Translational Science, Vol. 12 No. 3,
2019, pp. 247–256, https://doi.org/10.1111/cts.12602.
379 See also Medical Device Coordination Group, Clinical Evaluation – Equivalence: A guide for manufacturers and notified bodies (MDCG
2020-5), April 2020, https://health.ec.europa.eu/system/files/2020-09/md_mdcg_2020_5_guidance_clinical_evaluation_equivalence_en_0.
pdf.
380 Redberg., R.F., Dhruva, S.S., ‘Moving From Substantial Equivalence to Substantial Improvement for 510(k) Devices’, JAMA, Vol 322 No. 10,
2019, pp. 927–928, https://doi.org/10.1001/jama.2019.10191.
381 See also Medical Device Regulation [Regulation (EU) 2017/745], supra note 83, Annex XIV, Part A.
382 Fink, M., Akra, B., ‘Comparison of the International Regulations for Medical Devices–USA versus Europe’, Injury, Vol. 54, 2023, https://doi.
org/10.1016/j.injury.2023.110908.
78 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

use’, ‘design’, ‘energy transfer, ‘performance’, ‘safety’, 3.5.2.2 Post-market surveillance in the US
‘effectiveness’, ‘labelling’ ‘biocompatibility and other Another key distinction lies in the post-market sur-
characteristics.383 veillance and vigilance requirements.386 Under the
MDR, manufacturers must establish and maintain
In short, the process is more difficult under the systems for monitoring the performance and safety
MDR than under the FDA’s regime. Under the MDR, of their medical devices throughout its lifecycle.387
manufacturers must provide more data and must This includes processes for reporting adverse events
actively demonstrate equivalence in a wider variety and implementing corrective actions. While simi-
of domains.384 In addition, manufacturers claiming lar requirements exist in the US, the approach and
equivalence to pre-existing devices must demon- documentation standards may differ, necessitating
strate a legal relationship with the manufacturer additional efforts for companies operating in both
of that device which allows access to the necessary markets. For the majority of medical devices in the US,
data to demonstrate equivalence. As Fink and Akra it is necessary to only perform general post-market
explain, under the MDR: “[a] manufacturer who wants activities. These may include collecting feedback from
to claim equivalence to a device from a competitor physicians or accessing the MAUDE database.388
must demonstrate to the Notified Body that both
organizations have a contract allowing them to share By contrast, under the MDR, the EU has made the
details and enabling the manufacturer to have full requirements for post-market surveillance stricter.389
access to the other device’s technical and clinical The manufacturers of medical devices must “actively
documentation.”385 and systematically collect post-market data and gen-
erate specific reports (Periodic Safety Update Report
This difference may have important ramifications PSUR) on an annual or biennial basis, depending
for the wearable medical device market in the EU. In on the risk class.”390 In the case of devices that are
particular, the MDR makes it more difficult for a com- approved based on ‘clinical equivalence’, manufactur-
petitive device to enter the market (given they must ers must carry out a ‘post-market clinical follow-up’
have access to sufficient data and must demonstrate (PMCF) activity.
equivalence in such a broad manner). This could be a
major disincentive in the EU for new market entrants, Once again, these differences could be considered
in particular SMEs. It may also disincentivise manu- to represent an extra burden for potential medical
facturers from releasing new versions of their device, device manufactures (including of wearable medical
which whilst broadly similar, do not meet the strict devices)391 in the EU. Compared to their counterparts
definition envisaged under the MDR. In the US, those in the US, they are more likely to experience a pro-
burdens are lower under the broader form of equiva- longed administrative burden, even after a device has
lence recognised by the FDA. been placed on the market. This requirement could
be particularly onerous for SMEs or new market

383 U.S. Code of Federal Regulations, Title 21 (1 April 2024), Chapter I, Subchapter H, Part 807, subpart E, section-807.87, https://www.ecfr.
gov/current/title-21/chapter-I/subchapter-H/part-807/subpart-E/section-807.87.
384 Manita, A.D., Vikram, A.C.R., Prabodh, C.S., ‘Regulation and Clinical Investigation of Medical Device in the European Union’, Applied Clinical
Research, Clinical Trials and Regulatory Affairs, Vol. 6 No. 3, 2019, pp. 163–181, https://doi.org/10.2174/2213476X06666190821095407.
385 Fink, Akra, supra note 382.
386 See also: Badnjević, A., Pokvić, L.G., Deumić, A. et al. ‘Post-Market Surveillance of Medical Devices: A Review’, Technology and Health Care,
Vol. 30, No. 6, pp. 1315–1329, https://doi.org/10.3233/THC-220284.
387 See also Harer, J., ‘Post-Market Surveillance and Vigilance on the European Market’, in: Medical Devices and In Vitro Diagnostics:
Requirements in Europe, edited by C. Baumgartner, J. Harer, J. Schröttner, Springer, Cham, 2023, pp. 585–623, https://doi.
org/10.1007/978-3-031-22091-3_22.
388 This is regulated by the FD&C Act Section 522, and all ongoing post-market studies in the US are listed in the ‘522 Post-market
Surveillance Studies Database, see U.S. Department of Health and Human Services, Food and Drug Administration, FDA 522 Postmarket
Surveillance Studies Database, https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPMA/pss.cfm.
389 Lewis., A., Valla V., Charitou P., ‘Digital Health Technologies for Medical Devices – Real World Evidence Collection – Challenges and
Solutions Towards Clinical Evidence’, International Journal of Digital Health, Vol 2 No. 1:8, 2022, pp. 1–18, https://doi.org/10.29337/ijdh.49.
390 Fink, Akra, supra note 382, p. 4.
391 Nantume, A., Shah, S., Cauvel, T., ‘Developing Medical Technologies for Low-Resource Settings: Lessons From a Wireless Wearable Vital
Signs Monitor–neoGuard’, Frontiers in Digital Health, Vol. 3, No. 730951, 2021, pp. 1–9, https://doi.org/10.3389/fdgth.2021.730951.
 JRC EXTERNAL STUDY 79

entrants given that they may not have either the without much difficulty (as is also the case in Europe).
in-house capacity or the experience of conducting In the medical device sector, however, it is generally
such exercises. not possible to integrate a range of devices into a
“customisable suite”.393 This affects inter alia the
3.5.3 FDA’s initiative to foster the ‘Home Care deployment of wearable medical devices.
Environment’
An important development in the US (and another dif- Brückner et. al. argue that the FDA has realised that it
ference to the EU) is that the FDA has announced an is not the role of the regulator to sit back and allow the
initiative to foster the adoption of digital technology development of technology “in a laissez faire manner”.
in the ‘home care environment’. This initiative was Rather, it has to take steps to facilitate the adoption
born out of a recognition that, without help, such tech- of technologies for which there is a clear need, but for
nologies face many (and sometimes insurmountable which a number of interlocking barriers exist to their
barriers to adoption). According to Brückner et. al., “[m] development.394 An example of this is the launching
arket forces, as shaped by current regulations, are of a recent ‘Care at Home’ initiative, launched by the
leading to digital health tools developed and operat- FDA’s Centre for Devices and Radiological Health.
ing in islands rather than enabling integrated digital According to the FDA director, there is a clear need
care.”392 This produces a range of medical devices for such a holistic initiative: “[i]f you think about device
that end up operating in isolation rather than together development, like sensors, if you do it one at a time,
in a coordinated fashion (as one would expect in you'll never put a whole suite together into something
out-of-hospital or in-home care). that fits together in the [home] environment. [The FDA
is] working on a strategy on how to create regulatory
The FDA initiative (which has no equivalent EU ver- pathways to help make that happen”395
sion) stems from the need that healthcare, and digital
healthcare in particular, represent sectors that can be As it stands, there is a lack of information about the
defined inter alia by a high level of inertia. Despite specificities of this new strategy, but it seems that
the wave of enthusiasm for homebased digital tech- the FDA intends not only to influence the design of
nologies fostered during the COVID-19 pandemic, the devices, but also that of homes in general, trying
follow-up wave of development and adoption has not to influence their design in a way that would allow
materialised. The FDA seems to have realised that the development of homecare suites. One key policy
this is not the fault of individual business practices, consideration behind this could be to address equity
reimbursement policies or legislative initiatives, but issues affecting access to healthcare for patients from
rather the absence of a holistic approach to boost certain socio-economic backgrounds.396 If the FDA’s
adoption of all these devices. The situation with plan will be successful, then the creation of custo-
regard to medical devices can be contrasted with misable ‘home care environment’ suites could be a
well-being or other consumer technology where it is model that European health systems may consider
possible to integrate various technological elements replicating.

392 Brückner, S., Brightwell, C., Gilbert, S., ‘FDA launches health care at home initiative to drive equity in digital medical care’, npj Digital
Medicine, Vol. 7, No. 204, 2024, pp. 1–3, https://doi.org/10.1038/s41746-024-01198-2.
393 Mathias, R., McCulloch, P., Chalkidou, A. et al. ‘How can regulation and reimbursement better accommodate flexible suites of digital
health technologies?’ npj Digital Medicine, Vol. 7, No. 170, 2024, pp. 1–3, https://doi.org/10.1038/s41746-024-01156-y.
394 Brückner, Brightwell, Gilbert, supra note 392.
395 Al-Faruque, F., Califf: New systems needed for bringing rare disease treatments, at-home devices to market, Regulatory Focus, 15
February 2024, https://www.raps.org/news-and-articles/news-articles/2024/2/califf-new-systems-needed-for-bringing-rare-diseas.
396 Brückner, Brightwell, Gilbert, supra note 392.
 Competitiveness issues affecting the
wearable medical device market in the EU

OLOGY TRANSFER
T E CH N S

Innovation and Regulation,

networking standardisation and
services interoperability
Funding and IP rights
financing protection

Collaboration (Re)skilling

KET ECOSYS
Researchers R Healthcare
TE
MA

providers
M

Digital
Value health
assessment literacy
schemes
ORS
Industry Patients Trust
Health
technology
AC T

assessment
VA

Healthcare
NF

organisation
LU

Health system
MA
EA

funding
HU

models
SS
ES
SM

Negotiations with
T manufacturers
EN

Patients’
AN accessibility
D
RE
IM
BU
RS
EM
ENT
 JRC EXTERNAL STUDY 81

4. Competitiveness issues affecting the wearable medical

device market in the EU
The marketplace for medical devices is notoriously devices in healthcare’, ‘Internet of Medical Things’,
complex, which affects the innovation and marketing ‘wellness applications’). Moreover, the literature often
of wearable medical devices in the EU. This chapter does not make any distinction between medical and
of the report outlines various competitiveness fac- non-medical purposes, or only covers non-medical
tors (in addition to the regulatory issues discussed in (wellness) applications.398 Where research is available
the previous chapter) which affect the sector and its on wearable medical devices, it usually focuses on
actors. These factors include: particular types of devices, wearable medical devices
targeting specific conditions399 or on broader themes,
• an overview of the market dynamics in the eco- such as digital health technologies400 (see also Chap-
system (chapter 4.1); ter 1.2).
• an analysis of value assessment and reimburse-
ment frameworks (chapter 4.2); The following groups of economic actors and stake-
• possible policy measures to facilitate technology holders are relevant in the ecosystem of wearable
transfers (section 4.3); medical devices (note that the categories do not form
• human factors affecting the uptake of medical monolithic groups and may overlap in certain cases):
device wearables (section 4.4);
• case studies based on interviews conducted with • researchers;
relevant key stakeholders (section 4.5). • medical device companies;
• pharmaceutical companies;
• tech companies;
4.1 Market ecosystem: an overview • healthcare providers;
• patients; and
Although research studies have not focused specifi- • regulators and other “interface” actors (e.g. reim-
cally on economic actors and stakeholders in relation bursement decision-makers).401
to the ecosystem of wearable medical devices, the
broader digital health ecosystem, the medical device It is important to add that the ecosystem of weara-
sector and wearables en masse are subject to regular ble medical devices is part of the much larger digital
analyses.397 However, it is often challenging to compare health ecosystem, where there are further functional
those analyses due to the inconsistent use of termi- roles, value streams and market dynamics (Figure 2).
nology in the field (such as ‘wearables’, ‘connected

397 See e.g. de Jongh, T., Oomens., I., Izsák, K., Strategic Value Chain Report of Smart Health, Technopolis Group, Brighton, 2019
(commissioned by the Strategic Forum on Important Projects of Common European Interest) (not available online), report supporting: Strategic
Forum for Important Projects of Common European Commission, Strengthening Strategic Value Chains for a future-ready EU Industry - report
of the Strategic Forum for Important Projects of Common European Interest, European Commission, Brussels, 2019.
398 See also Huhn, S., Axt, M., Gunga, H. et al., ‘The Impact of Wearable Technologies in Health Research: Scoping Review’, JMIR mHealth and
uHealth, Vol 10 No. 1, 2021, e34384, https://doi.org/10.2196/34384.
399 See e.g. Leclercq, C., Witt, H., Hindricks, G. et al., ‘Wearables, Telemedicine, and Artificial Intelligence’ in: Arrhythmias and Heart Failure:
Proceedings of the European Society of Cardiology Cardiovascular Round Table', EP Europace, Vol. 24 No. 9, 2022, pp. 1372–1383, https://doi.
org/10.1093/europace/euac052 (as an example of research on cardiac monitoring wearable devices).
400 See e.g. Farahani, B., Firouzi, F., Chakrabarty, K., ‘Healthcare IoT’, in: Intelligent Internet of Things: From Device to Fog and Cloud, edited by
F. Firouzi, K. Chakrabarty, S. Nassif, Springer, Cham, 2020, pp. 515–545, https://doi.org/10.1007/978-3-030-30367-9_11.
401 de Jongh, Oomens, Izsák, supra note 397 identify a category of Influential “interface” actors, who are able to shape the dynamics of
interactions among the groups listed above. This category may include payers (e.g. national health systems, insurance companies), policy-
makers and regulators. Those actors are not in the scope of this analysis, but reimbursement issues are discussed under Chapter 4.2.
82 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Source: Hermes, Riasanow, Clemens et al.402

Figure 2: Representation of the digital health ecosystem

4.1.1 Researchers (research institutes and detectors.403 In Belgium, imec covers the entire value
universities) chain as an innovation hub: from research to the
Researchers are important across the life cycle of implementation of market-ready solutions and entre-
wearable medical devices, including the development preneurship programs, specialising in nanoelectronics
and design (product conceptualisation, proof-of-con- and digital technologies (including wearables).404
cept), testing (clinical investigation) and post-market
(evidence analysis) phases. Researchers may hold dif- Universities are also active in scientific research on
ferent legal status, any may be affiliated with public, new wearables and are seeking ways to facilitate
private or public–private-funded organisations. Key technology transfers to the digital health market (for
(distinctly research) organisations include research case study of Vrije Universiteit Brussel, see Chapter
and technology institutes, which play a pivotal role in 4.5.3). Typically, university researchers are involved
the innovation of digital health technologies: pioneer- in the development and design of wearables or when
ing the development of foundational digital health wearable medical devices are deployed for scientific
solutions, collaborating with hospitals (e.g. testing new research purposes (in a university hospital or labora-
solutions), and bridging the gap between research and tory). Successful research projects may lead to the
industry. For example, in France, CEA-LETI is active on creation of spin-offs.405
research in wearable electronics and medical imaging

402 Hermes, S., Riasanow, T., Clemons, E. et al., ‘The Digital Transformation of the Healthcare Industry: Exploring the Rise of Emerging
Platform Ecosystems and Their Influence on the Role of Patients’, Business Research, Vol. 13, 2020, pp. 1033-1066 at 1060, https://doi.
org/10.1007/s40685-020-00125-x.
403 See also CEA-Leti, ‘CEA-Leti Announces EU Project to Mimic Multi-Timescale Processing of Biological Neural Systems’, CEA Leti, 20
April 2021, https://www.cea.fr/cea-tech/leti/Pages/actualites/Communique%20de%20presse/CEA-Leti-Announces-EU-Project-to-Mimic--Multi-
Timescale-Processing-of-Biological-Neural-Systems.aspx.
404 See also imec, ‘Technology for wearable pain and stress monitoring devices’, imec, n.d., https://www.imec-int.com/en/expertise/
health-technologies/pain-and-stress-monitoring.
405 See e.g. Brophy, K., Davies, S., Olenik, S. et al., ‘The future of wearable technologies’, Briefing Paper 6, Imperial College London, London,
2021, pp. 14–15, https://doi.org/10.25561/88893.
 JRC EXTERNAL STUDY 83

4.1.2 Medical device companies consumer electronics (for case study of Philips, see
According to a MedTech Europe survey (2024),406 there Chapter 4.5.1).410 Biotronik (Germany) uses telemon-
are more than 37,000 medical technology companies itoring in cardiac rhythm management to provide
in Europe, employing around 880,000 people (pro- healthcare providers up-to-date information on
portionately, the highest number of employees are implant patients. Fresenius (Germany) is driving inno-
in Ireland, Switzerland, Austria, Germany, Denmark). vation to provide IoT-enabled home dialysis solutions
The highest number of companies are based in Ger- for patients.411 Sonova (Switzerland) specialises in
many, followed by Italy, the UK, Poland and Sweden. hearing aids, cochlear implants, and wireless commu-
Small and medium-sized companies (SMEs) make nication devices compatible with their hearing aids.412
up around 90% of the medical technology industry, Siemens Healthineers (Germany) provides solutions to
the majority of which employs less than 50 people. enable the integration of data from wearable medical
Medical device companies contribute significantly to devices into hospital information systems. Regarding
R&D investments and international trade (exports) in market dynamics, it is important to emphasise that
the EU. Since the COVID-19 crisis, there are significant international market expansions and cooperation have
efforts in the sector to realise the potential benefits become widespread (mostly cross-Atlantic, in both
of telemedicine and facilitate the use of patient aids, directions), which can facilitate technology transfers
including wearable medical devices. Some of the more in the sector.413 As part of this market transformation,
established areas of application (market segments) several US‑headquartered companies have set foot
of wearable medical devices are hearing support in the EU market, including Medtronic (partly based
(hearables),407 cardiology-related conditions,408 and in Ireland), Abbott, Dexcom, Stryker and ResMed (for
epilepsy control.409 case study of ResMed, see Chapter 4.5.2).

4.1.2.1 Large medical device companies 4.1.2.2 Start-up / SME medical device
Manufacturers of wearable medical devices in the EU companies
include large multinational companies and SMEs (see Much is made of the disruptive power of start-ups
also Chapter 4.1.2.2). Large European-headquartered and fast-growing SMEs in digital health.414 However,
companies include Philips (Netherlands), which has the medical device market is considered difficult to
shifted its focus to become an integrated healthcare enter.415 Start-ups should be well-prepared before
solutions provider rather than solely a producer of they embark on such an attempt and expect to face

406 MedTech Europe, ‘Facts & Figures 2024’, MedTech Europe, Brussels, 2024, https://www.medtecheurope.org/wp-content/uploads/2024/07/
medtech-europes-facts-figures-2024.pdf.
407 Laplante-Lévesque, A., Dimakopoulos, N., Papagrigoriou, P. et al., ‘First Market Analysis and Exploitation Report’, Deliverable 8.4,
Evidenced based management of hearing impairments: Public health policy making based on fusing big data analytics and simulation
(EVOTION), H2020 project (GA no.: 72752), 2019, https://h2020evotion.eu/wp-content/uploads/delightful-downloads/2017/11/727521-
EVOTION-D8.4-FIRST-MARKET-ANALYSIS-REPORT.pdf.
408 Duncker, D., Ding, W.Y., Etheridge, S. et al., ‘Smart Wearables for Cardiac Monitoring—Real-World Use beyond Atrial Fibrillation’, Sensors,
Vol. 21 No. 7, 2021, 2539, https://doi.org/10.3390/s21072539.
409 Ong, J.S., Wong, S.N., Arulsamy, A. et al., ‘Medical Technology: A Systematic Review on Medical Devices Utilized for Epilepsy Prediction and
Management’, Current Neuropharmacology, Vol 20 No. 5, 2022, pp. 950–964 https://doi.org/10.2174/1570159X19666211108153001.
410 Mocker, M., Ross, J., ‘Digital Transformation at Royal Philips’, in: 39th International Conference on Information Systems (ICIS 2018):
Bridging the Internet of people, data and things, San Francisco, 13–16 December 2018, pp. 2695–2711, https://www.proceedings.com/
content/047/047764webtoc.pdf.
411 Boucher, M., ‘How Connected Medical Devices Will Revolutionize Healthcare’, PTC, 13 May 2024, https://www.ptc.com/en/blogs/iiot/
an-overview-of-connected-medical-devices.
412 Sonova has contributed to the Stanford Wearable Electronics Initiative (eWear), a pioneering university–industry program in the US that
enables corporations to work with researchers on the development of new wearables, see https://wearable.su.domains/about.
413 Dunn, J., Runge, R., Snyder, M., ‘Wearables and the Medical Revolution’, Personalized Medicine, Vol. 15 No. 5, 2018, pp. 429–448 https://
doi.org/10.2217/pme-2018-0044.
414 Cozzolino, A., Geiger, S., ‘Ecosystem Disruption and Regulatory Positioning: Entry Strategies of Digital Health Startup Orchestrators and
Complementors’, Research Policy, Vol. 53, No. 2, 2024, 104913, https://doi.org/10.1016/j.respol.2023.104913.
415 Zajki-Zechmeister, T.,‘A Regulatory Guide for Medical Device Start-Ups in Europe: Challenges and Pitfalls’, in: Medical Devices and
In Vitro Diagnostics: Requirements in Europe, edited by C. Baumgartner, J. Harer, J. Schröttner, Springer, Cham, 2022, pp. 1–25 https://doi.
org/10.1007/978-3-030-98743-5_3-1.
84 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

competition from both large and smaller companies.416 often due to challenges to gain market traction, it is
As Casselman et. al. explain: “despite its ability to drive common that they seek cooperation with larger man-
innovation, competition can cause less resilient start- ufacturers. A healthy degree of cooperation within
ups to fall apart before they have a chance to market the sector can help to facilitate technology transfer
their products. The competition for talent alone allows and drive innovation and the application of wearable
wealthier companies to scoop up essential person- medical devices in mutually beneficial ways.
nel from smaller companies, and in the process get
a hold of their trade secrets and abilities to create 4.1.3 Pharmaceutical companies
new technologies.”417 However, de Jongh et. al. point Although most pharmaceutical companies have for
out that there is an important role for SMEs in the long not been involved in medical device manufac-
ecosystem of wearable medical devices:418 “New-born turing, this situation is changing inter alia due to new
digital healthcare companies are also the developers opportunities brought by wearable medical devices
of a next generation of medical devices that are digi- to run hybrid/decentralised clinical trials and to gen-
tally empowered and connected. For instance, several erate real-world evidence.420 Several pharmaceutical
start-ups are involved in developing wireless-enabled companies have shown interest in becoming involved
wearable technology devices that measure data such in this process: either as becoming manufacturers
as the heart rate, quality of sleep, steps climbed, and themselves or by acquiring/collaborating with existing
other personal metrics.” manufacturers or ICT solutions providers. Examples
among large European-headquartered companies
A common environment for start-ups to be created is include Bayer (Germany),421 Boehringer Ingelheim
in the milieu of university-based research (see also (Germany),422 Merck (Germany),423 Roche (Switzer-
Chapter 4.1.1). There, researchers may attempt to land),424 and UCB (Belgium).425
establish a spin-off to market promising products.
Such entities face similar challenges as other start- 4.1.4 Tech companies
ups, but may be able to benefit from access to a pool A new group of actors are becoming increasingly
of relevant expertise and support for commercialisa- active in the ecosystem of wearable medical devices:
tion by the technology transfer units of universities.419 companies that, in the past, were focused primarily
When SMEs reach a certain degree of maturity, then, on consumer electronics and/or ICT services.426 As

416 See also Sen, S., ‘Creation of an Wearable Startup: From a Laboratory Incubator to a Revenue Generating Business’, in: Proceedings of
the IEEE/ACM 42nd International Conference on Software Engineering Workshops (ICSEW), Seoul, 27 June 2020 – 19 July 2020, pp. 623–626,
https://doi.org/10.1145/3387940.3392226.
417 Casselman, J., Onopa, N., Khansa, L., ‘Wearable Healthcare: Lessons from the Past and a Peek into the Future’, Telematics and
Informatics, Vol. 34, No. 7, 2017, pp. 1011–1023, https://doi.org/10.1016/j.tele.2017.04.011.
418 de Jongh, Oomens, Izsák, supra note 397, p. 9.
419 See also Schwartz, J., ‘U of Nottingham start-up develops world’s first wearable device for treating Tourette’s Syndrome’, Tech Transfer
Central, 27 March 2024, https://techtransfercentral.com/2024/03/27/u-of-nottingham-start-up-develops-worlds-first-wearable-device-for-
treating-tourettes/.
420 See also Izmailova, E., Wagner, J., Perakslis, E., ‘Wearable Devices in Clinical Trials: Hype and Hypothesis’, Clinical Pharmacology
& Therapeutics, Vol. 104 No. 1, 2017, pp. 42–52, https://doi.org/10.1002/cpt.966. Warner, J.J., Crook, H.L., Whelan, K.M. et al. ‘Improving
Cardiovascular Drug and Device Development and Evidence Through Patient-Centered Research and Clinical Trials’, Circulation: Cardiovascular
Quality and Outcomes, Vol. 13 No. 7, 2020, https://doi.org/10.1161/CIRCOUTCOMES.120.006606. Greiwe, J., Nyenhuis, S., ‘Wearable
Technology and How This Can Be Implemented into Clinical Practice’, Current Allergy and Asthma Reports, Vol. 20 No. 36, 2020, https://doi.
org/10.1007/s11882-020-00927-3. Kasoju, N., Remya, N.S., Sasi, R. et al., ‘Digital Health: Trends, Opportunities and Challenges in Medical
Devices, Pharma and Bio-Technology’, CSI Transactions, Vol. 11, 2023, pp. 1–30, https://doi.org/10.1007/s40012-023-00380-3. Hardman,
T., Aitchison, R., Scaife, R. et al., ‘The Future of Clinical Trials and Drug Development: 2050’, Drugs in Context, Vol. 12, 2023, https://doi.
org/10.7573/dic.2023-2-2.
421 See also Bayer, ‘Bayer and Samsung take action against sleep disturbances associated with menopause’, Bayer, 3 June 2024, https://
www.bayer.com/media/en-us/bayer-and-samsung-take-action-against-sleep-disturbances-associated-with-menopause/.
422 See also Taylor, P., ‘Roche, Boehringer tap biosensor firms for patient studies’, pharmaphorum, 26 January 2023, https://pharmaphorum.
com/news/roche-boehringer-tap-biosensor-firms-for-patient-studies.
423 See also Landi, H., ‘Merck taps Evidation to use apps, wearables to detect early stages of Alzheimer's’, FierceHealthcare, 22 July 2021,
https://www.fiercehealthcare.com/digital-health/intermountain-health-story-health-expanding-virtual-heart-failure-management-program.
424 See also Cale, H., ‘Roche introduces AI-powered diabetes tracker to predict blood sugar highs and lows’, FierceHealthcare, 8 March 2024,
https://www.fiercebiotech.com/medtech/roche-introduces-ai-powered-diabetes-tracker-predict-blood-sugar-highs-and-lows.
425 See also Niculae, I., ‘Piloting wearable sensor technologies for clinical trials’, UCB, 30 May 2022, https://www.ucb.com/Our-Science/
magazine/detail/article/Piloting-wearable-sensor-technologies-for-clinical-trials.
426 See also de Jongh, Oomens, Izsák, supra note 397, p. 6.
 JRC EXTERNAL STUDY 85

it stands, tech companies are one of the (if not the limited examples of BigTech companies having wear-
most) influential drivers of the digital health market ables certified as medical devices.432 As Cangardel
(primarily linked to their capabilities in AI development and Volgina explain (writing primarily about the US
and related market expectations).427 The expertise market):433 “consumer health companies moving into
of tech companies in mobile technologies, big data the medical device space will need to account for sev-
management and the development of associated eral years of evidence planning and gathering ahead
business models has gradually led to their increased of FDA submission. They will also need to consider
involvement in digital health. Their assets, network the risks of the device and whether there is a pred-
effects and experience can help them to understand icate on the market. Finally, they will need to confer
patients’ and healthcare providers’ needs more accu- with regulatory experts to discuss considerations for
rately, while advanced analytics can enable them to clearance.” Consequently, the role of tech companies
deepen this understanding.428 Tech companies have in the ecosystem of wearable medical devices is likely
also sought to form partnerships with digital health to remain complementary. Although partnerships can
ventures. This has contributed to an emerging number allow to harness resources and capabilities, the reg-
of partnerships (though significantly less partnerships ulatory rigor and complexity of the medical device
exist to date in Europe than in the US or the Asia-Pa- domain require a specialised approach attuned to the
cific region).429 unique nuances of the field.

As the widespread use of mobile devices has facil- 4.1.5 Healthcare providers
itated the “consumerisation of healthcare”, tech Health professionals and healthcare providers have
companies (including some of the BigTech companies) a key role (and arguably the biggest potential) in the
have entered into the wearables market and contrib- further uptake of wearable medical devices.434 Their
uted to its fast-growth.430 However, the wearables role is inter alia important in their capacity, compe-
(and related applications) developed by tech compa- tence and willingness to:435
nies have largely been intended for wellness, fitness
or lifestyle purposes. Although there is potential for • cooperate in clinical investigations relating to
such devices to be further developed and certified wearable medical devices;
for a medical purpose, it has been challenging for • procure and deploy clinically validated wearable
tech companies to move from the less regulated well- medical devices; and
ness domain to the more regulated medical device • recommend or prescribe wearable medical
domain.431 Despite their vast resources, there are devices to patients.

427 Ince, M., ‘AI and Big Tech Are Leading the Charge in Digital Health Market in 2024’, Research 2 Guidance, 2024, https://
research2guidance.com/ai-and-big-tech-are-leading-the-charge-in-digital-health-market-in-2024/.
428 Thomason, J., ‘Big Tech, Big Data and the New World of Digital Health’, Global Health Journal, Special issue on Intelligent Medicine Leads
the New Development of Human Health, Vol. 5 No. 4, 2021, pp. 165–168, https://doi.org/10.1016/j.glohj.2021.11.003.
429 Galen Growth, ‘Is Big Tech Important to Digital Health Innovation?’, Galen Growth, 7 June 2024, https://galengrowth.com/
is-big-tech-important-to-digital-health-innovation/.
430 See also Erkılıç, C.E., Yalçın, E., ‘Evaluation of the Wearable Technology Market within the Scope of Digital Health Technologies’, Gazi
İktisat ve İşletme Dergisi, Vol. 6 No. 3, 2020, pp. 310–323 at 317, https://doi.org/10.30855/gjeb.2020.6.3.006.
431 See also Cangardel, K., Volgina, D., ‘The Convergence of Consumer Wearables & Medical Devices, Part 3: Opportunities
for Consumer Wearables Manufacturers’, A Blog for Blue Matter, 21 November 2023, https://bluematterconsulting.com/
convergence-of-consumer-wearables-medical-devices-part-3/.
432 For example, the Apple Watch 4 has two FDA-cleared functionalities “One is an advanced method of monitoring the heart called
an electrocardiogram (EKG), and the other is the Watch’s ability to detect and notify the user of an irregular heart rhythm” (see https://
www.theverge.com/2018/9/13/17855006/apple-watch-series-4-ekg-fda-approved-vs-cleared-meaning-safe). “Similar wearables, such as
the FitBit, Garmin Watch, and Google Pixel Watch have also subsequently received FDA-cleared AFib detection and monitoring features.
Apple has partnered with Rune Labs to offer an additional FDA-cleared feature for Parkinson’s Disease monitoring via the StrivePD app,
which uses Apple’s Movement Disorder API to track tremors and dyskinesia, or uncontrolled, involuntary body movement” (see: https://
bluematterconsulting.com/convergence-consumer-wearables-medical-devices-part-1/).
433 Cangardel, Volgina, supra note 431.
434 See also Dahlhausen, F., Zinner, M., Bieske, L. et al. ‘There’s an app for that, but nobody’s using it: Insights on improving patient access
and adherence to digital therapeutics in Germany’, DIGITAL HEALTH, Vol. 8, 2022, pp. 1–12, https://doi.org/10.1177/20552076221104672.
435 See also DeVore, A.D., Wosik, J., Hernandez, A.F., ‘The Future of Wearables in Heart Failure Patients’, JACC: Heart Failure, Vol. 7 No. 11,
2019, pp. 922–932, https://doi.org/10.1016/j.jchf.2019.08.008.
86 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Demand on the side of healthcare providers is impor- deploying digital medical devices in the healthcare
tant for the development and uptake of medical system.
devices.436 Health professionals (similarly to patients)
need to be able to trust the wearable medical device 4.1.6 Patients (and their representatives)
that they recommend or prescribe (for case study of The further uptake of wearable medical devices also
European Society of Cardiology, see Chapter 4.5.4). depends on patients (and their representatives), as:
This entails not only having a positive assessment of
the clinical efficacy of a wearable medical device, but • they can signal demand (i.e. express interest
also the resources and preparedness to provide con- through interactions with health professionals,
tinuous practical support for patients once a decision researchers or manufacturers, and indicate the
to use a wearable medical device has been made. likelihood of acceptance and user preferences);
However, health professionals are often concerned and
that the adoption of wearable medical devices in their • they can participate in or provide feedback to
practice may lead to extra demands in terms of their research or clinical investigations relating to
(often already stretched) workload.437 wearable medical devices.

Regarding the barriers, Ferguson et. al. explains that: Market demand can be expressed in several ways,
“most studies [on wearables] reported the low effi- such as during doctor’s visits, clinical studies, surveys,
ciency of such devices owing to technical problems co‑creation, contacting manufacturers etc.440 The
or management issues. For example, some studies ‘quantified self and patient empowerment’ move-
reported that doctors were not involved in the project ment has also been an important driver of demand.441
and they did not know how to use the monitoring However, given that there are significant differences
system, or owing to infrastructure issues, wireless in digital health literacy, there is a need for further
data did not transfer properly.”438 To facilitate trust, research into the needs, preferences and attitudes
knowledge sharing, technical support and feedback of patients towards wearables and wearable medical
loops, it would be important to establish more insti- devices.442 Patient organisations could play a role
tutionalised forms of cooperation between healthcare in this process (for case study of EURORDIS – Rare
providers and other actors (manufacturers, patient Diseases Europe, see Chapter 4.5.5). This knowledge
organisations). Another potential problem is to offset could help inter alia manufacturers (as suppliers) to
any (additional) costs that are incurred by the use accurately assess what types of devices are needed
of wearable medical devices.439 For this reason, it and where improvements need to be made. The need
would be essential to create funding and reimburse- to pay close attention to patient expectations, demand
ment mechanisms that consider the particularities of and feedback has been signalled as something that

436 See also Banerjee, S., Hemphill, T., Longstreet, P., ‘Wearable Devices and Healthcare: Data Sharing and Privacy’, The Information Society,
Vol. 34, No. 1, 2018, pp. 49–57, https://doi.org/10.1080/01972243.2017.1391912.
437 Fairbrother, P., Ure, J., Hanley., H. et al., supra note 294.
438 Ferguson. C., Hickman, L.D., Turkmani, S. et al., ‘”Wearables Only Work on Patients That Wear Them”: Barriers and Facilitators to the
Adoption of Wearable Cardiac Monitoring Technologies’, Cardiovascular Digital Health Journal, Vol. 2 No. 2, 2021, pp. 137–147, https://doi.
org/10.1016/j.cvdhj.2021.02.001. See also Middlemass, J., Vos, J., Siriwardena, A.N., ‘Perceptions on Use of Home Telemonitoring in Patients
with Long Term Conditions – Concordance with the Health Information Technology Acceptance Model: A Qualitative Collective Case Study’,
BMC Medical Informatics and Decision Making, Vol. 17, No. 19, 2017, pp. 1–13, https://doi.org/10.1186/s12911-017-0486-5; Bratan, T., Clarke,
M., Jones, R., ‘Evaluation of the Practical Feasibility and Acceptability of Home Monitoring in Residential Homes’, Journal of Telemedicine and
Telecare, Vol. 11 No. 1 (suppl), 2005, pp. 29–31, https://doi.org/10.1258/1357633054461796.
439 See also Fotiadis, D., Glaros, C., Likas, A., ‘Wearable Medical Devices’, in: Wiley Encyclopedia of Biomedical Engineering, edited by M.
Akay, Wiley, Hoboken, 2006, https://doi.org/10.1002/9780471740360.ebs1326; Cajita, M.I., Hodgson, N.A., Lam, K.W. et al., ‘Facilitators of
and Barriers to mHealth Adoption in Older Adults With Heart Failure’, CIN: Computers, Informatics, Nursing, Vol. 36 No. 8, 2018, pp. 376–382,
https://doi.org/10.1097/CIN.0000000000000442.
440 See also Ozanne, A., Johansson, D., Graneheim, U.H., ‘Wearables in Epilepsy and Parkinson’s Disease—A Focus Group Study’, Acta
Neurologica Scandinavica, Vol. 137 No. 2, 2017, pp. 188–194, https://doi.org/10.1111/ane.12798; Bruno, B., Simblett, S., Lang, L. et al.,
‘Wearable Technology in Epilepsy: The Views of Patients, Caregivers, and Healthcare Professionals’, Epilepsy & Behavior, Vol. 85, 2018, pp.
141-149, https://doi.org/10.1016/j.yebeh.2018.05.044; Abdolkhani, R., Gray, K., Borda, A. et al., ‘Quality Assurance of Health Wearables Data:
Participatory Workshop on Barriers, Solutions, and Expectations’, JMIR mHealth and uHealth, Vol. 8 No. 1, 2020, https://doi.org/10.2196/15329.
441 See also Riemann., G, ‘Taming Cyborgs; Wearable Technology Growth in the EU - Understanding sociological catalysts of wearable
technology and EU regulatory measures’, Thesis, Central European University and School of Public Policy, University of York, 2018, https://www.
etd.ceu.edu/2016/riemann_gregor.pdf.
442 Similar conclusion was reached in the US context by Casselman, Onopa, Khansa, supra note 417.
 JRC EXTERNAL STUDY 87

is indispensable to reduce failed efforts on the part policy-makers need to think holistically (considering
of manufacturers.443 This interdependency in the all economic actors and stakeholders) to develop
ecosystem is also mentioned by Bergman et. al.: “… measures which can effectively improve the function-
developers should consider their target user group ing of the ecosystem of wearable medical devices.
at an early stage in the design process. It also brings Raising the awareness of patients will be insufficient
attention to the need to rely more on objectively if healthcare providers are not convinced or willing to
obtained data sets throughout the development pro- make efforts to introduce wearable medical devices.
cess. Poor reporting on user preferences in this quickly Similarly, healthcare providers will not be convinced
growing research field has so far limited the build-up if use-specific clinical results are not available and
of crucial knowledge needed for a more successful the efforts of healthcare providers will come to little
integration of these sensor technologies at a clinical if manufacturers of wearable medical device face
stage. A reduction of the overall research and devel- excessive regulatory barriers and do not see a clear
opment cost, as well as increasing ecological utility reimbursement pathway in place.
can be achieved by implementing key design features
for end-users at an early stage.”444 The need to develop more holistic policy measures
for “home suite healthcare technologies” has been
4.1.7 The market ecosystem of wearable recognised in the US (see also Chapter 3.5.3). While
medical devices: implications for there are limitations to replicate all aspects in the EU
policy-making (as the management of health services and medical
There are two relevant lessons to be learnt from the care and the allocation of the resources assigned to
foregoing market analysis. them remain in the competence of Member States),
the EU’s competence to regulate inter alia medical
The first is that in trying to improve their uptake, devices and data processing, as well as possible
‘wearable medical devices’ often cannot be seen as cooperation and exchange of best practices among
a monolithic phenomenon. Stakeholders at all levels Member States could stimulate the development of
usually focus on certain application areas. As the lit- more coordinated and effective policy measures in
erature highlights, the most notable advances in the this domain.
uptake of wearable medical devices have been in the
areas where both the demand by healthcare provid-
ers and patients have been the highest and where 4.2 Value assessment and
there is evidence about the efficacy of such devices, reimbursement frameworks
such as cardiology, epilepsy or diabetes management.
With regard to these experiences, it is important that 4.2.1 Overview
policy measures target specific domains to incentivise With the growing number of digital health applications
research and stakeholder collaborations, otherwise (including wearables), a major challenge is how to
stakeholders may not pick up on broad messages. assess their clinical efficacy and provide appropriate
reimbursements. However, there are fragmentation
The second takeaway is that economic actors and in both areas. Value assessment frameworks include
stakeholders in the ecosystem do not form a “linear public assessment schemes (see also Chapter 4.2.3)
value chain”. Instead, the digital health market sur- at national or regional levels, private assessment
rounding wearable medical devices can be perceived schemes (e.g. ORCHA, MedAppCare), standards (e.g.
as a “dynamic value ecosystem”. This can be seen, CEN-ISO/TS 82304-2:2021) and medical professional
for example, in the way functional roles and bound- association initiatives. Similarly, the reimbursement
aries in the ecosystem become increasingly blurred, pathways for wearable medical devices vary signif-
fostering collaboration in new ways.445 Consequently, icantly across the EU due to differences in national

443 Ferguson, Hickman, Turkmani et al., supra note 438.

444 Bergmann, J.H.M., Chandaria, V., McGregor, A., ‘Wearable and Implantable Sensors: The Patient’s Perspective’, Sensors, Vol. 12 No. 12,
2012, pp. 16695–16709, https://doi.org/10.3390/s121216695.
445 de Jongh, Oomens, Izsák, supra note 397 gives three examples of this phenomenon: (i) End-users, through their engagement with health
apps and devices, can contribute with data to support the efforts of manufacturers. (ii) Some companies are providing integrated solutions
encompassing healthcare services and data analytics. (iii) The value ecosystem is undergoing reconfiguration, as digital technology firms
venture into healthcare, while traditional healthcare companies are providing digital health services.
88 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

regulations and the organisation of the healthcare In centralised national health systems, reimbursement
systems and funding policies of Member States.446 decisions are made centrally by government agencies
However, as Leclercq et. al. point out: “inadequate or health authorities. By contrast, in decentralised
reimbursements are ongoing barriers to realizing national health systems, reimbursement decisions
the enormous potential of these new technologies to are often made on a regional level or by dedicated
improve patient clinical outcomes and experience of funding agencies (either private or public). This is com-
care”.447 plicated with the fragmented conformity assessment
and post-market surveillance schemes. As Federici et
4.2.2 Factors influencing reimbursement of al. explain: “[i]n contrast to pharmaceuticals where
wearable medical devices the market authorization and supervision is centrally
Although healthcare systems differ in the EU, there managed by the European Medicine Agency (EMA)
are factors which may influence decisions concern- [.], the conformity assessment procedures for med-
ing the reimbursement of wearable medical devices, ical devices of risk class II or higher in Europe are
in particular: requirement to comply with regulatory decentralized and operated by public or private notifed
frameworks; funding of national health systems; the bodies (NBs) which are designated by the EU member
increased use of health technology assessment (HTA); states.”
negotiations with manufacturers; or patients’ access
to such technologies. Although their relevance to Another problem that manufacturers of digital health
wearable medical devices differs from Member State applications, such as wearable medical devices, face
to Member State, there are some commonalities or is that funding systems tend to reimburse the use
trends, which have an effect on reimbursement. of such technologies with fixed payments rather
than as an ongoing service. This problem may be a
4.2.2.1 Compliance with regulatory frameworks side-effect of the historical development of different
Often reimbursement is contingent upon demonstra- reimbursement systems. However, this may, in effect,
tion/declaration of compliance with key regulatory discourage the development of such technologies
frameworks, in particular the MDR or the GDPR. given that it makes them less profitable (i.e. a one-off
Depending on the methodology a particular country reimbursement is likely to be less than reimbursement
adopts, regulatory compliance may also be a key part as a service).450
of the HTA process (see also Chapter 4.2.2.3).
Although the lack of dedicated and harmonised
4.2.2.2 Funding models of national health reimbursement of digital health technologies is a
systems significant barrier affecting the medical device sector
EU Member States have diverse health systems rang- across the EU, there has been minimal empirical inves-
ing from fully public to mixed systems (with public and tigation of medical device reimbursement policies and
private components), following either the ‘Beveridge’ practices in Europe, especially from a comparative
or the ‘Bismarck’ social insurance models.448 Reim- perspective.451 Robinson noted that: “while the innova-
bursement policies for (wearable) medical devices tive capacity and ‘entrepreneurial ethos’ of the supply
often reflect those differences: depending on the type side of the medical device sector is strong and vibrant,
of system, the scheme to demonstrate whether or not the demand side is riddled with weaknesses, such as
a device should be reimbursed can vary significantly.449 misaligned payment systems, conflicts of interest, and

446 See also Essén, A., Stern, A.D., Haase, C.B. et al., ‘Health app policy: international comparison of nine countries’ approaches’, npj Digital
Medicine, Vol. 5, No. 31, 2022, pp. 1–10, https://doi.org/10.1038/s41746-022-00573-1.
447 Leclercq, Witt, Indricks et al., supra note 399, p. 1373.
448 See also Spain, Ministry of Health, Consumer Affairs and Social Welfare, ‘Health care systems in the European Union countries:
Health characteristics and indicators 2019’, Government of Spain, 2019, https://www.sanidad.gob.es/estadEstudios/estadisticas/docs/
presentacion_en.pdf.
449 Federici, C., Reckers-Droog, V., Ciani, O. et al., ‘Coverage with Evidence Development Schemes for Medical Devices in Europe:
Characteristics and Challenges’, The European Journal of Health Economics, Vol 22, 2021, pp. 1253-1273 at 1254, https://doi.org/10.1007/
s10198-021-01334-9.
450 van Kessel, R., Srivastava, D., Kyriopoulos, I. et al., ‘Digital Health Reimbursement Strategies of 8 European Countries and Israel: Scoping
Review and Policy Mapping’, JMIR mHealth and uHealth, Vol. 11, 2023, https://doi.org/10.2196/49003.
451 See also Sorenson, Kanavos, supra note 367.
 JRC EXTERNAL STUDY 89

data gaps.”452 Although this situation persists in most • regulatory compliance.

Member States, in recent years, some Member States
have developed dedicated reimbursement pathways In the past, HTA practices were often diverse in the
for digital medical devices, mHealth applications and EU, which led to problems in terms of using similar
telemedicine solutions (see also Chapter 4.2.3). methodologies or results of HTAs between different
Member States. Efforts to harmonise at least some
4.2.2.3 Health technology assessment (HTA) elements of the process have been ongoing for some
Health technology assessment (HTA) is a multidis- time, which have been reflected in collaborative ini-
ciplinary process that evaluates the implications of tiatives towards methodological standardisation (e.g.
the use of health technologies, including medical EUnetHTA). However, the development and implemen-
devices, procedures, treatments and interventions on tation of specific methodological tools for medical
various aspects of the health system. Its primary aim devices is still largely limited to the national level.455
is to provide policymakers, healthcare providers and This can result in different reimbursement decisions
patients with evidence‑based information to support across Europe, even for the same device.456 In general,
the adoption, utilisation and management of health there are three main methods for selecting devices
technologies.453 Depending on the country in ques- for an inclusion in a HTA scheme based on either:
tion, HTA may be a critical step to gain approval for (a) a manufacturer’s request for device inclusion on
reimbursement. HTA typically involves assessing the a positive reimbursement list (e.g. Belgium, France,
clinical effectiveness, safety, cost-effectiveness and Netherlands or Switzerland); (b) a provider's request
broader societal, ethical, and legal implications of a for additional remuneration for procedures involving
particular health technology. It draws upon various the device, such as on top of an existing diagno-
research methodologies, including systematic reviews, sis-related group (DRG) tariff (e.g. Germany); or (c) an
economic evaluations and health outcomes research evaluation request for a procedure or device already
to gather and synthesize relevant evidence.454 in clinical practice (e.g. Belgium, Germany, Spain or
Switzerland).457
HTA can play a role in reimbursement decisions for
wearable medical devices by providing evidence-based With regard to the variation of methodologies at
information to inform policymakers and payers about national level, Regulation (EU) 2021/2282 (Health
the clinical effectiveness, safety, and cost-effective- Technology Assessment Regulation, ‘HTA Regu-
ness of a device. HTAs usually involve the assessment lation’)458 could bring positive effects in this area. The
of a new technology in terms of the following criteria: aim of the HTA Regulation is to ensure efficient use
of resources and strengthen the quality of HTA across
• clinical evidence (e.g. from clinical investigation); the EU. At its core is an effort to create a transparent
• safety assessment; and inclusive framework by establishing a Coordina-
• cost effectiveness; tion Group of HTA national or regional authorities, a
• quality of life and health outcomes; stakeholder network and by laying down rules on the
• patient experience; and involvement in joint clinical assessments and joint

452 Robinson, J., ‘Value-Based Purchasing For Medical Devices’, Health Affairs, Vol. 27, No. 6, 2008, https://doi.org/10.1377/hlthaff.27.6.1523.
453 See also Henshall, C., Schuller, T., ‘Health Technology Assessment, Value-Based Decision-Making, and Innovation’, International Journal
of Technology Assessment in Health Care, Vol. 29 No. 4, 2013, pp. 353–359, https://doi.org/10.1017/S0266462313000378; Facey, K., ‘Health
Technology Assessment’, in: Patient Involvement in Health Technology Assessment, edited by K. Facey, H. Ploug Hansen, A., Single. A., Adis,
Singapore, 2017, pp. 3–16, https://doi.org/10.1007/978-981-10-4068-9_1.
454 See also O’Rourke, B., Oortwijn, W., Schuller, T. et al., ‘The New Definition of Health Technology Assessment: A Milestone in International
Collaboration’, International Journal of Technology Assessment in Health Care, Vol. 36 No. 3, 2020, pp. 187–190, https://doi.org/10.1017/
S0266462320000215.
455 Belichenova, A.I., ‘Reimburcement Policies And Health Technology Assessment Of Medical Devices In European Countries’, Economics
and Management, South-West University ‘Neofit Rilski’ Blagoevgrad, Vol. 17, No. 2, 2020, pp. 163–170, https://ideas.repec.org/a/neo/journl/
v17y2020i2p163-170.html.
456 Vreman, R., Mantel-Teeuwisse, A., Hövels, A. et al., ‘Differences in Health Technology Assessment Recommendations Among European
Jurisdictions: The Role of Practice Variations’, Value in Health, Vol 23 No. 1, 2020, pp. 10–16, https://doi.org/10.1016/j.jval.2019.07.017.
457 See also Federici, Reckers-Droog, Ciani, supra note 449.
458 Regulation (EU) 2021/2282 of 15 December 2021 on health technology assessment and amending Directive 2011/24/EU (Text with EEA
relevance) Regulation (EU) 2021/2282 of 15 December 2021 on health technology assessment and amending Directive 2011/24/EU, OJ L
458, 22.12.2021, pp. 1–32, http://data.europa.eu/eli/reg/2021/2282/oj.
90 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

scientific consultations of patients, clinical experts and Member States, patients may be required to make
other relevant experts.However, one limitation of the a co‑payment for a reimbursed (wearable) medical
HTA Regulation is that it only focuses on assessments device. The level of co‑payment may vary depending
related to the clinical domain.459 In those areas, it could on factors, such as the patient’s income, the type of
lead to joint assessments and common methodology. device or the reimbursement policy. However, those
Other common aspects of HTA though (such as cost factors may also function as a barrier to the uptake
effectiveness, social, economic aspects etc.) will be of (wearable) medical devices, if the costs affect
left for Member States to decide upon. This means a patient significantly.461 It is therefore necessary
that some fragmentation in how HTAs cover wearable that reimbursement systems take this issue into
medical devices are likely to remain, which may lead account.462 This problem may be particularly impor-
to a certain degree of uncertainty for manufacturers. tant where existing reimbursement mechanisms do
not match the type of device being used. In the case
4.2.2.4 Negotiations with manufacturers of wearable medical devices, for example, a one-off
Reimbursement negotiations between healthcare cost reimbursement system may not reflect the need
payers and device manufacturers are common. to service and continuously monitor a patient’s activ-
Negotiations vary on a case-by-case basis and may ity. To enhance uptake, it may be necessary to adjust
involve discussions on pricing, volume discounts and reimbursement schemes to the context in question.
performance-based reimbursement models. Price
negotiations are highly contextual and depend on the 4.2.3 National value assessment and
market conditions for a device. Key factors may include reimbursement schemes (with country
the level of competition and whether similar devices examples)
have already been approved. The availability of data Despite regulatory progress in certain areas, man-
(evidence) may also influence negotiations, which may ufacturers of wearable medical devices face
make references to data from clinical investigations fragmented requirements in much of the development
or HTAs. A possible challenge for manufacturers is and commercialisation pathway, including for value
that the negotiating partners vary significantly from assessment, reimbursement and pricing. There are
Member State to Member State, even within regions. challenges not only in the harmonisation of evidence
In more unitary systems the negotiating partner may requirements and value assessment frameworks,
be a central entity. In other systems, they may have but there is also a lack of standardised or specific
to negotiate with several funding bodies (public or reimbursement pathways for digital medical devices
private). Overall, as there is a lack of comparative and in most EU Member States. Where there is no specific
empirical research, it is difficult to assess the potential reimbursement pathway for such devices, wearable
role of negotiations in the reimbursement of wearable medical devices have to go through more generalised
medical devices.460 processes. This can lead to delays, which can be a
problem in a fast-changing technological environment.
4.2.2.5 Patients’ access The heterogenous landscape also makes it difficult to
Access to reimbursed (wearable) medical devices may scale effective solutions across borders (Table 2). As
vary depending on the specific indications approved Belgium and Germany are considered to be pioneers
for reimbursement and any restrictions imposed in developing value assessment and reimbursement
by healthcare payers. In some cases, patients may frameworks for digital medical devices, they are high-
need to meet certain eligibility criteria or obtain a lighted as best practices (Box 3 and Box 4).
prescription from a health professional. In some EU

459 Drummond, M., Tarricone, R., Torbica, A., ‘European Union Regulation of Health Technology Assessment: What Is Required for It to
Succeed?’, The European Journal of Health Economics, Vol. 23, 2022, pp. 913–915, https://doi.org/10.1007/s10198-022-01458-6.
460 Beck, A., Retél, V., Bhairosing, P. et al., ‘Barriers and Facilitators of Patient Access to Medical Devices in Europe: A Systematic Literature
Review’, Health Policy, Vol. 123 No. 12, 2019, pp. 1185–1198, https://doi.org/10.1016/j.healthpol.2019.10.002.
461 Prodan, A., Deimel, L, Ahlqvist., J. et al., ‘Success Factors for Scaling Up the Adoption of Digital Therapeutics Towards the Realization of
P5 Medicine’, Frontiers in Medicine, Vol. 9, 2022, 854665, https://doi.org/10.3389/fmed.2022.854665.
462 Clemens, S., Williams, K., Bohls, J. et al., ‘Telemedicine and Health Policy: A Systematic Review’, Health Policy and Technology, Vol. 10 No.
1, 2021, pp. 209–229, https://doi.org/10.1016/j.hlpt.2020.10.006.
 JRC EXTERNAL STUDY 91

Table 2: Value assessment and reimbursement frameworks for wearable medical devices (in selected Member States)

National
National value Available funding
Country reimbursement
assessment framework mechanisms
pathway
Belgium   
evidence of socio- mHealth validation Centralised funding
economic added value pyramid for mHealth
and importance in the applications
care pathway evaluated
by NIHDI
France   
evidence of PECAN pathway for Centralised funding
clinical benefits or therapeutic digital
improvements in how medical devices or
care is organised remote monitoring
reviewed by the activity
CNEDiMTS
Germany   
evidence of evidence of DiGA pathway for digital Centralised funding for
the positive healthcare health applications DiGA
effect assessed by
BfArM
Italy û û û
Netherlands û û û
under development Covered by individual
(possibly on the basis of health insurers
the CEN-ISO/TS 82304-2
standard)
Spain û û 
limited regional
reimbursements
Source: adopted (revised and updated) based on EPFIA463

463 European Federation of Pharmaceutical Industry and Associations (EFPIA), Improving Access to Digital Therapeutics in Europe, EFPIA,
Brussels, 2023, pp. 7–8, https://www.efpia.eu/media/677347/improving-access-to-digital-therapeutics-in-europe.pdf.
92 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Box 3
Digital health reimbursement system of Belgium
mHealthBelgium is the Belgian reimbursement pathway for mHealth applications (i.e. software application with a medical
purpose) that are CE-marked as a medical device.464 (It can be relevant to the software component of wearable medical
devices.) mHealthBelgium is managed by sector federations beMedTech (sector federation of the medical technologies
industry) and Agoria (sector federation of the technology industry). In addition, governmental agencies are included
in its procedures: Federal Agency for Medicines and Health Products (FAMHP), the competent authority for safety,
quality as well as efficacy and effectiveness of medicines and medical devices; and the National Institute for Health
and Disability Insurance (NIHDI) responsible for the reimbursement of medicines, medical devices and benefits in kind.
mHealthBelgium is structured as a 3-level validation pyramid (Figure 3). An Health application always enters at the
lowest level M1 and can climb up the hierarchy via level M2 to the top level M3:465
Level 1 (M1) determines the basic criteria for an mHealth application: (a) CE-marking or declaration as a medical device
notified to the FAMHP; (2) the mHealth application allows a patient to share from their own environment health-related
information (with or without sensors) with a health professional; (3) the manufacturer (and the parent company) declare
that they comply with the GDPR.
Level 2 (M2) indicates which mHealth applications have made a reimbursement request that was declared admissible
by NIHDI. They are evaluated by NIHDI on the basis of the evidence provided with regard to the socio-economic added
value and their importance in the care pathway. The manufacturer must also declare that the mHealth application
complies with a series of ICT criteria ensuring secure connection and integration.
Level 3 (M3) is reserved for mHealth applications funded by NIHDI. For each application labelled M3, the following are
indicated: whether it concerns temporary funding (M3-) or definitive funding (M3+); and for which care path(s) the
financing applies and what this entails in detail (with reference to the NIHDI website).

Source: mHealth Belgium466

Figure 3: Validation pyramid for mHealth applications in Belgium

464 See also Lievevrouw, E., Marelli, L., Van Hoyweghen, I., ‘Weaving EU Digital Health Policy into National Healthcare Practices. The Making
of a Reimbursement Standard for Digital Health Technologies in Belgium’, Social Science & Medicine, Vol 346, 2024, 116620, https://doi.
org/10.1016/j.socscimed.2024.116620.
465 Ibid.
466 mHealth Belgium, ‘Validation pyramid’, mHealth Belgium, 2024, https://mhealthbelgium.be/validation-pyramid.
 JRC EXTERNAL STUDY 93

Box 4
Digital health reimbursement system of Germany
Germany’s Digital Healthcare Act (Digitale-Versorgung-Gesetz) established the notion of ‘digital health applications’
(Digitale Gesundheitsanwendungen, ‘DiGA’), which may be prescribed for patients by a physician or psychotherapist and
are reimbursable by the health insurance. The prerequisite for this is that a DiGA must have successfully completed
the assessment of the Federal Institute for Drugs and Medical Devices (‘BfArM’) leading to a listing in the directory
of reimbursable digital health applications (DiGA directory). The Federal Ministry of Health has regulated the details
of this assessment procedure in a supplementary legal regulation, the Digital Health Applications Ordinance (Digitale
Gesundheitsanwendungen-Verordnung, ‘DiGAV’).
The BfArM assessment procedure is an accelerated ‘fast-track’ regulatory path for manufacturers to take their digital
health applications to market: within a three-month period starting with the filing of the complete application, the
BfArM has to assess the DiGA (Figure 4). The essence of the BfArM assessment procedure is the examination of the
manufacturer’s statements about the product qualities – including compliance with data protection and data security
requirements – and the examination of the evidence provided by the manufacturer of the positive healthcare effects
of the DiGA. In case scientific evidence lacks on whether the DiGA provides positive healthcare effects, then it may
be preliminary listed, which means that the manufacturer receives 12 months to deliver evidence of the positive
healthcare effect.
A DiGA must have the following properties: medical device classified as risk class I or IIa (according to the MDR); its
main function is based on digital technologies; its medical purpose is achieved through the main digital functions; it
supports the recognition, monitoring, treatment or alleviation of a disease or the recognition, treatment or alleviation
or compensation of an injury or disability; it does not support primary prevention (avoiding or preventing a disease);
and it is used solely by the patient or together by the patient and the healthcare provider (i.e. the patient must interact
directly with the application). Hence, a wearable medical device may qualify as a DiGA if it has a user interface. To be
listed in the DiGA directory, a DiGA must meet the requirements defined in the DiGAV relating to safety and suitability
for use, data protection and data/information security, and quality aspects (including interoperability). The DiGAV
specifies and supplements the requirements of the GDPR and other data protection rules for the manufacturer, for the
DiGA itself, and for all systems in connection with the DiGA (including processors, such as cloud providers). Regarding
the implementation of state-of-the-art data protection and data/information security measures, the DiGAV considers
data/information security more as a process that should be anchored in the organisation (rather than a conglomerate
of technical measures).
94 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Source: adapted (revised and updated) based on Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM)467

Figure 4: DiGA fast-track procedure in Germany

4.2.4 Resolving reimbursement issues of medical devices or templates for parts of the HTA
wearable medical devices: initiatives and analyses that will be left to Member State discretion.
suggestions Although these would not be binding on Member States,
Due to a heterogenous reimbursement landscape for they could act to demonstrate best practice.
wearable medical devices in the EU, there is a need to
place more research and policy effort into discussing Facilitating the exchange of knowledge would be vital
how it could be changed (and ideally, harmonised). in the development of reimbursement approaches for
In this regard, initiatives such as the European Task- digital medical devices. Without EU-level cooperation,
force for Harmonised Evaluation of Digital Medical there is a risk that Member States (especially those
Devices (DMDs) can play an important role. Its aim which are yet to act) will adopt distinct reimburse-
is to “support integration of technologies with clinical ment policies for digital medical devices, which would
evidence into healthcare procedures, to provide access make scaling effective wearable medical devices
for patients and promote acceptability thereof across in the EU more challenging, thereby decreasing the
the [EU]” and to “provide a European-level blueprint for competitiveness of the sector. Although no approach
DMD assessment procedures and methodologies, with is inherently superior, a fee-for-service approach may
the overall goal of enabling a harmonised approach for encourage more prescribing of certain digital health
European assessment supporting national appraisal solutions, yet it may also open up the possibility of
and reimbursement by statutory health insurance supplier-induced demand and thus inflating healthcare
organisations for distinct categories of DMDs.”468 expenditure.469 Ultimately, reimbursement strategies
should strive to facilitate the integration of digital
At the EU level, the new HTA Regulation is a useful health solutions (including wearable medical devices)
development, which could facilitate market entry for within the healthcare landscape, fostering equitable
new medical devices. It could be further supported by access to innovative technologies and enhancing
the development of common forms of HTA for wearable patient outcomes.

467 Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM), The Fast-Track Process for
Digital Health Applications (DiGA) according to Section 139e SGB V: A Guide for Manufacturers, Service Providers and Users, BfArM, 2020, p. 8,
https://www.bfarm.de/SharedDocs/Downloads/EN/MedicalDevices/DiGA_Guide.pdf?__blob=publicationFile.
468 European Taskforce for Harmonised Evaluations of Digital Medical Devices (DMDs), EIT Health, n.d, https://eithealth.eu/
external-collaborations/european-taskforce-for-harmonised-evaluations-of-digital-medical-devices-dmds/.
469 See also van Kessel, Srivastava, Kyriopoulos, supra note 450.
 JRC EXTERNAL STUDY 95

4.3 Technology transfers relating to enabling the technological or manufacturing capacity

wearable medical devices of the recipients.”471

4.3.1 Significance of technology transfers Technology transfer has become part of many organ-
relating to wearable medical devices isations’ business or research strategy, and the ability
Organisations (undertakings, universities and research to manage transfer processes has become a critical
institutes) can develop wearable medical devices competence. Technologies obtained externally must
internally through scientific knowledge and technology be transferred from one organisation to another in a
generated in their research and technological devel- systematic, timely and cost-effective manner if they
opment (RTD) activities, or they can purchase that are to be used in launching new wearable medical
knowledge and technology from other organisations devices. The effectiveness of technology transfers is
using mechanisms, such as contractual agreements, typically a function of four factors: the absorptive and
joint ventures, or mergers and acquisitions (M&A). transmission capacities of the receiving and transmit-
Generally, technology transfer refers to the intentional, ting organisations; the difference in the cultures of the
goal-oriented interaction between organisations to receiving and transmitting entities; the type of innova-
exchange technological knowledge, artifacts and tion (e.g. whether the transferred technology is similar
related rights for the purposes of scientific research to the recipients’ existing solutions); and the timing
and/or economic gains.470 In the context of medical of the transfer (e.g. at which stage of the product
devices, the WHO defines ‘technology transfer’ as lifecycle does it take place).472 In effect, the invisible
“the transfer of technical information, tacit know-how, aspects of technology, such as knowledge and skills,
performance skills, technical material or equipment, are often even more critical than the physical aspects
jointly or as individual elements, with the intent of in the successful transfer of technology.473

Box 5
Potential benefits of technology transfers relating to wearable medical devices
Technology transfers relating to wearable medical devices plays a crucial role in driving their innovation, expanding
market opportunities, improving cost-effectiveness, ensuring regulatory compliance, and fostering collaborations. The
potential main benefits are:474
• Innovation acceleration: Technology transfer can facilitate the rapid translation of research findings and innovative
ideas into tangible wearable medical devices. It expedites the journey from concept to commercialisation, allowing
breakthrough technologies to reach patients and healthcare providers faster.
• Access to expertise: Collaboration between different entities and stakeholders, such as academia and industry, can
enable the pooling of diverse expertise and resources. This collaboration can foster innovation by leveraging the
strengths of each party involved and to compensate for lack of specific competence.
• Risk mitigation: The transfer of evidence-based and effective technological solutions can minimise the risk of
research and technological development failure. In turn, this can reduce risks of having to ensure significant upfront
investments in the development of wearable medical devices.

470 See also Cormican, K., O’Connor, M., ‘Technology Transfer for Product Life Cycle Extension: A Model for Successful Implementation’,
International Journal of Innovation and Technology Management, Vol. 6 No. 3, 2009, pp. 105–114 at 105–107, https://doi.org/10.1142/
S0219877009001698.
471 World Health Organization, Local Production and Technology Transfer to Increase Access to Medical Devices – Addressing the barriers
and challenges in low- and middle-income countries, World Health Organization, Geneva, 2012, p. 13, https://www.who.int/publications/i/
item/9789241504546.
472 Afuah, A., Innovation Management: Strategies, Implementation, and Profits, Second Edition, New York, Oxford University Press, 2003, p.
75.
473 Choi, H. J., ‘Technology Transfer Issues and a New Technology Transfer Model’, The Journal of Technology Studies, Vol. 35 No. 1, 2009,
pp. 49–57 at 53, https://storage.googleapis.com/jnl-vt-j-jts-files/journals/1/articles/104/62a6d492efaa3.pdf.
474 See also Kumar, A., Motwani, J., Reisman, A., ‘Transfer of technology: A classification of motivations’, The Journal of Technology Transfer,
Vol. 21, pp. 34–42 at 36–40, 1996, https://doi.org/10.1007/BF02220305. Operon Strategist, ‘Understanding Technology Transfer in Medical
Devices’, Operon Strategist, 3 May 2024, https://operonstrategist.com/technology-transfer-in-medical-devices/.
96 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

• Market expansion: Technology transfer can enable manufacturers to access new markets and expand their product
portfolios. By licensing or acquiring technologies developed elsewhere, companies can diversify their offerings and
address unmet medical needs more effectively.
• Cost-effectiveness: Collaborating with research institutions or leveraging existing technologies through licensing
agreements can be more cost-effective than developing new technologies from scratch. This approach allows
manufacturers to allocate resources more efficiently and focus on areas of core competency.
• Regulatory compliance: Technology transfer may involve the transfer of specific competence and regulatory docu-
mentations. Working with partners experienced in regulatory affairs can streamline the regulatory approval process,
ensuring compliance with applicable laws and standards.
• Quality improvement: Collaborating with experts in technology transfer can enhance the safety, quality and per-
formance of wearable medical devices. Access to raw materials, advanced manufacturing processes and design
methodologies can lead to superior wearable medical devices that comply with regulatory requirements and best
practices.
• Cross-border and international collaborations: Technology transfer can foster collaborations at EU or even global
level, enabling the exchange of concepts, best practices and resources across borders. These collaborations can
accelerate innovation and facilitate the development of wearable medical devices tailored to specific local or national
healthcare needs.

Despite its potential benefits, technology transfer necessitate effective collaborations between the rel-
relating to wearable medical devices present various evant actors (see also Chapter 4.1). For this reason,
challenges, such as knowledge transfer, IP rights man- the EU should continue to incentivise multi-stakeholder
agement, or regulatory differences and complexities. collaborations to leverage the strengths and resources
Organisations can adopt best practices to mitigate of each actor and build trusted and sustainable digi-
any risks and facilitate a smoother transfer process. tal health ecosystems which can facilitate technology
These may include: early engagement of experts and transfers with respect to wearable medical devices.
stakeholders (to identify challenges); clear commu- Collaborations (as part of ‘innovation filieres’, i.e. chain
nication between parties; establishment of risk and of activities and dynamic transactional relationships
change management structures and processes; and leading to the development of new goods and ser-
maintaining comprehensive documentation of every vices) could enhance the sharing of expertise through
step throughout all the key phases (preparation, instal- working in association with other organisations.475
lation, and utilization). The next section addresses how However, it is always important to consider the societal
a mix of policy measures could help organisations to benefits and healthcare value of such collaborations,
further benefit from technology transfers (either as especially in the context of public–private partnerships,
transferers or recipients of technology) with respect to as the ‘externalisation of innovation’ (such as the use
the development and commercialisation of wearable of public resources by industry) can spread the risk
medical devices. These policy measures could also and cost of innovation, which may distort competition.
be instrumental in creating more effective industrial
policies to foster innovation, competitiveness and In general, policy measures may support the following
market growth in the European digital health sector. types of collaborations to enhance technology trans-
fers in relation to wearable medical devices:
4.3.2 Policy measures for driving technology
transfer in relation to wearable medical • Health data collaborations: Data (including
devices real-world data) collected by use of wearable
medical devices can be (further) processed (e.g.
4.3.2.1 Collaborations analysed) in health data governance frameworks
The interconnected aspects and complexities of established by multi-stakeholder partnerships,
telemedicine and related health data ecosystems such as health data cooperatives, federated

475 Smith, H. L., Technology Transfer and Industrial Change in Europe, London, Palgrave Macmillan, 2000, pp. 3–5, https://doi.
org/10.1057/9780230595422.
 JRC EXTERNAL STUDY 97

health data repositories or open health ecosys- from academia to industry, innovative solutions
tems.476 These health data collaborations could could reach the market more quickly. In the
facilitate technology transfers between participat- field of medical device technologies, there is an
ing actors and enable analyses of data collected increased connection between science and tech-
by use of wearable medical devices for primary or nology, as knowledge transfer from the academic
secondary use purposes while addressing several domain to the industrial domain is on the rise
challenges (e.g. data protection, rights man- globally. However, the analysis of medical device
agement, interoperability, cost-efficiency). The patents reveals that the transformation of scien-
appointment of a neutral custodian or chief part- tific knowledge into industrial applications is more
ner officer (CPO) can facilitate trust and balance advanced in the US than in Europe or the Fast
interests in these heterogenous partnerships. To East.478 The EU could close this gap by adopting
maintain effective control over data within these more incentivising and flexible IP rights govern-
complex data governance frameworks, techno- ance models for European academic institutions
logical advancements can enable algorithms (e.g. (see also Chapter 4.3.2.5). At an institutional level,
data analysis instructions) to be sent to data pro- academic technology transfer offices (TTOs) could
cessed by distributed wearable medical devices, expand their focus of commercialising digital
rather than transmitting data from distributed health innovations to commercial partners (e.g.
wearable medical devices to a large, centralised licensees, investors) by including a broader set
database (see ‘Personal Health Train’ concept).477 of considerations, such as the potential value
that such solutions may bring to end users (e.g.
• Public–private partnerships: The EU can patients, healthcare providers).479
encourage partnerships between public enti-
ties (such as public research institutes), trade • Clusters: Encouraging the formation of clusters
associations and private companies that spe- of manufacturers, research institutions and other
cialise in wearable medical devices. This may stakeholders in the wearable medical devices
include incentives to share resources, establish field could enhance collaborations and technol-
co-funded scientific research projects or support ogy transfers. Clusters should be considered as
the collaborative design and testing of wearable regional ecosystems of related industries and
medical devices. It would be important to include competences featuring a broad array of inter
a growing number of SMEs and start-ups in those industry interdependencies.480 Success factors of
partnerships to foster the creation of dynamic and medical device clusters include having access to
innovative ecosystems and to create new jobs. human capital, funding, infrastructure, innova-
tive practices and market demand.481 To support
• Academia–industry collaborations: Univer- the development of new industrial value chains
sities in the EU are often at the forefront of and ‘emerging industries’, such as the wearable
developing cutting-edge technologies, including medical devices field, modern cluster policies
those relevant to wearable medical devices. By should aim to put in place a favourable business
facilitating the transfer of those technologies ecosystem for innovation and entrepreneurship

476 See also Giannakis, A., Subasic, D., Gautschi, F. et al., Together, we can – Fast-forwarding healthcare through data collaboratives,
Accenture, 2022, https://www.accenture.com/content/dam/accenture/final/industry/life-sciences/document/Together-We-Can-Fast-Forwarding-
Healthcare-Full-Report-PoV-FINAL.pdf. Bardenheuer, K., Van Speybroeck, M., Hague, C. et al., ‘Haematology Outcomes Network in Europe
(HONEUR)—A collaborative, interdisciplinary platform to harness the potential of real-world data in hematology’, European Journal of
Haematology, Vol. 109 No. 2, 2022, pp. 138–145, https://doi.org/10.1111/ejh.13780. Roche Information Solutions, navify: Our vision, Santa
Clara, Roche Molecular Systems, 2024, https://navify.roche.com/about-us/vision-mission/.
477 See also Dutch Techcentre for Life Sciences, Personal Health Train, Utrecht, Dutch Techcentre for Life Sciences, 2024, https://www.dtls.nl/
fair-data/personal-health-train/.
478 Wang, L., Li, Z., ‘Knowledge Transfer from Science to Technology—The Case of Nano Medical Device Technologies’, Frontiers in Research
Metrics and Analytics, Vol. 3 No. 11, 2018, pp. 1–8, https://doi.org/10.3389/frma.2018.00011.
479 Miller, F. A., Sanders, C. B., Lehoux, P., ‘Imagining value, imagining users: academic technology transfer for health innovation’, Social
Science & Medicine, Vol. 68 No. 8, 2009, pp. 1481–1488, https://doi.org/10.1016/j.socscimed.2009.01.043.
480 Delgado, M., Porter, M. E., Stern, S., ‘Defining clusters of related industries’, Journal of Economic Geography, Vol. 16 No. 1, 2016, pp.
1–38, https://doi.org/10.1093/jeg/lbv017.
481 McKernan, D., McDermott, O., ‘Industrial clusters, creating a strategy for continued success’, Heliyon, Vol. 10 No. 7, 2024, e29220 at 3,
https://doi.org/10.1016%2Fj.heliyon.2024.e29220.
98 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

in which new winners can emerge. This implies funding coupled with incentives considering
more than merely supporting networking activities the needs of outcomes-based healthcare could
and setting up cluster organisations that manage catalyse the development of wearable medical
networking and provide support services to busi- devices in the EU. Efficient funding schemes could
nesses. Modern cluster policies should follow help to reduce the risks for companies (especially
specialisation strategies and a systemic approach SMEs) looking to invest in new technologies and
combining different policies, programmes and encourage them to engage in technology trans-
instruments.482 As an umbrella network, the Euro- fer activities. Specific schemes could support the
pean Cluster Collaboration Platform (ECCP) could establishment and functioning of technology
facilitate the cooperation of wearable medical transfer offices. Funding programs could support
devices clusters within the EU and help those technology transfers through multi-stakeholder
clusters access international markets. collaborations aimed at advancing RTD activities
and uptake of wearable medical devices. For
• International collaborations: The EU can example, the Trials@Home Research and Inno-
engage in international technology transfer vation Action (RIA) under the Innovative Health
efforts to import technology from global lead- Initiative public–private partnership framework
ers in wearable medical devices or to support was set up to explore the potential of wearable
the export opportunities of European wearable devices in remote decentralised clinical trials.484
medical devices manufacturers. This can be facil- However, as project-based funding schemes often
itated through trade agreements, joint ventures, attach a ‘market entry barrier’, it is important to
RTD collaborations, and globally aligned stand- consider whether there are sufficient reasons to
ardisation, harmonisation and interoperability. prevent developers from promoting wearable
Regulatory synchronisation and/or exchange of medical device before a project has concluded.
regulatory good practices could provide substan-
tial incentives to such collaborations. • Value assessment frameworks and reim-
bursement pathways: Different value
4.3.2.2 Funding and financing assessment frameworks in Member States and
lack of reimbursement pathways for wearable
• Funding schemes: The EU (Member States) medical devices (and other telemedicine solutions)
needs to adopt effective instruments and incen- undermine technology transfers due to uncertain-
tives (e.g. dedicated programs, grants, subsidies, ties around payer environments and inability to
tax incentives) to support digital transformation scale (see also Chapter 4.2). The EU should support
in European health systems, including RTD activ- cooperation between Member States to develop
ities in relation to wearable medical devices. This harmonised value assessment frameworks and
could include a dedicated EU funding programme reimbursement pathways for wearable medical
to support digitalisation of health systems and devices (and other telemedicine solutions) con-
impactful implementation of the EHDS, as well sidering the specific features of certain solutions.
as to fund high-impact digital health pilots and The Commission could collect and develop best
large-scale deployments.483 At the same time, it is practices for Member States on healthcare meas-
important to ensure that financial resources allo- urement, financing and procurement models that
cated under existing EU funding schemes (such facilitate evidence-based decisions, and link pay-
as the Horizon 2020, Innovative Health Initiative, ments or reimbursements to overall outcomes and
EU4Health and Digital Europe programmes) are value achieved for the benefits of end users (e.g.
increased, not decreased. In general, adequate patients, healthcare providers) and society.485

482 European Commission, Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs, Izsak, K., Meier zu Köcker, G.,
Ketels, C. et al., ‘Smart guide to cluster policy’, Guidebook Series: How to support SME Policy from Structural Funds, Publications Office of the
European Union, Brussels, 2016, p. 11, https://data.europa.eu/doi/10.2873/729624.
483 DIGITALEUROPE, supra note 6, p. 23.
484 Innovative Health Initiative, Trials@Home: Center of excellence – remote decentralised clinical trials, Innovative Health Initiative, 2024,
https://www.ihi.europa.eu/projects-results/project-factsheets/trialshome.
485 DIGITALEUROPE, supra note 6, p. 24.
 JRC EXTERNAL STUDY 99

4.3.2.3 Innovation and networking services data protection, cybersecurity etc. requirements.
However, there is typically less focus on incen-
• Market access and commercialisation sup- tivising innovation and managing technology
port: The EU can support wearable medical transfers (in contrast to US legislation). For this
device manufacturers navigate the path from reason, the EU should fine-tune existing legisla-
concept to market by providing technical sup- tions to ensure that they are stringent enough to
port and business development guidance. For protect end users while not being burdensome
example, the further promotion of the following to stifle innovation and technology transfers. At
opportunities could enhance organisational inter- the same, they need to guarantee legal clarity
actions enabling technology transfers: and consistency. Those principles are especially
important in digital health where a sufficient
̊ European Digital Innovation Hubs (EDIHs) can degree of legal stability is required to assure
provide access to technical expertise, testing confidence and predictability in making long-term
(including the possibility to ‘test before invest’) investment decisions.486
and other innovation services, such as financ-
ing advice, training, and skills development. • Regulatory sandboxes: A regulatory sandbox
̊ Testing and experimentation facilities (TEFs) can allow regulators to closely collaborate with
can offer a combination of physical and virtual industry to understand the risks of new care
facilities, in which technology providers can delivery models underpinned by the deployment
receive technical support (e.g. testing of AI-en- of wearable medical devices. At the same time,
abled wearable medical devices in real-world developers can test and experiment innovative
environments) to enable new innovations to products (e.g. AI-enabled wearable medical
reach market readiness and ensure higher devices) under the supervision of a regulator for
success rates when deployed to the market. a limited time. As such, regulatory sandboxes
̊ The Startup Europe initiative, supported by a can foster both regulatory learning and business
portfolio of projects, can strengthen network- learning.487 They can also contribute to technol-
ing opportunities for wearable medical device ogy transfers and commercialisation of research
manufacturers and deployers through the results. Although there is no evidence of such
connection of startups, scaleups, investors, arrangements in the EU, Singapore, for instance,
accelerators, corporate networks, universities, established a regulatory sandbox for regulators
and the media. to work with telemedicine providers to co-create
̊ The Enterprise Europe Network can provide regulations for innovative healthcare services.488
field-specific business support and network-
ing opportunities for SMEs in the area with • Harmonisation: National prohibitions and dis-
international ambitions. criminatory rules may undermine the provision
of cross-border digital health services relating
4.3.2.4 Regulatory environment, to the use of wearable medical devices. Those
standardisation and interoperability restrictions curtail the convenience and value
that patients can obtain out of access to such
• Legal certainty: The digital health sector and services, and in some cases, prevent timely
wearable medical devices are regulated in the EU access to diagnosis and treatments, putting at
by sectoral and horizontal legislations (analysed risk health outcomes. It is in the interest of all
in detail under Chapter 3). In general, the objec- stakeholders to remove administrative barriers
tive of those legislations is to ensure the rights and prevent the formulation of an uneven legal
and interests of end users (data subjects, natural landscape that undermines technology transfers.
persons) by setting safety, performance, quality,

486 Ibid.
487 Madiega, T., Van De Pol, A. L., Artificial intelligence act and regulatory sandboxes, Briefing, European Parliamentary Research Service,
Brussels, 2022, p. 2, https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733544/EPRS_BRI(2022)733544_EN.pdf.
488 Attrey, A., Lesher, M., Lomax, C. ‘The role of sandboxes in promoting flexibility and innovation in the digital age’, OECD Going Digital
Toolkit Note, No. 2, OECD Publishing, Paris, 2020, p. 11, https://doi.org/10.1787/cdf5ed45-en.
100 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

• Globally aligned standardisation and inter- capital or private equity investment) and lead to
operability: The Commission, Member States, joint ventures, collaborations and licenses with
European standardisation organisations and strategic partners.490 This can help to expand a
national standardisation bodies should adopt (or company’s presence in the global marketplace.
revise) standards in line with international stand- However, despite the importance of IP rights,
ards. These measures can facilitate technology industry claims that the EU legal framework in
transfers by: the European (health) data economy does not
provide adequate and effective safeguards for
̊ ensuring compatibility and interoperability the protection of IP rights in digital health.491 As
between different devices, systems and organ- a matter of fact, while the number of patented
isations (which can expand the market for new medical technologies is increasing in both the US
innovations and reduce barriers to entry); and China, the corresponding number of patents
̊ enabling accuracy, consistency and availability in the EU has stagnated in the past decade.492 For
of data across product lines in documenta- this reason, the EU should ensure that its regula-
tion and exchange of product information of tory environment regarding IP protection remains
wearable medical devices or their product competitive with the rivalling US and China, oth-
components; erwise it will result in a competitive disadvantage
̊ enabling the construction of health data gov- and reduced access to state-of-the-art wearable
ernance arrangements to allow the delivery medical device solutions for patients and health
of telemedicine, monitoring the impact of professionals in the EU.
wearable medical devices, assessing related
care pathways, and understanding future pro- • Licensing strategies: While a robust IP system
jections for demand; could enhance innovation of wearable medical
̊ supporting the global competitiveness (e.g. devices, licensing models are integral to the
export opportunities) of European wearable widespread deployment of such solutions. For
medical device manufacturers. example, companies in joint ventures can agree
to license patent rights according to terms that
4.3.2.5 Effective protection and management will be mutually beneficial for them. Creative
of intellectual property rights licensing strategies, such as patent pools, are
proving helpful in building partnerships required
• Protection of IP rights: Clear and effective to accelerate medical innovation and reduce
IP laws can encourage technology transfer by transaction costs. By way of explanation, a patent
protecting the rights and legitimate interests pool is a consortium of at least two entities
of scientists and entrepreneurs, while also (typically companies) that agree to cross-license
facilitating access for users to benefit from patents relating to a particular technology on fair,
advancements in digital health, such as an inno- reasonable and non-discriminatory terms, with
vative software algorithm for remote patient respect to competition rules.493 The licensing of
monitoring.489 IP laws can incentivise and com- copyright material or datasets can be facilitated
pensate researchers and innovators for their through specific licensing schemes, such as the
trial-and-error efforts, and provide a framework Open Database License, Open Data Commons
for data sharing, licensing and other collabo- or Creative Commons. Regarding the possible
ration agreements between organisations. For integration of AI systems with wearable medical
companies, a growing IP portfolio can increase devices, licensing models will need to develop
market share, attract financing (through venture approaches to address issues relating to the use

489 World Intellectual Property Organization (WIPO), The Digital Health Revolution: Leveraging Intellectual Property for Equitable Access and
Innovation, WIPO, 4 August 2023, https://www.wipo.int/policy/en/news/global_health/2023/news_0011.html.
490 Hanratty, C., ‘Intellectual property creates value in Medtech’, Murgitroyd, 22 January 2022, https://www.murgitroyd.com/insights/patents/
intellectual-property-creates-value-in-medtech.
491 DIGITALEUROPE, supra note 6, p. 17.
492 OECD, OECD Science, Technology and Innovation Scoreboard, OECD, 2024, https://www.oecd.org/sti/scoreboard.htm.
493 Krattiger, A., ‘Promoting access to medical innovation’, WIPO Magazine, September 2013, https://www.wipo.int/wipo_magazine/
en/2013/05/article_0002.html.
 JRC EXTERNAL STUDY 101

of electronic health data as training data for an healthcare. Such measures could include develop-
AI system. Open-source models, such as those ing transferable training modules and the mutual
widely used in software development, could be recognition of professional qualifications. The EU
an effective option.494 could also support specialised (joint) educational
and training programs to nurture a new genera-
• Management of IP rights in the academic tion of health data professionals (including health
sector: Universities play a key role in advancing data protection officers, health data scientists,
wearable technologies in the EU. However, there health data security specialists).
are doubts about whether university ownership
can play an effective role in facilitating technol- • Health procurement and technology assess-
ogy transfer between academia and industry.495 ment skills: Public procurement in European
If a European university does not have tradition health systems is hindered by shortages of spe-
and experience in IP rights management and if cialised procurement skills and methodological
an academic inventor already has a strong rep- weaknesses.497 There is growing recognition that
utation and connections with the private sector, public procurement professionals in healthcare
university ownership may not be optimal. To need better understanding of the organisation
address dysfunctional arrangements in univer- of healthcare services (such as the integration
sity technology commercialisation, one potential of telemedicine), including the complex inter-
solution could be to vest ownership with the relationships between different technologies,
inventor and leave them the possibility to choose healthcare workers, and regarding advancements
the commercialisation path for their invention. An in the models of care. Health procurement pro-
alternative model could be to make all university fessionals should receive training and external
inventions publicly available through a public support to drive the procurement of effective
domain strategy or through a requirement that digital health solutions, such as wearable medical
all such inventions be licensed non-exclusively.496 devices. In addition to this, the creation of com-
munities of practice could foster human resource
4.3.2.6 Purpose-specific (re)skilling and development as well as technology transfers
transferability of skills from industry or academia to health systems.
Furthermore, by establishing best practice shar-
• Education and training programs: Investing in ing forums for health technology assessment
and restructuring educational and training pro- (HTA) professionals, the EU could improve the
grams would be essential to develop a skilled transferability and generalisability of assessment
workforce that is knowledgeable about the methods for specific types of wearable medical
availability and deployment of wearable medical devices.498
devices, and the processing of electronic health
data by use of such devices. Access to increased
number of competent human resources by 4.4 Human factors (digital health
industry, healthcare providers and public health literacy and trust) and healthcare
research institutes could facilitate technology
transfers. To achieve this, the EU should enhance
organisation
health workforce skills, including policy measures To foster trust in digital health, the EU and Member
to support the digital education and training of States need to make significant efforts to improve
health professionals and other workforce in digital health literacy and raise public awareness

494 World Health Organization, World Intellectual Property Organization, World Trade Organization, supra note 325, pp. 88–89.
495 Sterzi, V., ‘Patent quality and ownership: An analysis of UK faculty patenting’, Research Policy, Vol. 42 No. 2, 2013, pp. 564–576 at 573,
https://doi.org/10.1016/j.respol.2012.07.010.
496 Kenney, M., Patton, D., ‘Reconsidering the Bayh-Dole Act and the Current University Invention Ownership Model’, Research Policy, Vol. 38
No. 9, 2009, pp. 1407–1422, https://doi.org/10.1016/j.respol.2009.07.007.
497 García-Altés, A., McKee, M., Siciliani, L. et al., ‘Understanding public procurement within the health sector: a priority in a post-COVID-19
world’, Health Economics, Policy and Law, Vol. 18 No. 2, 2023, pp. 172–185 at 180, https://doi.org/10.1017/S1744133122000184.
498 See also Zemplényi, A., Tachkov, K., Balkanyi, L.. et al., ‘Recommendations to overcome barriers to the use of artificial intelligence-driven
evidence in health technology assessment’, Frontiers in Public Health, Vol. 11, 2023, pp. 1–10, https://doi.org/10.3389/fpubh.2023.1088121.
102 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

that digital transformation is necessary to address Digital Health (adopted by the eHealth Network)
pressing challenges in European health systems and outline principles for improving the health literacy of
unlock new opportunities. Top-down (policy-making) people and systems, including recommendations to
and bottom-up (health practice) approaches should “place digital health within a framework of human-
complement each other, as the effectiveness of pol- ist values”, “enable people to manage their digital
icies depends on their actual implementation. In this health and data [concerning them]” and “develop
regard, the health ecosystem needs to better explain inclusive digital health”.502 In the case of wearable
to the public the potential value of interconnecting medical devices, these objectives can be facilitated
and leveraging data and digital technologies (such at various stages of the product life cycle. In the con-
as wearable medical devices), as well as the safe- ceptualisation and development phase, citizen science
guards that are implemented to mitigate/eliminate programs and co-creation can ensure that wearable
any related risks. This could help to tackle misinfor- medical devices (and related data processing opera-
mation. Strengthening stakeholder engagements and tions) are designed in a transparent and trustworthy
collaborations would be an important step in help- manner that makes the devices intuitive and easy to
ing to understand the infrastructure, technologies, use, including by people with disability or low levels
datasets, and their integrations. It is also important of digital health literacy. In the deployment phase,
to consider that the relationship between patients training and technical support can help to maxim-
and health professionals has changed significantly in ise the health potentials of using wearable medical
recent years: from a traditional paternalistic model devices and ensure accountability for data processing
(in which decisions are made by health professionals) operations.503 Overall, this process could advance the
to a predominantly shared decision-making model (in “democratisation of technology” regarding the use of
which decisions are made jointly by health profession- wearable medical devices and interconnected data-
als and patients) and, in some cases, a service model driven solutions.
(in which decisions are made by the patients).499
In the uptake of wearable medical devices, patients’
From the perspective of patients, those who are not trust in health professionals remains key, but health
aware of or do not know how to use digital health professionals also need to trust and see the clear ben-
tools may not see the potential value of using a wear- efits of prescribing or recommending such solutions.
able medical device. The lack of knowledge may put Although health professionals have the most influen-
them at a disadvantage in terms of patient empow- tial role in promoting access and patient adherence to
erment and health outcomes. For this reason, digital wearable medical devices, many do not leverage their
health literacy has been referred to as a ‘super social potential.504 According to a WHO study, following infra-
determinant of health’, because it has implications for structural and technical challenges, human factors
the wider social determinants of health.500 To design (e.g. health professionals’ resistance to change, diffi-
effective policies to address this health determinant, culties in understanding and using new digital health
it is essential to recognise its consequences and the technologies, and concerns about increased workload)
populations, especially the vulnerable groups, that are the second most common set of barriers hinder-
are affected.501 The European Ethical Principles for ing the further uptake of wearable devices and other

499 Busse, T. S., Nitsche, J., Kernebeck, S. et al., ‘Approaches to Improvement of Digital Health Literacy (eHL) in the Context of Person-
Centered Care’, International Journal of Environmental Research and Public Health, Vol. 19, No. 14, 8309, 2022, pp. 1–11 at 2, https://doi.
org/10.3390/ijerph19148309.
500 Sieck, C.J., Sheon, A., Ancker, J.S. et al. ‘Digital inclusion as a social determinant of health’, npj Digital Medicine, Vol. 4, No. 52, 2021, pp.
1–3, https://doi.org/10.1038/s41746-021-00413-8.
501 Arias López, M. D. P., Ong, B. A., Borrat Frigola, X. et al., ‘Digital literacy as a new determinant of health: A scoping review’, PLOS Digit
Health, Vol. 2, No. 10, e0000279, 2023, pp. 1–21 at 3, https://doi.org/10.1371%2Fjournal.pdig.0000279.
502 European Ethical Principles For Digital Health, 21st eHealth Network meeting, 1–2 June 2022, https://www.coe.int/ru/web/
bioethics/access-to-digital-spaces-to-understand-and-use-health-services/-/highest_rated_assets/nTmcJLi8P0UU/content/
european-union-european-ethical-principles-for-digital-health.
503 See also Council of Europe, Steering Committee for Human Rights in the field of Biomedicine and Health (CDBIO), Guide to Health
Literacy – Contributing to Trust Building and Equitable Access to Healthcare, Council of Europe, Strasbourg, 2023, pp. 42–45, https://rm.coe.int/
inf-2022-17-guide-health-literacy/1680a9cb75.
504 Dahlhausen, Zinner, Bieske et al., supra note 434.
 JRC EXTERNAL STUDY 103

telehealth solutions.505 According to a survey carried is important to point out that the healthcare sector
out by the European Medical Students’ Association in is competing with other sectors for the same talent
2020, while 70-80% of medical students in Europe (e.g. data science professionals), so interdisciplinary
would see more advantages in deploying telemedicine collaborations can help to close knowledge gaps.
solutions, more than half of them evaluated their dig-
ital health skills as ‘poor’ or ‘very poor’.506 To address Finally, to improve the accessibility and availability of
these problems, Member States need to modernise wearable medical devices, European health systems
educational and training programs and support health could consider identifying essential/critical devices or
professionals in evaluating the efficacy of new solu- use cases.507 The maturation of the concept of ‘essen-
tions. Health institutions typically have a Chief Medical tial/critical’ medicines has led to discussions about the
Officer, but it would be useful if national legislations potential application of an analogous framework to
also required the appointment of a Chief Technology medical devices.508 While this merits consideration,
Officer (CTO) or Chief Medical Informatics Officer to the adoption of an essential/critical list for medical
oversee and support health professionals in identi- devices may be complicated by the lack of analogous
fying and deploying safe and effective digital health “generics”, i.e. medical devices do not follow the same
solutions (including wearable medical devices), and regulatory concept of a reference (originator) product
to manage and organise technical collaborations and and equivalent generic products. This may make it
training.. Cooperation between industry and health more challenging for decision-makers to define which
professionals and with other sectors could foster devices to select, procure and deploy.
exchange of knowledge. In connection with this, it

505 Borges do Nascimento, I. J., Abdulazeem, H., Vasanthan, L. T. et al. ‘Barriers and facilitators to utilizing digital health technologies by
healthcare professionals’, npj Digital Medicine, Vol. 6, No. 161, 2023, pp. 1 –28, https://doi.org/10.1038/s41746-023-00899-4.
506 Machleid, F., Kaczmarczyk, R., Johann, D. et al., Perceptions of Digital Health Education Among European Medical Students: Mixed
Methods Survey, Journal of Medical Internet Research, Vol. 22, No. 8, e19827, 2020, pp. 1–13 at 3, https://doi.org/10.2196/19827.
507 World Health Organization, World Intellectual Property Organization, World Trade Organization, supra note 325, p. 227.
508 This would imply a broader scope of devices compared to the ‘public health emergency critical devices list’ defined under Article 22
of the Regulation (EU) 2022/123 of the European Parliament and of the Council of 25 January 2022 on a reinforced role for the European
Medicines Agency in crisis preparedness and management for medicinal products and medical devices, OJ L 20, 31.1.2022, pp. 1–37, ELI:
http://data.europa.eu/eli/reg/2022/123/oj.
104 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

4.5 Case studies: drivers and barriers affecting innovation and technology
transfers in relation to wearable medical devices
4.5.1 Manufacturer of wearable medical devices (I.): Philips

Box 6
Philips (case study)
Philips is one of the world’s leading innovators in health technology and health informatics. In 2022, the company filed
the most patents in the medical technologies sector at the European Patent Office and the second most worldwide.509
Within its broad portfolio, Philips is the manufacturer of a wearable medical device that enables continuous remote
cardiac monitoring and is connected to the company’s AI-powered data analytics platform.510 In addition to improving
diagnoses and patient experiences, this telemedicine service aims to alleviate the growing workload on cardiology
departments and drive cost efficiencies.511
Philips recommends prioritising the following policy issues to drive digital health innovation and further uptake of
wearable medical devices in the EU:512
Regulations
The MDR is unpredictable, complex, slow and costly. As such, it contributes to a growing gap in patients’ access to
medical technologies in the EU. The MDR needs to be revised to establish predictable pathways for certification, embrace
innovation and ensure alignment with other legislation. To allow patients to benefit from state-of-the-art treatments,
the EU could consider concluding mutual recognition agreements with jurisdictions where the requirements to place
medical devices on the market are almost identical (e.g. UK, US, Canada). As the EU standardisation system has resulted
in a severe backlog in publication of medical device standards (with far-reaching consequences), the EU should also
take steps to develop a better functioning system of harmonised regulatory standards that allows easy alignment
with international standards. In addition to facilitating the availability of medical devices, the EU also needs to address
fragmented privacy and data protection rules, as Member States do not interpret the legal notions of ‘personal data’
and ‘non-personal data’ consistently, and there are no recognised standards regarding the anonymisation of personal
data (concerning health). The review of the GDPR should tackle these issues to provide a harmonised and consistent
legal framework, in support of the EHDS.
Reimbursement
Reimbursement systems in the EU are fragmented and shaped by different, often conflicting objectives. The field can
be challenging to navigate, as reimbursements are typically linked to diseases or injuries, not the technology deployed.
Furthermore, reimbursements are significantly lower in the EU than in the US, which makes scaling less attractive in
the EU. There is no standardised mechanism for demonstrating effectiveness in real-world healthcare delivery settings
(post-market phase) and to generate evidence for transparent pricing and reimbursement decisions. Although healthcare
providers, procurers and insurers often refer to clinical guidelines developed by medical societies as a basis for reim-
bursement, it is not always clear how and on what bases those documents are updated. The EU should support a more
fit-for-purpose and dynamic implementation of Health Technology Assessment (HTA) for digital health solutions and
AI. Potential pathways include developing well-accepted pathways for digital medical devices (e.g. DiGA in Germany),

509 Philips, Philips leads in medical technology patents filed at the European Patent Office, Philips, 5 April 2023, https://www.philips.com/a-w/
about/news/archive/standard/news/articles/2023/20230405-philips-leads-in-medical-technology-patents-filed-at-the-european-patent-office.
html.
510 Philips’ ePatch couples with the company’s AI-powered Cardiologs analytics platform to replace conventional Holter monitor devices,
which can be cumbersome for patients to wear, labour-intensive to manage, and provide cardiac monitoring data over a limited (typically
24–72 hours) time frame. The wearable ePatch empowers health professionals to provide an end-to-end telemedicine solution that enhances
their ability to detect and diagnose atrial fibrillation over an extended period (up to 14 days), while patients can continue their normal daily
lifestyle. The ECG analysis time can be reduced up to 40% and the clinically validated algorithms can detect over 20 types of arrhythmia
events thanks to the deep-learning technology that interprets the entire ECG.
511 Philips, First heart and stroke patients in the Netherlands being monitored with Philips wearable ePatch and AI analytics platform, Philips,
7 September 2023, https://www.philips.com/a-w/about/news/archive/standard/news/articles/2023/20230907-dutch-introduction-philips-
epatch.html.
512 See also Philips, Our vision for European Healthcare in 2030, Philips, July 2023, https://www.philips.com/c-dam/corporate/about-philips/
sustainability/downloads/publications/Our-vision-for-European-healthcare-in-2030-recommendations.pdf.
 JRC EXTERNAL STUDY 105

piloting reimbursement of selected solutions across Member States, and developing interaction between the MDR and
HTA Regulation in a real-world setting.
Funding
It would be important to establish a dedicated program to support digitalisation of healthcare systems. Funding should
support the implementation of the EHDS, large-scale pilots and deploying digital health technologies and services at
scale through long-term partnerships and collaborations. The EU should balance open science and IP obligations with
commercial interests to ensure that there is a clear path from innovation to clinical implementation.
Skills
The curricula of health professionals and healthcare training schemes should integrate digital skills and interdisciplinary
patient care that are needed to navigate modern healthcare delivery. Those skills could be included as part of EU-wide
requirements for mutual recognition of professional qualifications.
Resilience and sustainability
The EU should designate medical devices as an essential/critical sector to ensure availability of raw materials and
components for production in times of crisis. Member States should have a strategic stockpile of medical equipment (e.g.
specific wearable medical devices) which could be quickly distributed to respond to health emergencies or other crises. In
addition to strengthening resilience, the EU regulatory framework should enhance circularity, including refurbishment of
medical equipment, and create incentives for sustainable innovation. EU funding could support research and innovation
for medical technology development, such as the development and use of alternative materials.
In addition to the abovementioned policy goals, it is important that policy-makers consider the different needs of
manufacturers to facilitate successful market development and technology transfers within the sector. While larger
manufacturers may have research agreements in place with university hospitals and research centres, their in-house
developments can be slower than the innovation activities of medical technology start-ups. On the other hand, start-ups
often struggle to transform a good value proposition into a successful business, and to establish cooperations with
clinicians and academia. Those challenges may push start-ups towards acquisition by larger manufacturers. However,
this is not necessarily a favourable outcome, as acquisition by a larger player often hinders further innovation. Instead,
it would be useful to provide market access and commercialisation support to help medical device manufacturers
of different size in establishing mutually beneficial and long-lasting business partnerships through co-marketing or
financial agreements.

4.5.2 Manufacturer of wearable medical devices (II.): ResMed

Box 7
ResMed (case study)
ResMed develops, markets and supports a suite of wearable medical devices and interconnected services (e.g. cloud-
based patient management system, mobile app).513 The company’s solutions enable healthcare providers to deliver
tailored telemedicine treatments to patients with sleep disorders and respiratory diseases and allow patients to track
progress of their therapy. To improve the policy environment affecting digital health innovation and wearable medical
devices in the EU, ResMed would propose policy-makers to prioritise the resolution of key regulatory, reimbursement,
interoperability, accessibility and collaboration challenges:

513 ResMed’s AirSense 10, AirSense 11 and AirMini ranges are Continuous Positive Airway Pressure (CPAP) devices that combine advanced
performance and optimised comfort features to provide discreet and effective therapy for sleep-disordered breathing (SDB). The AirCurve
10 and AirCurve 11 ranges are Sleep Bilevel devices designed for SDB patients who need positive airway pressure but are not suitable
candidates for CPAP therapy. The Lumis, Astral and Stellar devices are ventilators that deliver effective therapy for a wide range of respiratory
diseases, including Obesity Hypoventilation Syndrome (OHS) and Chronic Obstructive Pulmonary Disease (COPD). ResMed’s HDS/ISO 27001
certified AirView cloud-based patient management system can support health professionals in delivering personalised care and streamline
patient management by offering connectivity to the aforementioned devices, including secure data-sharing, interoperability and collaboration
functions. ResMed’s myAir app uses similar functions to support patients in setting up, acquainting and leveraging the capabilities of their
sleep therapy device through interactive coaching, personal therapy assistance and subjective questionnaires, and by allowing the tracking
and viewing of nightly sleep data.
106 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Regulations
It is becoming resource-intensive for manufacturers in the field to comply with complex and occasionally conflicting EU
regulations and additional national requirements, including in the UK and Switzerland. Increasing compliance costs for
conformity assessment and related barriers/risks (e.g. lengthy approval processes and the lack of predictability) are hin-
dering manufacturers from accessing the EU market. These circumstances are diverting medical device manufacturers
away from the EU to prioritise the US as the geography where they first place their wearable medical devices on the
market. This trend is expected to exacerbate with the emergence of combined products, in which cases manufacturers
(providers) will be required to comply with multiple regulatory frameworks, for example, under the MDR and the AI
Act. To tackle regulatory challenges, it would be important to align and streamline parallel legal requirements. To
ease administrative burden on manufacturers and national authorities, the certificates of conformity under the MDR
could be automatically renewed after five years if there are no post-market surveillance issues or other incidents. The
establishment of a ‘one-stop shop’ system could support manufacturers (and other economic operators) to comply with
all relevant regulatory requirements in the medical devices field. Ultimately, the medtech sector would also need an EU
innovation pathway (similarly to the pharmaceutical sector) that recognises the value of having a regional and more
streamlined innovation enablement process through the development of specific pathways and coordinated guidance
and tools for notified bodies (similarly to what the EMA is developing regarding innovative medicinal products).
Reimbursement
There is a lack of reimbursement pathways in Member States for connected medical devices. Also, reimbursements
do not consider data platform services that are connected to wearable medical devices and bring incremental value
to the provision of telemedicine services. It would be important for the EU to encourage cooperation between Member
States to develop reimbursement pathways specifically for digital health technologies in order to make the EU a more
attractive place for innovation. These coordinated efforts could build on recent initiatives developed by some Member
States (e.g. DiGA in Germany, Pecan in France), which also allow generation of evidence under early access schemes.
Interoperability
Data interoperability in digital health is a prerequisite for accessing and sharing data, driving innovation, and improving
patient outcomes. If implemented effectively, the EHDS could facilitate interoperability, data integration, and secondary
use of electronic health data to drive the innovation of digital health solutions. The accurate monitoring of the safety,
performance and clinical effectiveness of wearable medical devices and projections for demand are dependent on
having access to longitudinal datasets.
Equity of access to care
Connectivity affects access to telemedicine services. The Internet-connectivity of wearable medical devices via a SIM
card is more seamless than via Bluetooth, which requires patients’ active interventions. It is also important to point out
that the construction of 5G networks is progressing rather slowly in the EU, but electronic (chips) component shortages
are pushing manufacturers to switch to 5G technology. This may lead to subpar performances in connectivity, especially
for patients living in “dead zones”. Furthermore, the multiplicity of national standards across the EU makes leveraging
embarked connectivity costly and difficult to manage for manufacturers.
Industry–academy collaborations
It would be useful to develop policies for improving coordination between academia and industry in the EU to facilitate
technology transfers in the medical device sector. For example, by setting mutually beneficial goals (e.g. agreements on
similar research and development lines), industry could be incentivised to invest in science. In turn, this could enable the
pooling of resources and create a route to commercialise innovations developed at universities. However, the realisation
of this potential is often hindered by difficulties in contracting with European universities (in contrast to universities in
other geographies, e.g. US, Singapore). Another issue to consider is that technology transfer offices often overvalue IP or
undervalue that the further development, certification and marketing of a university-borne innovation is a resource-in-
tensive process for industrial actors. It would be important to resolve these frictions by facilitating academy–industry
collaborations (through e.g. innovation clusters, health data collaborations) and issuing guidance on the handling of
recurring legal and financial challenges in these settings. Better coordination could harness the innovation potential of
the EU in the medical devices field and contribute to improved patient outcomes and more efficient health systems.
 JRC EXTERNAL STUDY 107

4.5.3 University involved in technology transfers in relation to wearable medical devices: Vrije
Universiteit Brussel

Box 8
Vrije Universiteit Brussel (case study)
Vrije Universiteit Brussel (VUB) is an independent university that conducts fundamental, strategic and applied research
with an international reach. VUB supports the transfer of expertise, tangibles and related IP rights between the univer-
sity and industry-society through the creation of spin-off companies, the licensing of IP, contract research or services
agreements based on the outputs of university science and technology research. As part of VUB’s Vice-rectorate
Innovation & Industry Relations, the university has a dedicated multidisciplinary team of experts (VUB TechTransfer)
responsible for technology transfer, business consultancy, contract negotiations, scientific funding for applied research,
legal and IP issues, event organisation and communication.514 VUB Tech Transfer aims to connect the university with
businesses and society by providing advice to VUB’s researchers at every phase of their collaborations with third parties
or in starting up a spin-off.515
VUB TechTransfer has observed the following policy challenges that affect university researchers involved in the research
and development of (wearable) medical devices and related technology transfer and potential commercialisation
activities:
Regulatory issues
Universities (and university hospitals) are reluctant to take up the role of a manufacturer, as they strive to perform
research and are not in a position to directly undertake manufacturing or production obligations, such as certain product
safety and liability requirements. With regard to their distinct legal status, with a predominant research purpose as
opposed to a manufacturing purpose, university researchers (and university hospitals) require guidance to comply with
the MDR on specific issues (e.g. whether or not they qualify as a ‘manufacturer’; allocation of responsibilities in clinical
investigations involving third-party companies).
The MDR creates uncertainty between business and research goals. That uncertainty can be attributed to the broad
scope and definitions of the MDR, which, amongst other issues, designates the ‘manufacturer’ by defining the purpose
of its device as a ‘medical device’. Such broad concepts challenge responsibilities when research is formulated for a
(wearable) medical device. The broad regulatory approach creates a gap for universities and businesses alike, which
manifests itself in the form of discrepancy between research goals and market implementation. The uncertainty is
apparent in discussions relating to the scope of the research itself, as well as about the suitability of using research
results to obtain certification for market entry (predominantly when the original research purpose is not designated
to develop a medical device). Uncertainties between research and market use are further exacerbated in the context
of university hospitals. Potentially, the addition of an explicit research exemption under the MDR could alleviate and
clarify such uncertainties.516
The conformity assessment procedures for obtaining certification to qualify for market entry are complex, expensive
and lengthy with uncertain outcomes. Furthermore, the requirements seem to be interpreted differently among different
stakeholders/countries. University spin-offs (like many other SMEs) experience difficulties in undertaking the conformity
assessment of their (wearable) medical devices. Ethics committees also often find it challenging to interpret the MDR.
The shortcomings of conformity assessment procedures, in conjunction with regulatory uncertainties, pose significant
risks and consequently undermine the general willingness to invest resources and time for purposeful research and
development of wearables (especially of those which may not be deemed viable for market entry as a ‘medical device’).
Despite encouragement by the university, the regulatory and procedural circumstances often make researchers hesitant
to go to the market.

514 VUB TechTransfer, TechTransfer at the university – Together we connect society & science, Vrije Universiteit Brussel, n.d., https://www.
vubtechtransfer.be/.
515 VUB TechTransfer, Knowledge and technology transfer – Finding your way through the jungle, 5th edition, Vrije Universiteit Brussel, 2022,
https://www.vubtechtransfer.be/sites/default/files/2022-11/59243%20Jungle%20brochure_UPDATE%202022_ISSUU.pdf.
516 Thomas De Doncker, VUB TechTransfer, supra note 514. [byline].
108 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Financial issues
Courtesy of the Industrial Research Fund (Industrieel Onderzoeksfonds, IOF), Flemish universities receive funding
according to their output performance, such as the number of contracts with industry, publications and citations, share
in the European Framework Programme for R&D, number of patents and spin-offs. The IOF also funds proof-of-concept
projects that aim to bring scientific research closer to the market.
Despite such important initiatives, university researchers often lack resources to adhere to increasingly costly regulatory
requirements (e.g. to establish and maintain a quality management system). For university spin-offs, it is very chal-
lenging to find appropriate and adequate forms of public/private funding or investments on the market. The perceived
risks (e.g. legal, liability and financial challenges) often outweigh the appeal to undertake, fund or invest in expensive
innovation, compliance and marketing processes, which have uncertain outcomes. In turn, this may have a self-fulfilling
economic effect on systems such as the IOF.517 It also questions whether funding schemes can be sufficient per se to
effectively incentivise the uptake of medtech solutions.
Commercialisation and IP strategies
Given the high market entry barriers in the medtech domain and the aforementioned regulatory uncertainties, university
researchers are circumstantially compelled to keep projects within the academic or research sphere for as long as
possible. As researchers aim to maintain their freedom to continue to perform scientific research, they prefer to avoid
a situation of being confined to requirements for market entry (and related uncertainties). In those cases, the university
remains the owner of IP rights relating to research and development processes, but the transfer or licensing of IP rights
can be negotiated on an ad hoc basis (e.g. a spin-off can buy out or license the IP rights from the university).
Global competitiveness
VUB is part of MEDVIA, an innovation cluster that involves more than 150 public and private entities present in the
Flemish health ecosystem (healthtech companies, research institutions, universities, hospitals and patient advocacy
groups). MEDVIA supports R&D at the intersection of biotech, medtech and digital technologies, providing funding and
services as well as jointly tackling the challenges entrepreneurs face to launch health innovations on the global market.
According to MEDVIA’s Strategic Position 2024: “the rapidly changing healthcare ecosystem, lack of much-needed new
processes and systems, together with the absence of adjusted regulatory and reimbursement frameworks, poses a
significant obstacle for entrepreneurs in Flanders attempting to develop sustainable business models. The current
situation is driving our entrepreneurs into alternative international markets, with over 85% of health innovators in
Flanders indicating a preference to initially launch their products in the US. This shift jeopardizes the timely access of
Flemish citizens to innovations developed using local public resources.”518

4.5.4 Deployer of wearable medical devices: European Society of Cardiology

Box 9
European Society of Cardiology (case study)
The European Society of Cardiology (ESC) is a not-for-profit medical society that unites 57 national cardiac societies
and over 100,000 scientists, clinicians, nurses and allied professionals across all cardiology subspecialities.519 The ESC
aims to reduce the burden of cardiovascular disease, which remains the leading cause of death worldwide and accounts
for 4 million deaths per year in Europe (47% of all mortalities).520 The ESC disseminates evidence-based scientific
knowledge to cardiovascular professionals to advance the prevention, diagnosis and treatment of diseases of the heart
and blood vessels. The ESC recognises the potential of Mobile health (mHealth) solutions, including wearables and/or
apps, in empowering patients to assume a more active role in monitoring and managing their chronic conditions and

517 Ibid.
518 MEDVIA, Strategic Position 2024, MEDVIA, 2024, https://medvia.be/wp-content/uploads/2024/05/MEDVIA-Strategic-Position-2024_
FINAL_ENG.pdf.
519 European Society of Cardiology (ESC), Who We Are, ESC, n.d., https://www.escardio.org/The-ESC/Who-we-are.
520 European Society of Cardiology (ESC), What We Do, ESC, n.d., https://www.escardio.org/The-ESC/What-we-do.
 JRC EXTERNAL STUDY 109

therapeutic regimens, as well as providing healthcare professionals (HCPs) with more data and enabling more frequent
follow-ups than in classical care.
For successful integration into routine clinical practice, healthcare professionals (HCPs) need accepted criteria to support
selection between mHealth solutions, while patients require transparency to trust their use. To facilitate these objectives,
the ESC recommends the following issues for consideration by EU policy-makers:521
Healthcare professionals’ and patients’ needs
A pivotal concern of HCPs for the guidance or prescription of mHealth solutions is whether there is sufficient scientific
evidence to support their intended use, in addition to being technically robust, interoperable, secure, and compliant
with privacy and data protection rules. Patients should have information about manufacturers, their commitment to
ensure long-term support, and documentation on the accuracy, reliability and usability of mHealth solutions not only
on laboratory conditions, but also in real world settings.522 To ensure high standards of safety and performance, the
design processes should involve relevant stakeholders (e.g. patients, caregivers, HCPs) from concept to release. Soft-
ware and interfaces should be intuitive and user-friendly. In this regard, the potential need for education and training
should also be considered. To avoid any side-effects relating to ‘over-monitoring’, the purpose of use should always
be clear and specific. Furthermore, the costs/reimbursement rules should be transparent, as they may play a role in
the accessibility of mHealth solutions.
Accessibility
Although making available mHealth solutions through company websites or app stores may provide democratised
access at low to no cost to a broader population, this route of access presents disadvantages from a search and quality
perspective (e.g. lack of filters for medical devices; information about efficacy, certification class and relevant clinical
evidence is often not available). On the other hand, when a HCP suggests a solution to a patient, then it is important
to consider that this requires a degree of responsibility of the HCP, which may include a commitment to regularly
review the data collected by the patient and to communicate digitally with the patient. However, this is often done
without compensation or reimbursement for this additional work, if the mHealth solution is not integrated as part of
a standard care pathway.
Regulatory issues
The ambiguity and fragmentation of the regulatory landscape, and the new risk classification scheme under the MDR
have led to an increase in regulatory workload and a steep learning curve for both innovators and notified bodies.
Many manufacturers struggle to classify their device properly or to define their intended purpose fully. The experience
of certifying mHealth solutions as class IIa or higher-risk devices with notified bodies has been limited, especially for
clinical performance evaluation. Where the required level of supporting data for clinical evidence is not predefined,
the criteria listed in MDCG guidance documents are very generic. There is also a lack of clarity as to which changes in
software require recertification or review by the notified body. Because of these challenges, differences in assessments
may exist both within and between notified bodies, and input from medical professional associations (e.g. clinical
guidelines) could be useful to improve the application of the MDR, particularly for new technologies. It is also important
to point out that the complexity and budgetary impact of the certification process may discourage innovation in the
EU and decrease access for patients to effective devices. Innovators may go out of business or move to the US where
regulation is less strict and less expensive, or they may downgrade the intended purpose of their products. The AI Act
may exacerbate this issue, if it becomes an excessive regulatory burden.
Assessment frameworks
Although there are national/regional efforts in the EU to develop quality assessment frameworks for mHealth solutions,
the existing public assessment schemes and curated libraries are heterogenous in terms of the clinical evidence
required, and even the front runners have yet to achieve an efficient certification process. There are also several
private assessment schemes that have gained prominence, but no international accreditation body exists to compare
their quality and consistency. However, the development of the CEN-ISO/TS 82304-2 health app quality assessment
framework (in response to a request from the Commission) has the potential to address this issue and to become
a widely used and efficient tool to help drive decision-making internationally. Once applied and operative, this could

521 See also Caiani, E. G., Kemps, H., Hoogendoorn P. et al., ‘Standardised assessment of evidence supporting the adoption of mobile health
solutions: A Clinical Consensus Statement of the ESC Regulatory Affairs Committee’, European Heart Journal - Digital Health, ztae042, 2024,
https://doi.org/10.1093/ehjdh/ztae042.
522 See also Lopez Perales, C. R., Van Spall, H. G. C., Maeda, S. et al. ‘Mobile health applications for the detection of atrial fibrillation: a
systematic review’, EP Europace, Vol. 23, No. 1, 2021, pp. 11–28. https://doi.org/10.1093/europace/euaa139.
110 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

result in a label (created by a conformity assessment and certification body based on the replies of the manufacturer
to specific questions and related evidence) summarising the app’s benefits in several domains (‘healthy and safe’, ‘easy
to use’, ‘secure data’, ‘robust build’), as well as an overall health app quality score, ready-to-be-used by the clinician. In
addition to these, medical associations are becoming increasingly active in developing guidelines with which HCPs can
evaluate the available clinical evidence for mHealth solutions to provide informed advice to patients. It is important
to ensure that there is transparency around the development of guidelines, which is usually dependent on the good
functioning of medical associations. The potential value of clinical guidelines is that they can address possible aspects
that a clinician can take into consideration to evaluate the level of clinical evidence associated to a certain mHealth
solution by examining different sources of information (e.g. results from randomised clinical trials, existing publications,
manufacturer’s claims through its website, public or private assessment schemes).

4.5.5 End users (patients’ perspectives) of wearable medical devices: EURORDIS – Rare Diseases
Europe

Box 10
EURORDIS – Rare Diseases Europe (case study)
EURORDIS – Rare Diseases Europe is a unique, non-profit alliance of over 1000 rare disease patient organisations from
74 countries that work together to improve the lives of over 30 million people living with a rare disease in Europe. By
connecting patients, families and patient groups, as well as by bringing together all stakeholders and mobilising the
rare disease community, EURORDIS strengthens the patient voice and shapes research, policies and patient services.
Most rare diseases lack sufficient diagnosis and treatment tools. Treatment is limited by high research and development
costs and low success rates, which lead to market failures and ‘unmet medical needs’.523 One of the most promising
advancements for people living with rare diseases is the integration of wearable medical devices and telemedicine into
their care. These healthcare delivery modes offer significant potential for reducing diagnosis time, enabling continuous
patient monitoring, personalising treatment, and improving access to specialised care, while keeping costs down.
However, the successful implementation and widespread adoption of these digital health solutions require careful
consideration of several key factors by EU policymakers.
Addressing gaps in regulatory and reimbursement frameworks
Despite continuous efforts to create a more comprehensive regulatory framework, some challenges remain in the
integration of wearable medical devices and telemedicine. Regulatory gaps include a lack of standardised protocols
for device interoperability, fragmented regulatory environments across Member States, and complex compliance with
GDPR and security standards. Additionally, there is uncertainty in device classification, inadequate post-market sur-
veillance, and a need for updated frameworks to accommodate emerging technologies like artificial intelligence and
machine learning. Reimbursement issues also hinder the adoption of these technologies. There is a lack of standardised
reimbursement policies and clarity on evidence requirements. Demonstrating cost-effectiveness and securing funds in
constrained healthcare budgets are also major barriers. Furthermore, disparities in access to these technologies due to
geographical and socioeconomic factors highlight the need for more equitable reimbursement frameworks. Addressing
these gaps requires coordinated efforts to create a cohesive regulatory and supportive reimbursement environment.
Ensuring the implementation and use of healthcare coding systems (ICD-11, ORPHA codes and ICD-O3)
Due to their rarity and complexities, rare diseases are under-represented in healthcare coding systems. This exacerbates
the problems that stem from their lack of recognition and hinders the collection of data by wearable medical devices that
is needed to structure and analyse data sets for healthcare and research purposes. Consequently, this leads to delayed
diagnosis, treatment and care. The International Classification of Diseases (ICD) has long been the main basis for the
comparability of statistics on the causes of mortality and morbidity across places and over time. In 2019, the World
Health Assembly adopted a revised version of this Classification, ICD-11, which has been significantly more expressive
and comprehensive than historical versions and includes rare diseases, though only to a certain extent. To enhance data

523 Antunes, L., ‘What if biosensors could help treat rare diseases?’, Scientific Foresight: What if?, European Parliamentary Research Service,
2023, https://www.europarl.europa.eu/RegData/etudes/ATAG/2023/747441/EPRS_ATA(2023)747441_EN.pdf.
 JRC EXTERNAL STUDY 111

collection and its quality for healthcare purposes and beyond, ICD-11 should be mandatory within Electronic Health
Record (EHR) systems, as well as within other databases collecting data about rare diseases, in conjunction with the use
of Orphanet nomenclature (i.e. the ORPHA codes). This is essential to ensure patients’ visibility within national health
and social systems, building thereby a robust and accurate longitudinal care record on rare diseases.
Increasing digital health literacy
Digital health literacy is a prerequisite for people with rare diseases, healthcare professionals, researchers, and other
involved stakeholders to have the necessary skills to be able to benefit from the use of wearable medical devices and
other digital health tools. Digital health literacy can be considered as the convergence of digital literacy and health
literacy, and includes but is not limited to the following competences:524
(1) the ability to successfully read and write about health using technological devices;
(2) the ability to control, adapt and collaborate in communication about health with others in online social environments;
(3) the ability to evaluate the relevance, trustworthiness and risks of sharing and receiving health-related information
through the digital ecosystem;
(4) the ability to apply health-related information from the digital ecosystem in different contexts.
It would be necessary to include these elements in educational and training programs targeting specific groups. In the
case of end users (patients), this is critical, as if they do not have sufficient level of digital health literacy, a wearable
medical device may not function effectively and achieve its intended purpose. Educational and training programs could
also help to address the significant demand for professionals specialised in healthcare digitalisation who can provide
support to both healthcare professionals and patients, where needed.

524 Paige, S. R., Stellefson, M., Krieger, J. L. et al., ‘Proposing a Transactional Model of eHealth Literacy: Concept Analysis’, Journal of Medical
Internet Research, Vol. 20, No. 10, 2018, e10175, pp. 1–16, https://doi.org/10.2196/10175.
 Conclusions: key areas to address

Safety, Performance, and

Quality Requirements

RABLE MEDIC
Future Research EA AL
and Policy
Analyses
W Cybersecurity and
Interoperability
Requirements

DE
U
NCING THE E

VIC
E ECOSY
Human Factors Privacy, Data
Protection, and
A

Data Governance
H

Requirements
EN

EM

Technology Protection and

Transfers Governance of
IP Rights

Value Assessment
and Reimbursement
 JRC EXTERNAL STUDY 113

5. Conclusions
Based on the analysis of trends, opportunities, chal- to ensure predictable pathways for certification and
lenges and barriers affecting digital health (and consistent assessments (Chapter 4.5).
specifically, wearable medical devices) in the EU,
several pressing issues need to be addressed to help In cases where a wearable medical device (or its com-
the ecosystem to thrive. There is a real risk that with- ponent) contains an AI system, it would be important
out corrective legislative interventions and impactful to clarify the interaction of the AI Act with the MDR to
policy measures, stakeholders and the health systems clarify what the integration of “necessary testing and
of EU Member States will experience further diffi- reporting processes, information and documentation”
culties. The following eight action points provide key provided according to the MDR would entail in terms
recommendations on what policy-makers (primarily of demonstrating compliance with specific require-
at EU level, in cooperation with Member States and ments under the AI Act. This could help to streamline
stakeholders) could do to support innovation, regu- conformity assessment procedures (Chapter 3.1.4).
lation, financing, technology transfers and further
uptake of wearable medical devices in a trustworthy 2. Cybersecurity and interoperability
manner. requirements:

Legislative recommendations: The Guidance on Cybersecurity for Medical Devices

(MDCG 2019-16 rev. 1) needs to be updated to
1. Safety, performance and quality clarify the interaction between the cybersecurity
requirements: requirements under the MDR and other EU legislations
(including the Cybersecurity Act and the AI Act). The
Due to the ambivalent legal status of wearables MDCG could consider a more holistic approach when
between the highly regulated domain of ‘medical determining the meaning of ‘joint responsibility’ of
devices’ and the less regulated sphere of ‘wellness stakeholders in ensuring a secured environment for
applications’, it would be important to make the the benefit of patients’ safety, including cybersecurity
borderline between medical devices and wellness aspects (Chapter 3.2.2.1).
applications clearer (Chapter 3.1.1). Given the com-
plexity of digital health solutions, the definition of To streamline compliance requirements and decrease
‘medical device’ under the MDR would require further compliance costs for manufacturers (providers, con-
clarification (or refinement) to ensure its consistent trollers) in relation to the placing of the market of
application. In particular, it would be useful to clarify wearable medical devices (for the purpose of pro-
the application of the MDR to the physical hardware cessing personal data and/or including an AI system
and interconnected software components of a (wear- component), it would be useful to develop a consol-
able) medical device, as well as the objective medical idated European cybersecurity certification scheme
functions that a device should fulfil and the manufac- envisaged under the Cybersecurity Act which would
turer’s subjective intention, in line with the case law of allow the demonstration of compliance with multiple
the CJEU (Chapter 3.1.2). Furthermore, stakeholders (often overlapping) cybersecurity legal frameworks
share concerns that the conformity assessment proce- under the MDR, the AI Act and the GDPR (Chapters
dures under the MDR are complex, slow and costly. For 3.2.2.4, 3.2.3.1 and 3.2.4.1).
this reason, the MDR needs to be fine-tuned (and its
implementation supported with appropriate resources)
114 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

It would be useful to clarify the conditions under which (Chapter 4.2). As stakeholders have also pointed out,
a manufacturer may/should claim that its wearable potential solutions could include building on recent
medical device is ‘interoperable’ with (one or more) initiatives developed by some Member States (e.g.
EHR systems and the application of relevant require- DiGA, mHealth validation pyramid, Pecan), a more fit-
ments under Annex II of the EHDS (Chapter 3.2.5.3). for-purpose and dynamic implementation of Health
Technology Assessment (HTA), and standardising
3. Privacy, data protection and data govern- mechanisms for generating evidence and demonstrat-
ance requirements: ing effectiveness, including in real-world environment
(Chapter 4.5).
It would be important to fine-tune the EHDS to miti-
gate potential risks which stem from its inconsistency 6. Technology transfers:
with the GDPR and the Data Act in relation to both
primary and secondary use of electronic health data. Policy measures are instrumental in developing more
The proper application of definitions (e.g. ‘personal’ effective industrial strategies to foster innovation,
and ‘non-personal electronic health data’), the rights competitiveness and market growth in the European
of data subjects / natural persons / users, and the digital health sector. It would be important to adopt
corresponding obligations of controllers / health data effective measures to support technology transfers in
holders / data holders in the context of wearable med- the medtech sector by addressing the following areas:
ical devices are riddled with uncertainties (Chapters intra- and intersectoral collaborations; funding and
3.3.4, 3.3.6 and 3.3.7). Data processing by wearable financing; innovation and networking services; regu-
medical devices is an illustrative use case to assess lation, standardisation and interoperability; protection
the potential shortcomings of regulatory requirements and management of IP rights; and purpose-specific
in the new EU legal landscape for digital health. It (re)skilling and transferability of skills (Chapter 4.3).
also highlights the importance of addressing privacy
risks (which may not be covered by data protection 7. Human factors:
law) that may arise from the use of wearable medical
devices in IoT and big data environments (Chapter There is a need to combine top-down and bottom-up
3.3.1). approaches to improve skills, digital health literacy,
and increase the trust of stakeholders in the use of
4. Governance of IP rights: digital health solutions, including wearable medical
devices. In addition to tailored educational and train-
To maintain adequate incentives for digital health ing programs, information campaigns and stakeholder
innovation in the EU, it would be essential to fine- collaborations, such as citizen science programs and
tune the EHDS (and align it with international IP law) co-creation, could support those goals (Chapter 4.4).
to provide effective safeguards for protecting the
acquired rights of IP rights holders when electronic Suggestions for future analyses:
health data from wearable medical devices that is
subject to IP rights are made available for secondary 8. Future research and policy analyses:
use purposes (Chapter 3.4).
With regard to technological advancements and inte-
Further recommendations for improving grations, new regulatory frameworks applicable to
competitiveness: digital health, and a heterogenous landscape for evi-
dence generation and reimbursement, there is a need
5. Value assessment and reimbursement: to conduct further research and have multi-stake-
holder discussions on important challenges affecting
Based on comparative assessment and best practices, the digital health ecosystem (and specifically, weara-
the Commission could encourage cooperation between ble medical devices) in the EU. As part of that, it would
Member States to develop and facilitate alignment be useful to identify what policy actions are suitable
(where possible) of national frameworks on value to meet the needs of stakeholders, strengthen trust
assessment and reimbursement for digital medical and improve predictability in the sector.
devices (and interconnected technologies), considering
the specific use cases of wearable medical devices
 JRC EXTERNAL STUDY 115

References

OJ L 119, 4.5.2016, pp. 1–88, ELI: http://data.europa.eu/

International treaties
eli/reg/2016/679/oj.
Paris Convention for the Protection of Industrial Property (Paris, Regulation (EU) 2017/745 of the European Parliament and of
20 March 1883, as amended on 28 September 1979), the Council of 5 April 2017 on medical devices, amending
https://www.wipo.int/wipolex/en/text/288514. Directive 2001/83/EC, Regulation (EC) No 178/2002 and
Berne Convention for the Protection of Literary and Artistic Regulation (EC) No 1223/2009 and repealing Council
Works (Paris, 9 September 1886, as amended on 28 Directives 90/385/EEC and 93/42/EEC, OJ L 117, 5.5.2017,
September 1979), https://www.wipo.int/wipolex/en/ pp. 1–175, ELI: http://data.europa.eu/eli/reg/2017/745/oj.
text/283698. Regulation (EU) 2017/746 of the European Parliament and of
Patent Cooperation Treaty (Washington, 19 June 1970, as in the Council of 5 April 2017 on in vitro diagnostic medical
force from 1 April 2002), https://www.wipo.int/pct/en/texts/ devices and repealing Directive 98/79/EC and Commission
articles/atoc.html. Decision 2010/227/EU, OJ L 117, 5.5.2017, pp. 176–332,
Convention on the Grant of European Patents (European Patent ELI: http://data.europa.eu/eli/reg/2017/746/oj.
Convention) (5 October 1973, as revised by the Act revising Regulation (EU) 2019/881 of the European Parliament and
Article 63 EPC of 17 December 1991 and the Act revising of the Council of 17 April 2019 on ENISA (the European
the EPC of 29 November 2000), Article 52, https://www. Union Agency for Cybersecurity) and on information and
epo.org/en/legal/epc/2020/a52.html. communications technology cybersecurity certification and
Marrakesh Agreement Establishing the World Trade Organization repealing Regulation (EU) No 526/2013 (Cybersecurity Act),
(Marrakesh, 15 April 1994), Annex 1C: Agreement on Trade- OJ L 151, 7.6.2019, pp. 15–69, ELI: http://data.europa.eu/
Related Aspects of Intellectual Property Rights (amended eli/reg/2019/881/oj.
through the Protocol of 6 December 2005 that entered into Regulation (EU) 2021/2282 of 15 December 2021 on health
force on 23 January 2017), https://www.wto.org/english/ technology assessment and amending Directive 2011/24/
docs_e/legal_e/31bis_trips_01_e.htm. EU (Text with EEA relevance) Regulation (EU) 2021/2282 of
WIPO Copyright Treaty (Geneva, 20 December 1996), https:// 15 December 2021 on health technology assessment and
www.wipo.int/wipolex/en/text/295166#P56_5626. amending Directive 2011/24/EU, OJ L 458, 22.12.2021, pp.
1–32, http://data.europa.eu/eli/reg/2021/2282/oj.
Regulation (EU) 2022/123 of the European Parliament and of
the Council of 25 January 2022 on a reinforced role for
EU legislation
the European Medicines Agency in crisis preparedness and
Consolidated version of the Treaty on the Functioning of the management for medicinal products and medical devices,
European Union, OJ C 115, 9.5.2008, pp. 47–388, ELI: OJ L 20, 31.1.2022, pp. 1–37, ELI: http://data.europa.eu/
https://data.europa.eu/eli/treaty/tfeu_2008/oj. eli/reg/2022/123/oj.
Charter of Fundamental Rights of the European Union, OJ C Regulation (EU) 2022/868 of the European Parliament and of
326, 26.10.2012, pp. 391–407, ELI: http://data.europa.eu/ the Council of 30 May 2022 on European data governance
eli/treaty/char_2012/oj. and amending Regulation (EU) 2018/1724 (Data
Explanations relating to the Charter of Fundamental Governance Act) http://data.europa.eu/eli/reg/2022/868/oj.
Rights, OJ C 303, 14.12.2007, pp. 17–35 at Regulation (EU) 2023/988 of the European Parliament and
20, https://eur-lex.europa.eu/legal-content/EN/ of the Council of 10 May 2023 on general product safety,
TXT/?uri=uriserv:OJ.C_.2007.303.01.0017.01.ENG. amending Regulation (EU) No 1025/2012 of the European
Regulation (EU) No 1257/2012 of the European Parliament Parliament and of the Council and Directive (EU) 2020/1828
and of the Council of 17 December 2012 implementing of the European Parliament and the Council, and repealing
enhanced cooperation in the area of the creation of unitary Directive 2001/95/EC of the European Parliament and of
patent protection, OJ L 361, 31.12.2012, pp. 1–8, ELI: http:// the Council and Council Directive 87/357/EEC, OJ L 135,
data.europa.eu/eli/reg/2012/1257/oj. 23.5.2023, pp. 1–51, ELI: https://eur-lex.europa.eu/eli/
reg/2023/988/oj.
Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural Regulation (EU) 2023/2854 of the European Parliament and of
persons with regard to the processing of personal data the Council of 13 December 2023 on harmonised rules on
and on the free movement of such data, and repealing fair access to and use of data and amending Regulation
Directive 95/46/EC (General Data Protection Regulation), (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act),
116 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

OJ L, 2023/2854, 22.12.2023, ELI: https://eur-lex.europa. Directive (EU) 2016/943 of the European Parliament and of the
eu/eli/reg/2023/2854. Council of 8 June 2016 on the protection of undisclosed
Regulation (EU) 2024/1689 of the European Parliament and know-how and business information (trade secrets)
of the Council of 13 June 2024 laying down harmonised against their unlawful acquisition, use and disclosure, OJ
rules on artificial intelligence and amending Regulations L 157, 15.6.2016, pp. 1–18, ELI: http://data.europa.eu/eli/
(EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, dir/2016/943/oj.
(EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directive (EU) 2022/2555 of the European Parliament and
Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 of the Council of 14 December 2022 on measures for
(Artificial Intelligence Act), OJ L, 2024/1689, 12.7.2024, a high common level of cybersecurity across the Union,
ELI: http://data.europa.eu/eli/reg/2024/1689/oj. amending Regulation (EU) No 910/2014 and Directive (EU)
Regulation (EU) 2024/… of the European Parliament and of 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2
the Council on horizontal cybersecurity requirements for Directive), OJ L 333, 27.12.2022, pp. 80–152, ELI: http://
products with digital elements and amending Regulations data.europa.eu/eli/dir/2022/2555/oj.
(EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) Commission Regulation (EU) No 207/2012 of 9 March 2012
2020/1828 (Cyber Resilience Act) (position of the European on electronic instructions for use of medical devices, OJ
Parliament adopted at first reading on 12 March 2024, L 72, 10.3.2012, pp. 28–31. ELI: http://data.europa.eu/eli/
awaiting Council's 1st reading position), ELI: https://eur-lex. reg/2012/207/oj.
europa.eu/legal-content/EN/HIS/?uri=celex:52022PC0454. Commission Delegated Regulation (EU) 2022/30 of 29 October
Proposal for a Regulation on the European Health Data Space 2021 supplementing Directive 2014/53/EU of the European
- Mandate for negotiations with the European Parliament, Parliament and of the Council with regard to the application
General Secretariat of the Council, Brussels, 7 December of the essential requirements referred to in Article 3(3),
2023, https://data.consilium.europa.eu/doc/document/ points (d), (e) and (f), of that Directive, OJ L 7, 12.1.2022,
ST-16048-2023-REV-1/en/pdf. pp. 6–10, ELI: http://data.europa.eu/eli/reg_del/2022/30/oj.
Amendments adopted by the European Parliament on 13 U.S. Code of Federal Regulations, Title 21 (Parts 1–1499)
December 2023 on the proposal for a regulation of (1 April 2024) https://www.govinfo.gov/app/collection/
the European Parliament and of the Council on the cfr/2024/title21.
European Health Data Space, Strasbourg, 13 December US Federal Food Drug & Cosmetic Act (FD&C Act). https://
2023, https://www.europarl.europa.eu/doceo/document/ www.fda.gov/regulatory-information/laws-enforced-fda/
TA-9-2023-0462_EN.html. federal-food-drug-and-cosmetic-act-fdc-act.
Proposal for a Regulation on the European Health Data Space
- Analysis of the final compromise text with a view to
agreement, 18 March 2024, https://www.consilium.europa.
eu/media/70909/st07553-en24.pdf see also https://eur-lex. Case law (judicial and authoritative acts)
europa.eu/legal-content/EN/HIS/?uri=celex:52022PC0197. Brain Products GmbH v. BioSemi VOF and Others (C-219/11),
Directive 96/9/EC of the European Parliament and of the Council Judgment of the Court (Third Chamber), 22 November
of 11 March 1996 on the legal protection of databases, 2012, Court Reports – Court of Justice, ECLI:EU:C:2012:742,
OJ L 77, 27.3.1996, pp. 20–28, ELI: http://data.europa.eu/ https://curia.europa.eu/juris/liste.jsf?num=C-219/11.
eli/dir/1996/9/oj. Brain Products GmbH v. BioSemi VOF and Others (C-219/11),
Directive 2002/58/EC of the European Parliament and of the Opinion of Advocate General Mengozzi, 15 May 2012, Court
Council of 12 July 2002 concerning the processing of Reports – Court of Justice, ECLI:EU:C:2012:299, https://
personal data and the protection of privacy in the electronic curia.europa.eu/juris/liste.jsf?num=C-219/11.
communications sector (Directive on privacy and electronic Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV
communications), OJ L 201, 31.7.2002, pp. 37–47, ELI: (C-40/17), Judgment of the Court (Second Chamber), 29 July
http://data.europa.eu/eli/dir/2002/58/oj. 2019, Court Reports – General Court, ECLI:EU:C:2019:629,
Directive 2011/24/EU of the European Parliament and of the https://curia.europa.eu/juris/liste.jsf?num=C-40/17.
Council of 9 March 2011 on the application of patients’ Fixtures Marketing Ltd v Organismos prognostikon agonon
rights in cross-border healthcare, OJ L 88, 4.4.2011, pp. podosfairou AE (OPAP) (C-444/02), Judgment of the Court
45–65. ELI: https://data.europa.eu/eli/dir/2011/24/oj. (Grand Chamber), 9 November 2004, European Court
Directive 2014/53/EU of the European Parliament and of the Reports 2004 I-10549, EU:C:2004:697, https://curia.europa.
Council of 16 April 2014 on the harmonisation of the laws eu/juris/liste.jsf?num=C-444/02.
of the Member States relating to the making available on Fixtures Marketing v Oy Veikkaus AB (C-46/02), Judgment of
the market of radio equipment and repealing Directive the Court (Grand Chamber), 9 November 2004, European
1999/5/EC, OJ L 153, 22.5.2014, pp. 62–106, ELI: https:// Court Reports 2004 I-10365, EU:C:2004:694, https://curia.
eur-lex.europa.eu/eli/dir/2014/53/oj. europa.eu/juris/liste.jsf?num=C-46/02.
 JRC EXTERNAL STUDY 117

Fixtures Marketing v Svenska Spel AB (C-338/02), Judgment of Article 29 Data Protection Working Party, Letter from the ART 29
the Court (Grand Chamber), 9 November 2004, European WP to the European Commission, DG CONNECT on mHealth,
Court Reports 2004 I-10497, EU:C:2004:696, https://curia. Annex – health data in apps and devices, 5 February 2015,
europa.eu/juris/liste.jsf?num=C-338/02. https://ec.europa.eu/justice/article-29/documentation/
Laboratoires Lyocentre v Lääkealan turvallisuus– ja other-document/files/2015/20150205_letter_art29wp_
kehittämiskeskus, Sosiaali– ja terveysalan lupa– ja ec_health_data_after_plenary_annex_en.pdf.
valvontavirasto (C-109/12), Opinion of Advocate General Article 29 Data Protection Working Party, Opinion 05/2014
Sharpston, 30 May 2013, Court Reports – Court of Justice, on Anonymisation Techniques (WP 216), 10 April 2014,
ECLI:EU:C:2013:353, https://curia.europa.eu/juris/liste. https://ec.europa.eu/justice/article-29/documentation/
jsf?num=C-109/12. opinion-recommendation/files/2014/wp216_en.pdf.
Qualification opinion on ingestible sensor system for Article 29 Data Protection Working Party, Opinion 06/2014 on
medication adherence as biomarker for measuring patient the notion of legitimate interests of the data controller
adherence to medication in clinical trials (EMA/CHMP/ under Article 7 of Directive 95/46/EC (WP 217), 9 April 2014,
SAWP/513571/2015), 15 February 2016, European https://ec.europa.eu/justice/article-29/documentation/
Medicines Agency Committee for Medicinal Products opinion-recommendation/files/2014/wp217_en.pdf.
for Human Use, London, https://www.ema.europa.eu/ Article 29 Data Protection Working Party, Opinion 8/2014 on
documents/regulatory-procedural-guideline/qualification- the on Recent Developments on the Internet of Things (WP
opinion-ingestible-sensor-system-medication-adherence- 223), 16 September 2014, https://ec.europa.eu/justice/
biomarker-measuring-patient_en.pdf. article-29/documentation/opinion-recommendation/
Patrick Breyer v. Bundesrepublik Deutschland (C‑582/14), files/2014/wp223_en.pdf.
Judgment of the Court (Second Chamber), 19 October Article 29 Data Protection Working Party, Guidelines on the right
2016, Court Reports – Court of Justice, ECLI:EU:C:2016:779, to data portability (rev. 01), 5 April 2017, https://ec.europa.
para. 24, https://eur-lex.europa.eu/legal-content/EN/ eu/newsroom/article29/items/611233.
TXT/?uri=CELEX:62014CJ0582.
Article 29 Data Protection Working Party, Guidelines on
Syndicat national de l’industrie des technologies médicales Automated individual decision-making and Profiling for
(Snitem), Philips France v Premier ministre, Ministre des the purposes of Regulation 2016/679 (WP 251rev.01), 3
Affaires sociales et de la Santé (C-329/16), Opinion of October 2017 (as last revised and adopted on 6 February
Advocate General Campos Sánchez-Bordona, 28 June 2018), https://ec.europa.eu/newsroom/article29/redirection/
2017, Court Reports – Court of Justice, ECLI:EU:C:2017:501, document/49826.
https://curia.europa.eu/juris/liste.jsf?num=C-329/16.
European Commission, Clinical Investigation: A Guide for
Syndicat national de l’industrie des technologies médicales Manufacturers and Notified Bodies under Directives
(Snitem), Philips France v Premier ministre, Ministre des 93/42/EEC or 90/385/EEC – Guidelines on Medical Devices
Affaires sociales et de la Santé (C-329/16), Judgment (MEDDEV 2.7/1 revision 4), June 2016, http://www.
of the Court (Fourth Chamber), 7 December 2017, Court ec.europa.eu/DocsRoom/documents/17522/attachments/1/
Reports – Court of Justice, ECLI:EU:C:2017:947, https:// translations/en/renditions/native.
curia.europa.eu/juris/liste.jsf?num=C-329/16.
European Data Protection Board, Guidelines 3/2018 on
The British Horseracing Board Ltd and Others v William Hill the territorial scope of the GDPR (Article 3) (v. 2.1), 12
Organization Ltd. (C-203/02), Judgment of the Court (Grand November 2019, https://edpb.europa.eu/sites/default/files/
Chamber), 9 November 2004, European Court Reports files/file1/edpb_guidelines_3_2018_territorial_scope_
2004 I-10415, EU:C:2004:695, https://curia.europa.eu/juris/ after_public_consultation_en_1.pdf.
liste.jsf?num=C-203/02.
European Data Protection Board, Guidelines 05/2020 on
Unabhängiges Landeszentrum für Datenschutz Schleswig- consent under Regulation 2016/679 (v. 1.1), 4 May 2020,
Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, https://www.edpb.europa.eu/sites/default/files/files/file1/
Judgment of the Court (Grand Chamber) (C-210/16), 5 June edpb_guidelines_202005_consent_en.pdf.
2018, Court Reports – Court of Justice, ECLI:EU:C:2018:388,
European Data Protection Board, Guidelines 07/2020
https://curia.europa.eu/juris/liste.jsf?num=C-210/16.
on the concepts of controller and processor
in the GDPR, 2 September 2020, https://edpb.
europa.eu/sites/default/files/consultation/
Soft law (e.g. standards, guidelines) edpb_guidelines_202007_controllerprocessor_en.pdf.
European Data Protection Board, Guidelines 01/2022 on
Article 29 Data Protection Working Party, Opinion 4/2007 on
data subject rights - Right of access, 18 January 2022,
the concept of personal data (WP 136), 20 June 2007,
https://www.edpb.europa.eu/system/files/2023-04/
https://ec.europa.eu/justice/article-29/documentation/
edpb_guidelines_202201_data_subject_rights_access_
opinion-recommendation/files/2007/wp136_en.pdf.
v2_en.pdf.
118 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

European Data Protection Board, Guidelines 9/2022 on (06/2012), International Telecommunication Union, Geneva,
personal data breach notification under GDPR (v. 2), 2012, https://www.itu.int/rec/T-REC-Y.2060-201206-I.
28 March 2023, https://www.edpb.europa.eu/system/ International Telecommunication Union, Information
files/2023-04/edpb_guidelines_202209_personal_data_ technology – Cloud computing – Overview and vocabulary.
breach_notification_v2.0_en.pdf. Recommendation Y.3500 (08/14), International
European Data Protection Board, European Data Protection Telecommunication Union, Geneva, 2014, https://www.
Supervisor, EDPB-EDPS Joint Opinion 2/2022 on the itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-Y.3500-
Proposal of the European Parliament and of the Council 201408-I!!PDF-E&type=items.
on harmonised rules on fair access to and use of data (Data International Telecommunication Union, Big data – Cloud
Act), 4 May 2022, https://www.edpb.europa.eu/system/ computing based requirements and capabilities.
files/2022-05/edpb-edps_joint_opinion_22022_on_data_ Recommendation Y.3600 (11/2015), International
act_proposal_en.pdf. Telecommunication Union, Geneva, 2015, https://www.itu.
European Data Protection Board, European Data Protection int/rec/T-REC-Y.3600/en.
Supervisor, EDPB-EDPS Joint Opinion 03/2022 on the International Telecommunication Union, Requirements of
Proposal for a Regulation on the European Health Data the network for the Internet of things. Recommendation
Space, 12 July 2022, https://www.edpb.europa.eu/ ITU-T Y.4113 (09/2016), International Telecommunication
system/files/2022-07/edpb_edps_jointopinion_202203_ Union, Geneva, 2016, https://www.itu.int/
europeanhealthdataspace_en.pdf. rec/T-REC-Y.4113-201609-I/en.
European Ethical Principles For Digital Health, 21st eHealth Medical Device Coordination Group, Guidance on Qualification
Network meeting, 1–2 June 2022, https://www.coe.int/ru/ and Classification of Software in Regulation (EU) 2017/745
web/bioethics/access-to-digital-spaces-to-understand- – MDR and Regulation (EU) 2017/746 – IVDR (MDCG
and-use-health-services/-/highest_rated_assets/ 2019-11), 11 October 2019, https://ec.europa.eu/health/
nTmcJLi8P0UU/content/european-union-european-ethical- sites/default/files/md_sector/docs/md_mdcg_2019_11_
principles-for-digital-health. guidance_qualification_classification_software_en.pdf.
European Telecommunications Standards Institute, ETSI Medical Device Coordination Group, Guidance on Cybersecurity
TR 102 764 V1.1.1 (2009-02): eHEALTH; Architecture; for medical devices (MDCG 2019-16 rev. 1), December
Analysis of user service models, technologies and 2019, https://health.ec.europa.eu/document/download/
applications supporting eHealth, Technical Report, European b23b362f-8a56-434c-922a-5b3ca4d0a7a1_
Telecommunications Standards Institute, Sophia Antipolis, en?filename=md_cybersecurity_en.pdf
2009, https://www.etsi.org/deliver/etsi_tr/102700_102799
Medical Device Coordination Group, Clinical Evaluation –
/102764/01.01.01_60/tr_102764v010101p.pdf.
Equivalence: A guide for manufacturers and notified bodies
European Telecommunications Standards Institute, ETSI TR (MDCG 2020-5), April 2020, https://health.ec.europa.eu/
103 477 V1.2.1 (2020-08): eHEALTH; Standardization system/files/2020-09/md_mdcg_2020_5_guidance_
use cases for eHealth, Technical Report, European clinical_evaluation_equivalence_en_0.pdf.
Telecommunications Standards Institute, Sophia Antipolis,
Medical Device Coordination Group, Regulation (EU) 2017/745:
2020, https://www.etsi.org/deliver/etsi_tr/103400_103499
Clinical evidence needed for medical devices previously CE
/103477/01.02.01_60/tr_103477v010201p.pdf.
marked under Directives 93/42/EEC or 90/385/EEC. A guide
IEEE Standards Association, IEEE 2413-2019 - IEEE Standard for manufacturers and notified bodies (MDCG 2020-6), 23
for an Architectural Framework for the Internet of Things April 2020, https://health.ec.europa.eu/document/download/
(IoT), IEEE Standards Association, Piscataway, 2019, https:// a6d29444-b5d5-4afb-8024-10be85256aa7_en.
standards.ieee.org/ieee/2413/6226.
U.S. Department of Health and Human Services, Food and
International Medical Device Regulators Forum, Software as a Drug Administration, Information Sheet Guidance For
Medical Device (SaMD): Key Definitions, IMDRF/SaMD WG/ IRBs, Clinical Investigators, and Sponsors - Frequently
N10FINAL:2013, 9 December 2013, https://www.imdrf.org/ Asked Questions About Medical Devices, Silver Spring,
sites/default/files/docs/imdrf/final/technical/imdrf-tech- 2006, https://www.fda.gov/files/about%20fda/published/
131209-samd-key-definitions-140901.pdf. Frequently-Asked-Questions-About-Medical-Devices---
International Organization for Standardization, International Information-Sheet.pdf.
Electrotechnical Commission, ISO/IEC 30141:2018(en) U.S. Department of Health and Human Services, Food and Drug
Internet of Things (loT) — Reference Architecture, International Administration, FDA 522 Postmarket Surveillance Studies
Organization for Standardization, Geneva, 2018, https:// Database, https://www.accessdata.fda.gov/scripts/cdrh/
www.iso.org/obp/ui/#iso:std:iso-iec:30141:ed-1:v1:en. cfdocs/cfPMA/pss.cfm.
International Telecommunication Union, Overview of the
Internet of things. Recommendation ITU-T Y.4000/Y.2060
 JRC EXTERNAL STUDY 119

Humanized Computing, Vol. 8, 2017, pp. 273–289, https://

Bibliography (including policy documents)
doi.org/10.1007/s12652-016-0387-y.
Abdolkhani, R., Gray, K., Borda, A. et al., ‘Quality Assurance of Badnjević, A., Pokvić, L.G., Deumić, A. et al. ‘Post-Market
Health Wearables Data: Participatory Workshop on Barriers, Surveillance of Medical Devices: A Review’, Technology
Solutions, and Expectations’, JMIR mHealth and uHealth, and Health Care, Vol. 30, No. 6, pp. 1315–1329, https://
Vol. 8 No. 1, 2020, https://doi.org/10.2196/15329. doi.org/10.3233/THC-220284.
Afuah, A., Innovation Management: Strategies, Implementation, Baker, S. B., Xiang, W., Atkinson, I., ‘Internet of Things for Smart
and Profits, Second Edition, New York, Oxford University Healthcare: Technologies, Challenges, and Opportunities’,
Press, 2003. IEEE Access, Vol. 5, 2017, pp. 26521–26544, https://doi.
Al-Faruque, F., Califf: New systems needed for bringing org/10.1109/ACCESS.2017.2775180.
rare disease treatments, at-home devices to market, Banerjee, S., Hemphill, T., Longstreet, P., ‘Wearable Devices and
Regulatory Focus, 15 February 2024, https://www. Healthcare: Data Sharing and Privacy’, The Information
raps.org/news-and-articles/news-articles/2024/2/ Society, Vol. 34, No. 1, 2018, pp. 49–57, https://doi.org/10
califf-new-systems-needed-for-bringing-rare-diseas. .1080/01972243.2017.1391912.
Alharbi, R., Almagwashi, H., ‘The Privacy Requirements Bardenheuer, K., Van Speybroeck, M., Hague, C. et al.,
for Wearable IoT Devices in Healthcare Domain’, 7th ‘Haematology Outcomes Network in Europe (HONEUR)—A
International Conference on Future Internet of Things and collaborative, interdisciplinary platform to harness the
Cloud Workshops (FiCloudW), Istanbul, 26–28 August 2019, potential of real-world data in hematology’, European
pp. 18–25, https://doi.org/10.1109/FiCloudW.2019.00017. Journal of Haematology, Vol. 109 No. 2, 2022, pp. 138–
Anmulwar, S., Gupta, A. K., Derawi, M., ‘Challenges of IoT in 145, https://doi.org/10.1111/ejh.13780.
Healthcare’, in: IoT and ICT for Healthcare Applications, Bayer, ‘Bayer and Samsung take action against sleep
edited by N. Gupta, S. Paiva, Springer, Cham, 2020, pp. disturbances associated with menopause’, Bayer,
11–20, https://doi.org/10.1007/978-3-030-42934-8_2. 3 June 2024, https://www.bayer.com/media/en-us/
Antunes, L., ‘What if biosensors could help treat rare bayer-and-samsung-take-action-against-sleep-
diseases?’, Scientific Foresight: What if?, European disturbances-associated-with-menopause/.
Parliamentary Research Service, 2023, https://www. Beck, A., Retél, V., Bhairosing, P. et al., ‘Barriers and Facilitators
europarl.europa.eu/RegData/etudes/ATAG/2023/747441/ of Patient Access to Medical Devices in Europe: A
EPRS_ATA(2023)747441_EN.pdf. Systematic Literature Review’, Health Policy, Vol. 123
Aplin, T., Liddicoat, J., Discussion Paper on the Interplay between No. 12, 2019, pp. 1185–1198, https://doi.org/10.1016/j.
Patents and Trade Secrets in Medical Technologies, WIPO, healthpol.2019.10.002.
October 2023, https://www.wipo.int/edocs/mdocs/scp/en/ Beckers, R., Kwade, Z., Zanca, F., ‘The EU medical device
wipo_ip_covid_ge_2_22/wipo_ip_covid_ge_2_22_paper. regulation: Implications for artificial intelligence-based
pdf. medical device software in medical physics’, Physica
Arias López, M. D. P., Ong, B. A., Borrat Frigola, X. et al., ‘Digital Medica, Vol. 83, 2021, pp. 1–8., https://doi.org/10.1016/j.
literacy as a new determinant of health: A scoping review’, ejmp.2021.02.011.
PLOS Digit Health, Vol. 2, No. 10, e0000279, 2023, pp. Belichenova, A.I., ‘Reimburcement Policies And Health
1–21, https://doi.org/10.1371%2Fjournal.pdig.0000279. Technology Assessment Of Medical Devices In European
Arnow, G., ‘Apple Watch-Ing You: Why Wearable Technology Countries’, Economics and Management, South-West
Should Be Federally Regulated’, Loyola of Los Angeles University ‘Neofit Rilski’ Blagoevgrad, Vol. 17, No. 2,
Law Review, Vol. 49 No. 3, 2016, pp. 607–34, https:// 2020, pp. 163–170, https://ideas.repec.org/a/neo/journl/
digitalcommons.lmu.edu/llr/vol49/iss3/2/. v17y2020i2p163-170.html.
Assenza, G., Fioravanti, C., Guarino, S. et al., ‘New Perspectives Beregi, R., Pedone, G., Mezgár, I., ‘A novel fluid architecture
on Wearable Devices and Electronic Health Record Systems’, for cyber-physical production systems’, International
2020 IEEE International Workshop on Metrology for Industry Journal of Computer Integrated Manufacturing, Vol. 32
4.0 & IoT, Rome, 3–5 June 2020, pp. 740–745, https://doi. No. 4–5, 2019, pp. 340–351, https://doi.org/10.1080/095
org/10.1109/MetroInd4.0IoT48571.2020.9138170. 1192X.2019.1571239.
Attrey, A., Lesher, M., Lomax, C. ‘The role of sandboxes in Bergmann, J.H.M., Chandaria, V., McGregor, A., ‘Wearable and
promoting flexibility and innovation in the digital age’, Implantable Sensors: The Patient’s Perspective’, Sensors,
OECD Going Digital Toolkit Note, No. 2, OECD Publishing, Vol. 12 No. 12, 2012, pp. 16695–16709, https://doi.
Paris, 2020, https://doi.org/10.1787/cdf5ed45-en. org/10.3390/s121216695.
Azimi, I., Rahmani, A. M., Liljeberg, P. et al., ‘Internet of Bhaskar, S., Bradley, S., Chattu, V. K. et al., ‘Telemedicine Across
things for remote elderly monitoring: a study from user- the Globe-Position Paper From the COVID-19 Pandemic
centered perspective’, Journal of Ambient Intelligence and Health System Resilience PROGRAM (REPROGRAM)
International Consortium (Part 1)’, Frontiers in Public
120 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Health, Vol. 8 No. 556720, 2020, pp. 1–15, https://doi. Busse, T. S., Nitsche, J., Kernebeck, S. et al., ‘Approaches to
org/10.3389/fslapubh.2020.556720. Improvement of Digital Health Literacy (eHL) in the
Biasin, E., Kamenjasevic, B., ‘Cybersecurity of Medical Devices: Context of Person-Centered Care’, International Journal
Regulatory Challenges in the EU’, in: ‘The Future of Medical of Environmental Research and Public Health, Vol. 19,
Device Regulation: Innovation and Protection’, edited by I. G. No. 14, 8309, 2022, pp. 1–11, https://doi.org/10.3390/
Cohen et. al., Cambridge University Press, Cambridge, 2022, ijerph19148309.
pp. 51–62, https://doi.org/10.1017/9781108975452. Caiani, E. G., Kemps, H., Hoogendoorn P. et al., ‘Standardised
Biasin, E., Yaşar, B., Kamenjašević, E., ‘New Cybersecurity assessment of evidence supporting the adoption of mobile
Requirements for Medical Devices in the EU: The health solutions: A Clinical Consensus Statement of the
Forthcoming European Health Data Space, Data Act, and ESC Regulatory Affairs Committee’, European Heart Journal
Artificial Intelligence Act’, Law, Technology and Humans’, - Digital Health, ztae042, 2024, https://doi.org/10.1093/
Vol. 5 No. 5, 2023, pp. 43–58, https://doi.org/10.5204/ ehjdh/ztae042.
lthj.3068. Cajita, M.I., Hodgson, N.A., Lam, K.W. et al., ‘Facilitators of
Borges do Nascimento, I. J., Abdulazeem, H., Vasanthan, L. T. and Barriers to mHealth Adoption in Older Adults With
et al. ‘Barriers and facilitators to utilizing digital health Heart Failure’, CIN: Computers, Informatics, Nursing, Vol.
technologies by healthcare professionals’, npj Digital 36 No. 8, 2018, pp. 376–382, https://doi.org/10.1097/
Medicine, Vol. 6, No. 161, 2023, pp. 1 –28, https://doi. CIN.0000000000000442.
org/10.1038/s41746-023-00899-4. Cale, H., ‘Roche introduces AI-powered diabetes tracker to
Boucher, M., ‘How Connected Medical Devices Will Revolutionize predict blood sugar highs and lows’, FierceHealthcare,
Healthcare’, PTC, 13 May 2024, https://www.ptc.com/en/ 8 March 2024, https://www.fiercebiotech.com/medtech/
blogs/iiot/an-overview-of-connected-medical-devices. roche-introduces-ai-powered-diabetes-tracker-predict-
blood-sugar-highs-and-lows.
Bratan, T., Clarke, M., Jones, R., ‘Evaluation of the Practical
Feasibility and Acceptability of Home Monitoring in Cangardel, K., Volgina, D., ‘The Convergence of Consumer
Residential Homes’, Journal of Telemedicine and Telecare, Wearables & Medical Devices, Part 3: Opportunities for
Vol. 11 No. 1 (suppl), 2005, pp. 29–31, https://doi. Consumer Wearables Manufacturers’, A Blog for Blue
org/10.1258/1357633054461796. Matter, 21 November 2023, https://bluematterconsulting.
com/convergence-of-consumer-wearables-medical-
Brînzac, M. G., Kuhlmann, E., Dussault, G. et al., ‘Defining medical
devices-part-3/.
deserts—an international consensus-building exercise’,
European Journal of Public Health, Vol. 33, No. 5, 2023, Carter, S., ‘The Ultimate IP Guide for MedTech Companies: All
pp. 785–788, https://doi.org/10.1093/eurpub/ckad107. Your Questions Answered’, The Intellectual Property Works,
20 June 2023, https://theintellectualpropertyworks.co.uk/
Brönneke, J.B., Müller, J., Mouratis, K. et. al., ‘Regulatory, Legal,
the-ultimate-ip-guide-for-medtech-companies-all-your-
and Market Aspects of Smart Wearables for Cardiac
questions-answered/.
Monitoring’, Sensors, Vol. 21 No. 14, 2021, 4937, https://
doi.org/10.3390/s21144937. Casarosa, F., ‘Cybersecurity Certification of Artificial Intelligence:
A Missed Opportunity to Coordinate between the Artificial
Brophy, K., Davies, S., Olenik, S. et al., ‘The future of wearable
Intelligence Act and the Cybersecurity Act’, International
technologies’, Briefing Paper 6, Imperial College London,
Cybersecurity Law Review, Vol. 3, 2022, pp. 115–130,
London, 2021, https://doi.org/10.25561/88893.
https://doi.org/10.1365/s43439-021-00043-6.
Brückner, S., Brightwell, C., Gilbert, S., ‘FDA launches health care
Casselman, J., Onopa, N., Khansa, L., ‘Wearable Healthcare:
at home initiative to drive equity in digital medical care’,
Lessons from the Past and a Peek into the Future’,
npj Digital Medicine, Vol. 7, No. 204, 2024, pp. 1–3, https://
Telematics and Informatics, Vol. 34, No. 7, 2017, pp.
doi.org/10.1038/s41746-024-01198-2.
1011–1023, https://doi.org/10.1016/j.tele.2017.04.011.
Bruno, B., Simblett, S., Lang, L. et al., ‘Wearable Technology in
Catarinucci, L., Donno, D. D., Mainetti, L. et al., ‘An IoT-Aware
Epilepsy: The Views of Patients, Caregivers, and Healthcare
Architecture for Smart Healthcare Systems’, IEEE Internet
Professionals’, Epilepsy & Behavior, Vol. 85, 2018, pp. 141-
of Things Journal, Vol. 2 No. 6, 2015, pp. 515–526, https://
149, https://doi.org/10.1016/j.yebeh.2018.05.044.
doi.org/10.1109/JIOT.2015.2417684.
Bui, J., ‘Lack of Privacy Regulations in the Fitness and Health
CEA-Leti, ‘CEA-Leti Announces EU Project to Mimic Multi-
Mobile App Industry: Assessing the Health Insurance
Timescale Processing of Biological Neural Systems’,
Portability and Accountability Act (HIPPAA) for Meeting the
CEA Leti, 20 April 2021, https://www.cea.fr/cea-tech/
Needs of User Data Collection’, Intellectual Property and
leti/Pages/actualites/Communique%20de%20presse/
Technology Law Journal, Vol. 21 No. 1, 2016, pp. 1–20,
CEA-Leti-Announces-EU-Project-to-Mimic--Multi-
https://heinonline.org/HOL/LandingPage?handle=hein.
Timescale-Processing-of-Biological-Neural-Systems.aspx.
journals/iprop21&div=5&id=&page=.
Chip Law Group, Chintalapoodi, P., ‘How Intellectual Property
Law is Impacting the Healthcare Industry’, Lexology, 21
 JRC EXTERNAL STUDY 121

March 2023, https://www.lexology.com/library/detail. Commission Staff Working Document Impact Assessment

aspx?g=080d5c38-8773-4b13-a434-710c618bb135. Report Accompanying the Document ‘Proposal for a
Choi, H. J., ‘Technology Transfer Issues and a New Technology Regulation of the European Parliament and of the Council
Transfer Model’, The Journal of Technology Studies, Vol. 35 on the European Health Data Space, COM(2022) 197
No. 1, 2009, pp. 49–57, https://storage.googleapis.com/jnl- final - SEC(2022) 196 final - SWD(2022) 130 final -
vt-j-jts-files/journals/1/articles/104/62a6d492efaa3.pdf. SWD(2022) 132 final’, SWD(2022) 131 final, Strasbourg,
3 May 2022, https://eur-lex.europa.eu/legal-content/EN/
Cimina, V., 'The Proposal for a European Health Data Space:
TXT/?uri=CELEX%3A52022SC0131.
Between Pursued Objectives and Data Protection
Challenges', ERA Forum, Vol. 24, 2023, pp. 343–359 at Cormican, K., O’Connor, M., ‘Technology Transfer for Product Life
345, https://doi.org/10.1007/s12027-023-00764-7. Cycle Extension: A Model for Successful Implementation’,
International Journal of Innovation and Technology
Clarke, N., Vale, G., Reeves, E.P. et al., ‘GDPR: An Impediment
Management, Vol. 6 No. 3, 2009, pp. 105–114, https://doi.
to Research?’, Irish Journal of Medical Science, Vol.
org/10.1142/S0219877009001698.
188, 2019, pp. 1129–1135, https://doi.org/10.1007/
s11845-019-01980-2. Council of Europe, Steering Committee for Human Rights in the
field of Biomedicine and Health (CDBIO), Guide to Health
Clemens, S., Williams, K., Bohls, J. et al., ‘Telemedicine and
Literacy – Contributing to Trust Building and Equitable Access
Health Policy: A Systematic Review’, Health Policy and
to Healthcare, Council of Europe, Strasbourg, 2023, https://
Technology, Vol. 10 No. 1, 2021, pp. 209–229, https://doi.
rm.coe.int/inf-2022-17-guide-health-literacy/1680a9cb75.
org/10.1016/j.hlpt.2020.10.006.
Cozzolino, A., Geiger, S., ‘Ecosystem Disruption and Regulatory
Climedo, Trials24, The Patient Perspective on Clinical Trials –
Positioning: Entry Strategies of Digital Health Startup
What’s Going Well, What Needs to Change? Survey Results,
Orchestrators and Complementors’, Research Policy, Vol. 53,
Climedo, Trials24, 2023, https://climedo.de/wp-content/
No. 2, 2024, https://doi.org/10.1016/j.respol.2023.104913.
uploads/2023/03/2023_Climedo-Patient-Perspective-on-
Clinical-Trials.pdf. Csizmadia, I., Láng, R., Kis, M., ‘D5.1 - Report on policy action on
innovative use of big data in health’, Information note: WP5
Communication from the Commission on effective, accessible
Innovative Use of Health data (v. 0.3) (2 February 2020),
and resilient health systems, COM/2014/215 final, Brussels,
17th eHealth Network meeting (June 2020), eHAction: Joint
4 April 2014, https://eur-lex.europa.eu/legal-content/en/
Action to support the eHealth Network, http://ehaction.eu/
ALL/?uri=CELEX:52014DC0215.
wp-content/uploads/2020/08/03.06.2020_eHN-adopted_
Communication from the Commission to the European eHAction-D5.1-Report-on-policy-action-on-innovative-use-
Parliament, the Council, the European Economic and of-big-data-in-health_v0.3-1.pdf.
Social Committee and the Committee of the Regions
Custers, B., Vrabec, H., ‘Tell me something new: data subject
on the Mid-Term Review on the implementation of the
rights applied to inferred data and profiles’, Computer Law
Digital Single Market Strategy: A Connected Digital
& Security Review, Vol. 52 No. 105956, 2024, pp. 1–14,
Single Market for All, COM(2017) 228 final, Brussels, 10
https://doi.org/10.1016/j.clsr.2024.105956.
May 2017, https://eur-lex.europa.eu/legal-content/EN/
ALL/?uri=CELEX:52017DC0228. Dahlhausen, F., Zinner, M., Bieske, L. et al. ‘There’s an app for
that, but nobody’s using it: Insights on improving patient
Communication from the Commission to the European
access and adherence to digital therapeutics in Germany’,
Parliament, the Council, the European Economic and
DIGITAL HEALTH, Vol. 8, 2022, pp. 1–12, https://doi.
Social Committee and the Committee of the Regions on
org/10.1177/20552076221104672.
enabling the digital transformation of health and care in
the Digital Single Market; empowering citizens and building de Jongh, T., Oomens., I., Izsák, K., Strategic Value Chain
a healthier society, COM/2018/233 final, Brussels, 25 Report of Smart Health, Technopolis Group, Brighton,
April 2018, https://eur-lex.europa.eu/legal-content/EN/ 2019 (commissioned by the Strategic Forum on Important
TXT/?uri=COM:2018:233:FIN. Projects of Common European Interest) (not available
online), report supporting: Strategic Forum for Important
Commission Staff Working Document ‘Evaluation of Directive
Projects of Common European Commission, Strengthening
96/9/EC on the legal protection of databases, SWD(2018)
Strategic Value Chains for a future-ready EU Industry -
147 final’, SWD(2018) 146 final, 25 April 2018, https://
report of the Strategic Forum for Important Projects
ec.europa.eu/newsroom/dae/redirection/document/51764.
of Common European Interest, European Commission,
Commission Staff Working Document Accompanying the Brussels, 2019.
Document ‘Report from the Commission to the Council
Delgado, M., Porter, M. E., Stern, S., ‘Defining clusters of related
and the European Parliament: Final report - Sector inquiry
industries’, Journal of Economic Geography, Vol. 16 No. 1,
into consumer Internet of Things, COM(2022) 19 final’,
2016, pp. 1–38, https://doi.org/10.1093/jeg/lbv017.
SWD(2022) 10 final, Brussels, 20 January 2022, https://eur-
lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2022:10:FIN. DeNoncour, M., ‘Healthcare Technology Regulation in the US’,
in: HealthTech – Law and Regulation, edited by J. Madir,
122 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Edward Elgar Publishing, Cheltenham, 2020, pp. 80–113, Dutch Techcentre for Life Sciences, Personal Health Train,
https://doi.org/10.4337/9781839104909.00014. Utrecht, Dutch Techcentre for Life Sciences, 2024, https://
DeVore, A.D., Wosik, J., Hernandez, A.F., ‘The Future of www.dtls.nl/fair-data/personal-health-train/.
Wearables in Heart Failure Patients’, JACC: Heart Failure, Eckhardt, P., Kotovskaia, A., ‘The EU’s Cybersecurity Framework:
Vol. 7 No. 11, 2019, pp. 922–932, https://doi.org/10.1016/j. The Interplay between the Cyber Resilience Act and the
jchf.2019.08.008. NIS 2 Directive’, International Cybersecurity Law Review,
Dey, N., Ashour, A. S., Bhatt, C., ‘Internet of Things Driven Vol. 4, 2023, pp. 147–164, https://doi.org/10.1365/
Connected Healthcare’, in: Internet of Things and Big Data s43439-023-00084-z.
Technologies for Next Generation Healthcare, edited by C. EDITH, Project, EDITH European Virtual Human Twin, n.d., https://
Bhatt, N. Dey, A. S. Ashour, Springer, Cham, 2017, pp. 3–12, www.edith-csa.eu/edith/.
https://doi.org/10.1007/978-3-319-49736-5_1. EDITH, Spot on a EDITH use case: The innovative EPFL
DIGITALEUROPE, Reflection Paper on regulatory biosensing platform, EDITH European Virtual Human Twin, 5
frameworks for digital health technologies in Europe, February 2024, https://www.edith-csa.eu/2024/02/05/spot-
DIGITALEUROPE, Brussels, 2019, https://cdn.digitaleurope. on-a-edith-use-case-the-innovative-biosensing-platform/.
org/uploads/2019/04/DIGITALEUROPE-Reflection-on- Eidel, O., ‘MDR Class 1 Devices: Do They Exist (as software)?’,
regulatory-frameworks-for-digital-health-technologies- Open Regulatory, 31 August 2021, https://openregulatory.
in-Europe-.pdf. com/do-software-mdr-class-1-devices-exist.
DIGITALEUROPE, European Health Data Space (EHDS): Erkılıç, C.E., Yalçın, E., ‘Evaluation of the Wearable Technology
key issues to address in trilogues, DIGITALEUROPE, Market within the Scope of Digital Health Technologies’,
Brussels, 22 December 2023, https://cdn.digitaleurope. Gazi İktisat ve İşletme Dergisi, Vol. 6 No. 3, 2020, pp.
org/uploads/2024/01/EHDS-trilogues-DIGITALEUROPE- 310–323, https://doi.org/10.30855/gjeb.2020.6.3.006.
position-paper-1.pdf.
Essén, A., Stern, A.D., Haase, C.B. et al., ‘Health app policy:
DIGITALEUROPE, DIGITALEUROPE Executive Council for Health’s international comparison of nine countries’ approaches’,
recommendations for EU digital health policy (2024-29), npj Digital Medicine, Vol. 5, No. 31, 2022, pp. 1–10, https://
DIGITALEUROPE, Brussels, 2024, https://cdn.digitaleurope. doi.org/10.1038/s41746-022-00573-1.
org/uploads/2024/02/DIGITALEUROPE-recommendations-
European Association of Urology, European Respiratory Society,
EU-digital-health-policy-2024-29-policy-paper.pdf.
Biomedical Alliance in Europe et al., Stakeholder coalition
Dinh-Le, C., Chuang, R., Chokshi, S. et al., ‘Wearable Health calls for legislative refinement of the EHDS, 4 December
Technology and Electronic Health Record Integration: 2023, https://uroweb.org/news/stakeholder-coalition-calls-
Scoping Review and Future Directions’, JMIR mHealth for-legislative-refinement-of-the-ehds.
and uHealth, Vol. 7 No. 9, 2018, e12861, https://doi.
European Commission, Green Paper on mobile Health
org/10.2196/12861.
("mHealth"), COM/2014/0219 final, Brussels, 10 April
Drexl, J., Banda, C., Otero, B. G. et al., Position Statement of 2014, https://eur-lex.europa.eu/legal-content/EN/
the Max Planck Institute for Innovation and Competition TXT/?uri=celex:52014DC0219.
of 25 May 2022 on the Commission’s Proposal of 23
European Commission, Consumers, Health, Agriculture and
February 2022 for a Regulation on harmonised rules on
Food Executive Agency, Hansen, J., Wilson, P., Verhoeven,
fair access to and use of data (Data Act), Max Planck
E. et al., Assessment of the EU Member States’ rules on
Institute for Innovation and Competition, Munich, 2022,
health data in the light of GDPR, Publications Office of the
https://pure.mpg.de/rest/items/item_3388757/component/
European Union, Luxembourg, 2021, https://data.europa.
file_3395639/content.
eu/doi/10.2818/546193.
Drummond, M., Tarricone, R., Torbica, A., ‘European Union
European Commission, Directorate-General for Communications
Regulation of Health Technology Assessment: What Is
Networks, Content and Technology, Shaping the digital
Required for It to Succeed?’, The European Journal of
transformation in Europe, Publications Office of the
Health Economics, Vol. 23, 2022, pp. 913–915, https://doi.
European Union, Luxembourg, 2020, https://data.europa.
org/10.1007/s10198-022-01458-6.
eu/doi/10.2759/294260.
Duncker, D., Ding, W.Y., Etheridge, S. et al., ‘Smart Wearables
European Commission, Directorate-General for Communications
for Cardiac Monitoring—Real-World Use beyond Atrial
Networks, Content and Technology, Karanikolova, K.,
Fibrillation’, Sensors, Vol. 21 No. 7, 2021, 2539, https://
Chicot, J., Gkogka, A. et al., Study in support of the
doi.org/10.3390/s21072539.
evaluation of Directive 96/9/EC on the legal protection
Dunn, J., Runge, R., Snyder, M., ‘Wearables and the Medical of databases – Final report, Publications Office of the
Revolution’, Personalized Medicine, Vol. 15 No. 5, 2018, pp. European Union, Luxembourg, 2018, https://data.europa.
429–448 https://doi.org/10.2217/pme-2018-0044. eu/doi/10.2759/04895.
 JRC EXTERNAL STUDY 123

European Commission, Directorate-General for Communications European Commission, Joint Research Centre, Junklewitz,
Networks, Content and Technology, Hartmann, C., Allan, J., H., Hamon, R., André, A. et al., Cybersecurity of artificial
Hugenholtz, P. et al., Trends and developments in artificial intelligence in the AI Act – Guiding principles to address
intelligence: challenges to the intellectual property rights the cybersecurity requirement for high-risk AI systems,
framework – Final report, Publications Office of the Publications Office of the European Union, Luxembourg,
European Union, Luxembourg, 2020, https://data.europa. 2023, https://data.europa.eu/doi/10.2760/271009.
eu/doi/10.2759/683128. European Commission, Joint Research Centre, Samoili, S., López
European Commission, Directorate-General for Communications Cobo, M., Delipetrev, B. et al., AI Watch. Defining Artificial
Networks, Content and Technology, PwC, Study on eHealth, Intelligence 2.0 – Towards an operational definition and
Interoperability of Health Data and Artificial Intelligence taxonomy for the AI landscape, JRC Technical Reports,
for Health and Care in the European Union – Lot 2: Publications Office of the European Union, Luxembourg,
Artificial Intelligence for health and care in the EU, Final 2021, https://data.europa.eu/doi/10.2760/019901.
Study Report, Publications Office of the European Union, European Commission, Joint Research Centre, Soler Garrido, J.,
Luxembourg, 2021, https://ec.europa.eu/newsroom/dae/ Fano Yela, D., Panigutti, C. et al., Analysis of the preliminary
redirection/document/80948. AI standardisation work plan in support of the AI Act,
European Commission, Directorate-General for Communications Publications Office of the European Union, Luxembourg,
Networks, Content and Technology, Maier, N., De Michiel, F., 2023, https://data.europa.eu/doi/10.2760/5847.
Peter, V., et al., Study to support an impact assessment European Federation of Pharmaceutical Industry and
for the review of the database directive – Final report, Associations (EFPIA), Improving Access to Digital
Publications Office of the European Union, Luxembourg, Therapeutics in Europe, EFPIA, Brussels, 2023, pp. 7–8,
2022, https://data.europa.eu/doi/10.2759/647387. https://www.efpia.eu/media/677347/improving-access-to-
European Commission, Directorate-General for Health and digital-therapeutics-in-europe.pdf.
Food Safety, State of health in the EU – Companion report European Patent Office (EPO), Hardware and software, EPO,
2021, Publications Office of the European Union, 2022, n.d., https://www.epo.org/en/news-events/in-focus/ict/
https://data.europa.eu/doi/10.2875/835293. hardware-and-software.
European Commission, Directorate-General for Health European Society of Cardiology (ESC), What We Do, ESC, n.d.,
and Food Safety, EU initiative on a European Health https://www.escardio.org/The-ESC/What-we-do.
Data Space (EHDS): Public Consultation Factual
European Society of Cardiology (ESC), Who We Are, ESC, n.d.,
Summary Report, European Commission, Brussels,
https://www.escardio.org/The-ESC/Who-we-are.
Ref. Ares(2022)636543 – 27/01/2022, 2022,
https://ec.europa.eu/info/law/better-regulation/ European Taskforce for Harmonised Evaluations of Digital
have-your-say/initiatives/12663-Digital-health- Medical Devices (DMDs), EIT Health, n.d, https://eithealth.
data-and-services-the-European-health-data-space/ eu/external-collaborations/european-taskforce-for-
public-consultation_en. harmonised-evaluations-of-digital-medical-devices-dmds/.

European Commission, Directorate-General for Health and Facey, K., ‘Health Technology Assessment’, in: Patient
Food Safety, Lupiáñez-Villanueva, F., Gunderson, L., Vitiello, Involvement in Health Technology Assessment, edited by K.
S. et al., Study on Health Data, Digital Health and Artificial Facey, H. Ploug Hansen, A., Single. A., Adis, Singapore, 2017,
Intelligence in Healthcare, Publications Office of the pp. 3–16, https://doi.org/10.1007/978-981-10-4068-9_1.
European Union, Luxembourg, 2022, https://data.europa. Fåhraeus, D., Reichel, J., Slokenberga, S., ‘The European Health
eu/doi/10.2875/702007. Data Space: Challenges and Opportunities’, Sieps European
European Commission, Directorate-General for Health and Food Policy Analysis, 2epa, 2024, pp. 1–20, https://su.diva-portal.
Safety, State of health in the EU – Synthesis report 2023, org/smash/get/diva2:1842096/FULLTEXT01.pdf.
Publications Office of the European Union, Luxembourg, Fairbrother, P., Ure, J., Hanley., H. et al., ‘Telemonitoring for
2023, https://data.europa.eu/doi/10.2875/458883. Chronic Heart Failure: The Views of Patients and Healthcare
European Commission, Directorate-General for Internal Market, Professionals – a Qualitative Study’, Journal of Clinical
Industry, Entrepreneurship and SMEs, Izsak, K., Meier zu Nursing, Vol. 23 No. 1–2, 2013, pp. 132–144 https://doi.
Köcker, G., Ketels, C. et al., ‘Smart guide to cluster policy’, org/10.1111/jocn.12137.
Guidebook Series: How to support SME Policy from Structural Fan, K., Jiang, W., Li, H. et al. ‘Lightweight RFID Protocol for
Funds, Publications Office of the European Union, Brussels, Medical Privacy Protection in IoT’, IEEE Transactions on
2016, https://data.europa.eu/doi/10.2873/729624. Industrial Informatics, Vol. 14 No. 4, 2018, pp. 1656–1665,
European Commission, Executive Agency for Small and https://doi.org/10.1109/TII.2018.2794996.
Medium-sized Enterprises, Your guide to IP in Europe, Farahani, B., Firouzi, F., Chakrabarty, K., ‘Healthcare IoT’,
Publications Office of the European Union, Luxembourg, in: Intelligent Internet of Things: From Device to Fog
2019, https://data.europa.eu/doi/10.2826/94924. and Cloud, edited by F. Firouzi, K. Chakrabarty, S.
124 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Nassif, Springer, Cham, 2020, pp. 515–545, https://doi. Brussels, 14 May 2019, https://cris.vub.be/ws/portalfiles/
org/10.1007/978-3-030-30367-9_11. portal/45839230/20190513.Working_Paper_Gonza_lez_
Federal Institute for Drugs and Medical Devices (Bundesinstitut Fuster_Hijmans_3_.pdf.
für Arzneimittel und Medizinprodukte, BfArM), The Fast-Track Gaeta, M., ‘Hard Law and Soft Law on Data Protection: What
Process for Digital Health Applications (DiGA) according to a DPO Should Know to Better Perform His or Her Tasks’,
Section 139e SGB V: A Guide for Manufacturers, Service European Journal of Privacy Law & Technologies, Vol. 2,
Providers and Users, BfArM, 2020, https://www.bfarm.de/ 2019, pp. 61–78, https://universitypress.unisob.na.it/ojs/
SharedDocs/Downloads/EN/MedicalDevices/DiGA_Guide. index.php/ejplt/article/view/1069/313.
pdf?__blob=publicationFile. Galen Growth, ‘Is Big Tech Important to Digital Health Innovation?’,
Federici, C., Reckers-Droog, V., Ciani, O. et al., ‘Coverage with Galen Growth, 7 June 2024, https://galengrowth.com/
Evidence Development Schemes for Medical Devices in is-big-tech-important-to-digital-health-innovation/.
Europe: Characteristics and Challenges’, The European García-Altés, A., McKee, M., Siciliani, L. et al., ‘Understanding
Journal of Health Economics, Vol 22, 2021, pp. 1253-1273, public procurement within the health sector: a priority in a
https://doi.org/10.1007/s10198-021-01334-9. post-COVID-19 world’, Health Economics, Policy and Law,
Ferguson. C., Hickman, L.D., Turkmani, S. et al., ‘”Wearables Vol. 18 No. 2, 2023, pp. 172–185, https://doi.org/10.1017/
Only Work on Patients That Wear Them”: Barriers and S1744133122000184.
Facilitators to the Adoption of Wearable Cardiac Monitoring Gellert, R., Gutwirth, S., ‘The legal construction of privacy and
Technologies’, Cardiovascular Digital Health Journal, Vol. data protection’, Computer Law & Security Review, Vol.
2 No. 2, 2021, pp. 137–147, https://doi.org/10.1016/j. 29 No. 5, 2013, pp. 522–530, https://doi.org/10.1016/j.
cvdhj.2021.02.001. clsr.2013.07.005.
Ferguson, D.D.S., ‘The Outcome Efficacy of the Entity Risk Gerke, S., ‘Health AI for Good Rather Than Evil? The Need for a
Management Requirements of the NIS 2 Directive’, New Regulatory Framework for AI-Based Medical Devices’,
International Cybersecurity Law Review, Vol. 4, 2023, pp. Yale Journal of Health Policy, Law, and Ethics, No. 20 Vol.
371–386, https://doi.org/10.1365/s43439-023-00097-8. 2, 2021, pp. 432–512, https://yaleconnect.yale.edu/get_
Fiedler, B.A., ‘Chapter 18 - Challenges of New Technology: file?pid=fd7fce9fbc17724a4b17d7f1ce4581a33c87d-
Securing Medical Devices and Their Software for HIPPA 962fbbae12115c3217cdb56240.
Compliance’, in: Managing Medical Devices Within a Ghazizadeh, E., Naseri, Z., Deigner, H-P et al., ‘Approaches of
Regulatory Framework, edited by B.A. Fiedler, Elsevier, wearable and implantable biosensor towards of developing
Amsterdam, 2017, pp. 315–329. https://doi.org/10.1016/ in precision medicine’, Frontiers in Medicine, Vol. 11 No.
B978-0-12-804179-6.00018-6. 1390634, 2024, pp. 1–21, https://doi.org/10.3389/
Fink, M., Akra, B., ‘Comparison of the International Regulations fmed.2024.1390634.
for Medical Devices–USA versus Europe’, Injury, Vol. 54, Giannakis, A., Subasic, D., Gautschi, F. et al., Together, we can
2023, https://doi.org/10.1016/j.injury.2023.110908. – Fast-forwarding healthcare through data collaboratives,
Fitzpatrick, P. J., ‘Improving health literacy using the power of Accenture, 2022, https://www.accenture.com/content/
digital communications to achieve better health outcomes dam/accenture/final/industry/life-sciences/document/
for patients and practitioners’, Frontiers in Digital Health, Together-We-Can-Fast-Forwarding-Healthcare-Full-
Vol. 5, 1264780, 2023, pp. 1–13, https://doi.org/10.3389/ Report-PoV-FINAL.pdf.
fdgth.2023.1264780. Giannoutakis, K. M., Spanopoulos-Karalexidis, M., Papadopoulos,
Fortune Business Insights, Wearable Medical Devices Market, C. K. F. et al., ‘Next Generation Cloud Architecture’,
Fortune Business Insights, Maharashtra, 2023, https:// in: Embodied Computing: Wearables, Implantables,
www.fortunebusinessinsights.com/industry-reports/ Embeddables, Ingestibles, edited by P. T. Lynn, J. Mooney,
wearable-medical-devices-market-101070. B. Lee et al., Palgrave Macmillan, Cham, 2020, pp. 23–39,
Fotiadis, D., Glaros, C., Likas, A., ‘Wearable Medical Devices’, https://doi.org/10.1007/978-3-030-41110-7_2.
in: Wiley Encyclopedia of Biomedical Engineering, Gkotsopoulou, G., Quinn P., ‘Data Protection and Privacy Issues
edited by M. Akay, Wiley, Hoboken, 2006, https://doi. of the Internet of Things’, in Internet of Things, Threats,
org/10.1002/9780471740360.ebs1326. Landscape, and Countermeasures, edited by S. Shiaeles,
Fraden, J., Handbook of Modern Sensors: Physics, Designs, and N. Kolokotronis, Taylor and Francis, Oxford, 2021 pp. 1–46,
Applications, Fifth Edition, Cham, Springer, 2015, https:// https://doi.org/10.1201/9781003006152.
link.springer.com/chapter/10.1007/978-3-319-19303-8_1. Gobeo, G., Fowler, C., Buchanan W. J., GDPR and Cyber Security
Fuster, G. G., Hijmans, H., ‘The EU rights to privacy and for Business Information Systems, River Publishers, New
personal data protection: 20 years in 10 questions’, York, 2022, https://doi.org/10.1201/9781003338253.
Exploring the Privacy and Data Protection connection: Grand View Research, Wearable Medical Devices Market
International Workshop on the Legal Notions of Privacy Size & Share Report 2030, Grand View Research, San
and Data Protection in EU Law in a Rapidly Changing World,
 JRC EXTERNAL STUDY 125

Fransisco, 2024, https://www.grandviewresearch.com/ Huhn, S., Axt, M., Gunga, H. et al., ‘The Impact of Wearable
industry-analysis/wearable-medical-devices-market. Technologies in Health Research: Scoping Review’, JMIR
Greco, L., Percannella, G., Ritrovato, P., ‘Trends in IoT based mHealth and uHealth, Vol 10 No. 1, 2021, e34384, https://
solutions for health care: Moving AI to the edge’, Pattern doi.org/10.2196/34384.
Recognition Letters, Vol. 135, 2020, pp. 346–353, https:// Ienca, M., Malgieri, G., ‘Mental Data Protection and the GDPR’,
doi.org/10.1016/j.patrec.2020.05.016. Journal of Law and the Biosciences, Vol. 9 No. 1, 2022, pp.
Greiwe, J., Nyenhuis, S., ‘Wearable Technology and How This 1–19, https://doi.org/10.1093/jlb/lsac006.
Can Be Implemented into Clinical Practice’, Current Allergy imec, ‘Technology for wearable pain and stress monitoring
and Asthma Reports, Vol. 20 No. 36, 2020, https://doi. devices’, imec, n.d., https://www.imec-int.com/en/expertise/
org/10.1007/s11882-020-00927-3. health-technologies/pain-and-stress-monitoring.
Gronden, J., Veenbrink, M., ‘EHDS and Free Movement of Ince, M., ‘AI and Big Tech Are Leading the Charge in Digital
Patients: What EU Intervention Is Needed?’, European Health Market in 2024’, Research 2 Guidance, 2024, https://
Journal of Health Law, Vol. 31 No. 3, 2024, pp. 249–284, research2guidance.com/ai-and-big-tech-are-leading-the-
https://doi.org/10.1163/15718093-bja10125. charge-in-digital-health-market-in-2024/.
Gruber, A., Ségur-Cabanac, N., ‘Necessary or Premature? Innovative Health Initiative, Trials@Home: Center of excellence
The NIS 2 Directive from the Perspective of the – remote decentralised clinical trials, Innovative Health
Telecommunications Sector’, International Cybersecurity Initiative, 2024, https://www.ihi.europa.eu/projects-results/
Law Review, Vol. 2, 2021, pp. 223–243, https://doi. project-factsheets/trialshome.
org/10.1365/s43439-021-00035-6. Iorga, M., Feldman, L., Barton, R. et al., Fog Computing Conceptual
Gowda, V., Schulzrinne, V., Miller, B., ‘The Case for Medical Model – Recommendations of the National Institute of
Device Interoperability’, JAMA Health Forum, Vol. Standards and Technology, NIST Special Publication 500-
3 No. 1, e214313, 2022, https://doi.org/10.1001/ 325, U.S. Department of Commerce, National Institute of
jamahealthforum.2021.4313. Standards and Technology, Washington, 2018, https://doi.
Hanratty, C., ‘Intellectual property creates value org/10.6028/NIST.SP.500-325.
in Medtech’, Murgitroyd, 22 January 2022, IoT Business News, ‘World’s first IoT ‘device-to-cloud’ solution
h t t p s : / / w w w. m u r g i t r oyd . c o m / i n s i g h t s / p a t e n t s / announced’, IoT Business News, 27 November 2019, https://
intellectual-property-creates-value-in-medtech. iotbusinessnews.com/2019/11/27/50213-worlds-first-iot-
Hardman, T., Aitchison, R., Scaife, R. et al., ‘The Future of Clinical device-to-cloud-solution-announced.
Trials and Drug Development: 2050’, Drugs in Context, Vol. Iqbal, S. M. A., Mahgoub, I., Du, E. et al. ‘Advances in healthcare
12, 2023, https://doi.org/10.7573/dic.2023-2-2. wearable devices’, npj Flexible Electronics, Vol. 5 No. 9, 2021,
Harer, J., ‘Post-Market Surveillance and Vigilance on the European pp. 1–14, https://doi.org/10.1038/s41528-021-00107-x.
Market’, in: Medical Devices and In Vitro Diagnostics: Islam, S. M. R., Kwak, D., Kabir, M. H. et al., ‘The Internet of
Requirements in Europe, edited by C. Baumgartner, J. Harer, Things for Health Care: A Comprehensive Survey’, IEEE
J. Schröttner, Springer, Cham, 2023, pp. 585–623, https:// Access, Vol. 3, 2015, pp. 678–708, https://doi.org/10.1109/
doi.org/10.1007/978-3-031-22091-3_22. ACCESS.2015.2437951.
Henshall, C., Schuller, T., ‘Health Technology Assessment, Value- Izmailova, E., McLean, I.L., Bhatia, G. et al., ‘Evaluation of
Based Decision-Making, and Innovation’, International Wearable Digital Devices in a Phase I Clinical Trial’, Clinical
Journal of Technology Assessment in Health Care, Vol. and Translational Science, Vol. 12 No. 3, 2019, pp. 247–
29 No. 4, 2013, pp. 353–359, https://doi.org/10.1017/ 256, https://doi.org/10.1111/cts.12602.
S0266462313000378 Izmailova, E., Wagner, J., Perakslis, E., ‘Wearable Devices in
Hermes, S., Riasanow, T., Clemons, E. et al., ‘The Digital Clinical Trials: Hype and Hypothesis’, Clinical Pharmacology
Transformation of the Healthcare Industry: Exploring & Therapeutics, Vol. 104 No. 1, 2017, pp. 42–52, https://
the Rise of Emerging Platform Ecosystems and Their doi.org/10.1002/cpt.966.
Influence on the Role of Patients’, Business Research, Vol. Jia, X., Feng, Q., Fan, T. et al., ‘RFID technology and its applications
13, 2020, pp. 1033-1066 at 1060, https://doi.org/10.1007/ in Internet of Things (IoT)’, 2nd International Conference
s40685-020-00125-x. on Consumer Electronics, Communications and Networks
Hill, R., ‘Smart Wearables: The Overlooked and Underrated (CECNet), Yichang, 21–23 April 2012, pp. 1282–1285,
Essential Worker Notes’, William & Mary Law Review, Vol. https://doi.org/10.1109/CECNet.2012.6201508.
64 No. 5, 2023, pp. 1583–1615, https://scholarship.law. Johner, C., ‘MDR Classification Rule 11 for Medical Device
wm.edu/wmlr/vol64/iss5/7. Software’, Johner Institute, 22 July 2017, https://www.
Hoyt, R., Muenchen, R. ’Artificial Intelligence’, in: Introduction to johner-institute.com/articles/regulatory-affairs/and-more/
Biomedical Data Science, edited by R. Hoyt, R. Muenchen, mdr-rule-11-software.
Informatics Education, Pensacola, 2019, pp. 191–214.
126 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Kasoju, N., Remya, N.S., Sasi, R. et al., ‘Digital Health: Trends, Kumar, A., Motwani, J., Reisman, A., ‘Transfer of technology: A
Opportunities and Challenges in Medical Devices, Pharma classification of motivations’, The Journal of Technology
and Bio-Technology’, CSI Transactions, Vol. 11, 2023, pp. Transfer, Vol. 21, pp. 34–42, 1996, https://doi.org/10.1007/
1–30, https://doi.org/10.1007/s40012-023-00380-3. BF02220305.
Kaye, J., Whitley, E. A., Lund, D. et al., ‘Dynamic consent: a Kyriazakos, S., Pnevmatikakis, A., Cesario, A. et al., ‘Discovering
patient interface for twenty-first century research Composite Lifestyle Biomarkers With Artificial Intelligence
networks’, European Journal of Human Genetics, Vol. 23, From Clinical Studies to Enable Smart eHealth and Digital
2015, pp. 141–146, https://doi.org/10.1038/ejhg.2014.71. Therapeutic Services’, Frontiers in Digital Health, Vol. 3,
Kenney, M., Patton, D., ‘Reconsidering the Bayh-Dole Act and the 648190, 2021, https://doi.org/10.3389/fdgth.2021.648190.
Current University Invention Ownership Model’, Research Landi, H., ‘Merck taps Evidation to use apps, wearables to
Policy, Vol. 38 No. 9, 2009, pp. 1407–1422, https://doi. detect early stages of Alzheimer's’, FierceHealthcare, 22
org/10.1016/j.respol.2009.07.007. July 2021, https://www.fiercehealthcare.com/digital-health/
Khandelwal, C. P., ‘How generative AI is revolutionising intermountain-health-story-health-expanding-virtual-
the wearables industry’, Financial Express, 26 June heart-failure-management-program.
2024, https://www.financialexpress.com/business/ Langley, M., ‘Hide Your Health: Addressing the New Privacy
industry-how-generative-ai-is-revolutionising-the- Problem of Consumer Wearables’, Georgetown Law
wearables-industry-3534974/. Journal, 2014, pp. 1641–1660. https://heinonline.
Kitain, J., ‘Beware of Wearables: Protecting Privacy in a Data- org/HOL/LandingPage?handle=hein.journals/
Collecting World’, Drexel Law Review, Vol. 9 No.1, 2017, pp. glj103&div=50&id=&page=.
1–30, https://drexel.edu/~/media/Files/law/law%20review/ Laplante-Lévesque, A., Dimakopoulos, N., Papagrigoriou, P.
v9-1/Kitain.ashx. et al., ‘First Market Analysis and Exploitation Report’,
Kloza, D., Van Dijk, N., Casiraghi, S. et al., ‘Towards a Method for Deliverable 8.4, Evidenced based management of hearing
Data Protection Impact Assessment: Making Sense of GDPR impairments: Public health policy making based on fusing
Requirements’, Brussels Laboratory for Data Protection & big data analytics and simulation (EVOTION), H2020 project
Privacy Impact Assessments (d.pia.lab) Policy Brief, Vol. 1, (GA no.: 72752), 2019, https://h2020evotion.eu/wp-content/
2019, pp. 1–8, https://doi.org/10.31228/osf.io/es8bm. uploads/delightful-downloads/2017/11/727521-EVOTION-
D8.4-FIRST-MARKET-ANALYSIS-REPORT.pdf.
Klessascheck, M., ‘Radio Equipment Directive (RED) for
networked medical devices’, Johner Institute, 2 February Latif, S., Qadir, J., Farooq, S. et al., ‘How 5G Wireless (and
2024, https://blog.johner-institute.com/regulatory-affairs/ Concomitant Technologies) Will Revolutionize Healthcare?’,
radio-equipment-directive-red/. Future Internet, Vol. 9 No. 93, 2017, pp. 1–24, https://www.
mdpi.com/1999-5903/9/4/93.
Kohler, C., ‘The EU Cybersecurity Act and European Standards:
An Introduction to the Role of European Standardization’, Leclercq, C., Witt, H., Hindricks, G. et al., ‘Wearables,
International Cybersecurity Law Review, Vol. 1, 2020, pp. Telemedicine, and Artificial Intelligence’ in: Arrhythmias
7-12, https://doi.org/10.1365/s43439-020-00008-1. and Heart Failure: Proceedings of the European Society of
Cardiology Cardiovascular Round Table', EP Europace, Vol.
Korff, D., ‘GDPR Requirements on Data Protection Impact
24 No. 9, 2022, pp. 1372–1383, https://doi.org/10.1093/
Assessments & Methodologies for DPIAs’, SSRN, 2020, pp.
europace/euac052.
1 –25, https://dx.doi.org/10.2139/ssrn.3656234.
Lewis., A., Valla V., Charitou P., ‘Digital Health Technologies
Kramer, D.B., Xu, S., Kesselheim, A.S., ‘Regulation of Medical
for Medical Devices – Real World Evidence Collection
Devices in the United States and European Union’, New
– Challenges and Solutions Towards Clinical Evidence’,
England Journal of Medcine, Vol. 366 No. 9, 2012, https://
International Journal of Digital Health, Vol 2 No. 1:8, 2022,
doi.org/10.1056/NEJMhle1113918.
pp. 1–18, https://doi.org/10.29337/ijdh.49.
Krattiger, A., ‘Promoting access to medical innovation’, WIPO
Li, W., Quinn, P., ‘The European Health Data Space: An expanded
Magazine, September 2013, https://www.wipo.int/wipo_
right to data portability?’, Computer Law & Security
magazine/en/2013/05/article_0002.html.
Review, Vol. 52, No. 105913, pp. 1 –13, 2024, https://doi.
Krystlik, J., ‘With GDPR, Preparation Is Everything’, Computer org/10.1016/j.clsr.2023.105913.
Fraud & Security, Vol. 2017, No. 6, pp. 5–8, 2017, https://
Lievevrouw, E., Marelli, L., Van Hoyweghen, I., ‘Weaving EU
doi.org/10.1016/S1361-3723(17)30050-7.
Digital Health Policy into National Healthcare Practices.
Kulkarni, A., Sathe, S., ‘Healthcare applications of the Internet The Making of a Reimbursement Standard for Digital
of Things: A Review’, International Journal of Computer Health Technologies in Belgium’, Social Science &
Science and Information Technologies, Vol. 5 No. 5, Medicine, Vol 346, 2024, 116620, https://doi.org/10.1016/j.
2014, pp. 6229–6232, https://ijcsit.com/docs/Volume 5/ socscimed.2024.116620.
vol5issue05/ijcsit2014050551.pdf.
Liu, X., Merritt, J., Tiscareno, K. K. et al., Shaping the Future
of the Internet of Bodies: New challenges of technology
 JRC EXTERNAL STUDY 127

governance, Briefing Paper, 2020, World Economic Forum, Marcus, J.S., Martens, B., Carugati, C. et al., ‘The European
Geneva, https://www3.weforum.org/docs/WEF_IoB_ Health Data Space’, Study requested by the Industry,
briefing_paper_2020.pdf. Research and Energy (ITRE) committee, Directorate-General
Lopez Perales, C. R., Van Spall, H. G. C., Maeda, S. et al. ‘Mobile for Internal Policies, European Parliament, Luxembourg,
health applications for the detection of atrial fibrillation: a 2022, https://www.europarl.europa.eu/RegData/etudes/
systematic review’, EP Europace, Vol. 23, No. 1, 2021, pp. STUD/2022/740054/IPOL_STU(2022)740054_EN.pdf.
11–28. https://doi.org/10.1093/europace/euaa139. Mathias, R., McCulloch, P., Chalkidou, A. et al. ‘How can regulation
Lorenzoni, L., Marino, A., Morgan, D. et al., Health Spending and reimbursement better accommodate flexible suites
Projections to 2030: New results based on a revised of digital health technologies?’ npj Digital Medicine,
OECD methodology, OECD Health Working Papers Vol. 7, No. 170, 2024, pp. 1–3, https://doi.org/10.1038/
No. 110, OECD Publishing, Paris, 2019, https://doi. s41746-024-01156-y.
org/10.1787/5667f23d-en. Matwyshyn, A. M., ‘The Internet of Bodies’, William &
Lu, L., Zhang J., Xie Y. et al., ‘Wearable Health Devices in Health Mary Law Review, Vol. 61 No. 1, 2019, pp. 77–168,
Care: Narrative Systematic Review’, JMIR Mhealth Uhealth, https://scholarship.law.wm.edu/cgi/viewcontent.
Vol. 8 No. 11, 2020, e18907, https://doi.org/10.2196/18907. cgi?article=3827&context=wmlr.
Lucivero, F., Prainsack, B., ‘The lifestylisation of healthcare? Mayana, R. F., Ramli, A. M., Santika, T., ‘The Role of Intellectual
‘Consumer genomics’ and mobile health as technologies for Property in the Development of Digital Health System –
healthy lifestyle’, Applied & Translational Genomics, Vol. 4, Lesson Learned from the Pandemic’, in: Proceedings of the
2015, pp. 44–49, https://doi.org/10.1016/j.atg.2015.02.001. 2nd International Conference on Law and Human Rights
2021 (ICLHR 2021) – Restructuring Law and Human Rights
Ludvigsen, K. R., ‘The Role of Cybersecurity in Medical
in New-Normal Society, edited by Irawaty, R., Ramadita, M.,
Devices Regulation: Future Considerations and Solutions
Fitriyani, Atlantic Press, online, 3–6 May 2021, pp. 416–424,
Symposium: Regulatory Futures and Medical Devices’, Law,
https://www.atlantis-press.com/article/125963856.pdf.
Technology and Humans, Vol. 5 No. 2, 2023, pp. 59–77,
https://doi.org/10.5204/lthj.3080. Mayo, M., ‘The Current State of Automated Machine Learning’,
KDnuggets, 18 January 2017, https://www.kdnuggets.
Ludvigsen, K., Nagaraja, S., Daly, A., ‘When Is Software a Medical
com/2017/01/current-state-automated-machine-learning.
Device? Understanding and Determining the “Intention” and
html.
Requirements for Software as a Medical Device in European
Union Law’, European Journal of Risk Regulation, Vol. 13 Mayo, M., ‘The Data Science Puzzle, Revisited’, KDnuggets, 20
No. 1, 2021, pp. 1–16, https://doi.org/10.1017/err.2021.45. January 2017, https://www.kdnuggets.com/2017/01/data-
science-puzzle-revisited.html.
Luengo, J., García-Gil, D., Ramírez-Gallego, S. et al., Big Data
Preprocessing: Enabling Smart Data, Springer, Cham, 2020, McKernan, D., McDermott, O., ‘Industrial clusters, creating a
https://doi.org/10.1007/978-3-030-39105-8. strategy for continued success’, Heliyon, Vol. 10 No. 7,
2024, e29220, https://doi.org/10.1016%2Fj.heliyon.2024.
Lynskey, O., The Foundations of EU Data Protection Law, Oxford
e29220.
University Press, Oxford, 2015.
Medicines and Healthcare products Regulatory Agency,
Machleid, F., Kaczmarczyk, R., Johann, D. et al., Perceptions
BioIndustry Association, The Eighth Joint BIA/MHRA
of Digital Health Education Among European Medical
Conference – Collaborative Working in the UK, Driving
Students: Mixed Methods Survey, Journal of Medical
Innovation Forward, Medicines and Healthcare products
Internet Research, Vol. 22, No. 8, e19827, 2020, pp. 1–13,
Regulatory Agency, BioIndustry Association, London, 5
https://doi.org/10.2196/19827.
July 2018, https://www.biaregulatoryconference.org/static/
Madiega, T., Van De Pol, A. L., Artificial intelligence act and uploaded/2ceb87ee-bd78-4549-94bff0655fffa5b6.pdf.
regulatory sandboxes, Briefing, European Parliamentary
MedTech Europe, ‘Facts & Figures 2024’, MedTech Europe,
Research Service, Brussels, 2022, https://www.europarl.
Brussels, 2024, https://www.medtecheurope.org/
europa.eu/RegData/etudes/BRIE/2022/733544/
wp-content/uploads/2024/07/medtech-europes-facts-
EPRS_BRI(2022)733544_EN.pdf.
figures-2024.pdf.
Malgieri, G., Comandé, G., ‘Sensitive-by-distance: quasi-health
Meskó, B., Dhunnoo, P., ‘The Intellectual Property Journey Of
data in the algorithmic era’, Information & Communications
Patients’ Digital Health Data’, The Medical Futurist, 22
Technology Law, Vol. 26 No. 3, 2017, pp. 229–249, https://
August 2023, https://medicalfuturist.com/the-intellectual-
doi.org/10.1080/13600834.2017.1335468.
property-journey-of-patients-digital-health-data/.
Manita, A.D., Vikram, A.C.R., Prabodh, C.S., ‘Regulation and
mHealth Belgium, ‘Validation pyramid’, mHealth Belgium, 2024,
Clinical Investigation of Medical Device in the European
https://mhealthbelgium.be/validation-pyramid.
Union’, Applied Clinical Research, Clinical Trials and
Regulatory Affairs, Vol. 6 No. 3, 2019, pp. 163–181, https:// Middlemass, J., Vos, J., Siriwardena, A.N., ‘Perceptions on
doi.org/10.2174/2213476X06666190821095407. Use of Home Telemonitoring in Patients with Long Term
Conditions – Concordance with the Health Information
128 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Technology Acceptance Model: A Qualitative Collective Niculae, I., ‘Piloting wearable sensor technologies for
Case Study’, BMC Medical Informatics and Decision Making, clinical trials’, UCB, 30 May 2022, https://www.
Vol. 17, No. 19, 2017, pp. 1–13, https://doi.org/10.1186/ ucb.com/Our-Science/magazine/detail/article/
s12911-017-0486-5; Piloting-wearable-sensor-technologies-for-clinical-trials.
Miller, F. A., Sanders, C. B., Lehoux, P., ‘Imagining value, imagining Noone, G., ‘Putting AI in IoT chips? It’s a question of
users: academic technology transfer for health innovation’, memory’, Tech Monitor, 10 February 2022, https://
Social Science & Medicine, Vol. 68 No. 8, 2009, pp. 1481– t e c h m o n i t o r. a i / t e c h n o l o g y / a i - a n d - a u t o m a t i o n /
1488, https://doi.org/10.1016/j.socscimed.2009.01.043. tinyml-putting-ai-in-iot-chips-a-question-of-memory.
Mitrakas, A., ‘The Emerging EU Framework on Cybersecurity Nwankwo, I., Stauch, M., Radoglou-Grammatikis, P, et al.,
Certification’, Datenschutz Und Datensicherheit, Vol. ‘Data Protection and Cybersecurity Certification Activities
42, 2018, pp. 411–414, https://doi.org/10.1007/ and Schemes in the Energy Sector’, Electronics, Vol.
s11623-018-0969-2. 11, No. 6, 2022, pp. 965–983, https://doi.org/10.3390/
Mocker, M., Ross, J., ‘Digital Transformation at Royal Philips’, in: electronics11060965
39th International Conference on Information Systems (ICIS OECD, Health in the 21st Century – Putting Data to Work for
2018): Bridging the Internet of people, data and things, San Stronger Health Systems, OECD Health Policy Studies,
Francisco, 13–16 December 2018, pp. 2695–2711, https:// OECD Publishing, Paris, 2019, https://doi.org/10.1787/
www.proceedings.com/content/047/047764webtoc.pdf. e3b23f8e-en.
Mone, V., Shakhlo, F., ‘Health Data on the Go: Navigating Privacy OECD, ‘Scoping the OECD AI principles: Deliberations of the
Concerns with Wearable Technologies’, Legal Information Expert Group on Artificial Intelligence at the OECD (AIGO)’,
Management, Vol.23 No. 3, 2023, pp. 179–188, https://doi. OECD Digital Economy Papers, No. 291, OECD, Paris, 2019,
org/10.1017/S1472669623000427. https://doi.org/10.1787/d62f618a-en.
Nahavandi, D., Roohallah Alizadehsani, R., Khosravi, A. et al., OECD, Health at a Glance 2023: OECD Indicators, OECD Publishing,
‘Application of Artificial Intelligence in Wearable Devices: Paris, 2023, https://doi.org/10.1787/7a7afb35-en.
Opportunities and Challenges’, Computer Methods and OECD, The COVID-19 Pandemic and the Future of Telemedicine,
Programs in Biomedicine, Vol. 213, No. 106541, 2022, OECD Health Policy Studies, OECD Publishing, Paris, 2023,
https://doi.org/10.1016/j.cmpb.2021.106541. https://doi.org/10.1787/ac8b0a27-en.
Nan, X., Wang, X., Kang, T. et al., ‘Review of Flexible Wearable OECD, OECD Science, Technology and Innovation Scoreboard,
Sensor Devices for Biomedical Application’, Micromachines OECD, 2024, https://www.oecd.org/sti/scoreboard.htm.
Vol. 13, 1395, 2022, https://doi.org/10.3390/mi13091395.
Oliveira Hashiguchi, T., ‘Bringing health care to the patient: An
Nantume, A., Shah, S., Cauvel, T., ‘Developing Medical overview of the use of telemedicine in OECD countries’,
Technologies for Low-Resource Settings: Lessons From a OECD Health Working Papers, No. 116, OECD Publishing,
Wireless Wearable Vital Signs Monitor–neoGuard’, Frontiers Paris, 2020, https://doi.org/10.1787/8e56ede7-en.
in Digital Health, Vol. 3, No. 730951, 2021, pp. 1–9, https://
Ong, J.S., Wong, S.N., Arulsamy, A. et al., ‘Medical Technology: A
doi.org/10.3389/fdgth.2021.730951.
Systematic Review on Medical Devices Utilized for Epilepsy
Naresh, V., Lee, N., ‘A Review on Biosensors and Recent Prediction and Management’, Current Neuropharmacology,
Development of Nanostructured Materials-Enabled Vol 20 No. 5, 2022, pp. 950–964 https://doi.org/10.2174/1
Biosensors’, Sensors, Vol. 21 No. 4, 1109, 2021, https:// 570159X19666211108153001.
doi.org/10.3390/s21041109.
Operon Strategist, ‘Understanding Technology
Natarajan, A., Parate, A., Gaiser, E. et al., ‘Detecting cocaine use Transfer in Medical Devices’, Operon Strategist,
with wearable electrocardiogram sensors’, in: UbiComp '13: 3 May 2024, https://operonstrategist.com/
Proceedings of The 2013 ACM International Joint Conference technology-transfer-in-medical-devices/.
on Pervasive and Ubiquitous Computing, edited by Santini,
O’Rourke, B., Oortwijn, W., Schuller, T. et al., ‘The New Definition of
S., Mattern, F., Zurich, 8–12 September 2013, pp. 123–132,
Health Technology Assessment: A Milestone in International
https://dl.acm.org/doi/10.1145/2493432.2493496.
Collaboration’, International Journal of Technology
Negreiro, M., The rise of digital health technologies during Assessment in Health Care, Vol. 36 No. 3, 2020, pp. 187–
the pandemic, Briefing, European Parliamentary 190, https://doi.org/10.1017/S0266462320000215.
Research Service, Brussels, 2021, https://www.europarl.
Ozanne, A., Johansson, D., Graneheim, U.H., ‘Wearables in
europa.eu/RegData/etudes/BRIE/2021/690548/
Epilepsy and Parkinson’s Disease—A Focus Group Study’,
EPRS_BRI(2021)690548_EN.pdf.
Acta Neurologica Scandinavica, Vol. 137 No. 2, 2017, pp.
Newman, T., Kreick, J., ‘The Impact of HIPAA (and Other 188–194, https://doi.org/10.1111/ane.12798.
Federal Law) on Wearable Technology’, SMU Science
Papakonstantinou, V., ‘Cybersecurity as Praxis and as a State:
and Technology Law Review, Vol. 19 No. 4, 2015, pp.
The EU Law Path Towards Acknowledgement of a New
429–454, https://scholar.smu.edu/cgi/viewcontent.
cgi?article=1027&context=scitech.
 JRC EXTERNAL STUDY 129

Right to Cybersecurity?’ Computer Law & Security Review, Framework’, The German Law Journal, Vol. 22 No. 8, 2022,
Vol. 44, 2022, https://doi.org/10.1016/j.clsr.2022.105653 pp. 1583–1612, https://doi.org/10.1017/glj.2021.79.
Papandrea, P., ‘Addressing the HIPAA-Potamus Sized Gap in Panesar, A., Machine Learning and AI for Healthcare Big Data for
Wearable Technology Regulation Note’, Minnesota Law Improved Health Outcomes, Apress, New York, 2019, https://
Review, Vol. 104 No. 2, 2019, pp. 1095–1132, https:// link.springer.com/book/10.1007/978-1-4842-3799-1.
scholarship.law.umn.edu/mlr/3246 Parvinen, P., Pöyry, E., Gustafsson, R. et al., ‘Advancing
Pecchia, L., Maccaro, A., Matarrese, M. et al., ‘Artificial Intelligence, Data Monetization and the Creation of Data-Based
Data Protection and Medical Device Regulations: Squaring Business Models’, Communications of the Association for
the Circle with a Historical Perspective in Europe’, Health Information Systems, Vol. 47, 2020, pp. 25–49, https://doi.
and Technology, Vol 14, 2024, pp. 663–670, https://doi. org/10.17705/1cais.04702.
org/10.1007/s12553-024-00878-z. Pedersen, I., Iliadis, A., ‘Introduction: Embodied Computing’,
Perumal, V., ‘The Future of U.S. Data Privacy: Lessons from the in: Embodied Computing: Wearables, Implantables,
GDPR and State Legislation Notes’, Notre Dame Journal Embeddables, Ingestibles, edited by I. Pedersen, A. Iliadis,
of International & Comparative Law, Vol.12 No. 1, 2022, MIT Press, Cambridge (USA), 2020, pp. ix–xxxix, https://doi.
https://scholarship.law.nd.edu/ndjicl/vol12/iss1/7. org/10.7551/mitpress/11564.003.0002.
Piwowarczyk vel Dabrowski, M., Sandkuhl, K., ‘Towards a Peppet, S. R., ‘Regulating the Internet of Things: First Steps
Management System for Regulative Compliance of Toward Managing Discrimination, Privacy, Security &
Information-Intensive Medical Devices’, in: Human Centred Consent’ Texas Law Review, Vol. 93, 2014, pp. 85–176,
Intelligent Systems, edited by A. Zimmermann, R.C. Howlett, https://texaslawreview.org/wp-content/uploads/2015/08/
L. Jain, Springer, Singapore, 2022, pp. 205–215, https://doi. Peppet-93-1.pdf.
org/10.1007/978-981-19-3455-1_16. Pouget, H., Zuhdi, R., ‘AI and Product Safety Standards Under
Politou. E., Michota, A., Alepis, E. et al., ‘Backups and the Right the EU AI Act’, Carnegie Endowment for International
to Be Forgotten in the GDPR: An Uneasy Relationship’, Peace, 5 March 2024, https://carnegieendowment.org/
Computer Law & Security Review, Vol. 34 No. 6, 2018, research/2024/03/ai-and-product-safety-standards-under-
pp. 1247–1257, https://doi.org/10.1016/j.clsr.2018.08.006. the-eu-ai-act?lang=en.
Prodan, A., Deimel, L, Ahlqvist., J. et al., ‘Success Factors for Prainsack, B., Forgó, N., ‘New AI regulation in the EU seeks
Scaling Up the Adoption of Digital Therapeutics Towards to reduce risk without assessing public benefit’, Nature
the Realization of P5 Medicine’, Frontiers in Medicine, Vol. 9, Medicine, Vol. 30, 2024, pp. 1235–1237, https://doi.
2022, 854665, https://doi.org/10.3389/fmed.2022.854665. org/10.1038/s41591-024-02874-2.
Quinn, P., ‘The EU commission’s risky choice for a non-risk-based Purtova, N. ‘eHealth Spare Parts as a Service: Modular eHealth
strategy on assessment of medical devices’, Computer Solutions and Medical Device Reform’, European Journal
Law & Security Review, Vol. 33 No. 3, 2017, pp. 361–370, of Health Law, Vol. 24, 2017, pp. 463–486, https://doi.
https://doi.org/10.1016/j.clsr.2017.03.019. org/10.1163/15718093-12341430.
Quinn, P., ‘The Anonymisation of Research Data—A Pyric Victory PwC, Market study on telemedicine, European Commission
for Privacy That Should Not Be Pushed Too Hard by the EU Directorate-General for Health and Food Safety,
Data Protection Framework?’, European Journal of Health Brussels, 2018, https://health.ec.europa.eu/document/
Law, Vol. 24 No. 4, 2017, pp. 347–367, https://brill.com/ download/e8937f58-0bbc-4616-b515-08dacef8ae3e_
view/journals/ejhl/24/4/article-p347_347.xml en?filename=2018_provision_marketstudy_telemedicine_
Quinn, P., ‘Is the GDPR and Its Right to Data Portability a Major en.pdf.
Enabler of Citizen Science?’, Global Jurist, Vol. 18 No. 2, Raeesi Vanani, I., Amirhosseini, M., ‘IoT-Based Diseases Prediction
2018, https://doi.org/10.1515/gj-2018-0021. and Diagnosis System for Healthcare’, in: Internet of Things
Quinn, P., 'Research under the GDPR – a Level Playing Field for Healthcare Technologies, edited by C. Chakraborty, A.
for Public and Private Sector Research?’, Life Sciences, Banerjee, M. Kolekar et al., Springer, Singapore, 2021, pp.
Society and Policy, Vol. 17 No. 14, 2021, pp. 1–33, https:// 21–48, https://doi.org/10.1007/978-981-15-4112-4_2.
doi.org/10.1186/s40504-021-00111-z. Raij, A., Ghosh, A., Kumar, S. et al., ‘Privacy risks emerging
Quinn, P., Habbig, A. K., Mantovani, E. et al., ‘The Data Protection from the adoption of innocuous wearable sensors in
and Medical Device Frameworks — Obstacles to the the mobile environment’, CHI ‘11: Proceedings of the
Deployment of mHealth across Europe?’, European Journal SIGCHI Conference on Human Factors in Computing
of Health Law, Vol. 20, 2015, pp. 185–204 at 203, https:// Systems, Vancouver, 7 May 2011, pp. 11–20, https://doi.
doi.org/10.1163/15718093-12341267. org/10.1145/1978942.1978945.
Quinn, P., Malgieri, G., ‘The Difficulty of Defining Sensitive Data Rak, R., ‘International Transfers of Data Concerning Health
– The Concept of Sensitive Data in the EU Data Protection After Schrems II: A Need for Sector-Specific Legal Avenues
and Supplementary Measures’, in: The Application of EU
Law Beyond Its Borders, CLEER Papers 2022/3, edited
130 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

by F. Casolari, M. Gatti, T.M.C. Asser Institute, The Hague, Seneviratne, S., Hu, Y., Nguyen, T. et al., ‘A Survey of Wearable
2022, pp. 187–206, https://www.asser.nl/media/795814/ Devices and Challenges’, IEEE Communications Surveys &
cleer_022-03_web_final.pdf. Tutorials, Vol. 19 No. 4, 2017, pp. 2573–2620, https://doi.
Rak, R., ‘Anonymisation, pseudonymisation and secure org/10.1109/COMST.2017.2731979.
processing environments relating to the secondary use Shamim, M. Z., Parayangat, M., Thafasal Ijyas, V. P. et al.,
of electronic health data in the European Health Data ‘Distributed Intelligent Networks: Convergence of 5G, AI,
Space (EHDS)’, European Journal of Risk Regulation, 2024, and IoT’, in: Enabling Technologies for Next Generation
pp. 1-11, https://doi.org/10.1017/err.2024.67. Wireless Communications, edited by M. Usman, M/ Wajid,
Redberg., R.F., Dhruva, S.S., ‘Moving From Substantial Equivalence M. D. Ansari, CRC Press, Boca Raton, 2021, pp. 137–148,
to Substantial Improvement for 510(k) Devices’, JAMA, Vol https://doi.org/10.1201/9781003003472.
322 No. 10, 2019, pp. 927–928, https://doi.org/10.1001/ Sharon, T., ‘The Googlization of Health Research: From
jama.2019.10191. Disruptive Innovation to Disruptive Ethics’, Personalized
Reuschlaw, ‘Does the Product Safety Regulation apply to Medicine, Vol. 13 No. 6, 2016, pp. 563–574, https://doi.
medical devices?’, Reuschlaw, 11 June 2023, https://www. org/10.2217/pme-2016-0057.
reuschlaw.de/en/news/does-the-product-safety-regulation- Sheppard, M. K., ‘EU Medical Device Legislation and the Safety
apply-to-medical-devices/. Implications for App Users’, in: Legal Issues of Mobile
Riemann., G, ‘Taming Cyborgs; Wearable Technology Growth in Apps: A Practical Guide, edited by I. Iglezakis, Kluwer Law
the EU - Understanding sociological catalysts of wearable International, Alphen aan den Rijn, 2020.
technology and EU regulatory measures’, Thesis, Central Sieck, C.J., Sheon, A., Ancker, J.S. et al. ‘Digital inclusion as
European University and School of Public Policy, University a social determinant of health’, npj Digital Medicine,
of York, 2018, https://www.etd.ceu.edu/2016/riemann_ Vol. 4, No. 52, 2021, pp. 1–3, https://doi.org/10.1038/
gregor.pdf. s41746-021-00413-8.
Robinson, J., ‘Value-Based Purchasing For Medical Devices’, Sievers, T., ‘Proposal for a NIS Directive 2.0: Companies Covered
Health Affairs, Vol. 27, No. 6, 2008, https://doi.org/10.1377/ by the Extended Scope of Application and Their Obligations’,
hlthaff.27.6.1523. International Cybersecurity Law Review, Vol. 2, 2021, pp.
Roche Information Solutions, navify: Our vision, Santa Clara, 223–231, https://doi.org/10.1365/s43439-021-00033-8.
Roche Molecular Systems, 2024, https://navify.roche.com/ Skala, K., Davidović, D., Afgan, E. et al., 'Scalable Distributed
about-us/vision-mission/. Computing Hierarchy: Cloud, Fog and Dew Computing’,
Rodrigues, J. J. P. C., De Rezende Segundo, D. B., Junqueira, H. Open Journal of Cloud Computing, Vol. 2 No. 1, 2015, pp.
A. et al. (2018) ‘Enabling Technologies for the Internet of 16–24, https://doi.org/10.19210/1002.2.1.16.
Health Things’, IEEE Access, Vol. 6, 2018, pp. 13129–13141, Smith, H. L., Technology Transfer and Industrial Change in
https://doi.org/10.1109/ACCESS.2017.2789329. Europe, London, Palgrave Macmillan, 2000, https://doi.
Rose, K., Eldridge, S., Chapin, L., ‘The Internet of Things: an org/10.1057/9780230595422.
Overview. Understanding the Issues and Challenges of a Smirthwaite, A., Clinical evaluation under EU MDR, British
More Connected World’, Internet Society, 2015, https://www. Standards Institution, London, 2021, https://www.bsigroup.
internetsociety.org/wp-content/uploads/2017/08/ISOC-IoT- com/globalassets/localfiles/en-gb/medical-devices/
Overview-20151221-en.pdf. whitepapers/clinical-evaluation-white-paper/clinical-
Sani, E. S., Xu, C., Wang, C. et al., ‘A stretchable wireless evaluation-under-eu-mdr.pdf.
wearable bioelectronic system for multiplexed monitoring Sood, S., Mbarika, V., Jugoo, S. et al., ‘What is telemedicine?
and combination treatment of infected chronic wounds’, A collection of 104 peer-reviewed perspectives and
Science Advances, Vol. 9 No. 12, 2023, eadf7388, https:// theoretical underpinnings’, Telemedicine and eHealth, Vol.
doi.org/10.1126/sciadv.adf7388. 13 No. 5, 2007, pp. 573–590, https://doi.org/10.1089/
Schwartz, J., ‘U of Nottingham start-up develops world’s first tmj.2006.0073.
wearable device for treating Tourette’s Syndrome’, Tech Sorenson, C., Kanavos, P., ‘Medical Technology Procurement in
Transfer Central, 27 March 2024, https://techtransfercentral. Europe: A Cross-Country Comparison of Current Practice
com/2024/03/27/u-of-nottingham-start-up-develops- and Policy’, Health Policy, Vol. 100 No. 1, 2011, pp. 43–50,
worlds-first-wearable-device-for-treating-tourettes/. https://doi.org/10.1016/j.healthpol.2010.08.001.
Sen, S., ‘Creation of an Wearable Startup: From a Laboratory Spain, Ministry of Health, Consumer Affairs and Social Welfare,
Incubator to a Revenue Generating Business’, in: ‘Health care systems in the European Union countries:
Proceedings of the IEEE/ACM 42nd International Conference Health characteristics and indicators 2019’, Government
on Software Engineering Workshops (ICSEW), Seoul, 27 of Spain, 2019, https://www.sanidad.gob.es/estadEstudios/
June 2020 – 19 July 2020, pp. 623–626, https://doi. estadisticas/docs/presentacion_en.pdf.
org/10.1145/3387940.3392226.
 JRC EXTERNAL STUDY 131

Stark, A., ‘Protecting your digital health’, Managing van Kessel, R., Srivastava, D., Kyriopoulos, I. et al., ‘Digital Health
IP, 15 October 2020, https://www.managingip. Reimbursement Strategies of 8 European Countries and
com/article/2a5cxnmoiyww9ziwukq9s/ Israel: Scoping Review and Policy Mapping’, JMIR mHealth
protecting-your-digital-health. and uHealth, Vol. 11, 2023, https://doi.org/10.2196/49003.
Steensen, J., ‘Approval of medical devices with radio’, Force Vermesan, O., Coppola, M., Nava, M. D. et al., ‘New Waves of
Technology, 2019, https://forcetechnology.com/en/articles/ IoT Technologies Research – Transcending Intelligence
medical-devices-with-radio-approval-emc. and Senses at the Edge to Create Multi Experience
Sterzi, V., ‘Patent quality and ownership: An analysis of UK Environments’ in: Internet of Things – The Call of the Edge:
faculty patenting’, Research Policy, Vol. 42 No. 2, 2013, Everything Intelligent Everywhere, edited by O. Vermesan,
pp. 564–576, https://doi.org/10.1016/j.respol.2012.07.010. J. Bacquet, River Publishers, Gistrup, 2020, pp. 17– 184,
https://doi.org/10.13052/rp-9788770221955.
Szalados, J.E., ‘Medical Records and Confidentiality: Evolving
Liability Issues Inherent in the Electronic Health Record, Vermesan, O., Friess, P., Guillemin, P. et al., ‘Internet of
HIPAA, and Cybersecurity’, in: The Medical-Legal Aspects Things Strategic Research and Innovation Agenda’, in:
of Acute Care Medicine: A Resource for Clinicians, Internet of Things – Converging Technologies for Smart
Administrators, and Risk Managers, edited by J.E. Szalados, Environments and Integrated Ecosystems, edited by O.
Springer International Publishing, Cham, 2021, pp. 315– Vermesan, P. Friess, River Publishers, Aalborg, 2013, pp.
342, https://doi.org/10.1007/978-3-030-68570-6_13. 7–142, https://www.internet-of-things-research.eu/pdf/
Converging_Technologies_for_Smart_Environments_and_
Taka, A-M., ‘A deep dive into dynamic data flows, wearable
Integrated_Ecosystems_IERC_Book_Open_Access_2013.
devices, and the concept of health data’, International Data
pdf.
Privacy Law, Vol. 13 No. 2, 2023, pp. 124–140, https://doi.
org/10.1093/idpl/ipad007. Voigt, P., Von dem Bussche, A., The EU General Data Protection
Regulation (GDPR): A Practical Guide. 1st Edition,
Taylor, P., ‘Roche, Boehringer tap biosensor firms
Springer International Publishing, 2017, https://doi.
for patient studies’, pharmaphorum, 26 January
org/10.1007/978-3-319-57959-7
2023, https://pharmaphorum.com/news/
roche-boehringer-tap-biosensor-firms-for-patient-studies. Von Ditfurth, L., Lienemann, G., ‘The Data Governance Act: –
Promoting or Restricting Data Intermediaries?’, Competition
Temesgen, Z. M., DeSimone, D. C., Mahmood, M. et al.,
and Regulation in Network Industries, Vol. 23, No. 4, 2022, pp.
‘Health Care After the COVID-19 Pandemic and the
270–295, https://doi.org/10.1177/17835917221141324.
Influence of Telemedicine’, Mayo Clinic Proceedings, Vol.
95 No. 9, 2020, pp. S66–S68, https://doi.org/10.1016/j. Vreman, R., Mantel-Teeuwisse, A., Hövels, A. et al., ‘Differences in
mayocp.2020.06.052. Health Technology Assessment Recommendations Among
European Jurisdictions: The Role of Practice Variations’,
Terzis, P., OE Santamaria Echeverria, E., ‘Interoperability and
Value in Health, Vol 23 No. 1, 2020, pp. 10–16, https://doi.
Governance in the European Health Data Space Regulation’,
org/10.1016/j.jval.2019.07.017.
Medical Law International, Vol. 23 No. 4, 2023, pp. 368–
376, https://doi.org/10.1177/09685332231165692. Wachter, S., ‘The GDPR and the Internet of Things: a three-step
transparency model’, Law, Innovation and Technology, Vol.
Thomason, J., ‘Big Tech, Big Data and the New World of Digital
10 No. 2, 2018, pp. 266–294, https://doi.org/10.1080/175
Health’, Global Health Journal, Special issue on Intelligent
79961.2018.1527479.
Medicine Leads the New Development of Human Health,
Vol. 5 No. 4, 2021, pp. 165–168, https://doi.org/10.1016/j. Wang, L., Li, Z., ‘Knowledge Transfer from Science to Technology—
glohj.2021.11.003. The Case of Nano Medical Device Technologies’, Frontiers
in Research Metrics and Analytics, Vol. 3 No. 11, 2018, pp.
Tikkinen-Piri, C., Rohunen, A., Markkula, J., ‘EU General Data
1–8, https://doi.org/10.3389/frma.2018.00011.
Protection Regulation: Changes and Implications for
Personal Data Collecting Companies’, Computer Law & Warner, J.J., Crook, H.L., Whelan, K.M. et al. ‘Improving
Security Review, Vol. 34 No. 1, 2018, pp. 134–153, https:// Cardiovascular Drug and Device Development and
doi.org/10.1016/j.clsr.2017.05.015. Evidence Through Patient-Centered Research and
Clinical Trials’, Circulation: Cardiovascular Quality and
Tschofenig, H., Arkko, J., Thaler, D. et al., ‘Architectural
Outcomes, Vol. 13 No. 7, 2020, https://doi.org/10.1161/
Considerations in Smart Object Networking’, Internet
CIRCOUTCOMES.120.006606.
Architecture Board, 2015, https://www.rfc-editor.org/rfc/
rfc7452.txt. World Health Organization, Local Production and Technology
Transfer to Increase Access to Medical Devices – Addressing
Upadhyay, D., Sharma, S., ‘Convergence of Artificial Intelligence
the barriers and challenges in low- and middle-income
of Things: Concepts, Designing, and Applications’, in:
countries, World Health Organization, Geneva, 2012, https://
Towards Smart World: Homes to Cities Using Internet of
www.who.int/publications/i/item/9789241504546.
Things, edited by L. Sharma, CRC Press, Boca Raton, 2020,
pp. 119–142, https://doi.org/10.1201/9781003056751. World Health Organization, Ethics and Governance of Artificial
Intelligence for Health: WHO Guidance, World Health
132 | E N H A N C I N G D I G I TA L H E A LT H I N N OVAT I O N I N T H E E U W I T H E F F E C T I V E I N D U S T R I A L S T R AT E G Y P O L I C I E S

Organization, Geneva, 2021, https://apps.who.int/iris/rest/ Organization, 4 August 2023, https://www.wipo.int/policy/

bitstreams/1352854/retrieve. en/news/global_health/2023/news_0011.html.
World Health Organization, The health workforce crisis Wyler, J., ‘The intended purpose – or, what does your medical
in Europe is no longer a looming threat – it is here device do?’, Decomplix, 4 February 2020, https://decomplix.
and now. The Bucharest Declaration charts a way com/intended-purpose-medical-device.
forward, World Health Organization, Bucharest, Yeng, P., Yang, B., Wolthusen, S., ‘Legal Requirements toward
22 March 2023, https://www.who.int/europe/news/ Enhancing the Security of Medical Devices’, International
item/22-03-2023-the-health-workforce-crisis-in-europe- Journal of Advanced Computer Science and Applications,
is-no-longer-a-looming-threat---it-is-here-and-now.-the- Vol. 11 No. 11, 2020, https://doi.org/10.14569/
bucharest-declaration-charts-a-way-forward. IJACSA.2020.0111181.
World Health Organization, Classification of digital interventions, Yetisen, A., Martinez-Hurtado J., Ünal, B., et al., ‘Wearables in
services and applications in health: A shared language to Medicine’, Advanced Materials, Vol. 30, No. 16, 2018, pp.
describe the uses of digital technology for health, second 1–26, https://doi.org/10.1002/adma.201706910
edition, World Health Organization, Geneva, 2023, https://
Yousefpour, A., Fung, C., Nguyen, T. et al., ‘All one needs to
www.who.int/publications/i/item/9789240081949.
know about fog computing and related edge computing
World Health Organization Global Observatory for eHealth, paradigms: A complete survey’, Journal of Systems
Telemedicine: opportunities and developments in Member Architecture, Vol. 98, 2019, pp. 289–330, https://doi.
States: report on the second global survey on eHealth, org/10.1016/j.sysarc.2019.02.009.
World Health Organization, 2010, https://iris.who.int/
Zajki-Zechmeister, T.,‘A Regulatory Guide for Medical
handle/10665/44497.
Device Start-Ups in Europe: Challenges and Pitfalls’, in:
World Health Organization, World Intellectual Property Medical Devices and In Vitro Diagnostics: Requirements
Organization, World Trade Organization, Promoting in Europe, edited by C. Baumgartner, J. Harer, J.
Access to Medical Technologies and Innovation – Schröttner, Springer, Cham, 2022, pp. 1–25 https://doi.
Intersections between public health, intellectual property org/10.1007/978-3-030-98743-5_3-1.
and trade, Second Edition, World Health Organization,
Zemplényi, A., Tachkov, K., Balkanyi, L.. et al., ‘Recommendations
World Intellectual Property Organization, World Trade
to overcome barriers to the use of artificial intelligence-
Organization, Geneva, 2020, https://iris.who.int/
driven evidence in health technology assessment’, Frontiers
bitstream/handle/10665/333552/9789240008267-eng.
in Public Health, Vol. 11, 2023, pp. 1–10, https://doi.
pdf?sequence=1.
org/10.3389/fpubh.2023.1088121.
World Intellectual Property Organization, The Digital Health
Zhang, Y., Zhang, Y., Han, Y. et al., ‘Micro/Nanorobots for Medical
Revolution: Leveraging Intellectual Property for Equitable
Diagnosis and Disease Treatment’, Micromachines, Vol. 13,
Access and Innovation, World Intellectual Property
648, 2022, p. 1–19, https://doi.org/10.3390/mi13050648.
 JRC EXTERNAL STUDY 133

List of boxes
Box 1: Classification of wearable medical devices...................................................................................................................................12
Box 2: Definition of ‘telemedicine’ in relation to other digital health concepts........................................................................13
Box 3: Digital health reimbursement system of Belgium.....................................................................................................................92
Box 4: Digital health reimbursement system of Germany...................................................................................................................93
Box 5: Potential benefits of technology transfers relating to wearable medical devices..................................................95
Box 6: Philips (case study)...................................................................................................................................................................................104
Box 7: ResMed (case study)................................................................................................................................................................................105
Box 8: Vrije Universiteit Brussel (case study)...........................................................................................................................................107
Box 9: European Society of Cardiology (case study)............................................................................................................................108
Box 10: EURORDIS – Rare Diseases Europe (case study).....................................................................................................................110

List of figures
Figure 1: EU cybersecurity requirements (directly/indirectly) relevant to wearable medical devices.........................38
Figure 2: Representation of the digital health ecosystem...................................................................................................................82
Figure 3: Validation pyramid for mHealth applications in Belgium................................................................................................92
Figure 4: DiGA fast-track procedure in Germany......................................................................................................................................94

List of tables
Table 1: Cybersecurity requirements across the life cycle of (wearable) medical devices according to
the MDR/IVDR...........................................................................................................................................................................................40
Table 2: Value assessment and reimbursement frameworks for wearable medical devices (in selected
Member States).......................................................................................................................................................................................91
GETTING IN TOUCH WITH THE EU

In person
All over the European Union there are hundreds of Europe Direct centres. You can find the address of the
centre nearest you online (european-union.europa.eu/contact-eu/meet-us_en).

On the phone or in writing

Europe Direct is a service that answers your questions about the European Union. You can contact this service:
— by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),
— at the following standard number: +32 22999696,
— via the following form: european-union.europa.eu/contact-eu/write-us_en.

FINDING INFORMATION ABOUT THE EU

Online
Information about the European Union in all the official languages of the EU is available on the Europa
website (european-union.europa.eu).

EU publications
You can view or order EU publications at op.europa.eu/en/publications. Multiple copies of free
publications can be obtained by contacting Europe Direct or your local documentation centre
(european-union.europa.eu/contact-eu/meet-us_en).

EU law and related documents

For access to legal information from the EU, including all EU law since 1951 in all the official language
versions, go to EUR-Lex (eur-lex.europa.eu).

EU open data
The portal data.europa.eu provides access to open datasets from the EU institutions, bodies and agencies.
These can be downloaded and reused for free, for both commercial and non-commercial purposes. The portal
also provides access to a wealth of datasets from European countries.
Science for policy The Joint Research Centre (JRC) provides
independent, evidence-based knowledge
and science, supporting EU policies to
positively impact society

EU Science Hub
Joint-research-centre.ec.europa.eu