GAWEL
INSIGHT // 10 Emerging Issue

Regulatory Sandbox for Digital Health in Switzerland: Opportunities and Limitations

· · 12 min read ·
ICT & AI Regulatory MedTech
Abstract: The regulatory sandbox, a controlled environment allowing innovators to test products under relaxed regulatory requirements, has gained traction globally as a tool for balancing innovation and patient safety. Switzerland has adopted elements of this approach for digital health, but within a framework that differs substantially from more permissive models in Singapore, the UK, or certain US states. This article examines what the Swiss regulatory sandbox actually offers, its limitations, and what it means for digital health companies seeking Swiss market entry.
Plain Language Summary

A "regulatory sandbox" lets firms test new health technologies with real patients under special rules. The trade-off is less paperwork in exchange for built-in safeguards. Switzerland offers sandbox-like arrangements for digital health products. The Swiss approach is more cautious than in many other countries. This article examines Switzerland's framework, the constraints that distinguish it from more permissive models abroad, and the strategic questions firms face.

Table of Contents
  1. The Sandbox Concept in Swiss Context
  2. Regulatory Architecture
  3. Swiss Approaches
  4. International Comparison
  5. Strategic Questions

A Zurich-based startup has developed an AI-powered diagnostic tool that analyzes retinal images to detect early signs of diabetic retinopathy. The algorithm performs comparably to specialist ophthalmologists in clinical validation studies. The founders want to deploy the tool in Swiss primary care settings, allowing general practitioners to screen patients who might otherwise wait months for specialist appointments. Under the MepV (in force since 26 May 2021), the product requires conformity assessment as a Class IIa device before market placement. The founders estimate 18–24 months to CE marking, assuming they can find a Notified Body with capacity. They ask whether Switzerland offers a faster pathway.

The answer is nuanced. Switzerland has developed mechanisms that permit earlier market access for certain digital health products under defined conditions. But these mechanisms operate within constraints that may disappoint founders expecting the permissive sandboxes advertised in other jurisdictions.

1. The Sandbox Concept in Swiss Context

The regulatory sandbox originated in financial services, where the UK Financial Conduct Authority pioneered the concept in 2016. The core idea is straightforward: allow innovators to test products with real customers under regulatory supervision, with certain requirements temporarily relaxed, while maintaining essential consumer protections. If the test succeeds, the product graduates to full regulatory compliance. If it fails, exposure is limited to the sandbox cohort.

Applying this concept to healthcare raises distinct challenges. Financial losses can be compensated; patient harm may be irreversible. The sandbox must balance innovation incentives against patient safety in ways that financial sandboxes need not. Different jurisdictions have struck this balance differently, ranging from Singapore's relatively permissive Ministry of Health sandbox to the EU's more cautious approach under the Medical Device Regulation.1Ministry of Health (Singapore), Licensing Experimentation and Adaptation Programme (LEAP); Art. 59 Regulation (EU) 2017/745 (MDR) [2017] OJ L117/1.

Switzerland occupies a middle position. The Federal Council has expressed support for innovation-friendly regulation, and Swissmedic has developed guidance facilitating digital health market access. But Switzerland lacks a formal, statutory sandbox regime comparable to Singapore's. What exists instead is a combination of existing regulatory flexibilities, enhanced guidance, and informal engagement pathways that together create sandbox-like effects without the sandbox label.

The contrast with Switzerland's own financial regulation is instructive. The Bankengesetz framework provides formal statutory carve-outs, notably Art. 6(2) BankV (sandbox exemption for public deposits up to CHF 1 million) and Art. 1b BankG (fintech license for deposits up to CHF 100 million), where Parliament and the Federal Council decided that financial innovation warranted regulatory relaxation.2Art. 6(2) Bankenverordnung (BankV) vom 30. April 2014 (SR 952.02) (sandbox); Art. 1b Bankengesetz (BankG) vom 8. November 1934 (SR 952.0) (fintech license); FINMA Circular 2008/3 (Public Deposits with Non-Banks). No equivalent exists for digital health. The Federal Council has acknowledged the gap but concluded that patient safety concerns justify a more cautious approach than applies to financial products, where losses are monetary rather than corporeal.

Parliament carved out formal sandboxes for fintech. For digital health, the Federal Council decided patient safety warranted a different calculus.

2. What Regulatory Architecture Applies?

Digital health products in Switzerland face a regulatory framework that depends on how the product is classified. The Medizinprodukteverordnung (MepV), adopted 1 July 2020 and substantively effective from 26 May 2021 to align with EU MDR application, governs medical devices including software as a medical device (SaMD).3Medizinprodukteverordnung (MepV) vom 1. Juli 2020 (SR 812.213), with key provisions effective 26 May 2021. Products that do not qualify as medical devices (wellness apps, fitness trackers, administrative health software) fall outside Swissmedic's jurisdiction entirely. The classification boundary, as discussed in earlier analysis, turns on intended purpose: software that diagnoses, treats, or monitors disease is typically a medical device; software that merely records or displays health information may not be.4See Insight 07: Software as a Medical Device (SaMD): Classification Pitfalls in Switzerland and the EU.

For products that are medical devices, Swiss law requires conformity assessment before market placement. Since Switzerland's exclusion from the EU MRA chapter on medical devices in May 2021, the landscape has diverged: Switzerland unilaterally recognizes EU CE marking for Swiss market access (Art. 13 and 46 MepV), but Swiss manufacturers seeking EU market access face third-country requirements under the MDR, including an EU authorized representative and conformity assessment through EU-recognized Notified Bodies.

Notified Body capacity remains a structural bottleneck that shapes the practical timeline for any device sandbox or fast-track pathway. Approximately 50 Notified Bodies have been designated under the MDR, compared with approximately 80 under the predecessor MDD, and among those designated, few have built assessment expertise for AI-enabled SaMD.5European Commission, 'Notified Bodies: NANDO Database'; Team-NB, Designated Notified Bodies under MDR/IVDR: Statistics (2024): approximately 50 Notified Bodies designated under MDR by end of 2024, compared with ~80 under MDD. The resulting backlogs mean that companies with complete technical documentation may face 12–18 months or longer for Notified Body engagement depending on device class, Notified Body choice, and technical complexity, extending typical development timelines to 24–36 months in practice. Any assessment of Swiss sandbox alternatives must account for this constraint: regulatory flexibility in Switzerland cannot compress the EU Notified Body queue that most Swiss digital health companies must ultimately navigate.

The Heilmittelgesetz (Therapeutic Products Act) and its implementing ordinances govern pharmaceuticals and certain combination products.6Bundesgesetz über Arzneimittel und Medizinprodukte (Heilmittelgesetz, HMG) vom 15. Dezember 2000 (SR 812.21). Digital therapeutics that incorporate drug delivery or that are regulated as drug-device combinations face additional requirements. The Federal Office of Public Health (BAG) oversees health insurance coverage and reimbursement, a separate regulatory track that determines whether approved products can actually reach patients through the funded healthcare system.

This multi-authority architecture creates complexity for digital health innovators. A single product may require Swissmedic device approval, BAG reimbursement approval, cantonal health authority notification for telemedicine services, and compliance with federal data protection requirements under the Datenschutzgesetz. No single "sandbox" covers all these domains. The jurisdictional overlaps (which authority has primacy, whether engagement must proceed sequentially or can run in parallel, and how cybersecurity expectations interact with data protection obligations) create interdependencies that multiply as product complexity increases. No sandbox arrangement resolves them holistically.

The revised Datenschutzgesetz (DSG), effective 1 September 2023, adds a further layer.7Bundesgesetz über den Datenschutz (Datenschutzgesetz, DSG) vom 25. September 2020 (SR 235.1), effective 1 September 2023. Health data constitutes sensitive personal data under Art. 5(c) DSG, and cross-border transfers face restrictions under Art. 16–17 DSG regardless of product regulatory status. Where products process data across EU and Swiss jurisdictions, the interaction between GDPR and DSG creates divergences that no sandbox arrangement in either jurisdiction can override.8See Insight 03: Data Privacy in Clinical Trials: GDPR Meets DSG, discussing cross-jurisdictional data protection challenges for health data. There is no data protection sandbox; a product deployed under any sandbox-like arrangement remains subject to full DSG requirements.

A product deployed under any sandbox-like arrangement remains subject to full data protection requirements; there is no DSG sandbox.

This regulatory architecture (multi-authority, domain-specific, and lacking unified sandbox provisions) does not preclude flexibility. Within each domain, mechanisms exist that permit earlier market access, regulatory dialogue, or controlled deployment under conditions that differ from full conformity assessment. The following section examines these mechanisms and assesses what they actually offer.

3. What Does Switzerland Actually Offer?

Within this architecture, Switzerland has developed several mechanisms that facilitate earlier market access, none of which constitute a formal sandbox, but which together create pathways that differ from the models advertised elsewhere.

At the federal level, Swissmedic offers pre-submission engagement that can clarify classification, clinical evidence requirements, and conformity assessment pathway uncertainties, though the scope of such engagement varies, particularly for AI-enabled devices where MDCG guidance is still evolving.9Swissmedic, Information Sheet on Medical Device Software (BW630_30_007, Version 3.0, 10 April 2024). Art. 9b HMG permits temporary authorization for use of non-authorized medicinal products in individual cases, applicable to pharmaceuticals rather than devices but relevant for drug-device combinations.10Art. 9b HMG. For medical devices specifically, Art. 22 MepV (transposing Art. 59 MDR) permits Swissmedic to authorize market placement without completed conformity assessment where public health or patient safety interests justify it, the closest Swiss analogue to a formal device sandbox, though designed for exceptional circumstances rather than routine innovation facilitation.11Art. 22 MepV (Inverkehrbringen im Interesse des Gesundheitsschutzes); Art. 59 MDR (n 1) (derogation from the conformity assessment procedures).

The clinical investigation framework (the Verordnung über klinische Versuche mit Medizinprodukten, KlinV-Mep, transposing Art. 62 ff. MDR, together with the general Verordnung über klinische Versuche, KlinV) permits real-world device deployment with patients under ethical oversight and informed consent, without prior conformity assessment.12Verordnung über klinische Versuche mit Medizinprodukten (KlinV-Mep) vom 1. Juli 2020 (SR 810.306); Art. 62 ff. MDR (n 1); Verordnung über klinische Versuche (KlinV) vom 20. September 2013 (SR 810.305). The relationship between clinical investigation deployment and subsequent commercial market placement, however, raises questions that the pathway's formal structure does not fully resolve.

On the reimbursement side, Germany's Digitale Gesundheitsanwendungen (DiGA) framework, permitting provisional directory listing based on plausibility, with permanent listing contingent on demonstrating positive healthcare effect within twelve to twenty-four months, has influenced Swiss policy discussions.13Digitale-Versorgung-Gesetz (DVG) vom 9. Dezember 2019 (BGBl I S 2562); Digitale Gesundheitsanwendungen-Verordnung (DiGAV) vom 8. April 2020 (BGBl I S 768). Switzerland has not adopted a formal equivalent, though cantonal pilot programs exploring coverage models for digital therapeutics have emerged with varying scope.14Bundesrat, Gesundheitspolitische Strategie 2020–2030 (Gesundheit2030) (6 December 2019); BAG, Strategie eHealth Schweiz 2.0 (2018). Several cantons have established innovation programs under their respective Gesundheitsgesetze that provide sandbox-like environments (telemedicine pilots, digital triage trials, clinical validation partnerships), though these operate within federal regulatory constraints and cannot substitute for Swissmedic conformity assessment.

4. How Does Switzerland Compare?

The variation across jurisdictions is substantial. Singapore's regulatory authorities operate formal sandbox programs with defined entry and exit criteria;15Ministry of Health (Singapore), LEAP (n 1) (standing healthcare-services sandbox with defined entry and exit conditions); Cyber Security Agency of Singapore, MOH, HSA, and Synapxe, Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) (CSA Singapore), which operated a time-limited sandbox phase from October 2023 to July 2024. the UK's MHRA launched its "AI Airlock" sandbox in May 2024 for evidence-collection exploration; Germany's DiGA framework creates a fast-track reimbursement pathway with provisional listing;13Digitale-Versorgung-Gesetz (DVG) vom 9. Dezember 2019 (BGBl I S 2562); Digitale Gesundheitsanwendungen-Verordnung (DiGAV) vom 8. April 2020 (BGBl I S 768). and the FDA's Predetermined Change Control Plan (PCCP) mechanism (final guidance issued December 2024) contemplates pre-authorization of specific planned modifications for AI-enabled devices, though practical implementation scope remains subject to FDA interpretation, after the five-year Pre-Certification pilot concluded without reaching operational status.16FDA, Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions (Final Guidance, December 2024). The comparative matrix below situates Switzerland's guidance-based approach against these statutory and programmatic alternatives.

Switzerland's approach is more conservative than Singapore's or the UK's, but the comparative assessment is not straightforward. The variables that determine which jurisdiction's framework best serves a particular company (speed to first patient exposure, alignment with the EU conformity assessment pathway the company will eventually need, capacity to accommodate genuinely novel product categories, and clarity of post-sandbox obligations) pull in different directions. A framework that optimizes for one dimension may impose costs in others, and the weighting depends on commercial strategy, development stage, and risk tolerance in ways that the jurisdictional comparison alone cannot resolve.

Comparative Matrix: Digital Health Sandbox Approaches A comparison table of regulatory sandbox frameworks across five jurisdictions (Switzerland, Singapore, United Kingdom, Germany, and United States) covering statutory basis, scope, evidence requirements, graduation pathway, patient exposure, and data protection requirements. Switzerland is highlighted as lacking a formal statutory sandbox but offering derogation and clinical investigation pathways. Comparative Matrix: Digital Health Sandbox Approaches Jurisdiction Statutory Basis Scope Evidence Requirements Graduation Pathway Patient Exposure Data Reqs Switzerland (Swissmedic) No formal statute; Art. 22 MepV (derogation); KlinV-Mep (clin. invest.) Medical devices; digital health software Full MDR-aligned conformity assessment Standard CE/CH marking; no formal sandbox exit Clinical invest. or hospital pilots only DSG (full) Singapore (MOH/CSA) LEAP (MOH, 2018); CLS(MD) (CSA, 2023); multi-agency Care-delivery models; device cybersecurity Reduced; safety- focused with ongoing monitoring Full registration after sandbox; defined exit criteria Real patients; geographic restrictions PDPA (full) United Kingdom (MHRA) AI Airlock (2024); IDAP pilot; non-statutory AI/ML medical devices; innovative devices Exploratory; evidence-collection under supervision Standard UKCA marking; sandbox informs pathway Virtual/simulated; IDAP: real patients UK GDPR (full) Germany (BfArM/DiGA) DVG (2019); DiGAV; statutory fast-track Low-risk digital health apps (Class I/IIa) Provisional: plausibility; permanent: positive care effect within 12–24 months Permanent DiGA listing or delisting Real patients; prescribable and reimbursed GDPR (full) United States (FDA) Pre-Cert (ended 2022); PCCP guidance (2024); CDS exemption AI/ML SaMD; digital health software PCCP: pre-authorized change plans; CDS: exempt Standard 510(k) or De Novo; PCCP is ongoing CDS: immediate; PCCP: post- authorization HIPAA (full) Note: All jurisdictions maintain full data protection requirements regardless of sandbox status. Switzerland (highlighted) lacks a formal statutory sandbox but offers derogation and clinical investigation pathways.
Fig. 1: Comparative matrix of digital health regulatory sandbox approaches. Switzerland's position reflects guidance-based flexibility rather than statutory sandbox frameworks.

5. What Strategic Questions Remain?

The analysis resolves into a sequence in which each step constrains the next: classification of the product shapes the evidence-generation route, the evidence route shapes the market-access pathway, and that pathway must be planned against EU and Swiss requirements in parallel rather than in series.

The strategic questions begin with classification, but the classification question is not purely technical. The same underlying technology may support positioning as a wellness tool (minimal regulatory burden, no medical claims, no reimbursement) or as a Class IIa medical device (conformity assessment, diagnostic claims, reimbursement eligibility) depending on intended purpose and marketing claims. Swissmedic's pre-submission engagement pathways can clarify classification and evidence requirements, but the utility of regulatory dialogue depends on development stage and whether the company's questions are ones the regulator can answer without constraining later pivots.

Technical architecture questions compound this uncertainty. Swissmedic applies evolving cybersecurity expectations that no sandbox arrangement can defer, referencing MDCG 2019-16 and anticipating the EU Cyber Resilience Act (Regulation (EU) 2024/2847), which will impose reporting obligations from September 2026 and full compliance from December 2027, with conformity assessment stringency varying by product category.17Medical Device Coordination Group, MDCG 2019-16 Rev. 1: Guidance on Cybersecurity for Medical Devices (July 2020); Regulation (EU) 2024/2847 (Cyber Resilience Act) [2024] OJ L 2024/2847; Swissmedic Information Sheet (n 9), IT security requirements. Whether a product's architecture will satisfy these requirements as of 2025, and adapt to requirements that will tighten, depends on design choices that interact with regulatory classification in ways that may not be apparent until both analyses are underway.

The BAG reimbursement pathway presents similar interdependencies: coverage decisions depend on clinical evidence, but the type of evidence required depends on how the product is positioned, which in turn depends on regulatory classification. Cantonal innovation programs and hospital pilot partnerships may accelerate clinical validation, or may not be available for products in particular categories or at particular development stages.

The EU dimension creates both efficiencies and tensions. CE marking remains the gateway to the EU market, and Swissmedic accepts CE marking for Swiss market access, but a development program must account for both sets of requirements from the outset. The EU AI Act (Regulation (EU) 2024/1689) compounds this calculus: AI-enabled medical devices requiring third-party conformity assessment under MDR are listed as high-risk AI under Annex I, which is expected to trigger additional Chapter III requirements alongside MDR obligations, though the precise interaction between the two regimes remains subject to Commission guidance.18Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act) [2024] OJ L 2024/1689; Annex I, Section A lists medical devices (MDR) and IVDR as high-risk product legislation. Switzerland has no equivalent AI legislation, and the AI Act's own regulatory sandbox provision (Art. 57 ff.) creates EU-territory mechanisms from which Swiss-based companies are excluded unless they have EU establishments. The European Health Data Space (Regulation (EU) 2025/327), with phased implementation from 2027, will add interoperability and data governance requirements that further affect product architecture planning.19Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space (EHDS), OJ L 2025/327.

The regulatory landscape itself is shifting. The Federal Council has commissioned studies on regulatory modernization for digital health, and parliamentary initiatives have proposed formal sandbox legislation. No statutory sandbox existed as of October 2025, but the policy direction suggests that more permissive frameworks may emerge. For companies with longer development timelines, the question is whether market entry strategy should assume the rules in force at the time of filing or anticipate liberalization, and the answer depends on risk tolerance, competitive dynamics, and how the company would respond if anticipated liberalization does not materialize or takes a different form than expected. The phased EU deadlines discussed above are collated on the firm's regulatory tracker.

The retinal imaging startup that opened this analysis faces questions that do not resolve themselves through general guidance. The product likely requires conformity assessment as a medical device, but the classification analysis requires examination of the specific intended purpose and claims. Regulatory engagement can clarify requirements, but the engagement will be specific to this product's architecture and clinical positioning. Cantonal pilot programs may accelerate evidence generation, but availability depends on the product category and program capacity at the time of application. The 18–24 month timeline the founders estimated looks optimistic rather than conservative when measured against the Notified Body queue described above, though whether it is unnecessarily long depends on classification, Notified Body choice, and clinical positioning. These determinations require analysis tailored to specific facts, technical architecture, and commercial objectives.

REFERENCES

01
Ministry of Health (Singapore), Licensing Experimentation and Adaptation Programme (LEAP); Art. 59 Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices [2017] OJ L117/1 (MDR) (derogations from conformity assessment procedures).
02
Art. 6(2) Verordnung über die Banken und Sparkassen (Bankenverordnung, BankV) vom 30. April 2014 (SR 952.02) (sandbox exemption for public deposits up to CHF 1 million); Art. 1b Bundesgesetz über die Banken und Sparkassen (Bankengesetz, BankG) vom 8. November 1934 (SR 952.0) (fintech license for deposits up to CHF 100 million); FINMA Circular 2008/3, Public Deposits with Non-Banks.
03
Medizinprodukteverordnung (MepV) vom 1. Juli 2020 (SR 812.213), with key provisions effective 26 May 2021.
04
See Insight 07: Software as a Medical Device (SaMD): Classification Pitfalls in Switzerland and the EU.
05
European Commission, 'Notified Bodies: NANDO Database'; Team-NB, Designated Notified Bodies under MDR/IVDR: Statistics (2024): approximately 50 Notified Bodies designated under MDR by end of 2024, compared with approximately 80 under MDD; few have developed specific assessment expertise for AI-enabled SaMD.
06
Bundesgesetz über Arzneimittel und Medizinprodukte (Heilmittelgesetz, HMG) vom 15. Dezember 2000 (SR 812.21).
07
Bundesgesetz über den Datenschutz (Datenschutzgesetz, DSG) vom 25. September 2020 (SR 235.1), effective 1 September 2023; Art. 5(c) (sensitive personal data), 16–17 (cross-border transfers).
08
See Insight 03: Data Privacy in Clinical Trials: GDPR Meets DSG, discussing cross-jurisdictional data protection challenges for health data processing.
09
Swissmedic, Information Sheet on Medical Device Software (BW630_30_007, Version 3.0, 10 April 2024).
10
Art. 9b HMG.
11
Art. 22 MepV (Inverkehrbringen im Interesse des Gesundheitsschutzes); Art. 59 MDR (n 1) (derogation from the conformity assessment procedures); the authorization may apply to individual devices or defined batches, subject to conditions.
12
Verordnung über klinische Versuche mit Medizinprodukten (KlinV-Mep) vom 1. Juli 2020 (SR 810.306); Art. 62 ff. MDR (n 1) (clinical investigations); Verordnung über klinische Versuche (KlinV) vom 20. September 2013 (SR 810.305).
13
Digitale-Versorgung-Gesetz (DVG) vom 9. Dezember 2019 (BGBl I S 2562); Digitale Gesundheitsanwendungen-Verordnung (DiGAV) vom 8. April 2020 (BGBl I S 768).
14
Bundesrat, Gesundheitspolitische Strategie des Bundesrates 2020–2030 (Gesundheit2030) (6 December 2019), Schwerpunkt Technologischer und Digitaler Wandel; BAG, Strategie eHealth Schweiz 2.0 (2018), Handlungsfeld A (Digitalisierung fördern); cantonal pilot programs vary in scope and reporting.
15
Ministry of Health (Singapore), LEAP (n 1) (standing healthcare-services sandbox with defined entry and exit conditions); Cyber Security Agency of Singapore, MOH, HSA, and Synapxe, Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) (CSA Singapore), which operated a time-limited sandbox phase from October 2023 to July 2024.
16
FDA, Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions (Final Guidance, December 2024).
17
Medical Device Coordination Group, MDCG 2019-16 Rev. 1: Guidance on Cybersecurity for Medical Devices (July 2020); Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act) [2024] OJ L 2024/2847; Swissmedic Information Sheet (n 9), section on IT security requirements.
18
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act) [2024] OJ L 2024/1689; Annex I, Section A (Union harmonisation legislation listed under high-risk AI, including MDR and IVDR); Art. 57 ff. (AI regulatory sandboxes).
19
Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space (EHDS) [2025] OJ L 2025/327; establishing interoperability standards for electronic health records and a framework for secondary use of health data.

RELATED INDUSTRIES

ICT & Digital Health MedTech

RELATED INSIGHTS

MedTech

Software as a Medical Device (SaMD): Classification Pitfalls in Switzerland and the EU

12 min read ICT & AI

AI-Enabled Medical Devices: Regulatory Uncertainty

10 min read

The distance between an assumption and a validated position is measured in the remediation cost when they diverge.

Get in Touch