Why combine MDR/IVDR, the AI Act and data protection into one mandate?

Because a single digital-health product usually triggers all three at once. A software-as-a-medical-device tool is regulated as a device under MDR or IVDR, is high-risk under the EU AI Act where it is a medical-device product requiring third-party conformity assessment (Art. 6(1)), and processes health data that is sensitive under DSG. Run as separate workstreams these regimes overlap, contradict and duplicate documentation; run as one mandate the device file, the AI conformity material and the data-protection record are built once and kept consistent.

Is AI/ML diagnostic or decision-support software high-risk under the EU AI Act?

Generally yes, where it is a medical device. An AI system that is itself a medical device, or a safety component of one, and that must undergo third-party conformity assessment under the Union harmonisation legislation in Annex I, is high-risk under Art. 6(1) of the AI Act. Most AI/ML diagnostic imaging and clinical-decision-support software falls into a conformity-assessed class under MDR or IVDR, so it is dual-regulated as both a device and a high-risk AI system, not exempt. The detailed AI Act analysis is set out on the EU AI Act spoke.

How is health data handled for a telemedicine or digital-therapeutics platform?

Health data is sensitive personal data under Art. 5 DSG, which raises the bar for lawful processing, security and transparency, and a platform operated from outside Switzerland may also need a Swiss data-protection representative. Where the product feeds clinical research with health-related personal data, HFG can apply as well (Art. 2). The mandate maps which regime governs which data flow and points to the firm's health-research-data and Swiss data-protection representative spokes for the detailed work.

How does this integrated service relate to the separate component spokes?

This page frames the single coordinated mandate; the component spokes carry the depth. MDR/IVDR device work, the EU AI Act analysis, health-research and clinical-data law, and the Swiss data-protection representative function each have a dedicated service page with the detailed obligations and pin-cites. A digital-health engagement draws on whichever components a given product needs and keeps them aligned under one timeline and one set of documentation.

Service

Digital health compliance counsel.

Digital-health products sit across three regimes at once. The firm runs them as one mandate spanning medical-device law (MDR/IVDR), the EU AI Act and data protection, across software as a medical device, AI/ML diagnostic and decision-support tools, and cross-border telemedicine. One integrated function keeps device, AI and data documentation consistent, with the firm's component services supplying the detailed work in each regime.

Map the digital-health pathway

Who this is for

Digital-therapeutics makers placing software as a medical device on the EU or Swiss market.
AI/ML diagnostic-imaging and clinical-decision-support providers regulated as both device and high-risk AI.
Cross-border telemedicine platforms operating into the DACH region and handling health data.

What's included

This is one integrated mandate, not four parallel projects. The firm maps which regimes a given product triggers, runs them on a single timeline with one consistent set of documentation, and draws on its dedicated component services for the detailed obligations and pin-cites in each regime.

Single regulatory map: one assessment of which regimes each digital-health product triggers across its lifecycle, so device, AI and data workstreams are scoped together rather than discovered one at a time.
Medical-device pathway (MDR/IVDR): software-as-a-medical-device classification, conformity-assessment route and technical-documentation strategy under the EU device regulations, with the detail handled by the firm's MDR/IVDR compliance service.
AI Act layer: high-risk classification for medical-device AI under Art. 6(1) and how the AI Act's high-risk requirements sit alongside device conformity assessment, with the full analysis on the EU AI Act compliance service.
Health-data governance: lawful processing, security and transparency for health data, which is sensitive personal data under DSG (Art. 5), plus the clinical-research overlay where HFG applies (Art. 2), via the firm's health-research and data law service.
Cross-border representation: where a platform is operated from outside Switzerland, the Swiss data-protection representative function for the local-presence requirement under DSG.
Coordinated documentation: the device file, the AI conformity material and the data-protection record built once and kept aligned, with major filings priced as fixed-fee modules.

How it works

Scoping. The firm maps the product and identifies which regimes (device, AI, data) it triggers across its lifecycle.
Integration plan. The firm sets one timeline and assigns each obligation to the right component workstream.
Gap assessment. The firm compares current documentation and governance against the combined obligations.
Build. The firm delivers the device, AI and data documentation as fixed-fee modules, kept consistent across regimes.
Ongoing advisory. The firm runs change management and post-market monitoring across all three regimes on a retainer.

Indicative pricing

Monthly subscription

from CHF 9,500 / month

One integrated mandate; major filings as fixed-fee modules.

Indicative starting prices, net and exclusive of Swiss MWST (VAT) where applicable; final fee per written engagement letter.

Frequently asked questions

Why combine MDR/IVDR, the AI Act and data protection into one mandate?: Because a single digital-health product usually triggers all three at once. A software-as-a-medical-device tool is regulated as a device under MDR or IVDR, is high-risk under the EU AI Act where it is a medical-device product requiring third-party conformity assessment (Art. 6(1)), and processes health data that is sensitive under DSG. Run as separate workstreams these regimes overlap, contradict and duplicate documentation; run as one mandate the device file, the AI conformity material and the data-protection record are built once and kept consistent.
Is AI/ML diagnostic or decision-support software high-risk under the EU AI Act?: Generally yes, where it is a medical device. An AI system that is itself a medical device, or a safety component of one, and that must undergo third-party conformity assessment under the Union harmonisation legislation in Annex I, is high-risk under Art. 6(1) of the AI Act. Most AI/ML diagnostic imaging and clinical-decision-support software falls into a conformity-assessed class under MDR or IVDR, so it is dual-regulated as both a device and a high-risk AI system, not exempt. The detailed AI Act analysis is set out on the EU AI Act spoke.
How is health data handled for a telemedicine or digital-therapeutics platform?: Health data is sensitive personal data under Art. 5 DSG, which raises the bar for lawful processing, security and transparency, and a platform operated from outside Switzerland may also need a Swiss data-protection representative. Where the product feeds clinical research with health-related personal data, HFG can apply as well (Art. 2). The mandate maps which regime governs which data flow and points to the firm's health-research-data and Swiss data-protection representative spokes for the detailed work.
How does this integrated service relate to the separate component spokes?: This page frames the single coordinated mandate; the component spokes carry the depth. MDR/IVDR device work, the EU AI Act analysis, health-research and clinical-data law, and the Swiss data-protection representative function each have a dedicated service page with the detailed obligations and pin-cites. A digital-health engagement draws on whichever components a given product needs and keeps them aligned under one timeline and one set of documentation.

Last updated: 2026-05-31

Discuss a digital-health mandate