
2025 was an incredibly busy year for digital health, and 2026 is likely to be no different. This edition of Vital Signs covers numerous developments, along with a look to 2026 in Industry Insights. Thank you to our Jones Day contributors who are committed to bringing you a curated one-stop resource on notable digital health updates.
This past year was a busy one for the entire health care and life sciences industries, and the realm of digital health was no exception. Trends and developments in 2025 inevitably give clues as to what may be on the horizon for 2026:
Trends in State AI Regulation, With Preempting Federal Regulation to Follow?
2025 saw a flurry of activity at the state level to regulate the use of AI in the health care context. However, state approaches to AI regulation have shifted from broad AI laws to narrower, use-case-specific rules, including targeted applications in the contexts of clinical care, system safety, and mental health.
In clinical settings, for example, Texas SB 1188 establishes obligations when AI is used for “diagnostic” purposes, as well as obligations involving AI‑generated records. On the AI model system safety front, California’s SB 53, first-of-its-kind legislation governing large AI model developers, appears to mandate transparency reports and safety frameworks for identifying, assessing, and mitigating high‑impact risks. While focused on developers of AI models, the requirements will influence health care entities as they adopt and integrate such models in operations. And for direct AI-patient interaction, especially in the mental health space, California’s SB 243 calls for disclosures when certain users are interacting with non‑human agents, robust protocols to prevent suicide and self‑harm content, and annual reporting regarding suicide prevention. Legislatures in New York and Illinois have similarly focused on the mental health chatbot space.
Though states have narrowed their application of AI laws, the federal government has called for further de-regulation. On December 11, 2025, President Trump signed an Executive Order (“EO”) calling for a “national [AI] policy” free of “cumbersome” state AI regulation. While Congressional action on the topic may be necessary, the EO foreshadows increasing government attention and likely litigation over state AI laws inconsistent with the policy of “global AI dominance through a minimally burdensome national policy framework for AI.” A few days after the EO, on December 19, 2025, the U.S. Department of Health and Human Services (“HHS”) issued a Request for Information seeking broad stakeholder feedback on how HHS should use its regulatory, reimbursement, and research and development authorities to accelerate the adoption and use of AI in clinical care in a “forward-leaning, industry-supportive” approach. Comments are due by February 23, 2026.
Continued Medicare Coverage for Telehealth Services . . . For Now
Following uncertainty over coverage for Medicare telehealth services during the 2025 federal government shutdown, broad Medicare coverage for such services remains temporary, with key waivers and flexibilities currently extended only through January 30, 2026, as of the date of this publication. These flexibilities, which were first implemented during the COVID-19 public health emergency and subsequently extended on a temporary basis several times, make telehealth services available to many more Medicare beneficiaries than would have access under pre-COVID limitations. We expect to see continued lobbying by stakeholders in 2026, as Congress must act to make many of these flexibilities permanent.
Absent Congressional action, the Centers for Medicare and Medicaid Services (“CMS”) continues to take action aimed at increasing the adoption of digital health tools and this focus seems likely to continue into 2026. In addition to the TEMPO/ACCESS collaboration (described below), CMS recently clarified rules regarding provider billing location and related Medicare enrollment requirements (making it easier for providers to provide services from home) and adopted changes as part of the 2026 Physician Fee Schedule that reflect its support of telehealth and the use of other digital health technologies. These changes include making it easier to permanently add services to the Medicare telehealth services list, permanently removing frequency limitations on certain telehealth subsequent care services in inpatient and nursing facility settings and critical care consultations, permanently allowing use of two-way audio/video communications technology to satisfy “direct supervision” in most circumstances, and authorizing payment for certain digital mental health treatment.
Final Rules (Finally?) on Remote Controlled Substances Prescribing
The Drug Enforcement Administration (“DEA”) also opted to temporarily continue telehealth flexibilities into 2026 to prevent the “telemedicine cliff”: the reinstatement of the pre-pandemic restrictions imposed by the Controlled Substances Act requiring (in most cases) at least one in-person medical evaluation before a provider can remotely prescribe controlled substances. The latest temporary rule, published on December 31, 2025, and authorizing DEA-registered practitioners to remotely prescribe Schedules II-V controlled substances without an in-person medical evaluation through December 31, 2026, is the fourth time DEA has issued such an extension. Notably, DEA cited the abrupt cessation of Medicare’s telehealth flexibilities during the government shutdown and disruption in care that followed as one of the justifications for issuing the extension.
DEA also indicated that the continued extension will provide DEA with additional time to finalize and implement effective permanent regulations (e.g., under the special registration authority in the Controlled Substances Act). DEA published a proposed special registration framework in a proposed rule on January 17, 2025, but the rule has not yet been finalized. According to DEA, the latest extension provides it additional time to consider the more than 6,000 comments it received on the proposed rule, as well as the presentations made at the Telemedicine Listening Sessions, the Tribal Consultations, and the E.O. 12866 meetings held in 2023 and 2024. This suggests that 2026 may be the year we finally see final remote controlled substance prescribing regulations.
An FDA Focused on Accelerating Adoption and Integration of Digital Health Technologies
In 2025, the Food and Drug Administration (“FDA”) Commissioner Marty Makary announced a number of policy changes and launched several pilot programs, all aimed at accelerating the development and marketing of new therapies and products to address unmet medical needs. This includes the adoption and integration of new technologies and digital health devices.
On December 5, 2025, FDA announced the voluntary Technology‑Enabled Meaningful Patient Outcomes for Digital Health Devices Pilot (“TEMPO”), a program designed to expand access to technology-enabled, integrated care for patients with chronic diseases. TEMPO appears to support limited, clinician‑supervised real‑world use of certain digital health devices in Medicare — focused on cardio‑kidney‑metabolic, musculoskeletal, and behavioral health — to generate evidence for future FDA authorization, while CMS’s Advancing Chronic Care with Effective, Scalable Solutions (“ACCESS”) model tests outcomes‑based payment to support adoption. Together, the TEMPO/ACCESS collaboration signals FDA and CMS interest in new development models that bridge evidence generation for authorization, clinical adoption, and payer coverage. Expected to accept statements of interest starting January 2, 2026, FDA may select 10 manufacturers per clinical area, and operate in parallel with ACCESS, which plans to accept applications in early 2026 (due April 1) for a first performance period beginning July 1, 2026. For more information about TEMPO, read our recent Alert.
On December 15, 2025, FDA issued a press release stating that the agency intends to accept real-world evidence (“RWE”) for devices, drugs, and biologics in regulated product marketing applications without requiring sponsors, in all cases, to submit identifiable, individual patient data collected from real-world data (“RWD”) sources. This means digital health, AI, and software-enabled medical products can now use large-scale, de-identified RWD from registries, hospital networks, and claims databases as FDA-acceptable evidence to demonstrate treatment impact at scale and bring therapies to patients faster.
Complementing this change, on December 18, 2025, FDA finalized a long-awaited guidance for device sponsors on the Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices. The guidance clarifies how FDA evaluates RWD to determine whether they are of sufficient quality and provenance to be accepted as RWE suitable for review and reliance by FDA in regulatory decision-making for medical devices. Relative to the draft guidance from 2023, the final guidance places greater focus on assessing the relevance and reliability of RWD rather than whether they are “fit-for-purpose,” going so far as to include a Relevance and Reliability Elements for Documentation and FDA Review checklist in Appendix A. FDA also expanded Appendix B of the final guidance with lengthier examples of how FDA may consider RWE in regulatory decision-making, including for a new PMA approval, expanded indications for use, 522 responses, and a de novo grant. FDA does not expect industry to begin implementing the final guidance recommendations until February 16, 2026, but has indicated that the agency is ready to review such information if submitted at any time.
Pairing the changes discussed here with the three other guidances with digital health and AI-related content that CDRH published in 2025 (final guidance for a Predetermined Change Control Plan for AI Enabled Device Software Functions (August 2025); a final guidance on Cybersecurity in Medical Devices (June 2025); and a draft guidance on AI-Enabled Device Software Functions (January 2025)), we see an FDA focused on embracing the integration of new technologies and RWE into regulatory frameworks to permit more agile pathways for digital health technologies across therapeutic areas. Indeed, for 2026, CDRH has prioritized plans to publish a new draft guidance on Policy for Device Software Functions, and, as resources permit, plans to finalize the draft guidance on AI-Enabled Device Software Functions and develop a guidance on Clinical Evidence Considerations for Digital Mental Health Treatment Devices, including Computerized Behavioral Therapy Devices.
OIG Issues Favorable Opinion on Telehealth Arrangement
In a recent Advisory Opinion (AO 25-03), the Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services (“HHS”) offered a note of reassurance to a telehealth platform company and its affiliated “friendly PCs” (professional corporations or “PCs”). The June 2025 Advisory Opinion responded to a request by a “hub” PC and its management services organization (“MSO”) that proposed an arrangement with specialty PCs (“Platform PCs”) offering telehealth services using platforms hosted by their related MSOs (“Platforms”).
As described in the Advisory Opinion, the hub PC maintained contracts with payors representing roughly 80% of all commercially covered lives and 65% of Medicare Advantage covered lives. The Platform PCs wanted to leverage the reach of the hub PC to expand their respective specialty telehealth offerings. The Platform PCs leased their contracted health care practitioners (“HCPs”) to the hub PC, and the hub PC contracted with the Platforms for the HIPAA-compliant telehealth platform and administrative services. Supported by third-party valuations, the hub PC paid hourly lease fees to the Platform PCs and administrative fees to the Platforms. In turn, under its managed care contracts, the hub PC billed and retained the fees paid for services provided by the contracted HCPs, taking the collection risk under its contracts.
OIG analyzed the proposed arrangement under the Personal Services and Management Contracts Safe Harbor, 42 CFR 1001.952(d). OIG found that the proposed arrangement would qualify for the Safe Harbor and accordingly would not generate prohibited remuneration under the Federal Anti-Kickback statute.
DOJ Remains Focused on Telehealth & “Telehealth-Like” Schemes Involving Durable Medical Equipment, Genetic Testing, and Laboratory Services
The Department of Justice (“DOJ”) continues to focus its health care enforcement efforts on telemedicine schemes, including claims for genetic testing and Durable Medical Equipment (“DME”), as evidenced by a number of actions over the past several months:
FDA Issues Final Guidance on Cybersecurity in Medical Devices
On June 27, 2025, FDA issued its updated final guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which builds on the guidance and select updates issued in 2023 and 2024 and provides a robust framework for ensuring the cybersecurity of medical devices and clarifications that reflect the evolving cyber and technological landscape, including FDA’s expectations for documentation, design, and labeling requirements under section 524B of the Federal Food, Drug, and Cosmetic Act (“FDCA”). By stressing that cybersecurity must be a core quality attribute throughout the total product lifecycle, FDA clarifies in the guidance how manufacturers should demonstrate “reasonable assurance of cybersecurity” in both device pre-submissions and significant postmarket modifications. Further, FDA elaborates on expectations for software bills of materials, secure product development frameworks, coordinated vulnerability disclosure policies, and labeling that communicates cybersecurity controls to users. FDA also notably expands the definition of “cyber device” to include any device with software capabilities with connectivity features.
FDA Expands Agency-Wide AI Integration and Launches “Elsa”
In June 2025, FDA announced the launch of “Elsa,” its first Agency-wide generative artificial intelligence platform designed to augment internal regulatory review processes. The announcement followed completion of the Agency’s initial AI-assisted scientific review pilot, which tested the use of AI tools for summarizing complex clinical and scientific data. Elsa operates within FDA’s information technology environment and is explicitly isolated from industry-submitted data, meaning it cannot train on confidential submissions. Reports indicate the tool is already being used to help staff summarize clinical protocols, compare labeling across drug products, identify trends in adverse event data, and assist in drafting technical documents. FDA officials have described Elsa as part of a broader digital modernization effort aimed at improving efficiency, transparency, and workload management across centers. The Agency has plans for additional pilots to evaluate AI support for other tasks.
FDA Warns Wrist Wearable Company Over Blood Pressure Insights Feature
FDA issued a warning letter to a fitness technology company for allegedly marketing its “Blood Pressure Insights” feature without FDA marketing authorization in violation of the FDCA. FDA takes the position that the feature, which provides users with feedback based on biometric data collected through wearable wristbands, meets the definition of a medical device because it purports to measure or estimate users’ blood pressure, which is inherently associated with the diagnosis of hypo- and hypertension. As such, according to FDA, it is not an exempt general wellness software device because it implies a causal link between a user’s blood pressure measurement and wellness results. Also, it is not a low-risk device that qualifies for FDA enforcement discretion under its general wellness policy because providing blood pressure estimation is not a low-risk function given the significant consequences to users who may rely on an inaccurate or misleading blood pressure measurement. In response, the company asserts that the feature is not intended to diagnose any condition and is clearly labeled for non-medical use. The dispute highlights the growing tension between wellness-focused wearable technologies and medical device regulation as companies continue to expand their biometric capabilities.
FDA Seeks Public Comment on Real-World Performance of AI-Enabled Devices
On September 30, 2025, FDA’s Center for Devices and Radiological Health published a Request for Public Comment on methods for measuring and evaluating the performance of AI-enabled medical devices in real-world settings. The Agency seeks stakeholder input on how best to assess “data drift,” define performance baselines, and monitor adaptive algorithms once deployed in clinical environments. The notice reflects FDA’s ongoing effort to develop a comprehensive framework for AI-driven technologies, complementing earlier guidance on predetermined change control plans. FDA asked developers, health systems, and patient groups to provide feedback on practical metrics for reliability, transparency, and human oversight.
Digital Health Advisory Committee to Examine Generative AI Mental Health Tools
FDA’s Digital Health Advisory Committee met in November 2025 to discuss the emerging category of generative AI-enabled digital mental health medical devices. The meeting focused on how AI tools can address the widening gap in access to mental health services in the United States, while also considering the potential risks associated with hallucination, bias, and patient harm in conversational or generative models used for mental health purposes. The session also aimed to clarify the boundary between general wellness applications and products requiring FDA authorization.
Bipartisan Healthcare Cybersecurity Act of 2025 Introduced in House and Senate
In June 2025, Congress introduced parallel bipartisan bills (H.R. 3841 / S. 1851) to strengthen cybersecurity in the health sector by directing HHS and the Cybersecurity and Infrastructure Security Agency (“CISA”) to partner more closely. If passed, the bills would establish a permanent CISA liaison embedded within HHS and require CISA to provide direct technical assistance, threat intelligence, and incident-response support to non-federal health care entities, including hospitals, clinics, and public health agencies. Proponents cite the growing incidence of health data breaches, including the 2024 Change Healthcare cyber attack, and argue the bill is necessary to protect uptime and patient safety in health systems.
Federal Lawmakers Reintroduce “My Body, My Data” Act
Federal lawmakers reintroduced the My Body, My Data Act to protect reproductive and sexual health information. If passed, the bill would apply to all entities that collect, use, or disclose reproductive health data, including mobile app developers, data brokers, and online platforms, and would require them to limit such activities to what is strictly necessary to provide a requested service. Covered entities would also be obligated to implement reasonable security measures, publish clear privacy policies, and obtain affirmative consent before sharing or selling reproductive health data to third parties. In addition, the bill grants individual consumers the right to access, delete, and correct reproductive health information held by covered entities. Enforcement authority would rest with the Federal Trade Commission, which would be empowered to investigate and penalize companies that fail to comply with these data-handling requirements.
STATE
Montana Genetic Information Privacy Act Amended to Include “Neurotechnology Data”
Montana recently enacted SB 163, amending the Montana Genetic Information Privacy Act (“MGIPA”) to include “neurotechnology data” within its scope of protection. MGIPA, first enacted in 2021, involves the collection, use, or disclosure of genetic information and involves consent from consumers, privacy notices, certain data deletion capabilities, and restrictions around certain third-party transfers. Under SB 163, those same obligations now extend to data generated by technologies that record, interpret, or alter activity of the human nervous system, including brain-computer interfaces and neural sensors. The new law also includes a de-identification exception for research data and consent when transferring or storing certain neurotechnology data. The law took effect October 1, 2025.
Texas SB 922: EMR Holding Period for Sensitive Results
SB 922 amends certain provisions of the Texas Medical Practice Act, establishing criteria involving disclosure by electronic means of “sensitive test results.” A “sensitive test result” is defined as: (i) a pathology or radiology report that has a “reasonable likelihood of showing a finding of malignancy”; or (ii) a test result that may reveal a genetic marker. SB 922 went into effect September 1, 2025.
The European Commission proposed a new European BioTech Act as part of the Commission’s broader Strategy for European Life Sciences, which focuses on how the EU can support green and digital transitions and develop high-value technologies. The forthcoming BioTech Act provides a framework for biotechnology, covering health and pharmaceuticals and other adjacent industry applications. Its central goal is to make it easier to bring biotechnological products from laboratory to factory and onto the market, while upholding the EU’s high standards for safety and environmental protection.
According to Commission President Ursula von der Leyen’s Political Guidelines for the Next European Commission, the BioTech Act is expected to: (i) introduce measures to streamline regulatory pathways and accelerate the transition of biotech products to market; (ii) encourage innovation in areas such as health technology assessment and clinical trials; and (iii) examine factors including regulatory speed and efficiency, access to finance, scaling of production and market size, and the use of AI in biotechnology.
As part of the legislative preparation, the Commission held a public consultation through November 10, 2025. The European Parliament previously published a briefing outlining Member State positions and key policy considerations. The proposal was officially published on December 16, 2025.
European Commission Launches Life Sciences Strategy
This summer, the European Commission launched its “Life Sciences Strategy” (the “Strategy”) covering economic activities that rely on knowledge of living systems, including biotechnology, agriculture, food technologies, health care, pharmaceuticals, medical devices, bio-based products, and biomanufacturing. The Strategy aims to unlock the full potential of life sciences to strengthen Europe’s competitiveness, health resilience, and sustainability. The Commission has published a Communication, Q&A, and factsheet relating to the Strategy.
The Strategy sets out a three-phase approach: (i) fostering research and innovation; (ii) accelerating market access; and (iii) promoting the uptake of innovative medical and biotechnological solutions. It seeks to ensure that Europe remains an attractive location for life sciences investment, supports strategic autonomy in critical technologies and medicines, and promotes environmentally sustainable production.
Key initiatives include improving coordination between research and industrial policy, reducing regulatory complexity to shorten time-to-market for innovative products, enhancing access to finance, and strengthening the EU’s biomanufacturing capabilities. The Strategy also supports closer collaboration between regulators, industry, and health systems to facilitate faster patient access to innovation.
The Strategy complements other EU initiatives such as the Pharmaceutical Strategy for Europe, the Green Deal Industrial Plan, and the European Health Union, positioning life sciences as a central pillar of Europe’s competitiveness and health preparedness.
European Commission Publishes Guidance on Medical Device Software Apps
The European Commission issued “Guidance on the safe making available of medical device software” (“MDSW”) apps on online platforms (MDCG 2025-4). The document outlines the respective obligations and responsibilities of platform providers under the Medical Devices Regulation (“MDR”), the In Vitro Diagnostic Medical Devices Regulation (“IVDR”), and the Digital Services Act (“DSA”). The guidance emphasizes that clear distinction is required — platforms should clearly separate MDSW from non-medical wellness or lifestyle apps — while also clarifying key definitions: Uploading an MDSW app by the manufacturer constitutes “placing [the app] on the market,” while the period during which the app is hosted on the platform and can be obtained by users constitutes “making [the app] available on the market.”
Additional key principles outlined in the guidance include the following:
European Commission Publishes Draft Guidelines on Good Manufacturing Practice (GMP)
On July 7, 2025, the European Commission published revised draft guidelines on Good Manufacturing Practice (“GMP”). The updated GMP guidelines revise Chapter 4 (Documentation) and Annex 11 (Computerized Systems) and include a new Annex 22 (Artificial Intelligence):
European Commission Publishes FAQ on Interplay Between Medical Devices and AI
The European Commission published frequently asked questions (FAQ) on the interplay between the MDR, IVDR, and AI Act (MDCG 2025-6). The FAQ clarifies how regulated medical devices and in-vitro diagnostics that incorporate or operate together with AI should navigate the convergence of the MDR, IVDR, and the AI Act.
Among others, the FAQ clarifies the following:
The iterative guidance will be continuously developed and updated. Stakeholders may wish to consider submitting concrete examples (e.g., device use cases, training-data provenance documents, performance monitoring records) to inform subsequent guidance.
Study Shows Environmental Impact of Electronic Patient Information
The European Federation of Pharmaceutical Industries and Associations (“EFPIA”) published the results of a comparative Life Cycle Assessment (“LCA”) comparing the difference in environmental impacts between a paper patient information leaflet (“PIL”) and an electronic version (“ePI”). Results of the LCA indicate that an ePI has between 89% and 98% fewer environmental impacts in the studied categories (ecosystems, resources, cumulative energy demand, and climate change). A paper PIL has 20 times higher climate change impacts than an ePI. When scaling up to a full year of drug sales for four of the pharmaceutical companies identified in the assessment (5.2 billion units), switching to 100% ePI would reduce carbon emissions by 49,507 Metric Tons of Carbon Dioxide Equivalent (“MTCO2e”) in one year.
Council of the EU Calls for Greater Efforts to Protect Youth Mental Health in the Digital Era
In the summer of 2025, the Council of the EU adopted conclusions urging Member States and EU institutions to intensify efforts to protect the mental health of children and adolescents in a rapidly evolving digital landscape. While acknowledging the positive potential of digital technologies — including access to information, social connection, and remote psychological support — the Council warns of the growing mental health risks linked to online manipulation, addictive features, harmful content, and excessive screen time.
The Council’s conclusions set out several expectations for online platforms, digital service providers, and AI developers, including to:
The Council also calls for the following action items: (i) greater access to psychological counseling, peer-support and digital safety services for young people; (ii) integration of mental health, media, and digital literacy into education; (iii) public campaigns to help parents and educators identify signs of digital distress; and (iv) research and expert advisory bodies to improve understanding of the “psyche-digital” interface.
These conclusions reinforce existing obligations under the DSA and AI Act, signaling a broader EU policy shift toward responsible digital design and child-centric online governance. Companies operating in digital markets may wish to consider proactively assessing compliance and preparing for heightened scrutiny of the mental health impacts of their services.
European Council Adopts Position on New Pharma Package
The Council of the EU adopted a position regarding the proposed reform of EU pharmaceutical legislation (the “Proposed Reform”), paving the way for negotiations with the European Parliament, which previously adopted a position in April 2024. (See Jones Day’s coverage of the European Commission’s Proposal of Major Reform of Pharmaceutical Legislation in a prior edition of Vital Signs.) Those negotiations have since resulted in a provisional (“early second reading”) political agreement between the co-legislators.
Key pieces of the Council and Parliament’s provisional agreement include an eight-year regulatory data protection term for innovative medicines and an additional year of regulatory market protection.
The Council of the EU and the European Parliament reached a provisional agreement on the Proposed Reform in December 2025; formal adoption steps are expected to follow.
European Court of Justice Rules that Polish Prohibition on Pharmacy Advertising Violates EU Law
On June 19, 2025, the European Court of Justice (“ECJ”) delivered its judgment in case C-200/24 Commission v. Poland (Publicité pour les pharmacies), finding that Poland’s general and absolute prohibition on pharmacy advertising is incompatible with EU law.
The court held that the EU Directive on Electronic Commerce entitles members of regulated professions — such as pharmacists in Poland — to use online commercial communications to promote their services. While such communications must comply with professional conduct rules, those rules cannot impose a blanket ban on all forms of advertising, as Polish law currently does.
The ECJ further found that the Polish prohibition infringes on the EU freedoms to provide services and of establishment, as it prevents pharmacists from making their services known to potential clients and from promoting their professional activities. The restriction also makes market access more difficult, particularly for pharmacists established in other Member States who wish to open pharmacies in Poland.
European Union Agency for Cybersecurity Publishes a Cyber Stress Testing Handbook
In 2025, the European Union Agency for Cybersecurity (ENISA) released a practical Handbook for Cyber Stress Testing to help national authorities assess the resilience of critical sectors, including health care. The handbook introduces a five-step process — planning, preparation, execution, analysis, and follow-up — to design and conduct stress tests at a national, regional, or EU level. It provides guidance on selecting target entities, developing realistic threat scenarios, defining resilience metrics, assessing interdependencies, and translating results into policy and regulatory measures to strengthen systemic cyber resilience.
In a practical example from the health care sector, the handbook shows how a national authority could apply this process to test the resilience of hospitals, large clinics, and health agencies. The exercise focuses on both IT systems — such as electronic health records and hospital management platforms — and operational technology, including connected medical devices and building infrastructure. The simulated scenario involves a ransomware attack that encrypts hospital networks, steals patient data, and disrupts emergency and online services. Working with Computer Security Incident Response Teams (CSIRTs), law enforcement, and information and communication technology (“ICT”) providers, participants assess their ability to detect, respond to, and recover from such an incident using predefined resilience metrics. The results expose weak technical safeguards and the rapid spread of ransomware between systems, prompting specific recommendations and a national program to strengthen cybersecurity and modernize healthcare infrastructure.
EU Commission Adopts EU4Health Work Program 2025
On July 23, 2025, the European Commission announced two targeted initiatives aimed at accelerating digital health and responsible AI innovation in the EU, to be implemented under the EU4Health Programme, notably including the following:
FINLAND
Finnish Data Protection Authority Fines Large Pharmacy Chain
On June 17, 2025, the Finnish Data Protection Authority (DPA) imposed a fine of EUR 1.1 million on one of the nation’s largest pharmacy chains for failing to adequately protect personal data in its online shop between May 2018 and September 2022. The investigation, prompted by a doctoral student’s research, found that the company violated key GDPR principles (including confidentiality and security) by using cookies and tracking tools that transmitted detailed information about users’ interactions — including which prescription and over-the-counter medicines they viewed or added to their carts, along with IP addresses — to third-party technology companies. The DPA concluded that this practice allowed third parties to potentially profile users’ health conditions, representing a serious breach of data protection rules.
BELGIUM
Belgian Federal Agency for Medicines and Health Products Publishes Annual Report
On July 28, 2025, the Belgian Federal Agency for Medicines and Health Products (“FAMHP”) published its annual report for 2024 (the “Report”), highlighting the agency’s key activities and developments over the past year. The Report covers progress across several areas, including pharmacovigilance, digital transformation, and EU-level collaboration, with a particular emphasis on the agency’s growing use of digital and AI tools.
The Report outlines how FAMHP is integrating AI into pharmacovigilance processes — such as through automating translations, supporting case analysis, and facilitating communication with the EMA. However, FAMHP highlights the continued need for high-quality source data: AI complements but does not replace thorough reporting.
Additionally, the Report informs readers about several upcoming and existing digital tools, such as applications and websites that allow users (including health care professionals, journalists, and patients) to check the real-time availability of medicines in Belgium, as well as substitution tracking.
The Report reaffirms FAMHP’s commitment to further invest in digital modernization to strengthen the safety and accessibility of medicines and medical devices and to improve transparency and access to information.
Belgian Council of Ministers Approves Several Draft Laws Related to Digital Health
The Belgian Council of Ministers was active throughout the summer, approving various laws, including these:
These draft laws were submitted for advice and, upon formal adoption by Parliament, will enter into force.
Belgian FAMHP Applies Accelerated Timelines for Clinical Trials
On October 14, 2025, the Belgian FAMHP announced expedited review timelines for clinical trial applications to facilitate quicker access to innovative therapies in Belgium.
From January 2026, clinical trials conducted exclusively in Belgium will benefit from substantially reduced evaluation timelines, which represent (approximately) a 50% reduction compared to current procedures:
FAMHP also initiated a pilot program for expedited assessment of multinational clinical trials in early phases (Phase I, I/II, and II), where Belgium acts as the reporting Member State under the EU Clinical Trials Regulation. The pilot program’s key features include the following:
SLOVENIA
Information Commissioner Issues an Opinion on Patient Access to Health Records and Data Management
On July 22, 2025, the Slovenian Information Commissioner issued a non-binding opinion (No. 07121-1/2025/573) to clarify patients’ rights to access their medical records and the corresponding obligations of health care providers. The opinion confirmed that while patients are not entitled to a detailed explanation of every data-entry practice, they do have a clear right to obtain a copy of their medical record or an electronic printout. The Commissioner stressed that data controllers are required to implement clear and transparent procedures for handling such requests, maintaining traceability and accurate record-keeping.
ITALY
On October 10, 2025, Italy’s first national law on artificial intelligence (Law No. 132/2025) officially came into effect. Complementing the EU AI Act, the new legislation introduces specific provisions for “general-purpose” AI systems and models, along with a range of sector-specific measures.
In the health care sector, the law recognizes the development and experimentation of AI systems for scientific research as an area of substantial public interest. It allows public and private entities to process personal data, including special categories of data, for these purposes. The law also simplifies patient information obligations and enables the secondary use of personal and health data for scientific research without requiring renewed consent, provided appropriate de-identification measures are applied.
Moreover, while the duty to inform remains, the law explicitly permits the reuse of personal and health data for anonymization, pseudonymization, or data synthesis — so long as this processing supports scientific research or the planning, management, control, or evaluation of health care services. Certain data processing activities in this context are now formally recognized as being of significant public interest, subject to rules on secondary use and prior notification to the Italian Data Protection Authority.
Italy’s Garante Issues a Fine for GDPR Violations in AI-Based Cancer Research
Earlier in the year, the Italian Data Protection Authority fined a cancer-focused technology and research company for GDPR breaches related to its software, which used deep learning to analyze patient cell images for cancer research. Although most data were pseudonymized and the company cooperated fully, the DPA found that fundamental GDPR obligations — particularly regarding transparency, data minimization, and accountability — were not fully met during the processing of highly sensitive health data, including data from individuals with multiple myeloma.
Italian Data Protection Authority Warns on Health Data and AI Risks
On July 30, 2025, the Italian Data Protection Authority issued a statement addressing the privacy and safety risks of individuals uploading sensitive medical data — such as lab results, X-rays, and clinical analyses — to generative AI platforms for interpretation or diagnosis. The authority cautioned that these AI tools are often not certified as medical devices, creating potential patient safety hazards and risks related to data control, as uploaded data could be used for future model training. The DPA stressed that AI must not replace professional medical advice and highlighted the necessity of qualified human oversight and strict compliance with GDPR and the EU Artificial Intelligence Act, particularly regarding safety, transparency, and accountability.
GREECE
Hellenic Association of Pharmaceutical Companies Issues Revised Code of Ethics
On July 1, 2025, the new Code of Ethics (the “Code”), issued by the Hellenic Association of Pharmaceutical Companies, entered into force. The new Code introduces a series of amendments aimed at enhancing transparency, aligning industry practices with recent regulatory developments, and strengthening the principles of self-regulation.
The new Code updates and clarifies definitions, expands rules on advisory boards and scientific events in line with the National Organization for Medicines’ new Corrigendum Circular 45560/16.04.2025, and revises guidance on patient education. It adds a section on the origin and value of self‑regulation programs, tightens provisions on medical samples, and allows inclusion of Summary of Product Characteristics (“SmPC”) via QR code provided a printed SmPC is available on request. It also reclassifies scientific events and categorizes patient information events by organizer (patient organizations, health care organizations, pharmaceutical companies), and introduces dedicated sections for events organized by foreign pharmaceutical companies both abroad and in Greece. The Code also revises sponsorship thresholds and daily hospitality/accommodation caps and updates the methodology for calculating fair market value.
FRANCE
The French Top Administrative Court Rejects a Potential Appeal Against the Health Minister’s Decision to Allow Health Data Hosting by U.S. Companies
In a challenge brought by several claimants, the French top administrative court, the Conseil d’État (the “Conseil”), rejected an action seeking annulment of a February 2023 ministerial letter (and of a prior 2020 letter) relating to the hosting of the French Health Data Hub by a U.S. company. The claimants argued that the letter amounted to the State renouncing its earlier commitment to migrate the health-data platform to a fully “sovereign” European hosting solution to avoid potential U.S. jurisdictional access. The Conseil held that the letter did not constitute a binding decision subject to judicial review (since it gave rise to no definitive legal consequences) and accordingly dismissed the action. However, the court simultaneously affirmed that the objective of migrating to a more sovereign hosting solution remains alive and that the Minister’s letter was characterized not as a renunciation but as a temporary adjustment in light of the absence of an immediately viable alternative hosted exclusively under French/EU law. The decision confirms that policy commitments lacking finality may not be litigated, yet the underlying sovereignty objective retains operational importance.
The French DPA Holds a Public Consultation on its Recommendations Concerning Electronic Patient Records
In light of numerous inspections and formal notices issued to health care establishments for deficiencies in security and confidentiality of patient records, the French DPA issued a draft recommendation specifically addressing the management and protection of electronic patient records (“DPI”). The draft document consolidates both legal obligations and technical/organizational measures and was subject to a public consultation open until 16 June 2025.
For those in the health-data ecosystem (hospitals, health-IT vendors, data protection officers), the draft recommendation signals heightened regulatory scrutiny. Key features include the following: (i) reinforced measures such as multifactor authentication and encryption of DPI systems; (ii) clearer delineation of sub-processors and third-party obligations; and (iii) structured guidance via 14 thematic guides covering governance, retention, access control, and maintenance of health-data systems.
NETHERLANDS
Dutch Authority for Consumers and Markets Calls for Mandatory Openness of Health Care Information and Communication Technology Systems
The Dutch Authority for Consumers and Markets (“ACM”) found that ICT systems markets in the health care sector do not function effectively due to the “closed” nature of the systems. This means that other suppliers or health care providers who want to develop their own ICT cannot test or integrate new services, and their information systems do not communicate as effectively or efficiently. As a result, innovation stalls, it is difficult for new entrants to compete, and health care providers become dependent on an increasingly limited number of ICT suppliers. This leads to fewer choices, rising administrative burdens, and ultimately lower-quality care for patients.
The ACM states that it does not have the tools to effect structural change against this closed system. It therefore advises the Ministry of Health, Welfare and Sport to act through the Electronic Data Exchange in Healthcare Act. This law offers the possibility of setting sector-wide requirements for the openness of ICT systems, within strict frameworks for information security.
Dutch University Hospital Introduces AI Model to Predict Postoperative Infection Risks
Health care providers at a prominent university medical center will now use a new AI model to predict infection risk in newly operated patients. This will enable them to intervene more quickly and detect complications earlier. Currently, 5% to 20% of patients experience an infection following operations. The model predicts the risk of infections within seven and 30 days after surgery, aiding provider assessment of at-risk patients.
Lawyer Spotlights
Melissa Mannion (Washington, Health Care & Life Sciences) is a seasoned regulatory attorney with more than a decade of experience in the public health space, notably serving at the Food and Drug Administration in the Center for Drug Evaluation and Research, where she led agency-wide implementation of programs and represented the agency both domestically and internationally. She is a leading strategic counselor to clients in the life sciences space, helping them navigate complex regulatory regimes and requirements, particularly in drug development and testing, supply chain and distribution, and investigations. Melissa has testified as an expert witness during criminal proceedings involving the Food, Drug & Cosmetic Act, and other related statutes, and is a licensed pharmacist.
Taylor Stevens (San Diego/Silicon Valley, M&A, Private Equity, Technology, Health Care & Life Sciences, Venture Capital & Emerging Companies) is an industry-leading corporate lawyer and M.B.A.-trained advisor to high-growth technology and life sciences companies, with more than 25 years of experience across venture capital, mergers and acquisitions, and capital market transactions. Active in the San Diego and Silicon Valley communities, he counsels a range of emerging growth and established companies throughout the full corporate life cycle — from formation and financing to strategic exits — and represents venture capital firms and strategic corporate investors in early-stage and growth investments. Taylor has led a wide range of public and private M&A transactions, including auction sales, divestitures, carve outs, roll ups, and cross-border deals, and regularly guides clients through venture capital and debt financing transactions. He is frequently recognized by Best Lawyers in America and The Legal 500 United States for his corporate and venture capital work, and he presents on venture and corporate topics at leading forums. Taylor also contributes to the innovation ecosystem through service and prior Executive Committee and board roles for an organization fostering technology and life sciences innovation.
Steve Forster (Washington, Health Care & Life Sciences) is a leading regulatory attorney who advises digital health and pharmaceutical companies on a range of complex drug and device pricing regulations under Medicare, Medicaid, and the 340B Drug Pricing Program, as well as on product launches, patient assistance and copay programs, distribution and specialty-pharmacy arrangements, and state price-transparency laws. Steve’s practice also includes compliance counseling, litigation, and government-investigation matters involving the Anti-Kickback Statute and the False Claims Act. Steve also guides organizations (global and emerging) and investors throughout all stages of commercialization and provides strategic counsel on transactions. Drawing on years of in-house leadership at global pharmaceutical companies and the government, Steve brings a rare blend of public sector and senior in-house experience to support insightful solutions.

