Digital health applications (DiGA) require the following certificates in the area of data protection and data security (in addition to many other requirements) in order to be listed in the BfArM directory:
- Data security certificate according to BSI TR-03161
- Data protection certificate in accordance with the GDPR
In addition, there is the maintenance of an ISO/IEC 27001-certified information security management system, which is not the focus of this article, however.
We explain what the data protection and data security certificates are about, when the certifications become mandatory, and how you as a manufacturer can obtain them.
Table of Contents
- 1. When does the certification requirement take effect?
- 2. How do I obtain the DiGA certificate for data security?
- 3. How do I obtain the DiGA certificate for data protection?
- 4. Conclusion
- 5. Preparation for Certification
1. When does the certification requirement take effect?
The current deadlines for DiGA certification in accordance with data protection and data security regulations are as follows:
Data security certificate according to BSI TR-03161: January 1, 2025
Since January 1, 2025, manufacturers of digital health applications (DiGA) have been required to prove compliance with data security requirements by means of an official certificate.
- New DiGA applications: A transitional arrangement previously applied to new DiGA applications, but it is no longer relevant. To be included in the DiGA directory, you now need data security certification in accordance with BSI TR-03161.
- Listed DiGA: For DiGA that are already listed, the BfArM currently tolerates missing certificates. The prerequisite is that the manufacturer can prove that it is in the ongoing certification process. This practice is subject to change at any time. Manufacturers of listed DiGA should ensure that they obtain the BSI certificate as soon as possible.
Data protection certificate in accordance with GDPR: still unclear
Currently, there is no obligation for DiGA to submit a formal data protection certificate. The reason for this is that there are currently no accredited certification bodies for certification in accordance with the data protection criteria set out in Section 139e (11) SGB V and Section 78a (8) SGB XI.
The BfArM is currently working with the BfDI and the BSI to implement the legal requirements. The underlying data protection criteria have already been updated and published. In the future, they will form the basis for an official data protection certificate that covers both the requirements of the GDPR and additional DiGA- and DiPA-specific requirements. However, the certificate is still under development. Changes to test criteria and test methods are therefore possible.
As long as certification is not yet technically and organizationally feasible, the data protection requirements of the DiGAV continue to apply.
Once certification bodies have been accredited, the BfArM will require the submission of a data protection certificate with sufficient advance notice. Specific time frames will be published on the BfArM website. Manufacturers of already listed DiGA will then be individually requested to submit the certificate.
2. How do I obtain the DiGA certificate for data security?
The data security certificate for DiGA is based on BSI TR-03161 and is awarded via a multi-stage process. A prerequisite is the complete technical and organizational implementation of the requirements.
The path to certification in brief:
- Preparation: Implementation of the technical and organizational requirements of BSI TR-03161 in the manufacturer’s product and processes.
- Testing by an accredited testing agency: A testing agency approved by the BSI tests the product, architecture, source code, documentation, and security processes and prepares a test report.
- Certification decision by the BSI: Based on the test report, the BSI decides whether to issue the certificate and issues it if the evaluation is positive.
We have written a detailed guide that gives you an overview of the entire process of data security certification according to BSI TR-03161. In this context, we deal with the following topics:
- What exactly does TR-03161 require?
- How does certification with the testing center and BSI work?
- What are the associated costs and how long does such certification take?
- What are the practical implications of BSI TR-03161 for DiGA?
- What does the future hold for BSI certification? (Keyword: BSI TR-03185)
Here you will find our guide to BSI TR-03161 certification (link: To the technical article).
3. How do I obtain the DiGA certificate for data protection?
The data protection certificate is a certification in accordance with Article 42 of the GDPR. The underlying assessment is to be carried out on the basis of test criteria published by the BfArM several months ago: DiGA and DiPA data protection criteria.
According to the GDPR, corresponding certificates can be issued by the supervisory authorities themselves or by accredited bodies. In practice, however, the picture is different.
The Bavarian Federal Office for Data Protection Supervision (BayLDA), for example, does not carry out any certifications itself “due to a lack of human resources.” Instead, it refers to organizations accredited by DAkkS (German Accreditation Body), which do not yet appear to exist (source: BayLDA – Certification). (As of March 15, 2024)
Unfortunately, many questions that concern DiGA manufacturers cannot be answered at this time. These include, among others:
- Who can carry out the relevant tests required for certification?
- How long do the certification procedures take?
- How much do the certifications cost?
The central information DiGA manufacturers would need in order to fulfill the legal requirements is therefore still missing, and data protection certification is not currently possible.
As soon as this changes or new information becomes available, we will notify all subscribers to our DiGA newsletter. If you would like to stay up to date on this, subscribe to our newsletter for DiGA manufacturers (link: here).
4. Conclusion
We are actively monitoring the situation with data protection certification for all our DiGA customers and are eager to hear when there will be news on this. The fact is: data protection certification is coming. It is only a matter of time before this happens.
With regard to data security certification, a testing process is already in place and more than 10 DiGA applications have already been certified according to BSI TR-03161 (as of January 2026). The testing process has room for improvement in many areas, so updates are expected in the near future. You can find more information on this in our technical article on BSI certification of DiGA.