Digital health applications (DiGA) require certificates for data security and data protection. Following repeated problems with the handling of personal data in some DiGAs in the past, manufacturers will have to have their applications checked more closely in future in order to obtain the relevant certificates.
The BSI TR-03161 guideline is the basis for the data security certificate. The data protection certificate is based on the General Data Protection Regulation (GDPR).
You can find out what these certificates are all about, when you need them and how to obtain them in this specialist article.
1. Data security certificate according to BSI TR-03161
1.1 When do I need the certificate according to BSI TR-03161?
The legal deadline for certification was 01.01.2025 (§ 139e SGB V), but the following transitional regulations currently apply:
- For DiGAs already listed: a certificate must be available from 01.01.25. Where this was not possible, contact must at least have been made with a test center (to be discussed with the BfArM in individual cases).
- For DiGAs in the formal application review: since 01.01.25 the certificate has been a prerequisite for the formal completeness of the application. A missing TR-03161 certificate therefore blocks the DiGA application procedure.
- For new DiGAs for which no application has yet been submitted: the certificate is required for the formal completeness of the application. A missing certificate blocks the application procedure, because the BfArM cannot start the content review.
- For DiGAs that were already in the content review on 01.01.25 (i.e. after the application had been found formally complete): the certificate can be submitted subsequently during the review procedure until 30.06.25. The application procedure can continue up to this deadline, but a missing certificate blocks inclusion in the DiGA directory. Read strictly, the information on the BfArM website means that all application procedures still lacking a certificate after this deadline would also have to be terminated. However, it remains open to what extent the BfArM will enforce this deadline and whether there will still be ways to submit the certificate later.
(as of 13.06.2025)
In practice, we currently conclude that all DiGAs (both listed and not yet listed) should apply for a BSI certificate as soon as possible. Inclusion without a certificate is no longer possible, and continued listing in the DiGA directory will be at risk for the foreseeable future.
Timeline 2025 for certification according to BSI TR-03161
1.2 How do I get the certificate according to BSI TR-03161?
The basis for the data security certificate is the technical guideline TR-03161 of the German Federal Office for Information Security (BSI).
The data security certificates themselves are issued by the BSI, but the underlying test is carried out by external test centers recognized by the BSI. You can find the list of bodies authorized to carry out a test in accordance with TR-03161 here.
Specifically, manufacturers must carry out the following steps in order to obtain the relevant certification:
- Implementation of all applicable parts of BSI TR-03161 (mobile applications, web applications, backend systems)
- Selection of a suitable test center for the audit
- Going through the test procedure with that test center
- Waiting for the final decision of the BSI (issuing of the certificate)
You should allow at least 4-6 months for the entire process.
1.3 Preparation for certification in accordance with BSI TR-03161
In preparation for the data security certificate, BSI TR-03161 must be implemented for the DiGA. In addition to the technical requirements, many test centers require additional documentation, which you may still have to prepare. It is generally advisable to contact several test centers and, above all, to clarify costs and schedule: in our experience, the time needed to complete the test can differ by several months between test centers. You should also clarify with the test center in advance which documents must be submitted by when. You may have the option of starting the test early and submitting certain information later during the procedure.
With BSI TR-03161 there are a few stumbling blocks, especially in the technical implementation, that can cost a DiGA manufacturer its certification.
1.4 Which DiGAs already have a certificate in accordance with BSI TR-03161?
To the best of our knowledge, as of June 30 there are a total of three DiGAs (in the application procedure) that have already received a certificate in accordance with BSI TR-03161. We will not name the manufacturers until they are listed on the official BSI website.
The first known DiGA (in the application procedure) ever to receive a BSI certificate, at the beginning of June, was in fact developed by QuickBird Medical: More information.
If you are planning to develop a DiGA, please get in touch with us. We can take over the development or support your in-house development team with the implementation of BSI TR-03161.
2. Data protection certificate (GDPR)
2.1 When do I need the data protection certificate (GDPR)?
The statutory deadline for certification was 01.08.2024 (§ 139e SGB V). However, as long as there is neither a certification procedure nor accredited certification bodies, the BfArM decides on the deadlines by which a data protection certificate must be submitted. According to the BfArM website, the test criteria for the certificate may also still change. Manufacturers therefore have to wait until the BfArM announces the actual certification deadlines.
Tip: Subscribe to our newsletter to be informed in good time about the upcoming certification obligation.
2.2 How do I obtain the DiGA certificate for data protection?
The data protection certificate is a certification in accordance with Article 42 GDPR. The underlying audit is to be carried out on the basis of the test criteria published some time ago by the BfArM: DiGA and DiPA data protection criteria
Under the GDPR, such certificates can be issued by the supervisory authorities themselves or by accredited certification bodies.
BUT: there are currently no accredited certification bodies, so certification is not possible. As long as this does not change, the BfArM is not expected to require a certificate. Instead, the BfArM website states that the corresponding deadlines will be announced as soon as a certification procedure exists (as of 13.06.2025).
2.3 Preparation for certification
For the data protection certificate, it is worth going through the BfArM criteria now. However, according to the BfArM these criteria may still change, so it is not yet clear when the actual implementation should begin, nor when the first certification bodies will be able to issue a corresponding certificate. It is therefore advisable to monitor this area closely. We will update this article and inform you via our newsletter as soon as there are any changes.
Further specialist articles and guidelines for the development of DiGA can be found here: https://quickbirdmedical.come/diga-development-approval/