{"id":24521,"date":"2025-12-17T13:58:26","date_gmt":"2025-12-17T13:58:26","guid":{"rendered":"https:\/\/quickbirdmedical.com\/?p=24521"},"modified":"2026-01-13T10:41:22","modified_gmt":"2026-01-13T10:41:22","slug":"bsi-tr-03161-diga-certification-requirements","status":"publish","type":"post","link":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/","title":{"rendered":"BSI TR-03161 for DiGA: Data Security Certification"},"content":{"rendered":"<p><span style=\"font-weight: 400;\"><strong>Since January 1, 2025<\/strong>, manufacturers of digital health applications (DiGA) must prove compliance with data security requirements by means of an <strong>official certificate<\/strong>. The basis for certification is BSI TR-03161, which was first published in 2020. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">The BfArM treats <strong>certification as a mandatory requirement<\/strong> for listing an application in the DiGA directory. No new DiGA will be accepted without a valid certificate. DiGA that are already listed also face removal from the directory if they remain uncertified (although there is currently no deadline for them). 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Many manufacturers underestimate the extensive implications of this certification and how complex the testing process is.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With this article, we would like to provide (prospective) DiGA manufacturers with a <strong>structured overview<\/strong>:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What exactly does TR-03161 require?<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">How does certification with the testing center and BSI work?<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What are the associated costs and how long does such certification take?<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">What are the practical implications of BSI TR-03161 for DiGA?<\/span><\/li>\n<li aria-level=\"1\">What does the future hold for BSI certification? (Keyword: <strong>BSI TR-03185<\/strong>)<\/li>\n<\/ul>\n<p>Based on <a href=\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-consulting\/\">our practical experience from several TR-03161 projects<\/a>, <span style=\"font-weight: 400;\">we describe the current status of certification requirements.<\/span><\/p>\n<h2>Table of Contents<\/h2>\n<ul>\n<li><a href=\"#1\">1. Who does BSI TR-03161 apply to?<\/a><\/li>\n<li><a href=\"#2\">2. Requirements and Structure of BSI TR-03161<\/a>\n<ul>\n<li><a href=\"#2-1\">2.1 Structure of BSI TR-03161<\/a><\/li>\n<li><a href=\"#2-2\">2.2 Scope: Product and Processes<\/a><\/li>\n<li><a href=\"#2-3\">2.3 Test Aspects<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#3\">3. The Certification Process<\/a><\/li>\n<li><a href=\"#4\">4. 
Costs and Time Frame of the Certification Process<\/a>\n<ul>\n<li><a href=\"#4-1\">4.1 Costs of the Certification Process<\/a><\/li>\n<li><a href=\"#4-2\">4.2 Time Frame for the Certification Process<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#5\">5. Validity Period &amp; Recertification according to BSI TR-03161<\/a><\/li>\n<li><a href=\"#6\">6. BSI TR-03161 Certificate with Conditions<\/a><\/li>\n<li><a href=\"#7\">7. Changes to Certified Products &#8211; BSI TR-03185<\/a><\/li>\n<li><a href=\"#8\">8. Practical Implications for DiGA<\/a><\/li>\n<li><a href=\"#9\">9. Mandatory Penetration Testing for DiGA<\/a><\/li>\n<li><a href=\"#10\">10. BSI TR-03161 vs. ISO 27001<\/a><\/li>\n<li><a href=\"#11\">11. Criticism of the Process<\/a><\/li>\n<li><a href=\"#12\">12. Important Links and Resources<\/a>\n<ul>\n<li><a href=\"#12-1\">12.1 General Information<\/a><\/li>\n<li><a href=\"#12-2\">12.2 List of Applications already certified according to TR-03161<\/a><\/li>\n<li><a href=\"#12-3\">12.3 List of Testing Centers for BSI TR-03161<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#13\">13. Future Outlook for BSI TR-03161 and DiGA Data Security Certification<\/a><\/li>\n<li><a href=\"#14\">14. Conclusion<\/a><\/li>\n<\/ul>\n<h2 id=\"1\">1. Who does BSI TR-03161 apply to?<\/h2>\n<p><span style=\"font-weight: 400;\">The TR-03161 can generally be used for many applications in the German healthcare sector that process sensitive data.<\/span><\/p>\n<p>However, it is primarily legally binding for <a href=\"https:\/\/quickbirdmedical.com\/en\/diga-definition-criteria-app\/\"><strong>digital health applications (DiGA)<\/strong><\/a><span style=\"font-weight: 400;\"> in accordance with Section 139e of the German Social Code, Book V (SGB V) and <strong>digital care applications (DiPA)<\/strong> in accordance with Section 78a of SGB XI. An official certificate must be presented for these products from January 1, 2025. 
<\/span><\/p>\n<p>This article <strong>focuses on <a href=\"https:\/\/quickbirdmedical.come\/diga-development-approval\/\">DiGA<\/a><\/strong>, as the certification requirements currently have the greatest practical relevance there.<\/p>\n<p><span style=\"font-weight: 400;\">For certification according to BSI TR-03161, please note:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It applies regardless of the <a href=\"https:\/\/quickbirdmedical.com\/en\/medical-device-class-software-app-mdr\/\">risk class<\/a> of the product.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It covers all components of the application (i.e., app, backend, web portal, and patient and practitioner access).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Even if hosting or infrastructure is outsourced to an external cloud provider, these components remain within the scope of BSI TR-03161 and must meet its requirements. In addition, the hosting provider must hold a BSI C5 attestation of Type 2. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">New digital health applications already need a BSI TR-03161 certificate in order to be included in the DiGA directory.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">For DiGA already listed at this point in time, the BfArM currently still tolerates the absence of a certificate as long as the manufacturer can prove that the certification process is under way. However, this may change at any time. 
<\/span><\/li>\n<\/ul>\n<p><b>Note:<\/b><span style=\"font-weight: 400;\"> For the sake of simplicity, we refer to the product of a (prospective) DiGA manufacturer in this article as \u201cDiGA,\u201d regardless of whether it is already listed or not. Of course, not every application is listed as a DiGA as soon as it begins the certification process according to BSI TR-03161. <\/span><\/p>\n<h2 id=\"2\">2. Requirements and Structure of BSI TR-03161<\/h2>\n<p><span style=\"font-weight: 400;\">Technical Guideline TR-03161 defines the <strong>minimum data security requirements for digital health and care applications<\/strong>. It thus forms the basis for the <strong>legally required data security certification<\/strong> in accordance with Section 139e of the German Social Code, Book V (SGB V) and Section 78a of the German Social Code, Book XI (SGB XI). <\/span><\/p>\n<p><span style=\"font-weight: 400;\">IT security in general, and BSI TR-03161 in particular, pursues <strong>three protection goals<\/strong>: <strong>confidentiality<\/strong>, <strong>integrity<\/strong> and <strong>availability<\/strong>. The guideline specifies concrete measures that you, as a manufacturer, must take so that sensitive data remains confidential, intact and available. <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Confidentiality<\/b><span style=\"font-weight: 400;\"> means that only authorized persons or systems may access sensitive data. Unauthorized parties must not be able to read it, whether it is stored in the app or backend or in transit over the network.<br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Integrity<\/b><span style=\"font-weight: 400;\"> ensures that data remains accurate and unaltered. Manipulation or unintentional changes are either prevented or reliably detected.<br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Availability<\/b><span style=\"font-weight: 400;\"> means that applications and data can be used reliably. Failures and interruptions are minimized through appropriate technical and organizational measures. <\/span><\/li>\n<\/ul>\n<h3 id=\"2-1\">2.1 Structure of BSI TR-03161<\/h3>\n<p><span style=\"font-weight: 400;\"><strong>TR-03161 consists of three parts<\/strong> that together cover all security-relevant components of a digital health application. Each part addresses one system level and formulates its own requirements, which are checked individually in the certification audit. Together, the three parts form a security model that secures the <strong>app, web front end and back end alike<\/strong>. Each component of a DiGA is tested against the part that covers it. <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Part 1: Mobile Applications (Apps):<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> Part 1 describes the security requirements for mobile applications (iOS and Android apps). It specifies how apps may process sensitive data, how they may use device functions and how they must be protected against manipulation. <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Part 2: Web Applications:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> Part 2 addresses web-based components (e.g., a web interface that a practitioner or patient opens in a browser). It describes how web applications are executed securely in the browser and how typical web vulnerabilities must be prevented. <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Part 3: Backend Systems: <\/b><span style=\"font-weight: 400;\">Part 3 defines the requirements for server-side components, regardless of whether they are operated on-premises or in the cloud. Since sensitive health data is usually processed centrally, this part contains particularly comprehensive specifications on architecture and operation. <\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">It is important to note that for each DiGA, an individual decision is made as to which of the three parts apply to the product. For example, a web application with a backend server only needs to comply with parts 2 and 3; Part 1 (mobile applications) is simply out of scope for its certification.<\/span><\/p>\n<h3 id=\"2-2\">2.2 Scope: Product and Processes<\/h3>\n<p><span style=\"font-weight: 400;\">The guideline follows a clear system based on a so-called security problem definition, the same structure used in Common Criteria protection profiles. It comprises: <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Assumptions about browsers, end devices and backend infrastructure<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Defined threat scenarios, such as unauthorized access, data manipulation, exploitation of debug functions, or misconfigurations<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Organizational security policies that the manufacturer must implement, for example a security lifecycle, patch management, disclosure of the purpose of data processing, and a process for reporting vulnerabilities<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">TR-03161 therefore considers <strong>not only the technical implementation<\/strong> (source code and product), but also <strong>processes and documentation<\/strong>. A product-related <strong>pen test alone is therefore not sufficient for certification<\/strong>. The manufacturer&#8217;s processes and documentation are reviewed as well. <\/span><\/p>\n<h3 id=\"2-3\">2.3 Test Aspects<\/h3>\n<p><span style=\"font-weight: 400;\">The guideline groups all requirements into test aspects. Each test aspect contains specific rules marked with <strong>MUST, SHOULD, MAY<\/strong> or <strong>MUST NOT<\/strong>. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Parts 1 and 2 each contain <strong>11 test aspects<\/strong>, Part 3 contains <strong>10<\/strong>. Taken together across all three parts, they are:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Intended use<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Architecture<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Source code<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Third-party software<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Cryptographic implementation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Authentication and authorization<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data security<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Paid resources<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Network communication<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Organizational security (only in Part 3 &#8211; Backend systems)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Platform-specific interactions (only in Parts 1 and 2 &#8211; Mobile &amp; Web)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Resilience (only in Parts 1 and 2 &#8211; Mobile &amp; Web)<\/span><\/li>\n<\/ol>\n<p><b>Tip:<\/b><span style=\"font-weight: 400;\"> Copy the list of test aspects for each applicable part of TR-03161 into your project documents and check them off one by one. This is a helpful project management tool for your development team. <\/span><\/p>\n<h2 id=\"3\">3. The Certification Process<\/h2>\n<p><span style=\"font-weight: 400;\">The entire certification process for a DiGA consists of three phases:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Preparation phase:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> As a DiGA manufacturer, you prepare for the test. You familiarize yourself with the BSI TR-03161 <strong>technical guideline<\/strong> and implement its requirements in your product and processes to the best of your knowledge. You also <strong>look for a testing center for certification<\/strong>, establish the contractual basis for working with it and reserve a test date. <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Test phase:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> Once you have implemented the TR requirements on your side, you send your <strong>documentation, product access details and software source code to the testing center<\/strong>. The testing center starts the test and sends you the test report, including any deviations, once the test is complete. Whether you receive interim feedback or other communication depends on the testing center in question. If the testing center is satisfied with all aspects, it prepares the test report for submission to the BSI. 
<\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Certification phase:<\/b><span style=\"font-weight: 400;\"> The BSI certification body receives the final test report from the testing center and evaluates whether it can issue a positive certification decision on that basis. If so, you <strong>receive the certificate<\/strong> together with the conformity report from the BSI. If not, the BSI returns the test report with a list of comments to the testing center. The testing center evaluates this feedback and forwards the deviations that you, as the manufacturer, need to address to you for implementation. <\/span><\/li>\n<\/ol>\n<p><b>Note<\/b>: <span style=\"font-weight: 400;\">The <\/span><b>testing center<\/b><span style=\"font-weight: 400;\"> (also referred to as a testing agency or test laboratory) is <\/span><b>a private company<\/b><span style=\"font-weight: 400;\"> that has been officially recognized (accredited) by the BSI to test against this technical guideline. A list of testing centers can be found below <a href=\"#12-3\">in this article<\/a>. <\/span>The certification body, on the other hand, is the department at the BSI that is responsible for certification and makes the final decision.<\/p>\n<p><span style=\"font-weight: 400;\">We have also outlined the certification process in simplified form in the following illustration.<\/span><\/p>\n<p><a href=\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-DiGA-Certification-Process.webp\"><img decoding=\"async\" class=\"aligncenter wp-image-24523 size-full\" src=\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-DiGA-Certification-Process.webp\" alt=\"BSI DiGA Certification Process\" width=\"1875\" height=\"815\" srcset=\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-DiGA-Certification-Process.webp 1875w, https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-DiGA-Certification-Process-1280x556.webp 1280w, https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-DiGA-Certification-Process-980x426.webp 980w, https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-DiGA-Certification-Process-480x209.webp 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1875px, 100vw\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><strong>BSI Certification Process for DiGA Manufacturers according to TR-03161<\/strong><\/p>\n<h2 id=\"4\">4. Costs and Time Frame of the Certification Process<\/h2>\n<h3 id=\"4-1\">4.1 Costs of the Certification Process<\/h3>\n<p><span style=\"font-weight: 400;\">For internal budget planning, you should anticipate the following cost packages:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>The costs of the testing center:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> The work carried out by the testing center naturally incurs costs. The amount varies between testing centers and also depends on your product and the scope of the test. We recommend that you obtain several quotes so that you can compare them. <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>The costs for the BSI:<\/b><span style=\"font-weight: 400;\"> What may be less obvious is that the BSI will also send you an invoice once the certification process has been completed, regardless of whether the audit was successful or not. You can find the fee schedule <\/span><a href=\"https:\/\/www.gesetze-im-internet.de\/bmibgebv\/BJNR135900019.html\">here.<\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Development costs:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> Your development team will spend significant effort implementing the TR requirements, and these costs should be budgeted as well. <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Consulting costs:<\/b><span style=\"font-weight: 400;\"> It is advisable to work with a team that has already successfully completed the BSI certification process for other DiGA. Practical insights can often save you weeks of work. These costs are relatively manageable but should be factored in. <\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">At QuickBird Medical, <strong>we support companies in all technical and organizational aspects of BSI certification<\/strong>. Among other things, we received <a href=\"https:\/\/quickbirdmedical.com\/en\/project\/oriko\/\">one of the first three BSI certificates ever with our DiGA \u201cOriko\u00ae\u201d<\/a>, which we developed ourselves. <\/span><strong>We will help you get through the certification process<\/strong> efficiently and securely. 
Please <strong>feel free to <a href=\"https:\/\/quickbirdmedical.com\/en\/kontakt\/\">contact us.<\/a><\/strong><\/p>\n<h3 id=\"4-2\">4.2 Time Frame for the Certification Process<\/h3>\n<p><span style=\"font-weight: 400;\">The certification process, and thus the schedule, can be divided into the three phases mentioned above:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Preparation phase:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> This is where your development team implements the BSI requirements. How long this takes depends on many factors (the developers&#8217; expertise, the current security posture of the system, the number of developers, etc.). <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Test phase:<\/b><span style=\"font-weight: 400;\"><span style=\"font-weight: 400;\"> The time frame here depends heavily on the testing center and on the quality of your documentation and product implementation. You should expect to wait at least 4 to 6 weeks before you receive a test report. <\/span><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Certification phase:<\/b><span style=\"font-weight: 400;\"> Once the testing center has sent the test report for your product to the BSI, the certification phase begins. The official BSI website states that this takes three weeks. In our experience, however, six weeks is currently a more realistic expectation. <\/span><\/li>\n<\/ol>\n<h2 id=\"5\">5. Validity Period &amp; Recertification according to BSI TR-03161<\/h2>\n<p><span style=\"font-weight: 400;\">A certificate issued by the BSI in accordance with a technical guideline <strong>is valid for a limited period of time<\/strong>. As a rule, the validity period of a product certificate is five years.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Different terms are only possible if expressly specified in the respective certification program. Validity is also always <strong>limited to the specific product version<\/strong> that was tested and to the underlying version of the technical guideline. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once the validity period has expired, or <strong>after significant security-relevant changes<\/strong>, the conformity of the product can no longer be confirmed without re-testing, so <strong>recertification is required<\/strong>. The product is tested again to ensure that it meets the requirements of the TR. The scope of this test may be limited to the modified parts, provided that the previous test results are still valid. <\/span><\/p>\n<p>According to the BSI&#8217;s official certification scheme for technical guidelines (<a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Zertifizierung\/PZS-TR.pdf?__blob=publicationFile&amp;v=11\">PZS-TR<\/a>),<span style=\"font-weight: 400;\"> recertification should be applied for no later than three months after the existing certificate expires (it remains to be seen whether the BfArM will accept this for DiGA). Upon successful completion, a new certificate is issued for the modified product version. <\/span><\/p>\n<h2 id=\"6\">6. BSI TR-03161 Certificate with Conditions<\/h2>\n<p><span style=\"font-weight: 400;\">A certificate in accordance with BSI TR-03161 is <strong>usually valid for up to five years<\/strong>. In individual cases, however, the BSI may, as part of its certification decision, impose <strong>additional conditions in the form of requirements<\/strong> that the manufacturer must implement within a defined period of time. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">In practice, this means that a certificate can be issued with a validity of only a few months until certain requirements have been met. The manufacturer initially receives a valid certificate (with conditions) but is <strong>obliged to implement and demonstrate the specified conditions within the specified period<\/strong>. If the conditions are not met, the certificate can be revoked. If they are demonstrably fulfilled within the deadline, a regular certificate without conditions is issued. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">This approach makes it possible to follow up on isolated deviations later, for example <strong>so as not to block the DiGA application process<\/strong> (or to avoid rejection by the BfArM). It is not a shortcut, however: even a certificate with conditions presupposes that the DiGA manufacturer has implemented essentially all BSI TR-03161 requirements, and the conditions cover only isolated deviations. Certification remains extremely challenging and should not be underestimated under any circumstances. <\/span><\/p>\n<h2 id=\"7\">7. Changes to Certified Products &#8211; BSI TR-03185<\/h2>\n<p><span style=\"font-weight: 400;\">A certificate is only valid for the product version tested as part of the conformity assessment. <strong>Any change to the product, such as further development, updates, patches or hotfixes, initially results in a new version<\/strong> for which the existing certificate is not automatically valid. Whether and how such changes are handled in terms of certification depends on their impact on TR conformity. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">If an impact on conformity cannot be ruled out, recertification is required. If the changes are minor and an impact on conformity can be clearly ruled out, a maintenance procedure may be considered instead. In this case, the existing certificate is extended to the new product version without a complete conformity assessment. 
The decision on this is made by the BSI on the basis of change documentation and an impact analysis submitted by the manufacturer. The original term of the certificate remains unchanged. <\/span><\/p>\n<p><b>Future handling of product changes \u2013 the new BSI TR-03185<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Having every minor change approved by the BSI naturally makes the DiGA development process significantly less efficient. Critical bugs in a DiGA in particular must be fixed quickly with hotfixes, and a process in which every change is reviewed by the BSI first is not suited to that. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">The BSI is therefore currently working on a fundamental rethink of how product changes are handled in DiGAs. The focus here is on the planned introduction of the <\/span><b>BSI TR-03185 \u201cSecure Software Lifecycle,\u201d <\/b><span style=\"font-weight: 400;\">which is intended to address the update and change process for software products in a structured manner.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">TR-03185 provides for an independent certification program in which conformity assessments are carried out by <strong>IT-Grundschutz (IT baseline protection) auditors certified by the BSI<\/strong>. <\/span><\/p>\n<p><b>The idea behind it:<\/b><span style=\"font-weight: 400;\"> DiGA manufacturers with an additional certification according to BSI TR-03185 have proven that they have a secure software development process (or lifecycle). These manufacturers should therefore be allowed to publish <strong>certain changes to the product without prior BSI testing<\/strong>. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is envisaged that DiGA manufacturers with BSI TR-03185 certification will have to go through significantly fewer test procedures for subsequent versions of their BSI TR-03161-certified products. DiGA manufacturers are not explicitly required to obtain BSI TR-03185 certification. Implicitly, though, operating a DiGA smoothly without TR-03185 certification will probably be difficult. <\/span><\/p>\n<p>You can view the contents of BSI TR-03185 here: <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr03185\/TR-03185_node.html\">Link (BSI website)<\/a><\/p>\n<p><span style=\"font-weight: 400;\"><strong>Currently, no applications or certifications are possible.<\/strong> As things stand, the first certifications are expected in early 2026 at the earliest; the specific framework conditions are still being negotiated. <\/span><\/p>\n<h2 id=\"8\">8. Practical Implications for DiGA<\/h2>\n<p><span style=\"font-weight: 400;\">The requirements of BSI TR-03161 have a direct impact on the product as well as on the development, operation and further development of DiGAs. <a href=\"https:\/\/quickbirdmedical.com\/en\/project\/oriko\/\">At QuickBird Medical, we have now fully implemented the BSI requirements in several DiGAs and, for example, received one of the first three BSI certificates for the DiGA \u201cOriko\u00ae\u201d<\/a>. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">BSI certification has had many effects on our customer projects. 
We summarize some of them here: <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Changes after certification:<\/b> <span style=\"font-weight: 400;\">Product modifications are significantly more complex later on, as a complex change process must be followed and approvals per release incur additional time and costs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Strongly regulated two-factor authentication:<\/b><span style=\"font-weight: 400;\"> There are very high requirements for the implementation of two-factor authentication in DiGA. Depending on the implementation, these requirements can significantly impair the user-friendliness of DiGA. There are better and worse variants of implementation in terms of user-friendliness. <\/span> (<a href=\"https:\/\/quickbirdmedical.com\/en\/kontakt\/\">Please contact us<\/a> if you need any input on this.)<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Short session durations and potentially frequent re-logins: The requirements of BSI TR-03161 mean that login and session times must be severely limited. Depending on the technical implementation, this can mean that users have to log in again relatively frequently, which can noticeably impair the user-friendliness of the DiGA. Here, too, there are ways to solve the problem in a way that has less impact on the user. (<a href=\"https:\/\/quickbirdmedical.com\/en\/kontakt\/\">Please contact us<\/a> if you need input on this.)<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Increased development effort: Architecture, implementation, testing, and documentation require significantly more effort than for non-regulated applications.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Data loss in case of device loss:<\/b><span style=\"font-weight: 400;\">There are various ways to implement the TR requirements in a DiGA. Each has its advantages and disadvantages. 
With certain authentication options, it is virtually impossible to recover DiGA data if a user loses their cell phone, for example. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Strict resilience requirements:<\/b><span style=\"font-weight: 400;\"> Certain operating system versions and device configurations are excluded, such as older Android versions or activated developer mode, even though a significant proportion of users still use them. This is understandable from a security perspective, but it can mean that, for example, up to 10% of your target group cannot access the DiGA. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Limited hotfix capability:<\/b><span style=\"font-weight: 400;\"> Short-term bug fixes are officially only possible with approval from the BSI, which makes it difficult to respond quickly. This is set to improve in the future thanks to the additional certification in accordance with TR-03185, under which certain changes may no longer require approval. <\/span><\/li>\n<\/ul>\n<h2 id=\"9\">9. Mandatory Penetration Testing for DiGA<\/h2>\n<p><span style=\"font-weight: 400;\">The obligation to perform a penetration test (\u201cpen test\u201d) does not arise from BSI TR-03161. It stems from the legal framework of the DiGA Regulation (DiGAV), which stipulates that every DiGA must provide evidence of a current penetration test in order to meet the data security requirements in accordance with Annex 1 DiGAV. <\/span><\/p>\n<p>With the <a href=\"https:\/\/quickbirdmedical.com\/en\/diga-guide-history-of-all-changes\/\">new DiGA guidelines dated December 10, 2025<\/a>, the BfArM takes a concrete position on this issue: <strong>Certification according to TR-03161 eliminates the need for an additional pen test<\/strong> for the approval of a DiGA.<\/p>\n<h2 id=\"10\">10. BSI TR-03161 vs. 
ISO 27001<\/h2>\n<p><span style=\"font-weight: 400;\">In order for a DiGA to be listed in the BfArM directory, the manufacturer must submit both ISO 27001 certification and BSI TR-03161 certification. Both relate to information security. So why two certifications? <\/span><\/p>\n<p><span style=\"font-weight: 400;\">The reason lies in the different focus of the two standards.<\/span><\/p>\n<p>ISO 27001<span style=\"font-weight: 400;\"> is purely a management standard: it defines how a comprehensive information security management system (ISMS) is set up, operated and continuously improved within a company. Certification is therefore granted for the <\/span><b>company and its processes<\/b><span style=\"font-weight: 400;\">, not for a single product. <\/span>There is no product-related testing, no architecture review and no analysis of the source code or the specific security measures of a product.<\/p>\n<p>BSI TR-03161, on the other hand, is a technical product certification<span style=\"font-weight: 400;\"> specifically for digital health and care applications. It sets out very specific <\/span>technical and organizational security requirements and checks whether the individual product<span style=\"font-weight: 400;\"> (including app, backend, interfaces) meets them. This makes it significantly <\/span>more specific, stricter and more product-oriented than ISO 27001. 
The BSI TR-03161 serves as the legal basis for <a href=\"https:\/\/quickbirdmedical.com\/diga-development-approval\/\">DiGA<\/a> and <a href=\"https:\/\/quickbirdmedical.com\/en\/dipa-guide-digital-care-applications\/\">DiPA approvals<\/a> in Germany.<\/p>\n<div class=\"post-table-container\" style=\"overflow-x: scroll; width: 100%;\">\n<table>\n<tbody>\n<tr>\n<td><b>Category<\/b><\/td>\n<td><b>ISO 27001<\/b><\/td>\n<td><b>BSI TR-03161<\/b><\/td>\n<\/tr>\n<tr>\n<td><b>Type of Standard<\/b><\/td>\n<td>Management standard<\/td>\n<td>Technical product security guideline<\/td>\n<\/tr>\n<tr>\n<td><b>Certification Object<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Company or ISMS<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Specific product (app, backend, web portal) in a specific product version<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Focus<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Processes, governance, risk management<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Technical security requirements, architecture, implementation<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Scope<\/b><\/td>\n<td>Company-wide, regardless of products<\/td>\n<td>Product-related and mandatory for DiGA\/DiPA<\/td>\n<\/tr>\n<tr>\n<td><b>Technical Tests<\/b><\/td>\n<td><span style=\"font-weight: 400;\">No specific product tests<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Detailed technical tests including cryptography, APIs, hosting<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Source Code Analysis<\/b><\/td>\n<td>Not included<\/td>\n<td>An integral part of the audit<\/td>\n<\/tr>\n<tr>\n<td><b>Requirements<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Abstract, process-oriented<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Concrete, detailed specifications for products and processes<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Objective<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Establishment of an ISMS<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Secure operation and development of a 
healthcare application<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2 id=\"11\">11. Criticism of the Process<\/h2>\n<p><span style=\"font-weight: 400;\">Both the obligation to obtain certification in accordance with BSI TR-03161 and the resulting very strict requirements are heavily criticized by many parties. Frequently mentioned points include: <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Limitations in user-friendliness:<\/b><span style=\"font-weight: 400;\"> Multi-level security mechanisms and strict requirements can significantly impair usability. Critics emphasize that this makes it more difficult for patients to access digital health services. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Limited accessibility for relevant target groups:<\/b><span style=\"font-weight: 400;\"> The very restrictive device and system requirements of BSI TR-03161 exclude many end devices. Older people and people with physical or cognitive impairments in particular often use devices that do not meet these requirements and are therefore not accepted. As a result, a significant proportion of the relevant target group is excluded from using digital health applications. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>High implementation and documentation costs:<\/b><span style=\"font-weight: 400;\"> According to numerous manufacturers, the highly detailed security and process requirements lead to considerable additional development and documentation work. Months of additional work complicate, and in some cases prevent, new innovations. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Rising costs for providers:<\/b><span style=\"font-weight: 400;\"> Both the certification itself and the ongoing verification of compliance incur enormous costs for DiGA manufacturers. These costs are difficult or impossible to finance, especially for small businesses. 
<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Uncertainty regarding requirements:<\/b><span style=\"font-weight: 400;\"> In many areas of TR-03161, it is unclear what the BSI considers to be the correct implementation. In some cases, individual requirements also contradict each other. As a result, DiGA manufacturers invest a lot of time in an implementation that may then be rejected by the BSI after long waiting periods. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>A national solo effort:<\/b> Critics complain that BSI TR-03161 is a purely German security standard that <a href=\"https:\/\/quickbirdmedical.com\/diga-eu-europa-schweiz\/\">is not harmonized with European requirements<\/a><span style=\"font-weight: 400;\">. This complicates international scaling and increases the regulatory burden on manufacturers.<\/span><\/li>\n<\/ul>\n<p>Several industry representatives have highlighted these points in their statements and called for a more balanced solution between security, practicality, and economic feasibility (see, for example, <a href=\"https:\/\/www.handelsblatt.com\/technik\/medizin\/inside-digital-health\/gesundheitsdaten-herstellerverbaende-kritisieren-neue-bsi-richtlinie\/28429674.html\">here<\/a>, <a href=\"https:\/\/www.bundesgesundheitsministerium.de\/fileadmin\/Dateien\/3_Downloads\/Gesetze_und_Verordnungen\/Stellungnahmen_WP20\/VDiPA\/BiM.pdf\">here<\/a>, and <a href=\"https:\/\/www.lobbyregister.bundestag.de\/media\/5e\/7a\/571224\/Stellungnahme-Gutachten-SG2506250057.pdf\">here<\/a>).<\/p>\n<p><span style=\"font-weight: 400;\">It remains to be seen to what extent these points will be addressed in the future. The next <strong>update to BSI TR-03161<\/strong>, which is expected to be released in 2026, is particularly relevant here. <\/span><\/p>\n<h2 id=\"12\">12. 
Important Links and Resources<\/h2>\n<h3 id=\"12-1\">12.1 General Information<\/h3>\n<p><span style=\"font-weight: 400;\">Here you will find important resources relating to BSI certification:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Links to the PDFs of BSI TR-03161 (see bottom of page): <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr03161\/tr-03161.html\">Link (BSI website)<\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">FAQ on BSI TR-03161: <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr03161\/TR-03161-FAQ\/FAQ-TR-03161_node.html\">Link (BSI website)<\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Information on TR certifications at the BSI: <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Zertifizierung\/PZS-TR.pdf?__blob=publicationFile&amp;v=11\">Link (BSI website)<\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\">Links to the PDFs of BSI TR-03185 (Secure Software Lifecycle): <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr03185\/TR-03185_node.html\">Link (BSI website)<\/a><\/li>\n<\/ul>\n<h3 id=\"12-2\">12.2 List of Applications already certified according to TR-03161<\/h3>\n<p>You can conveniently filter for BSI-certified DiGA in our DiGA Directory Analyzer, view the respective DiGA testing center, and compare other attributes: <a href=\"https:\/\/quickbirdmedical.com\/diga-verzeichnis\/\">DiGA Directory for Manufacturers (including BSI certifications)<\/a><\/p>\n<p>The official list of digital health applications (including applications prior to listing) that have already received a certificate from the BSI can be found here: <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Zertifizierung-und-Anerkennung\/Listen\/Zertifizierte-Produkte-nach-TR\/Digitale_Gesundheitsanwendungen\/Digitale_Gesundheitsanwendungen_node.html\">Official list of certified applications<\/a><\/p>\n<h3 id=\"12-3\">12.3 List of Testing Centers for BSI TR-03161<\/h3>\n<p>Here you will find a list of testing laboratories accredited by the BSI: <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Zertifizierung-und-Anerkennung\/Listen\/Liste-TR-Pruefstellen\/liste-tr-pruefstellen.html\">List of accredited TR testing laboratories<\/a><\/p>\n<p><span style=\"font-weight: 400;\">If you search for \u201c03161\u201d on that page, you will find all the testing centers that can accompany your certification according to BSI 
TR-03161.<\/span><\/p>\n<h2 id=\"13\">13. Future Outlook for BSI TR-03161 and DiGA Data Security Certification<\/h2>\n<p><span style=\"font-weight: 400;\">Data security requirements for DiGAs are currently evolving and will be further specified in the coming years. Three relevant developments in particular are emerging that DiGA manufacturers should plan for at an early stage. <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Update of BSI TR-03161:<\/b><span style=\"font-weight: 400;\"> An update to TR-03161 has been announced for the coming year. It is expected that practical experience gained from previous applications will be incorporated and that individual requirements will be clarified or adapted. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Introduction of BSI TR-03185 for secure software lifecycle:<\/b><span style=\"font-weight: 400;\"> In addition to TR-03161, a new certification for the entire software lifecycle is in preparation with TR-03185. The aim is to map update and change processes more systematically and, in the long term, to reduce the effort required for recurring recertifications in subsequent versions. <\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Data protection certification:<\/b> In addition to data security, <a href=\"https:\/\/quickbirdmedical.com\/en\/diga-certificate-data-protection-data-security\/\">data protection certification<\/a><span style=\"font-weight: 400;\"> is also planned for DiGA (and has already been enshrined in law). Once a testing process and testing bodies have been established for this purpose, the BfArM will require DiGA manufacturers to obtain this certification. <\/span><\/li>\n<\/ul>\n<h2 id=\"14\">14. 
Conclusion<\/h2>\n<p>For DiGAs, <strong>the number of mandatory certifications appears to be rising steadily<\/strong>: <a href=\"https:\/\/quickbirdmedical.com\/en\/medical-device-certification-approval-mdr\/\">medical device approval<\/a> or certification, ISO 27001, BSI TR-03161, and future certifications such as BSI TR-03185 (not mandatory, but seemingly unavoidable) and the <a href=\"https:\/\/quickbirdmedical.com\/en\/diga-certificate-data-protection-data-security\/\">data protection certificate<\/a> for DiGA.<\/p>\n<p><span style=\"font-weight: 400;\">This leads to increasing regulatory complexity, which places a heavy burden on smaller manufacturers in particular. The budget required to prepare, implement, and continuously maintain these certifications is currently growing steadily. In our view, there is a <strong>risk that this will slow down, or even prevent, the innovation and market entry of new solutions<\/strong>. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Nevertheless, <strong>with the right strategy (and sufficient budget), the whole thing is still feasible<\/strong>. We have learned to deal with this complexity in our DiGA projects and have gained a lot of knowledge that we are happy to pass on. Particularly with regard to BSI TR-03161 certification, there is a lack of clear official guidelines for the implementation of some requirements. To ensure that not every manufacturer has to learn these lessons from scratch, <\/span><a href=\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-consulting\/\">we advise manufacturers on the implementation of BSI requirements<\/a>.<\/p>\n<p>If you <strong>need a partner to implement your DiGA<\/strong>, <strong>fulfill BSI requirements<\/strong> and <strong>take care of all other regulatory obligations<\/strong> for you, please <a href=\"https:\/\/quickbirdmedical.com\/en\/kontakt\/\">feel free to contact us<\/a>.<span style=\"font-weight: 400;\"> 
We have already been involved in the implementation of <strong>over 15 different DiGA projects<\/strong> and have the necessary <\/span><a href=\"https:\/\/quickbirdmedical.com\/en\/mdr-fda-certification-standards-guidelines\/\"><span style=\"font-weight: 400;\">certificates<\/span><\/a><span style=\"font-weight: 400;\"> to bring your DiGA to market safely. You can find more information on this <\/span><a href=\"https:\/\/quickbirdmedical.com\/en\/diga-development\/\"><span style=\"font-weight: 400;\">here<\/span><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since January 1, 2025, manufacturers of digital health applications (DiGA) must prove compliance with data security requirements by means of an official certificate. The basis for certification is BSI TR-03161, which was first published in 2020. The BfArM checks certification as a fixed requirement for listing an application in the DiGA directory. No new DiGA [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":24528,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[43],"tags":[],"class_list":["post-24521","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-diga-whitepaper-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BSI TR-03161 for DiGA: Data Security Certification<\/title>\n<meta name=\"description\" content=\"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BSI TR-03161 for DiGA: Data Security Certification\" \/>\n<meta property=\"og:description\" content=\"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\" \/>\n<meta property=\"og:site_name\" content=\"QuickBird Medical\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-17T13:58:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-13T10:41:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/Social_BSI-TR-03161-for-DiGA_Data-Security-Certification.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"984\" \/>\n\t<meta property=\"og:image:height\" content=\"519\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Malte Bucksch\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"BSI TR-03161 for DiGA: Data Security Certification\" \/>\n<meta name=\"twitter:description\" content=\"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/Social_BSI-TR-03161-for-DiGA_Data-Security-Certification.webp\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Malte Bucksch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\"},\"author\":{\"name\":\"Malte Bucksch\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#\/schema\/person\/68dc3b77c3063221a18032bb0e66eadd\"},\"headline\":\"BSI TR-03161 for DiGA: Data Security Certification\",\"datePublished\":\"2025-12-17T13:58:26+00:00\",\"dateModified\":\"2026-01-13T10:41:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\"},\"wordCount\":4455,\"publisher\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp\",\"articleSection\":[\"diga-whitepaper\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\",\"url\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\",\"name\":\"BSI TR-03161 for DiGA: Data Security 
Certification\",\"isPartOf\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp\",\"datePublished\":\"2025-12-17T13:58:26+00:00\",\"dateModified\":\"2026-01-13T10:41:22+00:00\",\"description\":\"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.\",\"breadcrumb\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage\",\"url\":\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp\",\"contentUrl\":\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp\",\"width\":2000,\"height\":692,\"caption\":\"BSI TR-03161 for DiGA: Data Security Certification\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/quickbirdmedical.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BSI TR-03161 for DiGA: Data Security 
Certification\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#website\",\"url\":\"https:\/\/quickbirdmedical.com\/en\/\",\"name\":\"QuickBird Medical\",\"description\":\"Entwicklung von medizinischer Software und DiGA\",\"publisher\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/quickbirdmedical.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#organization\",\"name\":\"QuickBird Medical\",\"url\":\"https:\/\/quickbirdmedical.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2022\/06\/QBM_Logo_web-01-1.webp\",\"contentUrl\":\"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2022\/06\/QBM_Logo_web-01-1.webp\",\"width\":875,\"height\":255,\"caption\":\"QuickBird Medical\"},\"image\":{\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/de.linkedin.com\/showcase\/quickbird-medical\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/quickbirdmedical.com\/en\/#\/schema\/person\/68dc3b77c3063221a18032bb0e66eadd\",\"name\":\"Malte Bucksch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/0008587c7a9850eec4b980c0b6fe62e32d2ab71fd24e0b4afeb044581b3490d7?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0008587c7a9850eec4b980c0b6fe62e32d2ab71fd24e0b4afeb044581b3490d7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0008587c7a9850eec4b980c0b6fe62e32d2ab71fd24e0b4afeb044581b3490d7?s=96&d=mm&r=g\",\"caption\":\"Malte 
Bucksch\"},\"url\":\"https:\/\/quickbirdmedical.com\/en\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BSI TR-03161 for DiGA: Data Security Certification","description":"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/","og_locale":"en_US","og_type":"article","og_title":"BSI TR-03161 for DiGA: Data Security Certification","og_description":"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.","og_url":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/","og_site_name":"QuickBird Medical","article_published_time":"2025-12-17T13:58:26+00:00","article_modified_time":"2026-01-13T10:41:22+00:00","og_image":[{"width":984,"height":519,"url":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/Social_BSI-TR-03161-for-DiGA_Data-Security-Certification.webp","type":"image\/webp"}],"author":"Malte Bucksch","twitter_card":"summary_large_image","twitter_title":"BSI TR-03161 for DiGA: Data Security Certification","twitter_description":"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 onwards \u2013 practical experience.","twitter_image":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/Social_BSI-TR-03161-for-DiGA_Data-Security-Certification.webp","twitter_misc":{"Written by":"Malte Bucksch","Est. 
reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#article","isPartOf":{"@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/"},"author":{"name":"Malte Bucksch","@id":"https:\/\/quickbirdmedical.com\/en\/#\/schema\/person\/68dc3b77c3063221a18032bb0e66eadd"},"headline":"BSI TR-03161 for DiGA: Data Security Certification","datePublished":"2025-12-17T13:58:26+00:00","dateModified":"2026-01-13T10:41:22+00:00","mainEntityOfPage":{"@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/"},"wordCount":4455,"publisher":{"@id":"https:\/\/quickbirdmedical.com\/en\/#organization"},"image":{"@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage"},"thumbnailUrl":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp","articleSection":["diga-whitepaper"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/","url":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/","name":"BSI TR-03161 for DiGA: Data Security Certification","isPartOf":{"@id":"https:\/\/quickbirdmedical.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage"},"image":{"@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage"},"thumbnailUrl":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp","datePublished":"2025-12-17T13:58:26+00:00","dateModified":"2026-01-13T10:41:22+00:00","description":"BSI TR-03161 explained: Requirements, certification process, costs, and timeframe for DiGA from 2025 
onwards \u2013 practical experience.","breadcrumb":{"@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#primaryimage","url":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp","contentUrl":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2025\/12\/BSI-TR-03161-for-DiGA_Data-Security-Certification.webp","width":2000,"height":692,"caption":"BSI TR-03161 for DiGA: Data Security Certification"},{"@type":"BreadcrumbList","@id":"https:\/\/quickbirdmedical.com\/en\/bsi-tr-03161-diga-certification-requirements\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/quickbirdmedical.com\/en\/"},{"@type":"ListItem","position":2,"name":"BSI TR-03161 for DiGA: Data Security Certification"}]},{"@type":"WebSite","@id":"https:\/\/quickbirdmedical.com\/en\/#website","url":"https:\/\/quickbirdmedical.com\/en\/","name":"QuickBird Medical","description":"Entwicklung von medizinischer Software und DiGA","publisher":{"@id":"https:\/\/quickbirdmedical.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/quickbirdmedical.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/quickbirdmedical.com\/en\/#organization","name":"QuickBird 
Medical","url":"https:\/\/quickbirdmedical.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/quickbirdmedical.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2022\/06\/QBM_Logo_web-01-1.webp","contentUrl":"https:\/\/quickbirdmedical.com\/wp-content\/uploads\/2022\/06\/QBM_Logo_web-01-1.webp","width":875,"height":255,"caption":"QuickBird Medical"},"image":{"@id":"https:\/\/quickbirdmedical.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/de.linkedin.com\/showcase\/quickbird-medical\/"]},{"@type":"Person","@id":"https:\/\/quickbirdmedical.com\/en\/#\/schema\/person\/68dc3b77c3063221a18032bb0e66eadd","name":"Malte Bucksch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/0008587c7a9850eec4b980c0b6fe62e32d2ab71fd24e0b4afeb044581b3490d7?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/0008587c7a9850eec4b980c0b6fe62e32d2ab71fd24e0b4afeb044581b3490d7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0008587c7a9850eec4b980c0b6fe62e32d2ab71fd24e0b4afeb044581b3490d7?s=96&d=mm&r=g","caption":"Malte 
Bucksch"},"url":"https:\/\/quickbirdmedical.com\/en\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/posts\/24521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/comments?post=24521"}],"version-history":[{"count":6,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/posts\/24521\/revisions"}],"predecessor-version":[{"id":24788,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/posts\/24521\/revisions\/24788"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/media\/24528"}],"wp:attachment":[{"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/media?parent=24521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/categories?post=24521"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quickbirdmedical.com\/en\/wp-json\/wp\/v2\/tags?post=24521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}