Introduction to Ethical, Social, and Legal Issues (ELSI) in Digital Health

Last update: 12 December 2023


Digital health technologies (DHT) can be deployed across a broad range of uses in healthcare. This entails different approaches in their regulation and the assessment of their benefits, risks, safety and use. In light of these considerations, all health systems need Digital Health regulations, legislation, and financial frameworks on top of technical and skills changes. The legal framework applicable to Digital Health in the European Union is still fragmented. However, this framework has been and is under revision with the aim of establishing a consistent legal and regulatory environment.

Exploring the Legal Landscape of Health Data

Health data may be available in various forms; it is not managed in the same way in all EU Member States or within national health systems.

In order to enable the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data, without the existing obstacles, the Commission put forward a legislative proposal to create a European Health Data Space (EHDS), to empower individuals to take control of their own health data and to allow its use for better healthcare delivery [1] [2].

The proposed Regulation:

  • Supports individuals to take control of their electronic personal health data, in their country and cross-border (primary use of data) [3]
  • Improves the use of health data for research, innovation, policymaking and regulatory activities (secondary use of data) [4]

The European Health Data Space is the first common EU data space in a specific area to emerge from the European strategy for data. It builds further on the General Data Protection Regulation (GDPR), proposed Data Governance Act [3], draft Data Act [4] and Network and Information Systems Directive (NIS) [5].

Decoding Big Data

The transformation of Digital Health enables the collection of real-world data (RWD) and real-world evidence (RWE) using digital technologies and advanced analytics. In this context and according to the joint HMA/EMA Big Data Task Force, RWD/RWE can be considered a source for Big Data. Sources include real-world data (such as electronic health records, insurance claims data and data from patient registries), genomics, clinical trials, spontaneous adverse drug reaction reports, social media and wearable devices.

Further adaptation of the EU regulatory environment concerning the inclusion of Big Data obtained from RWD/RWE in regulatory procedures is ongoing. The HMA/EMA Big Data Task Force originally recommended developing ‘DARWIN EU’ (according to the EMA-HMA Big Data Steering Group workplan and the EMA network strategy to 2025 [6]).

Navigating Medical Device Compliance

Digital technologies that fall within the scope of medical devices must meet all the regulatory framework’s essential administrative and safety requirements, and all regulatory requirements for placing on the market and conformity assessment. Where a given product does not fall under the definition of a medical device, or is excluded by the scope of the Medical Devices Regulations, other Community and/or national legislation may be applicable.

Medical devices in the European Union are regulated at EU Member State level, i.e. are under regulatory oversight by the National competent authorities (NCAs), but the EMA is involved in the regulatory process. As such, the Medical Devices Regulation (Regulation (EU) 2017/745 [7], MDR) and the In Vitro Medical Device Regulation (Regulation (EU) 2017/746 [8], IVDR) introduced new responsibilities for EMA and national competent authorities in the assessment of certain categories of medical device. EMA’s remit as regards digital health technologies (DHTs) is limited to the specific use of a methodology in the development, use or monitoring of medicinal products pre- or post-authorisation, taking into account the expected role of such technologies [9].

Specifically for software (a set of instructions that processes input data and creates output data) falling within the scope of the MDR and the IVDR, the Medical Device Coordination Group (MDCG) provides guidance.

Insights into Digital Health Services Regulations 

Digital Health Services are not as such governed by a specific EU regulatory legislation. They could, however, fall within the scope of Directive (EU) 2019/770 [10] concerning contracts for the supply of any digital content or digital service (DCSD) that constitutes a medical device, such as health applications (health apps), that can be obtained by the consumer without being prescribed or provided by a health professional. Its provisions are mandatory and they are intended to offer the highest possible standards of consumer safeguards.

Safeguarding Data Integrity: GDPR, Data Protection & Legislative Measures

Data privacy, protection and security are more important than ever. In an environment of heightened community awareness around data collection, new data sources, methods, and technologies, digital health systems must support safe storage and sharing of data to meet legislative requirements and encourage public trust. The General Data Protection Regulation (GDPR) [11], which applies since 25 May 2018, is at the centre of the EU framework guaranteeing the fundamental right of EU citizens to protection of their personal data, as laid down in the Charter of Fundamental Rights of the European Union (Article 8) and in the Treaties (Article 16 of the Treaty on the Functioning of the European Union, ‘TFEU’). Regulation 2018/1725 [12] contains the rules applicable to the processing of personal data by European Union institutions, bodies, offices and agencies (e.g., the EMA). The Commission has also proposed complementing the data protection and privacy legislative framework by the e-Privacy Regulation [13] (intended to replace the current e-Privacy Directive [14]).

Learning Resources

Take your skills to new heights by earning certification in emerging fields like Digital Health! Explore the EUPATI Open Classroom and delve into the module Legal, Regulatory, and Health Technology Assessment (HTA) Concepts of Digital Health to deepen your understanding of the Digital Health landscape. Strengthen your expertise, empowering you to advocate for, engage in discussions, and play a pivotal role in implementing key elements that align with your vision for the healthcare system.


[1] Proposal for a Regulation of The European Parliament and of the Council on the European Health Data Space.

[2] Annexes to the Regulation of The European Parliament and of the Council on the European Health Data Space.

[3] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act).

[4] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on harmonised rules on fair access to and use of data (Data Act).

[5] DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union.

[6] Big Data Steering Group Big Data Workplan 2022-2025.

[7] Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices.

[8] Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices.

[9] Questions and answers: Qualification of digital technology-based methodologies to support approval of medicinal products.

[10] Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services.

[11] Regulation (EU) 2016/679 of the European Parliament and of the Council.

[12] Regulation 2018/1725.

[13] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

[14] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) – OJ L 201, 31/07/2002 P. 0037 – 0047.
