
Certified to Care: Why Medical Device Certification Is a Must in European Healthcare

How compliance with EU Medical Device Regulations is essential for patient safety and healthcare quality.


In the digital age, software plays a critical role in healthcare. From diagnostic tools to AI-powered treatment recommendations, technology has the power to transform patient care, but not all of it is created or regulated equally. While some solutions are subject to rigorous regulatory oversight, others operate in a gray area, leaving hospitals and patients exposed to unintended risks.

In this post, we will break down when software is classified as a medical device, what the European Medical Device Regulation (MDR) says about it, and the risks of using non-CE-certified clinical software.

What Is a Medical Device? The MDR Definition

According to the European Medical Device Regulation (MDR 2017/745), a medical device is:

"Any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for one or more of the following specific medical purposes:

  • diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability,
  • investigation, replacement or modification of the anatomy or of a physiological or pathological process or state,
  • providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations,

and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means."

This definition explicitly includes software. But not all healthcare-related software qualifies.

When is Software Considered a Medical Device?

The key factor in determining whether software qualifies as a medical device is its intended purpose: what the manufacturer claims the software is designed to do.

Think of it this way: the same type of software can either be a regulated medical device or just a general tool, depending on how it’s intended to be used.

  • A mobile app that tracks general fitness data (e.g., step counting, heart rate) for wellness purposes is NOT a medical device.
  • The same app, if it claims to alert users of potential heart conditions, now has a medical purpose and must comply with the MDR.

More generally, processing data to provide healthcare professionals with meaningful and actionable insights, rather than raw information or potential noise, is precisely what makes software valuable in a clinical context. This active processing is not only essential for clinical utility; it is also a defining factor for classification as a medical device under the MDR. The question is not whether the software simply stores or transfers data, but whether it transforms that data into something that can inform and support medical decisions.

Take voice AI as an example. An AI system that engages with patients, analyzes their responses, organizes the information around clinically relevant questions, and prioritizes or even schedules patients based on that analysis is directly supporting clinical decision-making. It is therefore considered software as a medical device.

When the outputs of a piece of software are used to prioritize care (e.g., by advancing an appointment), monitor patients, adjust treatment, or support diagnosis, among other medical purposes, the software is classified as a medical device.

To help clarify when software qualifies as a medical device, the European Commission issued the MDCG 2019-11 guidance. This document provides a step-by-step framework for determining whether software falls under the MDR (2017/745).

Software is a medical device if it has a medical purpose: if it actively processes, analyzes, or interprets medical data to aid clinical decisions, it falls within the scope of the MDR.
Software with a non-medical purpose, such as software used only for administration, is NOT a medical device. Hospital management systems and billing software are excluded from the MDR.

Examples of Software that Is a Medical Device:

  • AI-driven imaging analysis for detecting tumors in radiology scans
  • Software that actively engages with patients via phone calls to monitor their health status, processes the information to identify potential risks, and escalates to healthcare professionals when clinical attention is needed.
  • ECG interpretation apps that analyze heart rhythms and identify abnormalities

Examples of Software that Is Not a Medical Device:

  • Electronic health record (EHR) systems that only store and display patient information
  • Hospital management systems for administrative purposes
  • Data visualization tools that do not interpret or analyze clinical data

Image 1. When is software classified as a medical device?

The key factor? If software influences or makes clinical decisions, or may impact patient outcomes, it is a medical device and must comply with the MDR.

What a CE mark guarantees for Medical Device Software

  • Safety and Risk Management: The software has gone through a structured risk management process (ISO 14971) to identify, evaluate, and mitigate potential risks to patients and users.
  • Clinical Evaluation: There is evidence showing that the software achieves its intended purpose and provides a clinical benefit without unacceptable side effects. This includes literature reviews, clinical studies, or real-world data.
  • Performance and Reliability: The software has been validated and verified through rigorous testing (including usability and cybersecurity), showing it performs consistently and accurately under expected conditions.
  • Quality Management System (QMS): The manufacturer operates under a certified QMS (typically ISO 13485), ensuring that the software is developed, maintained, and updated in a controlled and traceable way.
  • Post-Market Surveillance: Once on the market, the software is continuously monitored for issues, and the manufacturer is obligated to act quickly in case of safety concerns or incidents.
  • Accountability: There is a legally responsible manufacturer on record who is liable for the safety and performance of the software.

The Risks of Using Non-CE-Certified Medical Software

Yet we often find that many hospitals and clinics still rely on software that has not undergone the rigorous evaluation required to be classified as a CE-marked medical device. This oversight can have serious consequences and carries significant risks for patients, professionals, and the institutions themselves.

Patient safety at risk

Unregulated software might provide inaccurate diagnoses or incorrect treatment recommendations, leading to harm. A CE-marked medical device undergoes rigorous validation to minimize these risks. Without proper oversight, the software may not provide the same level of accuracy or reliability as certified software, increasing the risk of errors that could negatively affect patient care.

Legal and regulatory consequences

Hospitals that use uncertified software may face serious legal risks, including fines, liability lawsuits, or even the loss of accreditation if patient harm occurs. Regulatory authorities can also prohibit the use of such software. Manufacturers, for their part, are legally liable for any damage caused by a defective medical device software product, in accordance with applicable Union and national law.

Financial and reputation damage

Beyond legal risks, hospitals rely heavily on public trust. Using non-CE-certified software that results in clinical errors can lead to costly lawsuits, financial setbacks, and long-term reputational damage. Even a single incident can undermine years of trust built with patients, partners, and regulators.

Cybersecurity vulnerabilities

Non-certified medical software may not comply with the cybersecurity requirements that are mandatory for medical device manufacturers, and often lacks the security controls needed to safeguard patient data. This exposes hospitals to data breaches, ransomware attacks, and GDPR violations: a data leak or cyber-attack can result in hefty fines under regulations like GDPR, alongside the loss of sensitive patient information.

Why CE Certification Matters for Medical Software in Hospitals

For hospitals, clinics, and healthcare professionals, patient safety is the top priority, and that makes the safety and efficacy of medical software paramount. To ensure patient protection, it is essential to verify that the software used for clinical purposes carries the CE mark as a medical device. This certification guarantees that the software has undergone rigorous testing and meets the high standards set by European regulations.

Before implementing any new medical software, hospitals should ensure that it complies with the European Medical Device Regulation (MDR). This includes reviewing the software’s intended use, functionality, and regulatory status to confirm that it aligns with healthcare needs and regulatory requirements. Non-compliant software can not only lead to unsafe patient outcomes but can also expose healthcare providers to legal liabilities.

Moreover, hospitals and healthcare providers should partner with trusted vendors who specialize in regulatory-compliant health tech. By doing so, they can avoid costly risks and focus on what matters most: delivering quality care to patients.

As the landscape of medical software evolves, regulatory compliance is not just a legal requirement; it is a cornerstone of patient safety, care quality, and healthcare trust. Ensuring that software meets CE-certification standards is an investment in both the health of patients and the credibility of healthcare institutions.

Compliance in Action: Tucuvi Health Manager Certified as a Medical Device

To conclude, let’s look at a real-world example of why trust and regulation are essential when it comes to patient care: Tucuvi Health Manager (THM), our Patient Management product, with LOLA, our Clinical AI Agent, at the center of it.

Classified as a medical device and holding a CE certification under the European Medical Device Regulation (MDR), THM meets the highest standards for safety, performance, and clinical reliability. When engaging with patients, LOLA actively collects, analyzes, and transmits validated health data, not only augmenting the capacity of care teams but also empowering them to make informed clinical decisions across more than 50 healthcare systems, without errors or hallucinations.

THM represents a clear example of medical software developed and validated under the strictest regulatory standards, with patient safety and clinical accuracy at its core.

Because when it comes to patient care, safety, trust, and regulatory compliance are not negotiable.
