01
Special-category data at scale
Article 9 health data needs explicit consent or another lawful basis. DPIAs are mandatory. Pseudonymisation rarely fits clinical workflows.
IMPACTAZOP and BfDI fines starting in low six figures.
SECTOR PRACTICE · HEALTHCARE & LIFE SCIENCES
EU compliance for healthcare & life sciences
GDPR, NIS2, and cybersecurity for hospitals, pharma, medical devices, and research
REGULATIONS.STACK · HEALTH● 09
GDPRSpecial-category health data
NIS2Hospitals as essential entities
AI ACTMedical AI and diagnostic tools
MDRMedical Device Regulation
IVDRIn-Vitro Diagnostic Regulation
CTRClinical Trials Regulation
EHDSEuropean Health Data Space
GMPGood Manufacturing Practice
EIDASeID for patient services
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Six healthcare profiles, one compliance map.
From single-site clinics to multinational pharma. The regulatory load changes with patient volume, data sensitivity and product type.
HOSPITALS
Hospitals & clinics
Patient records, breach reporting, AZOP and BfArM liaison.
GDPRNIS2EHDS
PHARMA
Pharmaceutical companies
Clinical trial data, pharmacovigilance, supply-chain integrity.
GDPRCTRGMP
MEDICAL DEVICES
Medical device manufacturers
MDR/IVDR conformity, post-market surveillance, software as MD.
MDRIVDRGDPR
DIGITAL HEALTH
Digital health & telemedicine
GDPR for health apps, AI Act for diagnostic AI, EHDS interoperability.
GDPRAI ACTEHDS
BIOTECH
Biotech & research labs
Genomic data, research ethics, cross-border data sharing.
GDPRCTREHDS
DIAGNOSTICS
Diagnostic laboratories
IVDR conformity, AI-assisted diagnostics, accreditation regimes.
IVDRAI ACTGDPR
§ 02 / LANDSCAPE
The healthcare regulatory clock.
Eight regimes interlock. We sequence them around your release cadence.
LIVEGDPR
IN FORCE
Health data special category
Article 9 lawful basis, DPIA mandatory, breach reporting in 72h, patient rights at scale.
LIVEMDR
IN FORCE
Medical Device Regulation
Conformity assessment, CE marking, post-market surveillance, vigilance reporting.
LIVEIVDR
IN FORCE
In-Vitro Diagnostic Regulation
Risk classification, notified body involvement for higher classes, technical documentation.
LIVENIS2
IN FORCE
Healthcare as essential entity
Risk management, 24h/72h incident reporting, supply-chain security, board accountability.
NEXTEHDS
MAR 2026
European Health Data Space
Patient access to own data, secondary use of health data for research, interoperability obligations.
CRITICALAI ACT
AUG 2026
High-risk medical AI
Annex III medical AI: conformity assessment, technical documentation, human oversight, post-market monitoring.
NEXTCTR
ROLLING
Clinical Trials Regulation
EU Clinical Trials Information System (CTIS), centralised submission, public transparency.
PLANNEDEPRIVACY
TBD
ePrivacy Regulation
Stricter consent for cookies, marketing and metadata. Replaces national rules.
§ 03 / WHAT TO SOLVE
Where healthcare organisations get stuck.
02
MDR / IVDR documentation backlog
Notified bodies are overloaded. Conformity assessment timelines stretched to 18+ months for some classes.
IMPACTProduct market entry delayed past commercial windows.
03
AI Act applies to diagnostic AI
Annex III lists medical AI as high-risk. Conformity, technical file, human oversight, post-market monitoring all required.
IMPACTMis-classified AI faces market withdrawal.
04
NIS2 hospital classification
Hospitals fall under essential entity scope. Cyber-attacks on healthcare have doubled since 2022.
IMPACTBoard members personally named in supervisory letters.
05
Cross-border clinical trial data
EU Clinical Trials Regulation centralised submission, but data flows still hit Schrems II issues for US sponsors.
IMPACTTransfer impact assessments per protocol amendment.
06
EHDS readiness for secondary use
Patient data must be made available for research with safeguards. Anonymisation standards still being defined.
IMPACTNon-compliance triggers Health Data Access Body action.
§ 04 / OFFERING
Our services for healthcare
HX-01
GDPR programme for healthcare
Article 9 mapping, patient rights workflow, DPIA library, breach response, AZOP and BfDI liaison.
DArt. 9 mappingDDPIA libraryDAZOP/BfDI liaison
HX-02
MDR / IVDR conformity support
Technical documentation, risk management (ISO 14971), notified body submissions, post-market surveillance.
DTech fileDPMS planDNB liaison
HX-03
Medical AI (AI Act + MDR overlap)
Combined AI Act and MDR conformity, technical file (Annex IV), human oversight, post-market monitoring.
DAnnex IVDHuman oversightDPMM
HX-04
NIS2 for hospitals and pharma
Entity classification, ISMS build, supply-chain assurance, 24h/72h reporting playbook.
DGap reportDISMSDIncident SOP
HX-05
Clinical trial compliance
CTR Article 81 transparency, CTIS submissions, data flow mapping, transfer impact assessments.
DCTIS supportDTransparencyDTIA
HX-06
EHDS readiness
Data interoperability, secondary-use governance, Health Data Access Body engagement.
DEHDS gapDGovernanceDHDAB liaison
HX-07
Pharmacovigilance and ICSR
ICSR data handling, signal management, EudraVigilance integration, GxP-aligned data governance.
DICSR opsDSignal managementDEV
HX-08
Telemedicine and digital health
Health-app GDPR programme, cross-border telemedicine, patient consent workflows.
DApp GDPRDCross-borderDConsent
HX-09
Outsourced healthcare DPO
Senior DPO with healthcare experience, named to AZOP / BfDI, board reporting, DSAR handling.
DDPO contractDDSAR opsDBoard memos
§ 05 / SELECTED WORK
All case studies →Healthcare engagements.
CASE 01EU hospital group
GDPR + NIS2 programme across 9 hospitals. AZOP audit closed with zero findings.
9
HOSPITALS
1.4M
PATIENTS
0
FINDINGS
SCOPEGDPR · NIS2 · ISO 27001 · Breach response
CASE 02Medical device SaaS
MDR + AI Act conformity for AI-assisted diagnostic platform. CE marking obtained.
IIa
CLASS
11 mo
NB CYCLE
Granted
CE
SCOPEMDR · AI Act · ISO 13485 · Technical file
CASE 03Multi-country CRO
Clinical Trials Regulation programme rolled across 12 EU member states.
27
PROTOCOLS
12
STATES
Live
CTIS
SCOPECTR · CTIS · Pharmacovigilance · GxP
§ 06 / FREE TOOL
Map your healthcare stack to the EU rulebook.
Eight questions about your patient base, products and data flows. Get an indicative obligations map across GDPR, MDR, IVDR, NIS2, AI Act and EHDS.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Does your product or service handle patient health data in the EU?
Yes, direct patient care or clinical recordsA
Yes, research or trial data (pseudonymised)B
Indirect, payer or admin data onlyC
No patient dataD
INDICATIVE → GDPR ART. 9 + NIS2 ART. 21
§ 07 / FAQ
Frequently Asked Questions
01Are we in scope for NIS2 as a hospital?+
Yes. NIS2 Annex I explicitly lists healthcare providers as essential entities. Risk-management measures, 24h early-warning and 72h incident notification apply. Board members carry personal accountability.
02How does the AI Act apply to our medical AI?+
If your AI is intended for medical purposes under MDR, it is classified as high-risk under Annex III. You need conformity assessment, technical documentation (Annex IV), human oversight and post-market monitoring on top of MDR obligations.
03Can MDR and AI Act conformity be combined?+
Yes. We build a combined technical file that satisfies both regimes. The Commission has confirmed alignment between MDR conformity assessment and AI Act conformity, with one notified body sufficient in most cases.
04What is the European Health Data Space?+
EHDS gives patients access to their own health data and creates a secondary-use regime for research. It applies from March 2026 phased through 2031. We help build the governance and interoperability layers.
05Do we need a DPO?+
Healthcare organisations processing patient data at scale almost always need a DPO under Article 37(1)(c) GDPR. We provide a senior DPO with healthcare-specific experience under retainer.
06How are pharma clinical trials affected by GDPR?+
Trial participants are data subjects with GDPR rights. The Clinical Trials Regulation governs consent and transparency, but GDPR adds the data protection layer. Both apply in parallel.
07What about cross-border data transfers?+
Health data transfers outside the EEA require GDPR transfer mechanisms (typically SCCs 2021 plus a transfer impact assessment). Most US-EU healthcare partnerships need supplementary measures.
08Do you work with our existing notified body?+
Yes. We coordinate with your chosen notified body, prepare the technical file, manage queries and run dry-run interviews before submission.
§ 08 / RELATED
Related practices.
Data Protection (DPO)
GDPR programme for health data, DPIA library and supervisory authority liaison.
Open practice →AI Compliance
AI Act conformity for medical AI, combined with MDR conformity assessment.
Open practice →NIS2 Compliance
NIS2 scoping, ISMS and supervisory readiness for healthcare essential entities.
Open practice →09 / GET STARTED
Need EU compliance for your healthcare organization?
Typical outcomes: GDPR roadmap, NIS2 priorities, incident response readiness.