
MDCG 2025-4: Medical Apps on Online Platforms

Roberta Polisciano

On June 16, 2025, the guidance document MDCG 2025-4: Guidance on the safe making available of medical device software (MDSW) apps on online platforms was published. It addresses the safe provision, through online platforms, of software apps that qualify as medical devices (Medical Device Software, MDSW).

The document aims to clarify the roles and responsibilities of the providers of such platforms (such as the App Store and Google Play) and of MDSW manufacturers, based on the requirements set by EU Regulation 2017/745 (MDR), EU Regulation 2017/746 (IVDR), and the Digital Services Act (DSA). It also defines the information obligations related to devices and the information to be provided both on the platform and in the accompanying documentation.

Roles and Responsibilities of Platform Providers

According to the New Legislative Framework, as clarified in the European Commission communication, a product can be subject to multiple European Union harmonization legal acts simultaneously (e.g., MDR, IVDR, and DSA). The making available or putting into service can only occur if the product complies with all applicable regulations.

Based on these considerations, MDCG 2025-4 identifies two main models for making medical apps available on the EU market, which apply separately or in combination, depending on the role actually played by the platform provider:

  • The platform provider acts exclusively as an intermediary, under the Digital Services Act (DSA);
  • The platform provider assumes the role of distributor or importer, in compliance with MDR/IVDR.

These models can be applied in a “pure” form or in a “hybrid” form, if the platform provider performs both roles, for example offering both its own apps and third-party apps.

Intermediaries

The DSA defines an intermediary service as one of the following information society services:

  • A “mere conduit” service, which consists of transmitting, on a communication network, information provided by a recipient of the service, or providing access to a communication network;
  • A “caching” service, which consists of transmitting, on a communication network, information provided by a recipient of the service, involving the automatic, intermediate, and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their request;
  • A “hosting” service, which consists of storing information provided by, and at the request of, a recipient of the service.

In cases where digital platform providers offer only third-party MDSW, they play the role of intermediary service providers between the manufacturer and the end user (for example, the patient downloading the application). In this case:

  • They are not considered economic operators under the MDR, so they do not need to be identified as such by the manufacturer.
  • Platforms must be fully compliant with the DSA, fulfilling obligations such as:
    • Notification of illegal content: they must have mechanisms for the prompt reporting of illegal content. Competent authorities can order the removal of such content (Articles 9 and 10 DSA).
    • Transparency: they must ensure that the interface allows manufacturers to comply with the information obligations set by EU law (for example, Annex I MDR), and verify the completeness and reliability of the information provided (Articles 30 and 31 DSA).
    • Responsibilities of VLOPs: Very Large Online Platforms are required to conduct an annual risk analysis to assess, for example, risks related to the spread of illegal content, and adopt appropriate mitigation measures.

Distributors and Importers of Medical Apps

If the platform provider receives an MDSW app from a manufacturer and makes it directly available to the end user (for example, by transferring rights or ownership), it assumes the role of:

  • Distributor, if the manufacturer is established in the EU.
  • Importer, if the manufacturer is based outside the EU.

In this scenario:

  • The platform is subject to the obligations of Article 14 (distributors) or Article 13 (importers) of the MDR/IVDR.
  • The DSA does not apply, but the requirements of medical device regulations must be met, including:
    • Conformity assurance: ensuring that apps comply with MDR/IVDR requirements, including aspects of safety, performance, and data protection.
    • Collaboration with authorities: providing competent authorities with information and documentation related to apps distributed through the platform.

It’s important to emphasize that if the manufacturer is based in a third country and the platform provider is based in the EU, the latter assumes the role of importer and the manufacturer must still appoint an authorized representative in the EU. In the absence of such appointment, the device cannot be placed on the Union market.

Information Obligations

In the Documentation to be Transferred to the Patient

In accordance with Annex I, point 23 of the MDR, the manufacturer must include in the label and instructions for use the following information to be transferred to the end user:

  • The name or trade name of the device;*
  • The name, registered trade name or registered trademark of the manufacturer, the address of its registered place of business and the related single registration number (SRN);*
  • Symbol or indication identifying the product as a medical device (MD) or in vitro diagnostic medical device (IVD);*
  • Clear description of the device and its intended purpose;*
  • Important warnings or precautions to be brought immediately to the attention of the device user or other persons. This information may be kept to a minimum, provided that more detailed information is available in the instructions for use, taking into account the intended users;*
  • Link to the eIFU;*
  • UDI-DI (Unique Device Identification – Device Identifier) code;*
  • Name and address of the authorized representative;
  • Notified body notification number;
  • Certificate number;
  • Any particular operating instructions;
  • Information on the availability of a manufacturer’s HW device to be used as part of the MD or as an accessory;
  • Minimum requirements for HW, setup, and secure connection.

(*mandatory information)

On the Platform

Before including an MDSW on the platform, intermediary service providers must carry out random checks to verify that the applications and services offered do not contain illegal content.

Additionally, they must verify that manufacturers have provided the following information:

  • Name, address, economic operator number;
  • Information for clear and unambiguous identification of products;
  • Manufacturer’s identifying marks such as brand, symbol, or logo;
  • Information regarding labeling and marking in compliance with applicable standards.

Categorization of Medical Apps (MDSW)

A significant innovation introduced by the MDCG 2025-4 guideline concerns the obligation for a clear categorization of software applications present on digital platforms.

This measure aims to ensure that patients and end users can unambiguously distinguish apps classified as Medical Device Software (MDSW) from those without a declared medical purpose, such as general health or lifestyle/wellness apps.

In practice, online platforms will need to provide a specific category dedicated to MDSW, clearly distinct from other types of applications. This classification must be:

  • Directly selectable by the manufacturer when publishing the app;
  • Available for activation only when all information and documentation required by applicable European regulations has been provided.

This categorization represents a first step towards increasing transparency for users and strengthening the safety of use of health applications.
