The article highlights the aspects related to the life cycle of the digital health applications included in the respective directory.

HSA Guidance on Change Notification: Overview

The Federal Institute for Drugs and Medical Devices (BfArM), the German regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the Digital Health Applications (DiGA) and the regulatory framework associated thereto.

The document provides an overview of the applicable regulatory requirements, as well as additional clarifications and recommendations to be taken into consideration by medical device manufacturers (software developers) and other parties involved to ensure compliance with it.

At the same time, the authority also reserves the right to make changes to the guidance and recommendations provided therein, should such changes be reasonably necessary to reflect corresponding amendments to the underlying legislation. 

The scope of the guidance covers, the aspects related to the life cycle of the products included in the respective directory.

Regulatory Background 

According to the guidance, the lifecycle of a Digital Health Application within the directory is a structured process governed by specific regulations and standards.

The present guidance issued by BfArM outlines the journey of a DiGA from its inclusion in the directory to its potential removal, highlighting the roles and responsibilities of both the authority and the DiGA manufacturers.

BfArM on fast track (lifecycle)

Visibility and Information Presentation in DiGA Directory

Once a DiGA is approved for inclusion in the directory, it becomes publicly visible, typically within three days of the decision’s email delivery.
The BfArM plays a crucial role in ensuring the accuracy of the information presented in the directory.

This information, derived from the application review, is made accessible to various stakeholders, including doctors, psychotherapists, insured persons, and other interested groups.

Obligations of the BfArM After DiGA Inclusion

The authority further emphasizes the importance of incorporating the positive care effects (pVE) demonstrated in the study submitted for the DiGA’s permanent admission.
These effects, alongside other data from the manufacturer’s application, are updated in the directory.

The BfArM also specifies the necessary medical services in relation to the DiGA, communicating this assessment to relevant committees and the GKV umbrella association.

Remuneration Negotiation Process

Following DiGA’s inclusion in the directory, the manufacturer and the GKV-SV negotiate the remuneration amount.

This negotiation is based on the pVE entries and required medical services listed in the directory, and the BfArM informs the GKV-SV about the need for price negotiations.

Obligations of the Manufacturer After DiGA Inclusion

The guidance also highlights the aspects related to the obligations of medical device manufacturers (software developers).

In particular, manufacturers are required to publish the relevant study within a year of completion and report the publication location to the BfArM.

They must also assess and report significant changes to their DiGA, following Section 18 DiGAV.

All displayed or linked information in the directory must be current and complete, with updates made through the BfArM’s approval.

Manufacturers should also continuously maintain and update technical and organizational measures for data protection and security.

This includes conducting penetration tests, managing product configurations, and keeping track of third-party software.

They are also responsible for deleting or blocking unnecessary data and evaluating log data for security events.

Regulation of a DiGA

Different regulatory entries can be created for a DiGA, each with a unique identification number and a pharmaceutical central number (PZN).

These identifiers facilitate the prescription process, enabling doctors and psychotherapists to prescribe specific DiGA units.

The BfArM lists reimbursable DiGA in its directory, providing essential data for practice management systems.
This process ensures that prescribing professionals have access to the latest DiGA information.

New regulatory requirements mandate further developments in DiGA. These include establishing an Information Security Management System (ISMS) and ensuring interoperability.
As specifically mentioned by the authority, manufacturers must comply with these updates to remain listed in the directory.

Removing a DiGA from the Directory

Following the applicable regulatory requirements, manufacturers responsible for applications can request the removal of a DiGA from the directory through the BfArM’s electronic portal.

The BfArM also has the authority to remove a DiGA if it fails to meet the required criteria or if significant changes render it non-compliant.


In summary, the present BfArM guidance highlights the structured and regulated process governing DiGAs in the healthcare system.
From inclusion to potential removal, the responsibilities of the BfArM and manufacturers are clearly defined, ensuring that DiGA maintains high standards of effectiveness, safety, and compliance.

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.