
When Healthcare Apps Must Get DiGA Certification

Digital health solutions have become an integral part of the healthcare system and of treatment plans. The industry adopts new technologies to make detection and treatment of illness more efficient, more personalized, and easier for both patients and physicians.

However, the development of digital health apps and devices follows specific workflows and requirements, most of them concerning the secure collection, storage, and transmission of health data. These rules bind both medical device manufacturers and the software engineers who build these systems. In Germany, the DiGA framework (Digitale Gesundheitsanwendung, digital health application) is one of them.

When a software company wants to list its healthcare app as a DiGA, it must pass the Fast-Track procedure, a review conducted by the Federal Institute for Drugs and Medical Devices (BfArM). The review checks that the application meets the data protection, data security, interoperability, and quality requirements, and that it has shown, or is on its way to showing, a positive healthcare effect, so that physicians and psychotherapists can prescribe it.

Not sure whether you need a DiGA? Read on to learn what a DiGA, a digital health application or "app on prescription", is and when the framework applies.

What is a DiGA?

The DiGA directory, maintained by BfArM for Germany's statutory health insurance system, lists health apps that have been reviewed for safety and effectiveness. A DiGA is a digital health application on prescription whose main task is to support patients in detecting and treating disease. DiGAs help people make their treatment more effective and enable self-management of their illness. They are held to a far higher standard than publicly available wellness and fitness apps that track daily activity, nutrition, or pulse.
</gra_replace>
<gr_replace lines="18" cat="clarify" orig="X-rays, CT">
Imaging and diagnostic hardware such as X-ray, CT, or ECG equipment is not a DiGA: such devices do detect and monitor disease, but their medical function is delivered by the hardware, whereas a DiGA's main function must be based on digital technology (and they usually fall into higher risk classes than a DiGA may have). BfArM has simplified DiGA development for software engineers and device manufacturers by publishing a detailed guide to the DiGA requirements, which we discuss next.

X-rays, CT scans, and ECGs are unrelated to DiGa devices as they don't detect, monitor, treat, or alleviate diseases, injuries, or disabilities. BfArM simplified the DiGa app development process for software engineers and medical device manufacturers by providing a detailed description of the DiGa technical requirements, which we will discuss next. 

How does the DiGA system work?

If you want your medical solution to become a DiGA, you must go through a meticulous review conducted by the Federal Institute for Drugs and Medical Devices (BfArM). Data security is assessed against the BSI Technical Guideline TR-03161 ("Requirements for Applications in the Health Sector"); the guideline itself already exists, and a BSI certificate based on it becomes a mandatory listing requirement at a later date fixed in the DiGA Ordinance (DiGAV). At the time of writing, only about 45 applications are listed as DiGAs; the others are still under review or were rejected for not meeting the requirements.

The official review, called the Fast-Track procedure, checks the manufacturer's conformity with the DiGAV requirements: safety and suitability for use, data protection and data security (per the BSI guideline), quality, interoperability, and a positive healthcare effect. A DiGA that is already listed can be removed again if it was listed provisionally on the basis of a planned study and the manufacturer fails to deliver the required evidence on time. The review has two possible outcomes:

  • Permanent listing - BfArM decides within three months of receiving a complete application; if the evidence of a positive healthcare effect is accepted, the app enters the DiGA directory permanently.
  • Provisional listing - if the app meets all other requirements but the evidence is still missing, it is listed provisionally for 12 months (extendable once by up to 12 more months in justified cases). During that period the app is already prescribable and reimbursed, and the manufacturer must run the comparative study and submit the results.

Listed DiGAs cover many indications, such as cancer, depression, anxiety disorders, migraine, hormones and metabolism, sleep disorders, and others.

Characteristics of healthcare solutions that can be included in the DiGA directory

Your healthcare app qualifies as a DiGA if it meets the criteria that define its purpose in care.

According to BfArM, an application qualifies as a DiGA if:

  • It is a CE-marked medical device of risk class I (low) or IIa (low to medium) under the EU Medical Device Regulation; class IIb and III devices are excluded;
  • Its main function is based on digital technologies, and that digital function itself delivers the medical purpose; a companion app that merely reads out a physical device, or whose primary role is information or administration, does not qualify;
  • It supports the detection, monitoring, treatment, or alleviation of disease, or the detection, treatment, alleviation, or compensation of injury or disability;
  • It is not intended for primary prevention;
  • It is used by the patient, or by the patient together with the healthcare provider; tools used only by medical staff are not DiGAs.

It is worth noting that the core purpose of a DiGA is to help patients manage and overcome disease faster and more effectively, with a demonstrable positive effect on the course of the illness.

When is DiGA certification not necessary?

Products whose medical function is not delivered by software, or that fall into risk class IIb or III, are outside the DiGA framework and follow the regular medical device pathway instead. Imaging and diagnostic hardware such as X-ray, CT, or ECG equipment is the typical example: it remains a regulated medical device, but the DiGA rules do not apply to it.

The criteria above are spelled out in BfArM's DiGA guide, which also describes the technical requirements we turn to next.

Why you need DiGA certification for your medical solution

The positive healthcare effect of a DiGA cannot be established from user feedback alone; it has to be demonstrated in a comparative study. The benefit of a DiGA is assessed on two levels:

  • Medical benefit - a measurable effect on symptoms, the course of the disease, quality of life, or other patient-relevant outcomes; the evidence expected is of the same kind as for a drug.
  • Patient-relevant structural and procedural improvements - simplifying the treatment process for patients, for example through adherence support, access to care, coordination between patient and provider, or patient safety.

DiGA listing signals the quality of your medical solution: it rests on clinical evidence and on tangible positive effects on treatment. Below we highlight what DiGA listing brings to treatment plans and to the healthcare system in general that uncertified medical apps and devices cannot offer.


Let's start with the benefits for patients. As mentioned, DiGAs are apps on prescription, meaning they are available to patients who require a certain kind of treatment or health monitoring. Besides meeting the data security standards, a DiGA must positively affect the treatment of the disease and introduce new ways to care for patients.


DiGAs are reimbursed by the statutory health insurers. A physician or psychotherapist prescribes the app, or the patient applies to the insurer directly with proof of the indication; the insurer then issues a one-time activation code that the patient enters after downloading the app to unlock it.

What are the requirements for apps to be DiGA certified?

BSI TR-03161 ("Requirements for Applications in the Health Sector") is the BSI's technical guideline for software developers. It sets out the data security requirements for health applications, with separate parts for mobile apps, web apps, and background systems. Meeting these requirements is a precondition for DiGA listing, and a BSI certificate based on the guideline becomes compulsory at the date set in the DiGAV.

Although written for engineers, TR-03161 also helps you vet a development partner: ask whether they know it and build against it. Certifications such as ISO 27001 and ISO 13485 show the maturity of a vendor's security and quality processes, but note that they are not DiGA listing requirements in themselves; the listing requirements apply to the product and its manufacturer.

Here are the main standards and frameworks that matter for a DiGA:

  • ISO 27001 - the international standard for information security management systems (ISMS), giving a framework for continuous improvement of information security. This matters for health apps because they process sensitive health data that calls for the strongest protection and risk management. An ISO 27001 certificate does not by itself make a product GDPR-compliant (and HIPAA does not apply to DiGAs, which are governed by the GDPR and German law), but a working ISMS is the usual way to demonstrate the organisational side of data protection.
  • ISO 13485 - the quality management system (QMS) standard for medical device manufacturers, covering the design, development, maintenance, and integration of medical device software and hardware in line with regulatory requirements.
  • CE marking - the conformity assessment under the EU Medical Device Regulation. A DiGA must carry the CE mark as a class I or IIa device before it can be submitted to BfArM; the assessment ensures the product was designed and developed under a quality management system and meets the applicable safety requirements.

When you start looking for a software provider to build a digital health application, make sure they can work within the regulations and standards above.

Fast-Track procedure: key requirements to get DiGA certification

Proving that an eHealth application has a positive effect on patients and the healthcare system takes time. That is why BfArM set up a faster way to evaluate whether a healthcare application meets the DiGA directory requirements. The DiGA Fast-Track procedure is the accelerated review and approval of new digital medical solutions seeking to enter the healthcare system. The image below shows how it works:

Figure: DiGA Fast-Track procedure scheme

To include your app in the reimbursable DiGA directory, the Federal Institute for Drugs and Medical Devices must review it. BfArM decides within three months of receiving a complete application. It checks whether your app really has the qualities you declare: usability and accessibility (UI/UX), data protection and data security measures, interoperability, and evidence of a positive healthcare effect.

A positive healthcare effect is fundamental for DiGA approval. If this requirement is not yet met but all others are, you can be listed provisionally for 12 months (extendable once by up to 12 more months), which gives you time to complete the comparative study and submit the clinical evidence.

Challenges of getting a health app DiGA compliant

Getting into the DiGA directory takes time, not least because of the wide range of data security requirements to consider when developing an eHealth solution. Below are the challenges medical device manufacturers and software developers most often face.

Lack of clinical evidence

The positive healthcare effect must be shown in a comparative study (in practice usually a randomised controlled trial against non-use or standard care); expert opinion, patient feedback, and user ratings are not sufficient. Many applicants underestimate the study design and end up listed only provisionally, or rejected.

Long testing and approval process

BfArM's own decision takes three months, but if you are listed provisionally, the study phase adds 12 to 24 months, and a DiGA can be removed from the directory afterwards if the evidence is missing or insufficient. Your solution is not rejected outright, though: during the provisional period the app is already prescribable, and you can collect the evidence needed for permanent listing.

Data security and protection

Digital healthcare solutions process health data, a special category of personal data under the GDPR, which requires following many data security standards and anticipating potential threats. For a DiGA the bar is higher still: the mandatory security requirements are set by the BSI guideline TR-03161 and cover, among other things, application architecture, source code, third-party software, cryptography, authentication, data storage, and network communication. Interoperability, i.e. exporting data in standardised formats, is a separate DiGAV requirement.

DiGA development with Lemberg Solutions

To get your healthcare application into the DiGA directory without obstacles, you can team up with a software development partner who has done it before.

Lemberg Solutions is certified to ISO 27001 and ISO 13485 and builds against the data security requirements of BSI TR-03161, the GDPR, and HIPAA. These certifications help ensure you get an industry-compliant solution that can be reviewed and approved as a DiGA.

We provide full-cycle development services, including web and mobile app development, Internet of Things development, cloud, and AI engineering, to build and deliver a robust DiGA-compliant healthcare application from scratch. Contact our experts for details about our healthcare development experience and the cooperation scenario we can offer for your project.



  • What do you need to know about the approval process for digital health apps?

DiGA approval is a structured review of a medical app against data protection, data security, quality, interoperability, and clinical evidence requirements. The Federal Institute for Drugs and Medical Devices (BfArM) checks the evidence of a positive healthcare effect. Approved apps are prescribed much like medications to increase treatment effectiveness.

  • What do manufacturers have to do to obtain DiGA approval?

Manufacturers must have a CE-marked class I or IIa medical device, meet the DiGAV requirements on data protection, data security (per BSI TR-03161), quality, and interoperability, and submit evidence of a positive healthcare effect, or a study plan for obtaining it, to BfArM.

  • How can DiGA digital security be ensured?

Build against BSI TR-03161 from the start, and select a software development partner who is ISO 27001 and ISO 13485 certified and familiar with the TR-03161 and TR-03139 guidelines that set out the security requirements for engineers.
