DiGA – practitioner knowledge for digital health applications on DUX Healthcare

BfArM Data Protection Criteria – the Practical Deep-Dive

Wed, 22 Apr 2026 00:00:00 +0000

By Thomas Wolters · CTO, DUX Healthcare · As of 17 April 2026

The BfArM Data Protection Criteria are the instrument with which the Federal Institute for Drugs and Medical Devices operationalises the GDPR for Digital Health Applications. Since 1 August 2024, DiGA manufacturers have been obliged under DiGAV § 4 Abs. 8 to implement the catalogue determined by the BfArM under § 139e Abs. 11 SGB V. The current version 1.0 was published on 24 April 2024 and contains around 150 testable individual requirements across twelve test areas. Unlike the GDPR’s general clauses and unlike the purely cybersecurity-oriented BSI TR-03161, the BfArM criteria are explicitly tailored to the DiGA-specific situation: pseudonymous use, purpose-bound processing under § 4(2) DiGAV, strict third-country rules, separate consents, electronic withdrawal routes, grace period after the end of the prescription. This article walks the catalogue in detail – with verbatim-cited requirement IDs, from an engineering perspective, for teams not looking for the checkbox but for the architectural decision.

DiGA AbEM 2026 – the Application-Accompanying Performance Measurement

Wed, 22 Apr 2026 00:00:00 +0000

By Christoph Eberhardt · CEO, DUX Healthcare · As of 17 April 2026

The application-accompanying performance measurement (AbEM) is mandatory from 1 July 2026 for all permanently listed DiGAs with at least one demonstrated medical benefit. The first data delivery to the BfArM follows on 15 April 2027. The most common mistake teams currently make is reading AbEM as a reporting obligation – as a dashboard bolted on at the end of a sprint. AbEM is an architectural decision: it reaches into account model, usage telemetry, in-app survey logic, consent architecture, and data protection concept at the same time – and, through the 20% rule under § 134 SGB V from 2026, it couples a fifth of the reimbursement price to measurable product behaviour. Teams treating AbEM as if it were a dashboard are building the wrong vessel. This article explains why – and what a clean AbEM data model actually requires.

DiGA Approval 2026 – the Practical Guide for Manufacturers

Wed, 22 Apr 2026 00:00:00 +0000

By Christoph Eberhardt · CEO, DUX Healthcare · As of 17 April 2026

A DiGA application to the BfArM is not a form you fill out on an afternoon. It is a dossier – 26 data blocks under DiGAV § 2 Abs. 1, with CE documentation, clinical evaluation, certificates for information security and data security, data protection concept, evidence study or evaluation concept, liability insurance proof, price statement, and interoperability evidence. Teams touching the regulatory framework for the first time regularly underestimate two things: first, how much of this must be produced before the BfArM is even involved, and second, how quickly the BfArM actually works once the dossier is complete. This guide walks through the application stage by stage, shows which components teams regularly recognise too late, what realistic timelines look like, which cost blocks are not on the BfArM website – and what actually happens after the decision. The regulatory backbone sits in the pillar hub DiGA – Practical Knowledge; this article is the practical addendum.

BSI TR-03161 Certification – A Practitioner's Guide

Sun, 19 Apr 2026 00:00:00 +0000

By Thomas Wolters · CTO, DUX Healthcare · 17 April 2026

BSI TR-03161 – the Technische Richtlinie (Technical Guideline) of the Bundesamt für Sicherheit in der Informationstechnik (BSI – Germany’s Federal Office for Information Security) titled “Anforderungen an Anwendungen im Gesundheitswesen” – is the regulatory artefact that decides whether a DiGA (Digitale Gesundheitsanwendung) can be filed at the BfArM (Bundesinstitut für Arzneimittel und Medizinprodukte) or not. Since 1 July 2025, a TR-03161 certificate is a formal precondition for application completeness: no certificate, no listing, full stop (DiGA Guide v3.6 Sec. 3.4). International DTx teams entering Germany routinely treat TR-03161 as a side-track they can handle in a final quarter. In practice it is one of the load-bearing architectural decisions of a DiGA project – the cybersecurity standard against which five DiGAs on our mHealth Suite platform have been individually tested. This article is a practitioner’s guide to what TR-03161 actually demands, what certification really costs, where teams stumble, and how the “ohne Auflagen” (without conditions) vs. “mit Auflagen” (with conditions) outcome is decided.