Who Qualifies as DiGA Applicant – Legal Manufacturer Bar

By Christoph Eberhardt · CEO, DUX Healthcare · 17 April 2026

“We built the product in Boston, we got our 510(k), and now we want to list it as a DiGA in Germany.” Some version of this sentence comes up regularly in inbound conversations, and the answer is almost never “that works”. Not because the product is wrong – but because the applicant named on a DiGA filing has to be the legal manufacturer of a CE-marked medical device under the MDR, and the MDR requires that legal manufacturer to be established in the EU, or to appoint an EU authorised representative who assumes specific legal duties. This is the applicant-identity question: a frequent reason foreign DTx teams stall on their German market-entry plan at month eight, because the entity that is supposed to sign the BfArM application does not exist yet and cannot be built in a quarter. This article walks through who qualifies, why non-EU companies hit a structural wall, what the three realistic routes into Germany look like, what they actually cost in weeks, and where teams consistently underestimate the work.

The formal rule – the applicant is the MDR legal manufacturer

The starting point is a single sentence from the German DiGA ordinance. DiGAV § 2 para. 1 sentence 1 names the application as the one “to be filed by the manufacturer of a digital health application with the BfArM”. The ordinance does not allow a distributor, importer, or local commercial partner to be the applicant – it names the manufacturer.

The BfArM (Bundesinstitut für Arzneimittel und Medizinprodukte – the Federal Institute for Drugs and Medical Devices) confirms this in the DiGA-Leitfaden glossary: the Antragsteller (applicant) is “the manufacturer of a DiGA or its authorised representative for filing”, and the Hersteller (manufacturer) is the “natural or legal person that manufactures a medical device or develops one as such and places it on the market under its own name” – verbatim from the MDR.

This is the bridge to EU medical-device law. A DiGA is by statute a CE-marked medical device. The manufacturer in DiGAV § 2 is therefore the manufacturer as the MDR (Medical Device Regulation – Regulation (EU) 2017/745) defines one in MDR Art. 2(30): the entity that signs the EU Declaration of Conformity under Annex IV (MDR Art. 10(6)), keeps the technical documentation and declaration available for at least ten years (MDR Art. 10(8)), operates the QMS (Quality Management System, typically to ISO 13485) required under MDR Art. 10(9), and maintains financial coverage proportionate to risk class and size under MDR Art. 10(16). The DiGAV § 2 para. 1 fields all presume that concrete entity. There is no parallel “DiGA applicant role” that escapes the MDR definition.

Why “legal manufacturer” trips up foreign companies – MDR Article 11

For a company headquartered in the EU, the legal-manufacturer question is almost a non-question: the entity that holds the technical file also holds the DiGA application. For a company headquartered in the US, the UK (post-Brexit), Israel, Switzerland (not EU or EEA for this purpose), Singapore, or Japan, the question is structural.

The governing rule is MDR Article 11 (authorised representative). Under MDR Art. 11(1), where the manufacturer is not established in an EU Member State, the device may only be placed on the Union market if the manufacturer designates a sole authorised representative. Under Art. 11(2) the designation is valid only when accepted in writing by the representative and must cover at least all devices of the same generic device group. Art. 11(3) enumerates mandatory tasks – verifying that the EU Declaration of Conformity and technical documentation have been drawn up, keeping a copy at competent authorities’ disposal, registration under Art. 31, forwarding requests, and terminating the mandate if the manufacturer violates obligations. Critically, Art. 11(4) states that the mandate shall not delegate the manufacturer’s own obligations under Art. 10(1), (2), (3), (4), (6), (7), (9), (10), (11) and (12) – meaning the authorised representative does not become the manufacturer and cannot substitute for the manufacturer’s QMS, technical-documentation, clinical-evaluation, conformity-assessment, UDI, labelling, PMS, or corrective-action duties. Under MDR Art. 11(5), where the manufacturer has not complied with Art. 10, the authorised representative is jointly and severally liable with the manufacturer for defective devices. This is not a mail-forwarding function – it is a regulatory role with legal teeth.

Two adjacent MDR mechanics are easy to overlook:

• Person Responsible for Regulatory Compliance (PRRC) – MDR Art. 15. Under Art. 15(1), the legal manufacturer must have at least one PRRC within its organisation with defined qualifications. Under Art. 15(2), micro and small enterprises may have one “permanently and continuously at their disposal”. Under Art. 15(6), the authorised representative must also have its own PRRC.
• Importer and distributor duties – MDR Art. 13 and MDR Art. 14. These are not applicant roles. German distribution partners who misread themselves as “applicants” because they touch the product are making a category error.

The BfArM’s glossary anticipates the confusion. It distinguishes the Bevollmächtigter zur Antragstellung (“authorised representative for filing”) from the Bevollmächtigter nach Artikel 2 Absatz 32 MDR (the EU representative of a non-EU manufacturer). The DiGA-Leitfaden is explicit: “The authorised representative for filing is not necessarily the authorised representative under Art. 2 para. 32 MDR.” A regulatory consultant can be authorised to click “submit” on the BfArM portal – that does not change who the legal manufacturer is.

One DiGA-only rule compounds the Article-11 problem. DiGAV § 4 para. 3 limits processing of the DiGA’s personal data to Germany, another EU member state, an EEA-equivalent country, or a third country under an EU adequacy decision under Article 45 GDPR. The US is currently covered by the EU–US Data Privacy Framework – but only for entities that have joined it. The DiGA-Leitfaden Sec. 3.3 Q&A is explicit: “A US manufacturer based solely in the US that has not joined the EU–US Data Protection Framework is, in principle, excluded. A constellation with a European subsidiary and a corresponding authorised representative would be conceivable under the conditions described above.”

Non-EU applicants – three entry routes into Germany

Route 1: Keep the non-EU legal manufacturer, appoint an EU authorised representative

The minimum-footprint route. The US, UK, or APAC company stays the MDR legal manufacturer; an EU-established company is appointed as the authorised representative under MDR Art. 11(1), with a written mandate (Art. 11(2)) scoped to at least a full generic device group and registered with the competent authority.

The caveat is narrow scope. Under Art. 11(4) the non-EU manufacturer still carries the non-delegable Art. 10 obligations – QMS, technical file, declaration of conformity, PMS, corrective actions – and the authorised representative and the manufacturer are jointly and severally liable for defective devices under Art. 11(5). Most authorised-representative shops also prefer to limit mandates to Class I; for Class IIa/IIb they ask for additional liability structuring before accepting. In practice this route works where a US or UK company already has EU/EEA cloud infrastructure, an existing ISO 13485 QMS audited to MDR, and a Notified Body. That combination is uncommon among foreign teams.

Route 2: Establish an EU subsidiary that becomes the legal manufacturer

The clean-but-slow route. The non-EU parent founds or uses an existing EU subsidiary that assumes the legal-manufacturer role: incorporation in an EU member state (Ireland, the Netherlands, and Germany are common), its own ISO 13485 QMS, a PRRC under MDR Art. 15(1), its own Notified Body relationship for Class IIa/IIb, its own technical file, its own signatory on the EU Declaration of Conformity.

Realistic standup: 9–18 months. Incorporation and banking 2–4 months, QMS build and ISO 13485 certification 6–12 months, PRRC hiring 2–6 months in a tight EU regulatory labour market, Notified Body slot 3–9 months. The subsidiary is an ongoing operation, not a sunk cost – budget low-to-mid six figures annually. This is the route most European VC-backed DTx companies take, and the most durable long-term; rarely the fastest to a first DiGA filing.

Route 3: Partner with an EU legal manufacturer

The fastest of the three. The non-EU DTx company retains product IP and operational control; an existing EU-established legal manufacturer takes on the MDR legal-manufacturer role for the DiGA – holds the technical documentation, runs the QMS, signs the declaration of conformity, files the BfArM application, carries the product-liability posture.

The partnership is commercially intense. The partner owns substantial liability, so a competent EU legal manufacturer will do serious due diligence on the product, require visibility into the IEC 62304 software lifecycle, insist on a QMS interface, and typically take commercial participation rather than a flat fee. Terms are negotiated. (DUX Healthcare offers a legal-manufacturer partnership through a partner structure – terms are discussed transparently with any team that asks.) Time to filing-ready: 3–6 months if the product is already CE-marked under MDR and the transfer is contractual.

Which route suits which company

Investors tend to prefer the subsidiary for durability, regulatory-affairs leaders for control, founders under revenue pressure prefer the partnership for speed. Early-stage companies with a single DTx product rarely have a business case for a subsidiary until the DiGA is listed and reimbursing – the partnership route buys that proof. There is no universally correct answer, only a decision that should be made explicitly in month one of a German market-entry plan.

Documentation requirements for the applicant

Separate from medical, clinical, and security documentation required for the DiGA itself, the applicant-entity carries a documentation set specific to who it is. Working from the 26 content blocks of DiGAV § 2 para. 1:

• Identification of the legal manufacturer – official company name, legal form, EU Handelsregister (commercial register) extract or equivalent, registered-office address, and the EUDAMED SRN (Single Registration Number) where issued. For a non-EU manufacturer, the EU authorised representative’s registration and mandate appear alongside.
• EU Declaration of Conformity under MDR Annex IV (drawn up under Art. 10(6)), signed by an authorised signatory of the legal manufacturer.
• Notified Body involvement (Class IIa/IIb) – four-digit number, certificate reference, and scope under DiGAV § 2 para. 1 no. 3. Class I DiGAs are self-declared.
• QMS certification – accredited ISO 13485 per MDR Art. 10(9), scope covering the DiGA. In a partnership, the partner’s QMS covers the joint operation.
• PRRC designation under MDR Art. 15(1) – name, qualifications, contractual relationship to the legal manufacturer.
• Product-liability insurance (DiGAV § 2 para. 1 no. 23) – coverage amount filed in the application.
• Data-processing locations (DiGAV § 2 para. 1 no. 20) – a legal-manufacturer-level representation of compliance with DiGAV § 4 para. 3.
• ISMS certification – accredited ISO 27001, per company, mandatory since 1 April 2022.
• BSI TR-03161 per-DiGA certificate – mandatory since 1 January 2025, application-relevant since 1 July 2025. Issued per DiGA, not per company (§ 139e para. 10 SGB V); details in BSI TR-03161 certification.

None of this is individually hard. All of it presumes a legal manufacturer that exists and is ready to sign.

Timing and cost

Teams that solve the applicant-identity question in month one of a German market-entry plan save roughly 3–9 months over teams that solve it in month eight. That saved time rarely translates to a faster BfArM decision – the statutory clock is three months from a complete application (DiGAV § 16 para. 1↗) regardless of applicant origin – but it compresses the critical path that sits in front of filing.

Ordinal comparison across the three routes (qualitative; partner terms are commercially negotiated):

The decision that matters weighs speed-to-reimbursement against long-term entity control. A partnership wins on speed, a subsidiary on control, an authorised representative on minimum footprint but rarely on DiGA specifics.

Common pitfalls for international teams

Recurring patterns:

1. Treating the authorised representative as an administrative vendor. Under MDR Art. 11(5) the authorised representative is jointly and severally liable. A cheap vendor-style representative is the wrong partner for a Class IIa/IIb DiGA and will often decline the mandate once they see the scope.
2. Assuming the distribution partner solves the applicant question. A German commercial distributor is not a legal manufacturer. “Our German partner will handle the paperwork” is almost always a category error.
3. Confusing a legacy CE mark with MDR posture. A device CE-marked under the old Medical Device Directive (MDD) is not valid for new placements under MDR.
4. Starting the legal-manufacturer conversation after the evidence study is funded. The evidence study is about the product. The legal-manufacturer question is about who is entitled to file. Different projects, both need to run from month one.
5. Underestimating the PRRC gap. The EU PRRC market is tight. For non-EU companies trying to hire a PRRC in month twelve, the answer is usually “not within the quarter”.
6. Forgetting that German localisation sits with the legal manufacturer. Product, intended use, instructions for use, consent language, customer support – all in German at a BfArM-recognised quality, owned by the legal manufacturer.
7. Assuming a single DiGA listing makes the entity ready for a second. A partnership structured for one DiGA is not automatically a partnership for three. Scalability is a design choice, not an emergent property.

The DUX legal-manufacturer partner model – a note

DUX Healthcare operates the mHealth Suite, a platform of pre-validated software modules engineered for CE-marked medical-device software and DiGA-compliant operation. Through a partner structure, DUX offers a legal-manufacturer partnership to international DTx companies entering Germany: the partner takes on the MDR legal-manufacturer role for the DiGA, operates the ISO 13485 QMS scope covering the joint operation (MDR Art. 10(9)), provides the PRRC under MDR Art. 15(1), holds the technical documentation, signs the EU Declaration of Conformity under Annex IV, and files the BfArM application. The team retains product IP, clinical content ownership, brand, and commercial direction in markets outside Germany – and co-owns DiGA economics in Germany under terms negotiated jointly.

This is not a generic regulatory-services offering. The partnership only works where the product fits the mHealth Suite platform (so the BSI TR-03161 engineering and the BfArM data-protection criteria live in shared infrastructure rather than per-project rebuilds) and where the partner is prepared to accept shared liability on the basis of competent diligence. DUX says “no” to partnership requests where the fit is not there.

The structural point: the two heaviest market-entry blockers – MDR/DiGAV engineering and the EU-established legal-manufacturer requirement – are solvable together in this model, rather than serially. Platform mechanics and partnership context sit at /go-beyond/.

Frequently asked questions

Where to read next

For the operational detail of what happens after the applicant-identity question is solved, the DiGA knowledge area covers the BfArM process, evidence requirements, BSI TR-03161, AbEM, and pricing. The sibling Market Access Germany frames the broader inbound journey around evidence, pricing, and post-market obligations. For the regulatory stack beneath the DiGA ordinance, Medical Software is the cross-area companion. For teams comparing DiGA against the regulatory routes they already know, DiGA vs. FDA SaMD sits adjacent.