Germany operates the most developed statutory reimbursement pathway for digital therapeutics (DTx) in the world. Through a regulatory category called DiGA (Digitale Gesundheitsanwendung – digital health application), prescription-grade software is reimbursed by statutory health insurance for 73 million insured citizens. No other single market offers reimbursement for pure software at this scale today.
For international DTx companies – in the United States, United Kingdom, France, Israel, the Netherlands, the Nordics, and APAC – this creates both an opportunity and a puzzle. The opportunity is obvious: one listing, one price, one reimbursement decision, and your product is payable across the entire German statutory health insurance system. The puzzle is that the DiGA pathway was designed by German regulators for the German market. It assumes a European CE-marked medical device, German-language product and support, data processing in the European Union, and a legal manufacturer accountable under European law. None of these are impossible for a foreign company – but each requires deliberate planning.
This guide is written for the international team evaluating whether and how to enter Germany via DiGA. It covers the market opportunity, the legal architecture, the prerequisites, the application process, the evidence requirements, pricing, post-listing obligations, and an honest comparison against the regulatory pathways you may already know – FDA SaMD, NHS DTAC, PECAN in France, mHealthBelgium. It is not a substitute for legal advice. It is what an experienced platform provider would tell you over a long coffee: the shape of the problem, the decisions that matter, and the pitfalls that catch foreign applicants most often.
Why Germany? The Scale of the DiGA Opportunity
Germany runs a dual-payer health system. The statutory insurance system (Gesetzliche Krankenversicherung, GKV) covers approximately 73 million people – roughly 87% of the population. The remainder are privately insured through supplementary carriers that, in practice, tend to mirror GKV reimbursement decisions. When a DiGA is listed in the DiGA-Verzeichnis (the official directory maintained by the Federal Institute for Drugs and Medical Devices, BfArM), statutorily insured patients can either obtain a prescription from a physician or psychotherapist and have the app dispensed through their insurer, or – if they present documentation of a matching indication – receive it directly from their health insurance without a prescription. Either way, the insurer pays the listed price directly to the manufacturer.
There is no equivalent pathway at this scale anywhere else. The United States has coverage decisions, but coverage for digital therapeutics is fragmented across Medicare, Medicaid, commercial payers, and PBMs. The NHS in the UK funds digital therapeutics through regional Integrated Care Systems, not a unified national listing. France’s PECAN is closer in spirit but smaller, with early-access characteristics. Belgium’s mHealthBelgium framework works but covers a fraction of the German population. Japan, Korea, and Australia are moving in the direction Germany took in 2019, but none have arrived.
The market is well past pilot stage. As of December 2025, the DiGA directory lists 58 reimbursable digital therapeutics. Since the pathway opened in late 2020, statutory insurers have dispensed approximately 1.6 million DiGA prescriptions at a cumulative cost of roughly €400 million. Volumes accelerated sharply in 2025: nearly 700,000 prescriptions that year alone, at a cost of €171 million – a 62% year-over-year increase in spending. Whether this pace continues or contracts depends substantially on policy debates currently underway (see the pricing section), but the direction so far has been steady expansion.
For an international DTx company with clinical evidence, a CE-marked product, and the operational maturity to handle a formal regulatory submission, the DiGA pathway is the single most leveraged market-access decision available in Europe today. A single successful listing turns your product into a reimbursable therapeutic option across the largest homogeneous digital-health payer market on earth.
What a DiGA Is, Legally Speaking
DiGA is a legal category, not a marketing label. It was created by the Digitale-Versorgung-Gesetz (Digital Health Care Act, DVG), which came into force on December 19, 2019, and is now codified primarily in §33a and §139e of the Fifth Book of the German Social Code (SGB V). The implementation details live in the Digitale Gesundheitsanwendungen-Verordnung (DiGAV), the ordinance issued by the Federal Ministry of Health (BMG). BfArM publishes a detailed procedural guide – the DiGA-Leitfaden (current version 3.6, December 2025) – that interprets how the ordinance will be applied in practice.
Three defining features matter for international applicants:
A DiGA must be a CE-marked medical device. The DiGA category sits on top of European medical device regulation (MDR). A product cannot enter the DiGA pathway without first qualifying as a medical device under MDR and carrying a CE mark. Eligible risk classes are I, IIa, and – since the DigiG came into force on March 26, 2024 – IIb. Class III is excluded. Class IIb DiGA face two additional constraints: they must demonstrate at least one medical benefit (the patient-relevant structural and procedural improvements category alone is not sufficient), and the provisional “fast-track” listing is not available – Class IIb can only enter via a full permanent listing with a completed comparative study.
A DiGA must be a “digital” health application with the product’s medical purpose realized essentially through its digital functions. Accessories to non-digital medical devices do not qualify. Nor do purely administrative, lifestyle, or prevention products that lack a regulated medical purpose. BfArM examines this qualification explicitly as part of the application.
A DiGA serves a specific set of users. The law defines the user as either the patient alone or the patient together with their treating professional. Products designed purely for professional use (clinician workflow tools, decision support that the patient never touches) do not fit.
The DiGA category is distinct from three adjacent reimbursement paths you should know about – DiPA (digital care applications under SGB XI, for long-term care), the Hilfsmittelverzeichnis (HMV, a directory of reimbursable medical aids that includes some software), and the ZPP certification (a separate track for digital prevention courses). These are not DiGA alternatives in any strict sense, but they matter when scoping whether DiGA is the right pathway for your product or whether a different German reimbursement track fits better. We treat this decision in detail in our Beyond DiGA cluster – the short version is: if your product is a clinically regulated medical device intended for patient use alongside or without a physician, DiGA is likely the right target. Otherwise, check the alternatives before investing.
Who Can Apply – The Legal Manufacturer Question
The DiGA applicant must be the legal manufacturer of the medical device, as that term is defined in MDR. This is the single requirement that most often derails international companies, and it deserves careful attention.
Under MDR, the legal manufacturer is the entity that takes responsibility for placing the medical device on the European market. The legal manufacturer must maintain a compliant quality management system (typically ISO 13485-certified), hold the technical documentation, conduct post-market surveillance, and accept liability for the product’s safety and performance. For manufacturers established outside the European Union, MDR additionally requires an Authorized Representative (EC REP) inside the EU. None of this is DiGA-specific – it is EU medical device law that applies to every CE-marked product. But it has two practical consequences for DiGA applicants:
First, personal health data processing must reside in permitted jurisdictions. Under DiGAV §4 Abs.3, processing is allowed in Germany, EU member states, EEA-equivalent countries (including Switzerland), and third countries covered by a European Commission adequacy decision under Article 45 GDPR. The latter includes the United States under the EU-US Data Privacy Framework, subject to specific contractual and technical controls. In practice, many US-origin DTx companies arrive with AWS us-east-1 in production and migrate to AWS Frankfurt or comparable EU-region infrastructure that also meets C5 or equivalent audit standards – not because EU hosting is strictly mandated, but because it materially simplifies the BfArM review and reduces ongoing compliance friction.
Second, the product must be operable in German – not merely translated, but localized for the German healthcare context. This includes UI, patient education content, consent language that matches German medical law, clinical terminology aligned with German coding systems, and customer support available in German. BfArM examines localization as part of the review.
A foreign company can become the legal manufacturer itself if it meets MDR requirements and operates with a competent EU Authorized Representative. Alternatively, many international DTx companies enter Germany through a partnered legal manufacturer model: the foreign company retains ownership of the product and the clinical asset, while a German or EU-based partner assumes the legal manufacturer role, the QMS, and regulatory liability. This is the model DUX Healthcare supports through a certified partner, and it materially shortens the path to a German listing for companies that do not yet have – or do not want to build – a European legal entity and QMS of their own.
The Prerequisites – What You Must Have Before You Apply
The DiGA application is the final step, not the first. By the time you file, the product must already be a certified medical device, operated on compliant infrastructure, built on a documented software lifecycle, and certified against a DiGA-specific security standard. A realistic prerequisite list looks like this:
CE marking under MDR. Class I, IIa, or IIb (Class III is excluded from DiGA), with full technical documentation, clinical evaluation, risk management file (ISO 14971), and – for Class IIa and IIb – a Notified Body audit. See our Medical Device Software Foundation cluster for the full regulatory stack.
ISO 13485-certified QMS. The quality management system under which the legal manufacturer operates. For a foreign manufacturer, this is either the company’s own certified QMS or the QMS of a partnered legal manufacturer.
IEC 62304 software lifecycle compliance. The standard that governs how medical device software is specified, designed, verified, validated, and maintained. IEC 62304 requirements flow into the MDR technical documentation and are audited as part of the CE mark, but BfArM will also expect evidence of lifecycle discipline in the DiGA application.
ISO 27001 information security management. Mandatory for all DiGA since April 1, 2022. The applicant must hold an accredited ISO 27001 certificate covering the processes relevant to the DiGA – this is a separate requirement from BSI TR-03161 and from the hosting provider’s own certifications.
BSI TR-03161 security certification. This is the DiGA-specific security standard set by the Federal Office for Information Security (BSI). Since January 1, 2025, holding the BSI certificate has been a substantive requirement for listing, and since July 1, 2025, it is a formal requirement for application completeness – BfArM will not process an application without it. The testing is conducted by accredited testing laboratories; the certificate itself is issued by BSI. Preparation and testing typically take six to nine months with costs in the €30–50k range for a focused product. There are three parts: TR-03161-1 for mobile applications, TR-03161-2 for web applications, and TR-03161-3 for background systems (backends and infrastructure). Most DiGA involve all three.
BfArM Datenschutzkriterien. A specific data protection criteria catalog published by BfArM covering approximately 150 individual criteria across 12 thematic areas – including data minimization in clinical workflows, consent mechanisms, data portability, and third-party processor controls. These criteria go beyond GDPR and are separate from the BSI TR-03161 criteria. Every criterion must be evidenced in the application.
Interoperability readiness. German digital health law imposes specific interoperability requirements on DiGA – readiness to export data to the electronic patient record (elektronische Patientenakte, ePA) under §6a DiGAV and §355 SGB V, support for the German health identity (GesundheitsID) under §291 and §327 SGB V, a human-readable data export for patients, and – where relevant – standardized interfaces to wearables and medical data sources. The requirements have been phased in with statutory deadlines; a DiGA that is not interoperability-ready by its applicable deadline risks delisting.
German localization. Product, documentation, consent, support – all in German, localized for the German healthcare context rather than machine-translated.
This is the realistic prerequisite list. For an international company starting without a CE mark and a compliant European infrastructure, reaching the point where you can file a DiGA application is typically an 8–14 month engineering and regulatory effort if everything is built from scratch. For companies starting with a CE-marked product certified in another region, migrating to meet all German-specific requirements (BSI TR-03161, BfArM Datenschutzkriterien, EU data residency, German localization) typically takes 4–8 months. A platform approach materially compresses this – which we return to below.
The Application – Fast-Track vs. Permanent Listing
BfArM offers two paths to the DiGA-Verzeichnis, and choosing between them is one of the most consequential strategic decisions an applicant makes.
The permanent listing path (endgültige Aufnahme) is for products that already have sufficient evidence of a positive care effect (see the next section). The applicant files a complete dossier including the comparative study that demonstrates the effect. BfArM has 3 months from receipt of a complete application to decide, with a statutory option to extend the decision period by up to another 3 months in justified individual cases. In practice, the clock also pauses and restarts through feedback rounds – BfArM frequently requests clarifications or supplementary evidence, and the elapsed time from first submission to listing is typically 4–7 months for a well-prepared application.
The provisional listing path (vorläufige Aufnahme – colloquially “fast-track”) is for products that meet all the product-quality, security, and data protection requirements but do not yet have sufficient evidence of a positive care effect. The applicant files with a study concept and a plausibility demonstration that the claimed effect is achievable. BfArM reviews on the same 3-month clock. If provisionally listed, the product is reimbursable immediately and the manufacturer has up to 12 months to complete the comparative study, with a one-time extension of up to a further 12 months in justified cases (so 24 months maximum). Note that the provisional listing path is only available for Class I and IIa medical devices – Class IIb DiGA must enter through permanent listing with study results in hand. At the end of the trial period, BfArM evaluates the study result and decides on permanent listing or removal from the directory.
The provisional path is attractive for three reasons: it generates revenue during the trial period, it provides real-world data for study execution, and it allows smaller companies to access the market without front-loading a full study’s cost. But it carries real risk: if the study fails to demonstrate the claimed effect, the product is delisted and the manufacturer has no fallback. As of end-2025, 16 of the 74 DiGA ever listed (22%) had been removed from the directory – all of them originally provisional listings. Among the 60 DiGA that entered via the provisional path, 34 have transitioned to permanent listing, 10 remain in their trial period, and 16 were delisted after failing to demonstrate a positive care effect. Framed as a success rate across completed trials, that is roughly a 70/30 split in favor of permanent listing – a number the industry trade association (SVDGV) emphasizes, while the payer side (GKV-Spitzenverband) advocates abolishing the provisional path altogether. The decision depends on how confident you are in your evidence base, how much capital you have to absorb study costs upfront, and whether your pricing strategy requires the trial-period revenue to fund the study.
Regardless of path, the application dossier covers the same content areas: product description and medical purpose, evidence of the positive care effect (or study concept for the provisional path), quality and safety evidence (including CE documentation), data protection and data security (including BSI TR-03161 and BfArM Datenschutzkriterien), interoperability evidence, usability and accessibility evidence, and the manufacturer’s declarations. The dossier is filed electronically through BfArM’s portal.
Evidence – Proving the Positive Care Effect
The core substantive question in every DiGA application is whether the product produces a positive care effect (positiver Versorgungseffekt). The DiGAV defines this in two ways, and a DiGA must demonstrate at least one:
Medical benefit (medizinischer Nutzen) – an improvement in the patient’s health status, reduction in disease duration, improvement in quality of life, or extension of survival. This is the classic clinical efficacy framing.
Patient-relevant structural and procedural improvements in care (patientenrelevante Struktur- und Verfahrensverbesserungen) – improvements in care coordination, adherence, patient empowerment, health literacy, shared decision-making, reduction in treatment burden, or coping with illness. This is the category that distinguishes the DiGA framework from classical drug and device evaluation and makes many DTx propositions viable here that would struggle in a pure efficacy framing.
The evidence standard is comparative. The DiGA is compared either to no intervention, to standard of care, to waitlist control, or – in more sophisticated designs – to an active comparator. DiGAV §10 recognizes two accepted designs: retrospective comparative studies (including intraindividual comparison designs) under Abs.1, and prospective comparative studies under Abs.2. Neither is a default; both are available and must be justified by the clinical question and expected effect. In practice, randomized controlled trials have become the de facto standard for permanent listing: according to the DiGA industry trade association, every permanently listed DiGA as of end-2025 had submitted at least one prospective RCT, even where DiGAV would have permitted a retrospective design. Sample sizes depend on the expected effect magnitude; typical DiGA studies run with several hundred participants over an intervention period of 3–6 months, plus follow-up.
For international applicants, three evidence-specific pitfalls recur:
Evidence generated outside Germany does not transfer automatically. A study conducted in a US or UK population may be cited, but BfArM typically expects evidence that the effect replicates in the German healthcare context, or at least a convincing argument for generalizability. Many foreign applicants plan a German study regardless.
The endpoint must match what BfArM and the GKV-Spitzenverband will accept as relevant. Process endpoints – clicks, engagement, session count – are not sufficient. The outcome must be clinically meaningful and ideally tied to established patient-reported outcome measures, validated disease-specific instruments, or hard clinical endpoints.
Study registration is mandatory. Under DiGAV §10 Abs.6, the comparative study must be registered in a public trials registry (such as the German Clinical Trials Register DRKS or ClinicalTrials.gov) before it starts. The protocol and statistical analysis plan must be pre-specified. This is a legal requirement, not just good practice – unregistered or retrospectively registered studies are not accepted.
Designing a study that satisfies BfArM, the GKV-Spitzenverband (for subsequent price negotiation), and international regulators simultaneously is a strategic exercise that is best started in parallel with the early MDR work – not after the product is CE-marked.
Pricing and Reimbursement
DiGA pricing operates in two distinct phases, and the gap between them is the single most important economic fact an international applicant needs to understand.
Year 1 – Manufacturer-set price. For the first 12 months after listing, the manufacturer sets the price freely. This is the Herstellerabgabepreis (manufacturer’s list price) and applies uniformly across the statutory insurance system. The manufacturer invoices the insurer directly through the standardized DiGA reimbursement process. As of end-2025, manufacturer-set prices across the directory range from €119 to €2,077 per 90-day prescription, with an average of roughly €550.
From Month 13 – Negotiated price. Before the end of the first year, the manufacturer and the GKV-Spitzenverband (the federal association of statutory health insurance funds) enter formal price negotiation. The outcome becomes the reimbursement price from month 13 onward. If the parties do not agree, the dispute is referred to an arbitration board (Schiedsstelle) that sets a price.
In practice, negotiated prices are substantially lower than year-1 prices. Across the 40 DiGA with completed negotiations as of end-2025, the average negotiated price was €227 per 90-day period – a 59% reduction from the average manufacturer price. Individual reductions range from around 7% (for a DiGA with an already-modest first-year price) to nearly 90% (for the highest-priced listing in the directory). DiGA that fail to demonstrate their positive care effect at the end of the provisional trial period are removed from the directory and cease to generate reimbursement at all. Revenue per patient therefore depends heavily on timing: at manufacturer prices, annual revenue per patient can exceed €2,000; at negotiated prices, it typically lands near €900.
The DigiG (Digital Act, effective March 26, 2024) and the second DiGAV amendment introduced additional pricing mechanics – most notably, from January 1, 2026, at least 20% of the reimbursement amount must be structured as success-dependent pricing components tied to measurable outcomes from the post-market evidence program (see AbEM below). A framework agreement between GKV-SV and industry additionally defines indication-group maximum prices (Höchstbeträge) – for example, approximately €551–599 per 90 days for psychological indications and around €796 for metabolic indications. Small DiGA with under €750,000 in annual revenue fall under a simplified threshold arrangement (currently €77.40 per 90 days) and skip formal negotiation entirely.
Typical economics at scale: the top-performing DiGA serve chronic-disease populations (metabolic disorders, including obesity, recently overtook psychiatric indications as the largest category by prescription volume). Highly adopted listings can generate six-figure monthly GKV revenue; the single largest DiGA in 2025 (Oviva Direkt, for obesity) generated approximately €5.6 million per month – demonstrating that seven-figure monthly revenue is achievable for category leaders, though such concentration is rare. The top 10 DiGA account for roughly 75% of prescriptions and 67% of spending.
Private insurers (PKV) are not bound by the DiGA listing but often reimburse voluntarily, and self-pay is permitted for non-listed products – though without DiGA listing, the addressable market shrinks from over 73 million to a few million.
A note on interpretation. The numbers above are drawn from official payer statistics (GKV-Spitzenverband) and industry reporting (SVDGV, the DiGA manufacturer trade association). Both are organized political interest groups. The GKV-SV is actively advocating to abolish the free-price first year and have negotiated prices apply from day one; it characterizes first-year prices as systematically inflated. The SVDGV defends the two-tier structure as the mechanism that enables innovation financing and points to the negotiated framework (including the Höchstbeträge caps) as adequate control. International applicants should read German-language DiGA commentary with this political framing in mind, and plan their unit economics around the negotiated price – not the first-year price – because that is where the listing’s long-term value ultimately settles.
Post-Listing Obligations
Listing is not the end of regulatory engagement – it is the beginning of a different phase. The most important ongoing obligations:
Anwendungsbegleitende Erfolgsmessung (AbEM). The DigiG and the second DiGAV amendment introduced a post-market outcomes-measurement obligation. AbEM applies specifically to permanently listed DiGA that have demonstrated at least one medical benefit – provisionally listed DiGA and DiGA listed on the basis of patient-relevant structural/procedural improvements alone are not covered. Affected manufacturers must collect and report evidence of real-world use, adherence, and effect, with the precise methodology determined for each listing. The first AbEM data submissions to BfArM are scheduled for April 15, 2027. AbEM data feeds directly into subsequent price negotiations (including the 20% success-dependent pricing component effective 2026) and can influence relisting decisions. Both the payer side (GKV-Spitzenverband) and the industry side (SVDGV) have publicly criticized the current AbEM design as bureaucratically disproportionate – a rare point of alignment between two lobbies that otherwise disagree on almost every aspect of DiGA policy. International applicants should expect the detailed AbEM requirements to evolve between now and the 2027 data deadline.
Annual reporting. Manufacturers file annual reports on usage, reported issues, security incidents, and any changes to the product or its operational parameters.
BSI TR-03161 re-certification. Security certification is not one-time. Material updates to the product trigger recertification scope review; independent of that, periodic recertification cycles apply.
Change notification. Significant changes to the product – new indications, major feature additions, material changes in clinical risk – must be notified to BfArM and may trigger a re-review. Minor iterations (bug fixes, UI refinements) flow through the manufacturer’s QMS without BfArM notification. The line between “minor” and “significant” has been the source of many clarifying feedback rounds.
Security incident reporting. Vulnerabilities, breaches, or misuse must be reported through established channels, with specific timelines depending on severity.
Delisting risk. A DiGA can be delisted for repeated non-compliance, failure to meet interoperability deadlines, failure to demonstrate the positive care effect at the end of the trial period (for provisional listings), or material issues uncovered in AbEM. Delisting is not common but is a real risk for under-maintained products.
The operational cost of meeting these obligations is often underestimated. A realistic budget for a listed DiGA includes ongoing regulatory, security, and platform maintenance in the low six figures per year at minimum, scaling with product complexity and usage volume.
DiGA vs. Your Home Market – What Translates, What Doesn't
For international applicants, the most useful frame is: what from my existing regulatory position translates to the DiGA pathway, and what has to be built fresh?
| Your existing position | Translates to DiGA | Must be built or adapted |
|---|---|---|
| FDA 510(k) clearance (US) | Clinical evidence partially reusable; intended-use framing often reusable | CE mark under MDR (the hard gate); BSI TR-03161; BfArM data privacy criteria; EU data residency; German localization |
| FDA De Novo authorization | Stronger evidence base but same regulatory-framework gap | Same as above |
| NHS DTAC assessment (UK) | Overlapping clinical and data-protection evidence; useful for dossier shortcut | CE mark under MDR (DTAC is not a CE substitute); BSI TR-03161 (DTAC cybersecurity criteria overlap but do not substitute); BfArM-specific data privacy criteria; German localization |
| PECAN listing (France) | CE mark already in place; overlapping evidence and localization disciplines | BSI TR-03161 (not required under PECAN); BfArM Datenschutzkriterien (different from French requirements); German localization |
| mHealthBelgium validation | CE mark in place; partial overlap on data-protection and interoperability | BSI TR-03161; BfArM Datenschutzkriterien; German-specific interoperability (ePA export under §6a DiGAV, GesundheitsID under §291 SGB V); German localization |
| Nothing yet – pre-market | N/A | Everything – typically 12–24 months of regulatory and engineering work |
Three practical observations from this mapping:
CE under MDR is the hard gate regardless of your home-market status. US-only FDA clearances do not substitute. The CE-mark preparation itself is typically the longest single workstream for a US-origin applicant.
The BSI TR-03161 security certification has no equivalent outside Germany. This is usually the most-underestimated item on the list for international applicants: it is specific to the DiGA framework, the testing laboratory must be accredited for it, and it cannot be shortcut by prior cybersecurity certifications (SOC 2, ISO 27001, HITRUST) though some evidence may be reusable.
The BfArM Datenschutzkriterien are DiGA-specific and exceed both GDPR and MDR. Teams arriving with a mature GDPR posture often still face a month or two of work mapping their controls to the BfArM criteria.
The country-by-country comparisons cluster goes through each home-market translation in detail.
Common Pitfalls for International Applicants
Patterns repeat. The most frequent failure modes for foreign DTx companies entering via DiGA are:
Treating CE-MDR as a formality. It is the foundation of everything else. A rushed or under-documented CE mark creates compounding problems in the DiGA review – BfArM can and does ask deep questions about clinical evaluation, risk management, and IEC 62304 evidence that trace back to CE.
Underestimating German localization. “We’ll translate the UI” is not the same as localizing for German clinical workflows, consent language, data-protection norms, and patient-support expectations. BfArM reviewers notice.
Building on non-EU infrastructure and planning to migrate later. Migration is expensive, slow, and risks downtime at exactly the moment the German rollout is most fragile. EU-first from day one is materially cheaper.
Skipping the BSI TR-03161 preparation. This is the longest item on the critical path after CE mark. It cannot be compressed below approximately 4 months in practice. Starting it late delays the whole application.
Designing the evidence base for the home market only. A study that satisfies FDA for a US label may not satisfy BfArM for a DiGA listing – different endpoints, different comparator expectations, different population generalizability questions. Design once for both markets where possible; plan a second German study where not.
Ignoring the GKV price negotiation until month 11. The negotiation is a formal process with documentation requirements as demanding as the BfArM application itself. Manufacturers who begin preparation only after listing consistently achieve worse negotiated prices.
Underestimating the legal manufacturer obligation. The accountability that comes with the legal manufacturer role is real – liability, post-market surveillance, QMS operation, regulatory reporting. Foreign companies that assume this role without a mature European regulatory function routinely struggle. This is why partnered legal manufacturer models are common.
Planning for launch, not for AbEM. The post-market obligations under DigiG add ongoing operational cost that must be budgeted from day one, not discovered at month 18.
A Realistic Timeline and Budget
The honest version – not the fastest theoretical path, but the one that actually produces a sustainable listing:
For a company starting from zero (no CE mark, no European operations):
- CE mark preparation (Class IIa): 8–12 months
- BSI TR-03161 certification: 4–6 months (can run in parallel with later CE stages)
- BfArM data privacy and interoperability readiness: 2–4 months (parallel)
- Application preparation: 2–3 months
- BfArM review: 3 months nominal, 4–7 months realistic
- Total to listing: 18–30 months. Budget range: €1.2M–€3M, depending on clinical study scope.
For a company with an existing CE-marked product (e.g. already sold in UK/France):
- BSI TR-03161 certification: 4–6 months
- BfArM-specific requirements (Datenschutzkriterien, interoperability, German localization): 3–5 months
- EU data migration (if not already EU-hosted): 2–4 months (often parallel)
- Application preparation: 2–3 months
- BfArM review: 3 months nominal, 4–7 months realistic
- Total to listing: 8–14 months. Budget range: €400k–€1.2M.
For a company using a platform approach with pre-validated modules and a partnered legal manufacturer:
- Configuration and clinical content integration: 2–3 months
- BSI TR-03161 (platform is pre-certified; product-specific scope): 1–2 months
- BfArM-specific application preparation: 2 months
- Application: dossier reviewed in parallel with final integration
- BfArM review: 3 months nominal, 4–7 months realistic
- Total to listing: 6–10 months. Budget range: €200k–€600k subscription plus clinical evidence costs.
Every number here assumes competent execution and responsive feedback from the applicant. Delays beyond these ranges are common and usually traceable to issues with clinical evidence, BSI recertification scope, or feedback-round turnaround.
How DUX Healthcare Supports International DiGA Applicants
DUX Healthcare is a German technology provider that operates the mHealth Suite, a modular platform of 80+ pre-validated software modules specifically designed for building CE-marked DiGA and related digital health products. DUX is the first company audited against BSI TR-03185 (formal certificate pending), and the DiGAs on our platform have passed BSI TR-03161 without conditions. For international DTx companies entering Germany, we offer three things that are hard to assemble separately:
Platform approach
Compress 12 months of foundation work into 2
Legal manufacturer via partner
Enter Germany without building a German legal entity and QMS
Transparent subscription model
Predictable economics instead of capital-intensive custom development
We work with pharmaceutical companies launching companion apps, DTx startups from North America and Israel entering Europe, and established European DTx companies expanding into Germany. Our typical engagement starts with a scoping conversation – understanding the product, the clinical evidence, the existing regulatory position, and the timing – before proposing a concrete path.
Frequently Asked Questions
Can a company based outside the EU apply for a DiGA listing?
Does FDA clearance shorten the path to DiGA listing?
What is the minimum realistic timeline from decision to DiGA listing?
Can we host a DiGA on AWS US or other non-EU infrastructure?
What is BSI TR-03161 and how does it compare to SOC 2 or ISO 27001?
Do we need to support integration with the German electronic patient record (ePA)?
Can we use a study conducted in the US or UK to support a DiGA application?
What are typical DiGA prices?
What happens if the study fails at the end of the provisional listing period?
Can DUX act as our legal manufacturer in Germany?
Is the mHealth Suite a self-service platform?
What is the typical engagement model?
Go Deeper – Cluster Articles
This guide is the overview. Each section links to a deeper cluster article that goes into the operational detail:
- Who qualifies as a DiGA applicant – legal manufacturer, EU representative, partnership models
- DiGA vs. FDA SaMD – what translates and what must be built fresh
- DiGA vs. NHS DTAC – UK applicants’ perspective
- DiGA vs. PECAN – France applicants’ perspective
- The BfArM application process – step-by-step procedural guide
- BSI TR-03161 for international applicants – plain-English explainer
- BfArM Datenschutzkriterien – data protection deep dive
- Positive care effect – evidence design – study design for DiGA
- GKV price negotiation – how the process actually works
- Common pitfalls – patterns from real applications
- Realistic timeline and budget – honest numbers