
MedTech Industry

Your product saves lives. Regulations shouldn't decide when.

Medical device registration, GDPR in healthcare, AI in medicine and diagnostics. Your product knows the answers before the questions are asked.


Trusted by

Doctor.One
Jutro Medical
Smarter Diagnostics
Telemedycyna Polska
Nu-med
4CF

We know your business model

MedTech and HealthTech are not a single model. They're a diverse set of businesses and products, each governed by its own rules.

Medical devices, a telemedicine clinic, software for healthcare providers, secondary use of data, or the use of AI in diagnostics. Each of these areas raises different regulatory challenges. A lawyer who doesn't know the difference will slow you down rather than speed you up.

Medical device manufacturer

You're developing a product for the European market. The correct classification of your device, its technical documentation, and its labeling are key to a compliant market entry. A wrong classification at the start can delay that entry by many months, so handling this area properly is a precondition for business success.

Telemedicine platform

Telemedicine combines two legal regimes at once: medical law and digital law. This means the Healthcare Activities Act, GDPR in the healthcare sector, cybersecurity requirements, and liability for medical error in services delivered remotely. The right legal architecture lets your clinic operate safely and focus on what matters most: helping patients.

Software for healthcare providers

Whether it is an HIS, RIS, PACS, EMR, or LIS, every system that processes patient data requires special attention: licensing agreements, implementation and maintenance agreements, risk assessments, cloud use, and cybersecurity. All of this comes into play when software is to run inside a healthcare provider, and the agreements should reflect it.

AI in diagnostics and treatment

AI systems that influence clinical decisions may fall under the AI Act and at the same time be medical devices. Your AI system can have a complete compliance path before it ever reaches the doctor's office.

Problems we know

Legal problems that slow MedTech and HealthTech down.

Medical device classification

Before a product reaches the market, it has to be classified. A wrong classification delays the launch by months.

Health data and GDPR

Health data requires special care. Every potential breach carries significant risk for patients and for the entities that process such data. The right architecture for processing patient data is key to success. From agreements with healthcare providers to internal policies, risk assessments, and staff training.

The AI Act in healthcare

AI systems in diagnostics, treatment, and prediction. Secondary use of medical data. Developing your own solutions and deploying third-party ones. Before the AI Act and EHDS take full effect, you'll know your obligations and how to do it sensibly.

Agreements with healthcare providers

A contract with a hospital or clinic is not a standard SaaS agreement. Liability, patient data, scope of implementation, termination terms. Agreements that genuinely protect both sides of the deal, rather than being negotiated endlessly.

Cybersecurity

The healthcare sector is especially exposed to cyberattacks. Internal policies, audits, training, compliance with NIS2 and the National Cybersecurity System Act. A cybersecurity framework that increases the safety of your business and its key decision-makers.

Why dotlaw

Law that understands how your company works.

Practicality

We're your partner. We don't describe legal risk in the abstract and we don't leave you with "on the one hand... on the other hand." We close every matter with a concrete recommendation. Our legal solutions are meant to grow your business.

Flexibility

We support MedTech and HealthTech companies in a model that fits their stage of growth: from project-based support on a specific agreement, through ongoing subscription-based service, to a fractional in-house setup that works like an internal legal department. A form of cooperation tailored to you.

AI-native

We've backed our services with GenAI from the very start. In line with the European guidelines we helped author, we use it to work faster without cutting corners, which lets us work effectively even on the most complex matters.

Legal design

We design agreements, manuals, and guidelines so your team can read and understand them without trouble. Legal documents no one understands will never be effective.

How we start

From the first conversation to the first result.

A conversation, 20 minutes.

No briefs, no forms. You tell us what you do and what hurts. We tell you straight whether and how we can help.

An action plan in 48 hours.

Whatever the scale, within 48 hours you'll know how we'll define the scope of work, how we'll approach the problem, and when you'll get a quote. No dragging things out. No "we'll get back to you."

Full onboarding within a week.

A week from signing the agreement. Our lawyers are fully up to speed on your business and we start working. There's no warm-up period.

FAQ

Questions we hear most often.

When is software a medical device?

Software becomes a medical device under the MDR when its intended purpose includes diagnosing, preventing, monitoring, predicting, treating, or alleviating disease. What matters is the intended purpose, not the technology. An appointment management app is not a medical device. A system that analyzes test results and suggests a diagnosis already is one. The line is thin and requires analysis before you start designing the product.

How are medical devices classified?

The MDR divides medical devices into four risk classes: I, IIa, IIb, and III. The higher the class, the more rigorous the certification path. For most class I devices, the manufacturer can issue a declaration of conformity on its own; class I devices that are sterile, have a measuring function, or are reusable surgical instruments need a notified body for those aspects. Classes IIa, IIb, and III require assessment by a notified body. Classification depends on the device's intended purpose, the duration of contact with the patient, and the degree of invasiveness. For software there is a dedicated rule (Rule 11): software that provides information used to take diagnostic or therapeutic decisions is at least class IIa, and higher where a wrong decision could cause serious deterioration of health or death.

What does the GDPR require for health data?

Health data is a special category of personal data under the GDPR, so processing it requires both a legal basis under Article 6 and one of the exceptions in Article 9(2), most often the patient's explicit consent, the provision of healthcare, or a provision of law. Any entity that processes this kind of data must implement appropriate internal policies, carry out risk assessments, and properly manage its chain of suppliers and subcontractors.

Does a telemedicine platform have to register as a healthcare provider?

It depends on the scope of services. If the platform directly employs doctors and enables them to provide healthcare services, for example medical consultations, issuing prescriptions, or making diagnoses, it probably has to be registered as a healthcare provider. However, simply offering software that connects a patient with a doctor or enables appointment management is not a healthcare activity.

How does the AI Act apply to diagnostic AI?

AI systems that support disease diagnosis are high-risk systems under the AI Act when they are, or are safety components of, medical devices that require a notified body conformity assessment under the MDR. This means obligations to operate a risk management system, create technical documentation for the AI system, carry out a conformity assessment, and provide post-market monitoring. If the system also qualifies as a medical device, it is subject to the MDR as well. Both regulatory regimes apply in parallel, and the AI Act is designed so that its assessment can be carried out within the MDR conformity assessment.

What must an implementation agreement with a hospital contain?

Beyond the standard provisions, an implementation agreement with a hospital or clinic must include a precise scope of implementation and acceptance criteria, rules for processing patient data, and a suitably detailed data processing agreement. Depending on the type of healthcare provider, the agreement may also require cybersecurity provisions.

Who is liable when something goes wrong?

The manufacturer is liable for a device that does not meet its declared intended purpose or is defective. It is not liable for the clinical decisions of a doctor who uses the device in accordance with the instructions. That is why it is essential to precisely define the device's intended purpose, the scope of indications and contraindications, and the instructions for use. In practice, these documents set the scope of the manufacturer's liability, and imprecise documentation can broaden it.

Do I need ISO 13485 or ISO 27001?

ISO 13485 is a quality management system standard dedicated to medical devices. The MDR requires manufacturers to operate a quality management system, and ISO 13485 is the harmonised standard used to demonstrate that requirement is met, covering design, manufacturing, and post-market surveillance. ISO 27001 is an information security management system standard. The GDPR does not mandate it, but certification is a widely accepted way to demonstrate the appropriate technical and organisational security measures it requires for sensitive data, including health data. Companies that process patient data and place medical devices on the EU market often need both.

When does ongoing regulatory support make sense?

Ongoing regulatory support pays off when you bring a second or further medical device to market, expand into additional EU countries, process health data at a scale above several thousand patients per month, or plan to bring on an investor who will require regulatory due diligence. Before that threshold, dedicated project-based support is usually more cost-effective.

Let's start. 20 minutes is enough.

You tell us what you're building and what's blocking you. You get a clear answer. Go or No-Go.

Get in touch