In June this year, the EU regulatory framework for medical device software saw the adoption of two significant Medical Device Coordination Group guidelines: (i) MDCG 2019-11; and (ii) MDCG 2025-4. These guidelines have brought forward a regulatory framework for mobile apps and the online platforms through which they are made available (“app stores”), as such mobile apps and app stores can now fall within the scope of the EU medical device framework. This will be uncharted territory for regulators in Ireland and across the EU, who must now consider investigations of app stores rather than just developers alone.
While the Medical Device Regulation ("MDR") has been applicable since 26 May 2021, until this recent guidance, there has been little clarity on how it applied to online app stores. This regulatory gap has been addressed and digital distribution channels may now be considered to be regulated under the MDR. There was no previous classification of app stores under the Medical Devices Directive rules, and therefore the transition provisions which apply to medical devices specifically (for example, general software previously classified as Class I) are unlikely to apply. General efforts towards compliance may therefore be expected in the coming months, as regulators consider how best to oversee and enforce these new obligations.
What has changed?
MDCG 2019-11 may be read as an update to the 2019 guidance on medical device software (“MDS”) qualification and classification, but MDCG 2025-4 is the guidance that has pushed app stores onto regulators’ radar. It details the instances in which an app store may be treated as a distributor, an importer, or an intermediary, thereby specifying which regulatory obligations will be applicable to a given app store.
MDCG 2025-4 carves out the role and responsibilities of online operators such as app store providers under the MDR and In Vitro Diagnostic Regulation (“IVDR”), outlining specific obligations for safe market entry and post-market compliance. It further specifies what information app stores must obtain from each developer, and encourages app stores to ensure clear, transparent labelling for app users.
How it works in practice
Under the MDR, market surveillance and enforcement are primarily the responsibility of Member States’ competent authorities, who evaluate devices suspected of presenting unacceptable risk and take corrective action. However, where necessary, Member States are required to coordinate market surveillance.
Where the regulatory authority in a Member State identifies an issue, it must issue a notification to the Commission and other Member States via EUDAMED (as prescribed under the MDR). This process opens a two-month window for objections, and where none are raised, the national measures can be applied across the EU.
In Ireland, the Health Products Regulatory Authority (“HPRA”) is designated as our national competent authority and market surveillance authority for medical devices and in vitro diagnostic medical devices and is responsible for the enforcement of MDR and IVDR in Ireland. With many online operators and marketplaces based in Ireland, the HPRA has within its remit the power to oversee market surveillance of the latter, where it is considered that they are caught under the MDR and IVDR.
Entities subject to the Digital Services Act (the “DSA”) may have additional obligations, but these do not displace the core requirements under MDR and IVDR, and entities may be regulated under both. Effective action against an app store would likely require parallel engagement of the competent authority for medical devices and the national DSA enforcement authorities. The MDCG 2025-4 guidance explicitly addresses the overlap and notes the importance of close cooperation between MDR/IVDR competent authorities and DSA enforcement authorities.
Irish regulatory oversight could have far-reaching consequences
Ireland is home to the European operations of major app-platform companies, which gives the HPRA significant responsibility over the practical implementation of this new guidance. This is particularly relevant where the HPRA has previously shown its commitment to treating standalone software as being within scope of the MDR.
Practically, this could mean that the HPRA would act as the originating competent authority and open investigations into specific apps and / or app stores, thereafter notifying the Commission and other Member States and asking for joint action / coordination across the EU. The specific competency of the HPRA as against that of the CCPC (the Irish Competition Regulator) or Coimisiún na Meán (the Irish Media Regulator) (“CnaM”) is likely to be an area of contention as the regulatory authorities aim to disentangle platform conduct subject to the DSA from MDR compliance.
Under the DSA, the responsibility to supervise Very Large Online Platforms (“VLOPs”) and Very Large Online Search Engines (“VLOSEs”) established in Ireland is shared between the Commission and CnaM. The Commission has direct supervisory powers over the activities of VLOPs, with the capacity to investigate suspected breaches of DSA obligations. While CnaM does not directly enforce against VLOPs, it is responsible for procedural and cooperation functions. It acts as a first national contact point and coordinator for complaints and notifications from Irish users or regulators such as the HPRA who identify non-compliance. Under Article 67 of the DSA, CnaM may be required to assist the EC with any investigations.
Where an app or an app store is considered to be non-compliant, enforcement outcomes could be significant, including orders to remove the relevant content, or potential fines of up to 6% of the platform’s global annual turnover. For example, a non-compliant medical or health app could be faced with a domestic withdrawal under the MDR by the HPRA, or the Commission could compel removal of the app across the EU under the DSA.
Takeaways
The MDCG 2025-4 guidance makes clear that app stores may come under the MDR, and that national competent authorities in this area (such as the HPRA) have the ability to investigate and, where necessary, take corrective action to remedy a regulatory breach. The system is intentionally decentralised, but there are well-worn paths to the EU, paved by the MDCG, EUDAMED, and general joint surveillance, to ensure that an originated investigation could be led at the EU level under the banner of the HPRA.