Back to the list

New MDCG 2025-4 Guidance: Requirements for Medical Device Software Apps on Online Platforms

Medical devices regulation

Software applications in healthcare have significantly transformed our relationship with care. From monitoring blood glucose levels to interpreting MRI scans or detecting skin lesions, these tools are now directly accessible on our smartphones, through major online platforms like the App Store or Google Play.


But one recurring question among medical device manufacturers has been: what are my regulatory obligations when I make a medical device software app available on a platform? And even more puzzling: what responsibilities lie with the platform itself?


Published on June 16, 2025, the MDCG 2025-4 guidance finally provides some much-needed clarity. It outlines the respective responsibilities of manufacturers and platforms, bridging the Medical Device Regulation (EU) 2017/745 (MDR) with the Digital Services Act (DSA).


Here’s a plain-language overview of what you need to know — minus the jargon, but covering the essentials.



1. Why this guidance? What issue does it address?

Since the MDR came into force, software intended for medical purposes — whether standalone or connected to a physical device — qualifies as a medical device. This means full compliance with MDR, including for apps made available through digital platforms.


Until now, the exact role of platforms (Apple, Google, etc.) in the distribution chain was unclear. Are they distributors? Mere hosts? Importers when the manufacturer is outside the EU? The lack of clarity posed a real compliance risk for manufacturers.


The MDCG 2025-4 guidance addresses three main issues:

  • Clarify responsibilities when MDSW apps are made available on the EU market via platforms.
  • Align MDR/IVDR requirements with the Digital Services Act (DSA), in effect since February 2024.
  • Prevent unintentional regulatory breaches due to confusion about the platform’s legal role (passive hosting vs. active distribution).

In short, this guidance sheds light on a grey area that had many manufacturers concerned, providing a long-awaited MDR × DSA interpretation.



2. Two scenarios for platforms: host or economic operator?

The core of MDCG 2025-4 is built on one key distinction: the actual role played by the platform in making the app available. Two cases are considered, each with very different regulatory consequences.



Case 1 – The platform acts as an intermediary service provider (DSA)

Here, the platform has a passive, technical role. It simply hosts the app provided by the manufacturer, without actively distributing, modifying, or promoting the product. It’s the digital equivalent of a shelf.


In this case:

    • The platform is not considered an economic operator under MDR/IVDR (i.e. not a distributor or importer).
    • It falls under the Digital Services Act (DSA), which requires:
    • mechanisms for reporting illegal content,
    • transparency on the origin and nature of the products offered,
    • minimum verification of traders’ identity (i.e. the app manufacturer).

This is a relatively favourable scenario for manufacturers — provided that they supply all mandatory regulatory information in a visible, structured way.



Case 2 – The platform is a distributor or importer (MDR/IVDR)

If the platform takes a more active role, for example:

  • it uploads the app on behalf of the manufacturer,
  • or it is EU-based and works with a non-EU manufacturer,

then it becomes part of the official distribution chain.


In this case:

    • The platform is considered a distributor or importer, with full obligations under Articles 13 and 14 of the MDR/IVDR.
    • It must:
    • verify CE marking and supporting documentation,
    • cooperate with competent authorities,
    • remove or suspend non-compliant apps.

Note: under this scenario, the DSA no longer applies. MDR takes precedence.



3. What are the obligations for MDSW manufacturers?

MDCG 2025-4 confirms that manufacturers remain fully responsible for the regulatory compliance of their medical device software, even if distributed via third-party platforms.



Required information to provide to platforms (and users)

Manufacturers must share all the necessary data to ensure the app’s traceability, identification, and regulatory transparency — directly via the platform (not just in the eIFU or on an external website).


Mandatory fields include:

  • App name or trade name
  • Manufacturer name, address and SRN
  • UDI-DI (Unique Device Identification – Device Identifier)
  • Clear intended purpose
  • Regulatory symbols (MD or IVD)
  • Warnings or precautions
  • Link to the eIFU
  • CE certificate number and Notified Body name (if applicable)
  • Authorized Representative details (if outside the EU)
  • Technical requirements (hardware compatibility, connectivity, cybersecurity…)


Clear categorization on the platform

Manufacturers must also clearly identify their app as a medical device. MDCG recommends that platforms allow for separate categories:

  • Medical Device
  • Health App (non-medical purpose)
  • Lifestyle / Wellness

This ensures users (and regulators) don’t confuse clinical apps with fitness or wellbeing tools.


Important: this categorization is only valid if all required information is provided by the manufacturer.



4. What are the responsibilities of app platforms?

The MDCG 2025-4 guidance also outlines what platform providers (e.g. Apple, Google) must do when enabling access to software apps classified as medical devices.



4.1 Pre-publication checks

Platforms that allow users to enter into contracts with manufacturers (e.g. downloads, purchases) must:

  • Verify that all required data (manufacturer details, CE status, labeling info, etc.) is provided before publishing the app.
  • Conduct random checks on official databases (e.g. EUDAMED, national registers) to detect illegal or non-compliant apps.

These obligations stem from Article 31 of the DSA — as long as the platform remains a technical host.



4.2 Transparent interface design

Platforms must structure their interfaces so that manufacturer-provided information is:

  • Clearly visible and understandable to patients, including legal disclaimers and IFU links.
  • Easily accessible before download, without navigating through secondary menus or external sites.


4.3 Mandatory categorization options

Platforms must enable manufacturers to declare their app as a medical device, and display this category prominently for users.


The goal: prevent confusion and ensure regulatory transparency.



4.4 Specific duties for Very Large Online Platforms (VLOPs)

Platforms designated as VLOPs by the European Commission have additional obligations:

  • Annual systemic risk assessments, including risks of illegal or non-compliant app dissemination.
  • Implementation of proportionate, documented risk mitigation measures.
  • Oversight of algorithmic systems that influence app visibility or prioritization.


5. Summary: What should manufacturers expect?

The MDCG 2025-4 guidance does not introduce new legal requirements — but it clarifies a regulatory overlap that no MDSW manufacturer can ignore.


Key takeaways:

  • You offer an MDSW app on a platform? You are responsible for all MDR-required information (identification, CE marking, UDI, eIFU link…)
  • The platform is a passive host? It falls under the DSA and must:
  • ensure information transparency,
  • verify manufacturer identity,
  • enable proper categorization.
  • The platform acts on your behalf, or you’re based outside the EU? It becomes a distributor or importer, with MDR obligations.
  • Very Large Platforms (e.g. Apple, Google) must comply with risk management frameworks and regulatory controls.


Conclusion

This guidance fills a gap that many in the industry have long been concerned about: the shared responsibility between manufacturer and platform, at the crossroads of medical device law and digital regulation.


If you’re developing or marketing a medical device software app, reading the MDCG 2025-4 is no longer optional — it’s a strategic compliance document for bringing apps to market via digital channels.



Mini FAQ – MDCG 2025-4 & MDSW apps

What’s the difference between “placing on the market” and “making available”?

Placing on the market = when the manufacturer uploads the app to the platform. Making available = the period during which the app is accessible to users on that platform.



Does the platform automatically become a distributor?

No. If it only hosts the app passively, it is considered a service intermediary (DSA). It only becomes a distributor/importer if it plays an active role in the app’s delivery.


Does the DSA apply to all medical apps?

Yes, if the platform acts as a digital intermediary. But if it qualifies as a distributor or importer under MDR, the DSA no longer applies — MDR takes precedence.



Can a non-EU manufacturer rely on the platform as importer?

Only with caution. If the platform is EU-based and accepts this role, it becomes an importer. But the manufacturer still must appoint an EU Authorized Representative.



What information must be shown with the app?

Manufacturer name, UDI, CE marking, intended use, warnings, eIFU link, SRN, and other MDR/IVDR data.




Need help?

Are you developing or marketing a medical device software app? Not sure where you stand when it comes to platforms? Wondering if your app interface truly meets MDR and DSA requirements?


At CSDmed, we support medical device manufacturers with:

  • Regulatory compliance for MDSW (MDR, IVDR, FDA),
  • Setting up software-adapted QMS (ISO 13485, IEC 62304),
  • Market access strategies for app stores (App Store, Google Play),
  • Managing relationships with platforms, authorized reps, and authorities.

Because you have better things to do than decode EU legal texts, we’ll do that for you.


Contact us to discuss your projects

Link to the MDCG guide