Jamie Gallagher and Michaela Herron

The business law firm this week published its digital health annual review, which examines legal developments from 2025 that will continue to reshape compliance obligations through 2026 and beyond.

The publication focuses on regulatory changes with direct operational impact.

These include proposed reforms to EU medical device and IVD rules, new cyber security obligations under NIS2, and the practical reach of the European Health Data Space Regulation.

Michaela Herron, partner and head of life sciences at Mason Hayes & Curran, said: “Regulatory frameworks exist on paper, but success depends on how digital health companies translate these rules into practice.

“Businesses must now understand how product safety, data governance and cyber security requirements interact, and factor that into their commercial strategies.”

The NIS2 Directive will push cyber security firmly into the boardroom, with tougher oversight and enforcement across the EU. For companies operating in multiple countries, compliance will be shaped by differing national rules and timelines.

The review examines the European Health Data Space Regulation, which will require certain health data to be shared for secondary use. Although key obligations apply from 2029, early system and governance changes will be needed.

New guidance under the EU AI Act is also covered, clarifying which AI systems fall within scope and what this means for product design and oversight. Additionally, the publication considers recent case law on telemedicine, which confirms that fully digital services are regulated by the law of the provider’s home state.

Jamie Gallagher, life sciences regulatory and product liability partner at Mason Hayes & Curran, said: “Digital health businesses are now dealing with several changing EU regulatory frameworks at the same time.

“New cyber security, data governance and AI rules are coming into force alongside proposed changes to medical device and IVD product safety rules, and an updated product liability regime.

“Companies must plan for all of these developments simultaneously, and each requires multi-year planning and investment.”