
Proof of data security: BSI TR-03161 mandatory for DiGA & DiPA manufacturers from 2025

To be listed in the DiGA or DiPA directory, operators and manufacturers of digital health and care applications must, among other things, provide proof of the data security of their application. In future, this proof must be based on the BSI Technical Guideline TR-03161. The deadline is 1 January 2025.

Image: A medical professional and a patient sit on a couch and look at a tablet.
07/05/2024 | Essen

Data security: BSI TR-03161 as a new basis for verification

For three years now, patients have been able to obtain so-called "apps on prescription". To ensure that they can use them safely, digital health applications (DiGA) must fulfil the IT security, data protection and data security requirements set out in the Digital Health Applications Ordinance (DiGAV).

Previously, with regard to data security, the DiGA guidelines stipulated that fulfilment of the requirements under Section 139e (10) SGB V had to be proven by means of a corresponding certificate. The Federal Institute for Drugs and Medical Devices (BfArM) has now officially announced that the technical guideline BSI TR-03161 will in future be the basis for the new certificates used to prove the data security of an application. Manufacturers must submit proof of data security in accordance with the technical guideline from 1 January 2025 at the latest. It is therefore advisable to prepare for testing and certification in accordance with BSI TR-03161 at an early stage.

When the data security criteria for DiGA were updated, the requirements for digital care applications (DiPA) were revised as well. Here too, BSI TR-03161 will in future serve as the basis for verifying the data security of an application, and will be mandatory from 1 January 2025. In addition, the Federal Office for Information Security (BSI) has revised parts of the technical guideline, so it is now available in an updated version.

As a recognised testing body, TÜV Informationstechnik (TÜVIT) offers manufacturers of both digital health and digital care applications the necessary tests in accordance with the security requirements of TR-03161.

Additional update of the data protection criteria

In addition to BSI TR-03161, the test criteria for the data protection requirements for DiGA and DiPA have also been updated. According to the DiGA guidelines, these are mandatory from 1 August 2024. They include the requirements of the European General Data Protection Regulation (EU GDPR), but supplement them with additional requirements specific to DiGA and DiPA.

As the specific data protection certificate is still being developed by the BfArM, there are currently no accredited certification bodies that can carry out certification in accordance with the data protection criteria under Section 139e (11) SGB V and Section 78a (8) SGB XI. Furthermore, the test criteria may still change. Consequently, the data protection certificate will only be officially requested once the technical and organisational prerequisites are in place.

Nevertheless, it is advisable to familiarise yourself with the published data protection criteria as early as possible and to prepare for them accordingly, as they go beyond the requirements of the GDPR alone. The criteria can be found on the BfArM website. TÜVIT supports manufacturers in their preparation with data protection maturity assessments based on these criteria.

Learn more about BSI TR-03161.