
BSI TR-03161

The IT security of your healthcare application tested in accordance with BSI TR-03161

Healthcare applications store and process large amounts of sensitive personal data, much of it health data that falls into the particularly sensitive category. It is therefore especially important for manufacturers of healthcare applications to take the basic security requirements defined in BSI Technical Guideline TR-03161 into account from the outset and to implement them consistently.

What is the BSI TR-03161?

The BSI Technical Guideline TR-03161 aims to protect the confidentiality, integrity and availability of medical data collected by digital health applications.

It was developed by the German Federal Office for Information Security (BSI) and serves as a guideline for developers of healthcare applications when creating secure solutions. It defines the minimum IT security requirements for mobile applications, web applications and background (backend) systems used in the healthcare sector.

Special features of BSI TR-03161

  • Applies to any application that processes or stores sensitive data, not only to healthcare apps in the narrow sense
  • Serves as a guide for application developers when creating secure solutions
  • Contains a catalogue of test aspects and typical threat scenarios
  • A certificate in accordance with BSI TR-03161 is one of the prerequisites for DiGA manufacturers and operators to have their application listed in the DiGA directory

We will support you at every stage:

Consulting: TÜV NORD IT Secure Communication, Berlin
Evaluation (conformity testing): TÜV Informationstechnik, Essen

Frequently Asked Questions (FAQ)

What you need to know about BSI TR-03161

BSI TR-03161 is primarily aimed at manufacturers of applications in the healthcare sector. It can also be regarded as a guideline for applications that process or store sensitive data.

In order to be listed in the DiGA directory of reimbursable digital health applications, the following requirements must be met:

  • Recognised penetration tests for all risk classes
  • Proof of an information security management system (ISMS) - ISMS certification
  • Proof of data security - certificate in accordance with TR-03161
  • Interoperability of the DiGA with the electronic patient record (ePA)
  • Secure authentication
  • Proof of data protection (since 1 April 2023) - certificate in accordance with Article 42 GDPR

A certificate in accordance with BSI TR-03161 has a formal validity of five years. However, a certificate issued under this certification programme covers only the exact product version that was examined in the conformity test.

Any change to a certified product creates a new version or configuration to which the issued certificate does not apply. If conformity with the requirements of BSI TR-03161 is also to be confirmed for a modified or further developed version of a certified product, an application for re-certification or certificate maintenance can be submitted to the BSI.

Depending on the target of evaluation, the evaluator will require various additional deliverables and information from the customer, for example:

  • (Technical) descriptions and documentation, such as architecture and interface descriptions
  • If applicable, entry URLs and IP addresses of the systems to be tested
  • If role concepts or authorisation components are also to be tested, at least two test accounts with different authorisations
  • For mobile app evaluations: the release version of the app as a compiled and installable file (APK / IPA)
  • For mobile app evaluations: a debug version of the app, with security measures such as certificate pinning and jailbreak/root detection deactivated, as a compiled and installable file (APK / IPA), so that the tester can intercept the app's network traffic and perform dynamic analysis on the device

TR-03161 consists of three parts. Each part describes the technical requirements and test aspects (e.g. architecture, cryptographic implementation, network communication) for one type of component of a digital health application.

Part 1: Mobile applications

Part 1 of BSI TR-03161 is aimed at applications on mobile devices and describes the minimum requirements for their secure operation. It draws on international standards such as the ENISA "Smartphone Secure Development Guidelines" [SSDG] and the OWASP "Mobile Application Security Verification Standard" [MASVS].

Part 2: Web applications

Part 2 of BSI TR-03161 contains threat scenarios and test aspects for web applications in the healthcare sector. This part takes into account international standards such as the OWASP "Application Security Verification Standard" [ASVS] and the OWASP "Web Security Testing Guide" [WSTG], and defines minimum requirements for the secure operation of web applications.

Part 3: Background systems

Part 3 of BSI TR-03161 contains requirements for background (backend) systems in the healthcare sector, in particular where cloud computing is used. This part draws on the BSI's general recommendations for securing backend systems as well as international standards such as the OWASP Top 10.