Medical Device Apps on App Stores
Introduction
Welcome to the new regulatory frontier. App developers can no longer treat app stores as neutral grounds for distributing health-related software. With the release of MDCG 2025-4, the European Union has officially deputized platforms like Google Play and Apple’s App Store as watchdogs over medical device software (MDSW). Whether you’re an indie dev, digital health startup, or a multinational AI-powered diagnostics firm, this guidance just redefined how your app enters—or stays on—the EU market.
MDCG 2025-4: What Changed and Why It Matters
Published in June 2025, MDCG 2025-4 provides clear and detailed guidance on the obligations of both app developers and platform providers under:
EU Medical Device Regulation (MDR 2017/745)
In Vitro Diagnostic Regulation (IVDR 2017/746)
Digital Services Act (DSA 2022/2065)
It reflects the shift from passive distribution to shared liability, assigning concrete responsibilities to app stores and developers alike. Most importantly, it defines how software qualifies as a medical device and what it means to “place it on the market” through a platform.
Who Does This Affect?
This guidance directly applies to:
Developers of software classified as medical devices (MDSW) under MDR or IVDR.
App platform providers, like Apple, Google, Huawei, etc., distributing apps in the EU.
Importers and distributors of apps developed outside the EU.
Very Large Online Platforms (VLOPs) designated under the DSA.
If your app assists with diagnosis, therapy, monitoring, or prediction of medical conditions—even indirectly—it likely qualifies.
Medical Device Software (MDSW): Definitions You Must Know
Straight from MDR and DSA law, here are essential definitions clarified by MDCG 2025-4:
Manufacturer: You—if you design, build, or brand the app.
Distributor: Any party in the EU that makes your app available (excluding the developer and importer).
Importer: An EU-based entity that places a non-EU-developed app onto the EU market.
Online Platform: A hosting service that stores and disseminates user-provided content (e.g., Apple App Store).
Intermediary Service: Platforms that provide access or host third-party content.
These definitions determine your responsibilities and liabilities.
Placing vs. Making Available vs. Putting into Service
Three core legal milestones:
Placing on the Market: Uploading the app to a store = first market entry.
Making Available: App is live and downloadable = ongoing availability.
Putting into Service: A patient uses the app for its intended medical purpose.
Each step invokes different compliance duties.
App Stores: Distributors, Importers, or Hosts?
MDCG 2025-4 breaks this down into three roles:
1. Intermediary Service Providers (under DSA)
If the platform simply hosts third-party apps without altering them or claiming ownership, it’s considered an intermediary and is covered by the DSA’s hosting rules:
Must implement “notice and action” systems for illegal/non-compliant content.
Required to ensure transparency of trader info (Article 31 DSA).
Obligated to conduct risk assessments and apply mitigation measures if classified as VLOPs.
2. Distributors (under MDR)
If the platform transfers ownership, modifies the listing, or is involved in commercial activity, it becomes a distributor. Obligations include:
Ensuring the app is CE-marked
Verifying the UDI-DI and SRN
Cooperating with competent authorities
3. Importers (under MDR)
If the developer is non-EU based and the platform facilitates EU distribution, the platform may be legally seen as the importer, which brings the highest level of responsibility under MDR Article 13.
Mandatory Information for App Listings
To comply with the MDR/IVDR and DSA, platforms must collect and display the following before your app is published:
✅ Essential Fields:
Manufacturer’s name, address, and contact info
Single Registration Number (SRN)
Unique Device Identifier (UDI-DI)
CE Certificate Number
Notified Body name and number (if applicable)
App’s intended purpose
Warnings and precautions
Link to the electronic Instructions for Use (eIFU)
MD symbol clearly visible
✅ Operating Requirements (if applicable):
Hardware dependencies (e.g., wearable devices)
OS and device compatibility
Network or security requirements
✅ Legal and Safety Info:
Authorized Representative (for non-EU devs)
Symbols or trademarks
Classification (MD or IVD)
Failure to include this data? Your app may never go live—or could be pulled at random.
Mandatory Category Labeling: MD vs. Wellness vs. Lifestyle
Platforms must clearly distinguish medical device apps from general wellness or fitness apps. This means:
You cannot self-label without evidence.
“Medical Device” should be a protected category in the app store.
Access to this label requires the full data disclosure listed above.
Random Compliance Checks: Are You Ready?
Platforms must randomly validate app data against public EU databases. These checks are:
Unannounced
Mandatory
Linked to systemic risk assessments for VLOPs
Being non-compliant is no longer just risky—it’s traceable and actionable.
New Responsibilities for Apple, Google, and Others
If platforms act only as hosts, the DSA shields them—but only if:
They respond to takedown notices.
They verify trader identity and CE data.
They conduct random compliance checks.
If platforms curate, modify, or promote MDSW apps directly, they assume MDR-level liabilities.
Practical Steps for Developers
To ensure compliance and avoid takedown:
Classify your app properly under MDR.
Register in EUDAMED and get your SRN.
Obtain UDI-DI and CE certification.
Prepare an eIFU in all supported EU languages.
Create a listing that includes all required fields.
Coordinate with platforms to confirm classification.
Bonus: Keep your technical documentation (including Clinical Evaluation Reports) ready for audit.
What Happens If You Ignore MDCG 2025-4?
Takedowns without appeal.
Fines from national competent authorities.
Delisting from app stores.
Potential civil or criminal liability for harm caused by non-compliant apps.
FAQs About MDCG 2025-4
Is my wellness app affected?
If it makes medical claims or assists with diagnosis/treatment—yes.
Do I need to display a CE mark?
Yes, plus the MD symbol and the UDI-DI on the listing.
Can platforms refuse my app if I’m non-EU based?
Yes, unless you appoint an Authorized Representative and fulfill all importer obligations.
Is this enforced yet?
Yes. MDCG 2025-4 is already in force, and random compliance checks have begun.
What if my app is free?
Doesn’t matter. “Free of charge” still counts as commercial activity under MDR.
Can my listing get flagged even after approval?
Yes. Platforms must do ongoing surveillance and can remove apps at any time.
Final Thoughts: The Sheriff Has Arrived
MDCG 2025-4 is not just another guideline—it’s a game-changer. For years, health-related apps lived in a gray area, immune to the rigor of medical regulation. But no more. Whether you’re a garage developer or a global brand, if your software touches patient care, it’s time to act like a medical device manufacturer.
This isn’t about stifling innovation. It’s about protecting lives. And yes—this new world might be messier. But it’s also clearer, safer, and more equitable.
✌️ Peace,
Hatem Rabeh, MD, MSc Ing
Your Clinical Evaluation Expert & Partner