A guide to secure health applications (DiGA)

The Technical Guideline TR-03161 contains detailed requirements for applications in the healthcare sector, in particular for digital health applications (DiGA).
The aim of this guideline is to provide DiGA manufacturers with a comprehensive guide to implementing secure solutions.
Because DiGAs store sensitive and personal data, compliance with a high security standard is essential.

Structure of the TR-03161 guideline

TR-03161 is divided into several documents that focus on different types of applications:

Mobile applications

Web applications

Background systems

These documents contain a large number of test aspects that are divided into different areas.
The guideline not only describes the methodology of the test, but also provides detailed test characteristics for each aspect.

These test characteristics explain how the requirements are evaluated by testers.
The topics range from checking the source code and data architecture to authenticating users and securely setting up the necessary infrastructure and communication between the systems.

There are currently only a few test centers that can carry out TR-03161 tests.

Implementation of the guideline

DiGA manufacturers must identify at an early stage which requirements they already meet and where action is still needed.
The first step is a gap analysis that documents the current status.
This allows targeted measures to be taken to close the gaps.

All requirements should be documented and traceable.
This makes it easier for both manufacturers and inspectors to assess whether all aspects have been met.

According to the specifications of the Federal Institute for Drugs and Medical Devices (BfArM), certification in accordance with TR-03161 must be available by January 1, 2025 at the latest.
Early preparation for testing and certification is therefore crucial and should be planned in good time.

Changes due to the TR-03161 guideline

TR-03161 brings some important changes and requirements for manufacturers of DiGA and healthcare applications:

  • AUTHENTICATION

    Among other things, two-factor authentication and re-authentication are required for certain app functions.

  • USER ACCOUNT

    It must be possible to reset a user account using the user name and the DiGA activation code.
    Users should therefore keep their DiGA activation code for the entire prescription period, which can be up to 12 months.

  • SECURITY NOTICES

    If an insecure login method is used, a dialog must be displayed that informs the user of this insecurity.
    This also applies to widely used biometric authentication methods.

  • USABILITY

    Some measures may impair user-friendliness, but are necessary to ensure security.

  • DEVICE INFORMATION

    Users must be informed if they are using an insecure device.

  • USER SESSIONS AND CONSENTS

    There are detailed requirements for handling user sessions and for obtaining consent within the DiGA.

  • STORAGE AND COMMUNICATION

    The requirements for the storage and communication of user data are much stricter.

TR-03161 – not that complicated, is it?

Are you unsure how to implement the requirements of guideline TR-03161 for your DiGA, or do you need a readiness check?

We are happy to support you in meeting all the requirements of the guideline – whether in an advisory capacity at your side or as the partner who implements your DiGA in compliance with the standard.

Here you will find an overview of our DiGA service – or simply contact us directly.

How will the certification process develop up to the deadline on January 1, 2025?
We will continue to share our findings with you.