Key legal aspects of implementing digital therapeutics (DTx) in Norway

Norway, being a member to the EEA Agreement, must implement all relevant EU secondary legislation similarly to as any EU Member State and will with some exemptions interpret the directives and regulations using the same legal sources of law. There may at times be a delay in taking new EU legislation into the EEA agreement. There is also no direct effect, meaning that the EU legislation does not take effect in Norway before it is implemented in Norwegian law. When new legislation enters into force in EU member states, there are thus situations where the old legislation still applies in Norway. 

The Norwegian Act relating to medical devices (law 2020-05-07-37) incorporates Regulation 2017/845 on medical devices (MDR) and Regulation 2017/746 on in vitro diagnostic medical devices (IVDR) into Norwegian law as such. 

The legal framework for the product qualification is the MDR and the definition of “medical device” that follows in MDR article 2, as well as the MDCG 2019-11 (Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR). We are not aware of relevant jurisprudence or guidance in Norway. 

The differentiation between a medical device and a consumer product – which does not fall within the scope of the MDR – can largely be influenced by the manufacturer who defines the intended purpose of the respective product. Mere lifestyle/everyday apps (e.g., for fitness tracking, nutritional recommendations, resilience exercises, meditation training without a medical purpose) are generally not intended for therapeutic purposes.  

Not only is the explicitly described intended purpose relevant but so are the instructions for use and the promotional materials (e.g., website, information in App Store) regarding the specific product. Possible indicative terms in connection with the intended purpose and corresponding functions can be, for example: alarming, analysing, calculating, detecting, diagnosing, interpreting, converting, measuring, controlling, monitoring, amplifying. Indicative functions for classification as a medical device can be, amongst others, the following: Decision support or decision-making software, e.g., regarding therapeutic measures; calculation, e.g., of dosing of medicines (as opposed to mere reproduction of a table from which users can deduce the dosage themselves); monitoring patients and collecting data, e.g., by measurements if the results thereof have an influence on diagnosis or therapy. Pure data storage, archiving, lossless compression (i.e., using a compression procedure that allows the exact reconstruction of the original data), communication, or simple search functions do not in themselves result in classification as a medical device. 

The Norwegian Medicines Agency has the authority to determine whether a product shall be considered a medical device (regulation 2021-05-09-1476).  

Medical devices are — generally speaking — assigned to risk classes. The classification is decisive for the conformity assessment procedure that the respective product must undergo. The classification is mainly based on the vulnerability of the human body (invasiveness) and takes into account the potential risks associated with the release or exchange of energy (activity) and the duration of use of the medical device. They are assigned to Classes I, IIa, IIb or III, whereby Class I comprises those products with the lowest risk potential. 

The classification rules for software devices are listed under annex VIII chapter III, rule 11 MDR. Software can fall into risk class I. However, due to the new interpretation rules this will likely be an exception only. Most software as medical device will be classified as class IIa or higher. This is important from a practical point of view because such software then needs to undergo a conformity assessment procedure applied by a notified body. 

The alternative medicine act (Act 2003-06-27-64) bans non healthcare personnel from providing invasive treatment, treatment that can cause a serious risk, treating infectious diseases or serious illness apart from treatment with the sole purpose of relieving symptoms. The act provides regulation of alternative medicine.  

If the offer is to be considered as provision of healthcare, an assessment must be made as to what sort of healthcare is provided, and the requirements that follow from this.  

If Software processes personal data of the users/patients, it must comply with the applicable data protection regulations, in particular with the EU General Data Protection Regulation (“GDPR”). 

In general, Norway has adopted GDPR. The same rules as for the EU is therefore applicable also in Norway. Data storage outside EU/EEA is complicated as this needs a thorough risk assessment when it comes to health data. 

Key points regulated under the GDPR are: 

When processing personal data, the principles contained in art. 5 GDPR, such as the lawfulness and purpose limitation of data processing, data minimization, and the integrity and confidentiality of processing, must be taken into account. 

These rules only apply to the processing of data of individuals (regardless of citizenship) residing in the European Union (art. 3 GDPR). If they use the app outside of their jurisdiction, GDPR will still apply if the provider is a company established in the EU.  

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device. 

In addition, location tracking is also subject to consent provided it is not an essential part of the service provided. 

The GDPR always applies in B2C scenarios. The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing personal data of other individuals via the app. If the business user is processing personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent). 

If data is stored on the device or if data is collected from the users' device and if this is not necessary for providing the service, users must provide additional consent according to the EU “Cookie Directive” (Art. 5 (3) of Directive 2002/58/EU). The Cookie Directive is not just covering cookies but any scenario where the provider stores data on or collects data from a device. 

A consent is required in accordance with Art. 9 para. 2 letter a) in conjunction with Art. 7 GDPR. It should be noted, however, that according to Art. 7 para. 1 GDPR, the person responsible for data processing must be able to prove the consent of the data subject – regardless of any formal requirements. Since recordings of the video consultation hour are not permitted, at least electronic documentation of the declaration of consent will be required if the written form is not used. 

Special requirements exist in relation to DiGA. In order to qualify as DiGA, the software must fulfill additional criteria in relation to data protection and data security, which goes beyond the GDPR requirements. These include the use of servers located primarily in Germany or in the European Union, but not in the US and the adherence to strict standards of data security. Companies in this field are well advised to carefully check early on in the product design phase whether these conditions are met. 

There is currently no Norwegian legislation for implementation and specific to DTx. 

It is allowed to promote medical devices, including software, to both health care personnel (HCP) and the public, including consumers.  

The promotional material must if applicable comply with article 7 in Regulations MDR and IVDR. In other words, the promotional materials must not contain any misleading information, fail to inform of any likely risks associated with the use of the software, or suggest other uses than stated as part of the conformity assessment.  

The relevant legislation regarding promotional materials for medical devices in Norway are MDR and IVDR, article 7. If it is considered as provision of healthcare, other rules apply. 

Otherwise, general marketing legislation applies to marketing in consumer relations. 

The essential requirements for free samples are the same as for other medical devices.  

The general rules regarding anti-corruption will also apply, which is especially important if the promotion is addressed to HCP's. HCP's may not on behalf of themselves or on behalf of others accept gifts, commission, service or other benefits that are suitable to affect the services provided by health personnel unduly, according to article 9 in the Norwegian Health Personnel Act. 

The use of partnering and cooperation would depend on the purpose of the DTx and hence whom would be the customer.  

Healthcare in Norway is provided by the government. Primary care by the approximately 360 municipalities, secondary healthcare by the health trusts (each responsible for a region) and for some medicines for particular diseases by the national government. To a limited extent some healthcare is paid for privately (partly through insurance). The appropriate distribution channel would depend on the purpose of the DTx. 

There is to a limited extend private healthcare in Norway, but some companies are starting to have employment benefit programmes and employment insurance providing faster treatment to get employees back to work as quickly as possible.  

As described above healthcare is in Norway provided by the government through municipalities, the health trusts or for some medicines directly by the national government. Depending on the purpose of the DTx, the reimbursement has to come from the relevant of these three sources.  

As described above the public healthcare is provided through the municipalities (primary care), the health trusts (secondary care) and some medicines directly be government (in general medicines not prescribed or used in hospitals). 

Procurement to the municipalities and health trusts is done by public tender. Test of products on a small scale may be done without a tender.  

There is an ongoing debate regarding how and what mechanisms should be implemented including „app on prescription“ . Some german reimbursement mechanisms have been mentioned as examples on how it should be implemented in Norway as well, however no specific mechanisms have been introduced.