Digital health apps and telemedicine in Sweden

Software as a medical device

Software in the form of a digital health app may be considered as a medical device if it is intended for medical purposes (as elaborated below).

MDR and IVDR

The primary legislation for medical devices in Sweden is Regulation (EU) 2017/745, also known as the Medical Device Regulation (“MDR”), applicable since 26 May 2021.

For In Vitro Diagnostic (“IVD”) medical devices, the In Vitro Diagnostic Regulation (EU) 2017/745, (“IVDR”) applies.

Software in the form of a digital health app may be classified as a medical device if it is intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following medical purposes detailed in Article 2 of the MDR, including:

• diagnosis, prevention, monitoring, treatment or alleviation of disease;
• diagnosis, monitoring, treatment, alleviation or compensation of injuries or disabilities; or
• investigation, replacement or modification of the anatomy or of a physiological process.

In addition, devices for control or support of conception also qualify as medical devices.

National supplementary regulation

• The Act (2021:600) on supplementary rules to the MDR, is available (only in Swedish) here;
• The Ordinance on supplementary rules to the MDR (2021:631) is available (only in Swedish) here;
• The Swedish Medical Products Agency (Swe: Läkemedelsverket) regulation (HSLF-FS 2022:42) regarding National Medical Information Systems, available (only in Swedish) here, regulates software that is similar to software which would be considered medical devices but that are not in the scope of the MDR and the IVDR.

Classification

If the software qualifies as a medical device under the MDR or the IVDR, it will be classified in a category according to its purpose and inherent risk (Article 51 of the MDR and Article 47 of the IVDR respectively) in light of the MDR or IVDR.

Medical devices shall be divided into Classes I, II a, II b or III. Class I is for the products with the lowest risk potential.  For (IVD) devices, the classes are A, B, C and D (class A represents the lowest risk and class D the highest risk).

All medical devices require CE marking, but the requirements vary based on the Classes.

CE marking

A CE mark is a certification mark that indicates that a product complies with the EU safety, health and environmental protection standards.

The lower risk classes, i.e., Class I in the MDR, require that the producer of the medical device concludes the CE marking process by themselves.  The higher classes require that a notified body quality checks the medical device.

Digital health apps that are CE marked are intended to be used for medical purposes, and they are therefore medical devices according to the MDR.

Currently only physical products and electricity are considered products under the Swedish Product Liability Act (1992:18), implementing the EU Product Liability Directive (85/347/EEC). However, following Dir. 2024:127, available (only in Swedish) here, software products will be expressly included in this legislation with the implementation of the directive.  There is an ongoing investigation regarding how the directive will be implemented in Sweden, and the outcome is to be published, at the latest, 10 October 2025.

N/A.

Yes, digital health apps should, as far as processing of personal data occurs, comply with data protection and privacy regulations. In Sweden, the EU General Data Protection Regulation (GDPR) applies.  Article 9 GDPR imposes strict obligations for processing special categories of personal data, including health data. There is no specific data or privacy regulation for digital health software.

Further, local sector specific regulations may apply, including:

• The Patient Data Act (2008:355);
• The Patient Data Ordinance (2008:360);
• The Pharmacy Data Act (2009:367);
• The Patient Safety Act (2010:659); and
• The Act (2022:913) on Shared Health and Care Documentation.

Moreover, the National Board of Health and Welfare (Swe: Socialstyrelsen) has issued regulations and general advice (Swe: allmänna råd) concerning record-keeping and processing of personal data in healthcare, available (only in Swedish) here. There is also guidance on how to follow these provisions, available (only in Swedish) here.

The GDPR applies.  Under Article 3(1) GDPR, the regulation applies when the controller or processor is established within the EEA, regardless of whether the app user is located in the EEA or not.  Additionally, under Article 3(2), the GDPR applies to non-EEA entities if they process personal data of EEA residents in connection with offering goods/services or monitoring their behaviour.

• The GDPR always applies in B2C scenarios.
• The GDPR also applies in B2B scenarios if the business user is a natural person or if the user is processing the personal data of other individuals via the app.  If the business user is processing the personal data of other individuals (e.g., patients), he or she must ensure that this complies with the GDPR (the legal ground for which will usually be a contract with the individual or consent).

If data is stored on the device, or if data is collected from the user’s device, and if this is not necessary for providing the service, users must provide additional consent, according to the EU “Cookie Directive,” Article 5(3) of Directive 2002/58/EU, as implemented in Swedish law by way of Chapter 9 Section 28 of the Electronic Communications Act (Swe: lagen om elektronisk kommunikation). The Cookie Directive is not just covering cookies, but any scenario where the provider stores data on or collects data from a device.

The healthcare provider (Swe: vårdgivare), such as a region, municipality, or private healthcare institution, is responsible for establishing clear divisions of responsibility to ensure that all personnel understand how to handle medical devices properly. Physicians are responsible for ensuring proper use of medical devices in accordance with both the developer’s instructions and the care provider’s internal safety protocols.  However, the overall responsibility for ensuring that only medically safe products are used in patient care lies with the healthcare provider. 1

When a medical device is used in a clinical setting, the responsible physician needs to ensure correct and safe use of the device.

The Swedish Medical Products Agency (Swe: Läkemedelsverket) is the authority responsible for ensuring compliance with the MDR and IVDR in Sweden. It oversees the manufacturing, distribution, and market surveillance of CE marked medical devices. Additionally, the Swedish Health and Social Care Inspectorate (Swe: Inspektionen för vård och omsorg) supervises the use of medical devices within healthcare settings.

The legal consequences for non-compliance are regulated in chapter 5 of Act (2021:600) with supplementary rules to the MDR.  These include administrative and criminal penalties such as:

• Fines
• Imprisonment
• Seizure of goods

Claims for damages may also arise in accordance with Article 82 GDPR.

In case of breaches of data protection law and if the manufacturer is the “controller” of processing of personal data, the manufacturer can be subject to fines (Article 83 GDPR).

Sweden is a Member State of the European Union.  As such, legal developments are expected due to the AI Act, regulating the use of AI systems and the European Health Data Space Regulation (EHDS), inter alia empowering individuals to take control over their health data and also allowing for the sharing of health data.

There is a regulatory framework for healthcare and physicians in Sweden that includes the following:  the Swedish Health and Medical Services Act (Swe: Hälso- och sjukvårdslag (2017:30)), the Swedish Patient Act (Swe: Patientlagen (2014:821)), the Swedish Patient Safety Act (Swe: Patientsäkerhetslagen (2010:659)), and the Swedish Patient Data Act (Swe: Patientdatalagen (2008:355)), as well as additional regulations from the National Board of Health and Welfare (Swe: Socialstyrelsen) on inter alia quality management systems (Regulation SOSFS 2011:9), and medical records and processing of personal data (Regulation HSLF FS 2016:40).

The Swedish Medical Association (Swe: Läkarförbundet) has also published ethical rules which serve as professional guidelines for physicians.  These are available (only in Swedish) here.

The Swedish Health and Social Care Inspectorate (Swe: Inspektionen för vård och omsorg) (IVO) carries out the supervision.

In Sweden, there is no specific legal framework governing telemedicine.  As such, the same rules that apply to physicians in general also apply to physicians regarding telemedicine (cf. our response to Q 8 above). 

The following applies where patients are treated, regardless of whether telemedicine is used or not:

• The principles of science and proven experience as required by the Patient Safety Act (1998:531) on Professional Activities in the Health and Medical Care Sector, 2^nd chapter 1^st .
• Record keeping according to the Patient Data Act.
• License requirements, such as having a medical degree.

However, the National Board of Health and Welfare has, in 2018, published guidelines regarding digital healthcare (Swe: Digitala vårdtjänster Övergripande principer för vård och behandling) available (only in Swedish) here.  According to these guidelines, the following principles should be fulfilled for digital healthcare services to be suitable:

1. Current regulations or existing knowledge management do not require a physical meeting.
2. The digital service is adapted to the individual patient's needs and ability to use the service.
3. The healthcare provider has access to sufficient information about the patient's health condition and medical history to provide good and safe care.
4. Necessary follow-up and coordination with other actors are possible.

In accordance with the Swedish Patient Act, healthcare activities (digital or physical) may not be carried out without the patient’s consent, unless certain regulated exceptions are in hand (such as the emergency care of an unconscious person).  As for notices, the GDPR applies.

No, not as long as the telemedicine services are rightfully used (e.g., where no physical examination is required).

Since telemedicine may only be used where applicable law or medical experience do not implicate that a physical visit is required, prescriptions that require a physical examination cannot be made in a digital healthcare meeting.  This applies to. medicine that is classified as a narcotic.

Sweden has a decentralized healthcare system.  As such, the Swedish Regional Councils and, in some cases, municipalities are responsible. Healthcare providers can be public or private and telemedicine is used by both types.

Public healthcare and private healthcare contracted with for example, Regional Council or a municipality, is mainly funded by the Swedish Regional Councils and municipalities. The reimbursement models and levels for telemedicine may however differ between the Regional Councils. For private healthcare providers without a contract with a Regional Council or municipality, the patient is responsible for the cost of treatment and care.

All Swedish healthcare providers, including those who provide telemedicine services, must hold a patient insurance policy under the Swedish Patient Injuries Act (Swe: Patientskadelagen (1996:799)).

In addition to the foregoing, doctors and psychotherapists can charge a patient fee for video consultation/digital healthcare visits.  These are included in the public health system, which is funded mainly by taxes levied by county councils or municipalities, but also through user charges and state subsidies.  The Swedish Association of Local Authorities and Regions (Swe: Sveriges kommuner och regioner (SKR)) has recommended a cost level, available (only in Swedish) here.  The fee does, however, vary depending on in what county council (region) the health care provider is located.

 No, there are no special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine . The costs for these services vary between regions, and some regions have incorporated specific reimbursements for e-health while some have not. 2

N/A.

Medical confidentiality is applicable for the telemedicine counselling provided by a healthcare provider.

Please see also our response to Q2 above, regarding data protection. 

As of right now there are no proposals for legislations regarding telemedicine in Sweden.

However, over the last few years, Sweden has aimed at becoming world-leading in e-health.  Good digital health solutions are highly encouraged, and relevant authorities work to provide a great landscape for e-health.  3