
Digital healthcare application (DiGA) providers in Germany now face a fresh challenge. From January 1, 2025, if you’re an organization offering a DiGA to users in the German market, you must meet the updated data security requirements set by the Bundesamt für Sicherheit in der Informationstechnik (BSI).
The updated rules apply to new apps seeking certification as well as the 64 apps that have already been approved by the Federal Institute for Drugs and Medical Devices (BfArM).[1] This mandate was established through the Datenschutzkonferenz (DSK) resolution.
With the compliance requirements, DiGA developers face significant pressure in mobile app security. If you don't comply, you will not only suffer financial and reputational damage, but your app could also be taken off the market until you achieve compliance. With that in mind, finding a timely way to meet the enhanced security requirements is a top concern for digital healthcare companies.
Here's a closer look at the steps you can take to secure your app and comply with the regulations.
The Digital Care Act (DVG) and fast track procedure
In 2019, Germany passed the Digital Care Act (DVG), an important milestone in eHealth. It aimed to improve access to app-based care by integrating digital therapeutics into mainstream healthcare through prescription and reimbursement. The DiGA designation was created to clearly differentiate certified medical apps from general health and fitness apps.
The BSI's new requirements mark a major shift from how DiGAs were previously evaluated for security. Since 2019, DiGAs have been assessed under the "Fast Track" procedure managed by the BfArM. This process allowed you to bring a product to market within three months through a streamlined evaluation that included a data security review. The focus was on ensuring that apps met baseline criteria for functionality, safety, and data security.
The process also required apps to demonstrate positive care effects through clinical studies. Depending on the strength of evidence, apps were granted either a 24-month provisional approval (during which they had to produce additional clinical data) or a permanent approval. Approved apps are listed in the BfArM's DiGA directory, which clinicians can search.
For example, a patient with insomnia or a mental health condition can receive a prescription for the relevant app from their provider, and their insurer then issues the activation code.
While this approach helped in getting digital health innovations to users swiftly, it left some security gaps, especially as cyber threats became more sophisticated.
Today, even if you’ve been certified through the Fast Track procedure, you’re subject to the new regulations and must demonstrate compliance with the new BSI requirements.
Overview of the BSI
Under the new guidelines, the BSI oversees a comprehensive and independent testing procedure that determines if your app can operate in the German healthcare system.
Why the new regulations are critical for the DiGA market
The BSI’s new guidelines highlight how important data security is for digital health apps. With the healthcare industry becoming increasingly digitized, a single breach could expose patients' private health information, leading to identity theft or financial fraud. The ripple effect of such a breach can be devastating, not just for the affected individuals but also for the trust that users place in digital health solutions and the organizations behind them.
If your DiGA doesn’t meet these new security standards, the consequences are serious. Non-compliance may result in your app being pulled from the market. But the impact doesn’t stop there. Your company’s reputation can be impacted, especially in an industry where trust is paramount.
It's also important to consider the long-term impact of eroded trust. Healthcare providers rely on these apps to deliver care and manage patient data securely. If your app is perceived as a weak link, it could jeopardize partnerships and your standing in the industry.
An in-depth look at the new BSI security requirements
While digital health apps have always undergone a security review, the new BSI requirements emphasize data security evaluations for web apps, mobile apps, and backend systems. Since almost two-thirds of DiGA offerings are mobile apps[2], securing these platforms is more critical than ever.
The BSI’s new guidelines emphasize a more rigorous testing process, particularly in areas where apps are vulnerable to cyber attacks. So, instead of a quick security check as part of the broader Fast Track evaluation, your app will now undergo a dedicated and thorough examination focused solely on data security. This will ensure that your app is not just functional but also resilient against cyber threats.
The examination process for mobile apps is divided into eleven test aspects, each containing mandatory, recommended, and optional requirements. The BSI's procedure tests them in two main phases: Check and Examine.
Check: The Check phase involves a plausibility assessment of your app’s documentation and security claims by a BSI examiner who audits manufacturer-provided documentation. The examiner ensures your app’s security features are sound on paper.
Examine: During the second phase, each app must undergo extensive penetration testing conducted by a BSI-accredited examiner. They verify that all the security measures you’ve implemented can withstand real-world cyber attacks.
The BSI’s updated guidelines emphasize that data security isn’t just an afterthought—it’s a core requirement that must be integrated into your app’s design and development. By focusing on both the documentation and the practical implementation of security measures, the BSI ensures that only the most secure apps make it to the market.
While your app must pass all eleven test aspects, Test Aspect 11 focuses on an area many developers find difficult to solve on their own: hardening the app against growing risks like reverse engineering and tampering.
Focus on test aspect 11: Resilience of mobile health apps
Test Aspect 11 of the BSI's Technical Guideline TR-03161 covers the resilience of mobile health apps and is one of the most demanding parts of the examination. It requires DiGAs to implement hardening measures that go beyond standard security features like encryption and authentication.
During the Examine phase of Test Aspect 11, the following app hardening measures must withstand the BSI examiner's penetration testing. The DiGA app must:
- Detect and respond to manipulation of the operating system, such as a rooted or jailbroken device.
- Refuse to start in a debugging or development environment.
- Detect startup with unusual or compromised user rights.
- Operate in a secure runtime environment and regularly re-verify device integrity, covering operating system security, custom firmware, and hooking frameworks.
- Protect against man-in-the-middle attacks and resist attempts to circumvent certificate pinning or bypass authentication.
- Perform an integrity check each time the app starts and again during sensitive operations.
- Obfuscate code (strings, file names, class and method names) that could otherwise provide the basis for reverse engineering.
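The first three measures on that list (rooted or jailbroken OS, debugger attached, compromised runtime) are the ones a hardening layer performs from native code, because a check written in Java or Kotlin is trivially hooked with Frida or Xposed. As an added example that is not part of the original post and not code from any vendor's product, the following C shows the raw checks such a native integrity layer runs on Android or any Linux: parsing the TracerPid field of /proc/self/status (a non-zero value means a ptrace-based debugger is attached), scanning /proc/mounts for a read-write /system or root filesystem, and probing well-known su binary locations. The su path list, the bitmask layout and the decision to refuse startup on any finding are assumptions made for illustration; the file formats are those of the Linux procfs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit flags for individual findings so the caller can log which check fired. */
enum { INTEGRITY_DEBUGGER = 1 << 0, INTEGRITY_SYSTEM_RW = 1 << 1, INTEGRITY_SU_BINARY = 1 << 2 };

/* Read a small procfs file into buf, NUL-terminated. False if it cannot be read. */
static bool read_small_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return false;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return true;
}

/* Parse the "TracerPid:" field of /proc/self/status text. Returns the tracer's PID
 * (0 = nobody is ptrace()-attached) or -1 if the field is absent. Taking the text
 * as a parameter keeps the parser testable offline with constructed input. */
int parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return (int)strtol(p, NULL, 10);
}

/* Live check: is a ptrace-based debugger (gdb, lldb-server, ...) attached right now? */
bool debugger_attached(void) {
    char buf[4096];
    return read_small_file("/proc/self/status", buf, sizeof buf) && parse_tracer_pid(buf) > 0;
}

/* In /proc/mounts the first option is always "rw" or "ro". */
static bool opts_are_rw(const char *opts) {
    return strncmp(opts, "rw", 2) == 0 && (opts[2] == ',' || opts[2] == '\0');
}

/* True if /proc/mounts text shows /system or / mounted read-write. Stock Android
 * mounts both read-only; an rw remount is a classic signal of a rooted device. */
bool system_mounted_rw(const char *mounts_text) {
    const char *line = mounts_text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char linebuf[512], mnt[256], opts[256];
        if (len >= sizeof linebuf) len = sizeof linebuf - 1;
        memcpy(linebuf, line, len);           /* copy one line so sscanf cannot read past it */
        linebuf[len] = '\0';
        /* line format: device mountpoint fstype options dump pass */
        if (sscanf(linebuf, "%*s %255s %*s %255s", mnt, opts) == 2 &&
            (strcmp(mnt, "/system") == 0 || strcmp(mnt, "/") == 0) && opts_are_rw(opts))
            return true;
        if (nl == NULL) break;
        line = nl + 1;
    }
    return false;
}

/* True if any of the given paths exists on disk. */
bool any_path_exists(const char *const *paths, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (access(paths[i], F_OK) == 0) return true;
    return false;
}

/* Assumed list for illustration: su locations used by common rooting tools. */
static const char *const SU_PATHS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/data/local/xbin/su", "/data/local/bin/su", "/system/app/Superuser.apk"
};

/* Run the live checks and return a bitmask of findings. A DiGA would call this at
 * startup and again before sensitive operations, and refuse to proceed on a
 * non-zero result instead of merely logging it. */
int integrity_findings(void) {
    int findings = 0;
    char buf[8192];
    if (debugger_attached()) findings |= INTEGRITY_DEBUGGER;
    if (read_small_file("/proc/mounts", buf, sizeof buf) && system_mounted_rw(buf))
        findings |= INTEGRITY_SYSTEM_RW;
    if (any_path_exists(SU_PATHS, sizeof SU_PATHS / sizeof SU_PATHS[0]))
        findings |= INTEGRITY_SU_BINARY;
    return findings;
}

int main(void) {
    int f = integrity_findings();
    if (f != 0) {
        fprintf(stderr, "integrity check failed (findings=0x%x), refusing to start\n", f);
        return EXIT_FAILURE;
    }
    puts("device integrity checks passed");
    return EXIT_SUCCESS;
}
```

Build with `cc -std=c11 integrity.c -o integrity`. On a desktop Linux host the root filesystem is legitimately mounted read-write, so the live run reports INTEGRITY_SYSTEM_RW and exits non-zero; that fail-closed behaviour is exactly what the examiner wants to see on a rooted phone. Each of these checks on its own is a heuristic that a determined tester bypasses (Magisk hides su paths, a Frida gadget patches the comparison), so what passes Test Aspect 11 is layering them, repeating them before sensitive operations, and obfuscating and integrity-protecting the checking code itself so the verdict is not a single boolean an attacker can flip.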
Effective app hardening against these threats is complex, and implementing the measures to pass the tests isn’t easy. The process requires specialized knowledge and resources, which many DiGA developers might not have in-house. Ready-to-implement solutions are limited, and even if you develop an in-house solution, keeping up with BSI requirements, emerging threats, and effective app hardening techniques takes time and effort.
Often, DiGA manufacturers rely on agency partners to build their apps. While these partners can help develop a hardening solution, they tend to propose expensive, lengthy bespoke projects whose results are often untested, and the development and maintenance costs add up quickly.
As a result, DiGA teams are left exploring what other options exist for compliance.
Common challenges DiGAs face as they look for solutions
The journey to compliance is anything but straightforward, and according to many organizations in the space, several key challenges are making this process even more difficult:
- Risk estimation differences: One of the primary hurdles you may be facing is the difference in how your development team assesses risks compared to the BSI requirements. While developers may have their own perspectives on data security and the potential impact of a breach, these often don’t align with the stringent expectations set by the BSI. This misalignment can lead to underestimating the level of security required, leaving apps vulnerable to threats and potentially failing the rigorous penetration tests.
- Lack of expertise: Implementing the necessary app hardening measures isn’t just a technical challenge—it requires specialized expertise. Whether in-house or through external partners, many developers simply don’t have the deep security knowledge needed to ensure that apps will pass the BSI’s penetration tests. This lack of expertise can result in inadequate security implementations, which might not hold up under the BSI’s detailed scrutiny.
- Cost efficiency issues: For many DiGA developers, developing in-house app hardening solutions can be unfeasible due to the high costs involved. Once you begin to investigate this route, it becomes clear how cost-prohibitive it may be at the beginning as well as maintaining the solution over time. Building a robust security solution from scratch isn’t just expensive—it’s time-consuming and resource-intensive. Often, the investment required simply doesn’t match your available budget or the expected return, leading you to seek alternative solutions.
- Unsatisfactory external solutions: External app hardening solutions might not meet your specific needs. Many are complex and take as long as six weeks to implement, which is far too long when there are testing processes to complete. Some cloud-based options process data outside the EU, raising concerns about data sovereignty and compliance with EU regulations. Others come with licensing costs that don't fit the DiGA business model. Suitable open-source software is hard to find, making it tough for developers to meet the new requirements without significant investment.
- Time constraints: Non-compliance can get your app removed from the market, and meeting the security requirements takes significant time. Developers face a tight window in which to implement these critical measures.
To meet the BSI’s new data security requirements, you need to act quickly and upgrade your app hardening to prevent reverse engineering, tampering and other threats. Manufacturers who meet these stringent requirements are likely to increase trust with physicians and patients and stand out from the competition. Conversely, failure to comply could lead to significant financial and operational setbacks—or take your health app off the market altogether. But the right partner can help you reach your compliance goals quickly and cost-effectively.
Simplify compliance with app hardening
Promon SHIELD® offers a proven solution that simplifies the compliance process and ensures your app is ready for the BSI’s rigorous examination. Our team of experienced experts understands the German DiGA market and partners with your team to develop a roadmap that fits your unique needs. Here’s why leading DiGA developers like you are choosing it:
- Market knowledge: Other DiGA developers working to comply with BSI requirements appreciate our team of cybersecurity experts who understand the German market, the changing regulations and speak both German and English. They work as an extension of your project team to help you meet compliance goals.
- Proven technology: With over 17 years of experience in mobile app security, some of the largest companies in the world trust our technology. Promon SHIELD® has protected apps used by over 2 billion users globally, so you can be sure that your apps will not just pass BSI’s penetration tests but also withstand the ever-evolving cyber threats.
- Fast implementation: A standout feature is the ease with which you can integrate our app shielding technology into your app. You can implement Promon SHIELD® in minutes to secure your mobile app without extensive downtime. This quick deployment is particularly beneficial when you are racing against the clock to meet compliance requirements.
- Easy to implement: Promon SHIELD® integrates seamlessly with your existing development processes so that you don’t have to alter your coding workflow. Whether you’re working with Android or iOS, Promon SHIELD® helps you add a security layer without disrupting your app’s development cycle, developers, patients, or clinicians.
- Cost-effective solutions: Promon understands the financial pressures that DiGA developers face. Our pricing model aligns with the DiGA business model to offer you fair and transparent pricing that doesn’t compromise on quality. Promon SHIELD® gives you top-tier, proven protection that fits your budget.
- Comprehensive support: Whether you need help understanding the BSI’s guidelines or troubleshooting issues during the penetration testing phase, our expert technology and support team is there to guide you from integration to certification in both German and English.