Virtual and Digital Health Digest – December 2025

By Alexander Roussanov, Eleri Abreo, Sofia Holmquist & Ana Gonzalez-Lamuno on January 30, 2026

Posted in AI, Data protection, Digital Health, EU Legislation, EU Regulatory Framework, IVDR, MDR, MHRA, Product Liability

Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during December 2025 and early January 2026 from the the United Kingdom, and European Union.

December 2025 saw a significant wave of regulatory, policy, and technological developments across the UK and EU that will shape the digital health landscape in 2026 and beyond. The UK advanced its focus on safe and effective AI integration in health care through the Medicines and Healthcare products Regulatory Agency’s (MHRA) open call for evidence on AI regulation, and the publication of the AI Security Institute’s (AISI) Frontier AI Trends Report, which underscores both the promise and risks of rapidly advancing AI capabilities. In parallel, the EU proposed substantial amendments to the Medical Devices Regulation (EU) 2017/745 (MDR) and In Vitro Diagnostic Regulation (EU) 2017/746 (IVDR) — introducing new rules for software, cybersecurity, and digital compliance — alongside publishing the first part of the Biotech Act and a new Code of Practice on transparency for AI-generated content, each reinforcing expectations for trustworthy and innovation supportive digital health ecosystems. Globally, the International Medical Device Regulators Forum’s (IMDRF) 2026-2030 strategic plan emphasized harmonization in response to emerging technologies. Finally, product liability frameworks are also being modernized, as the UK Law Commission launched a comprehensive review of the Consumer Protection Act to ensure it adequately captures risks associated with AI-enabled technologies, including iterative updates and latent defects.

Regulatory Updates

UK MHRA Publishes an Open Call for Evidence on the Regulation of AI in Healthcare. This invites responses from both UK-based and international stakeholders. The responses gathered will help to inform the recommendations of the National Commission into the Regulation of AI in Healthcare (launched in September 2025 and discussed in the October 2025 Digest) when advising the MHRA on the regulation of new AI technologies in the NHS and wider health care system. The main topics covered are: how the UK regulatory framework covering AI in health care should be improved, how issues around the safe use of AI can be addressed, and the distribution of responsibility between regulators, companies, and health care organizations. The call for evidence closes on February 2, 2026.

European Commission Publishes Proposals To Amend the MDR and IVDR. The proposal marks a significant step in the reform of the EU medical devices regulatory framework. For medical devices and biotech companies, key elements of the proposals include: (1) revised classification rules for certain software medical devices, which could fall into lower risk classes with less onerous obligations; (2) new EU and national regulatory sandboxes to support innovative digital health technologies, including software medical devices; (3) new cybersecurity safety and performance requirements; and (4) further digitalization of compliance processes, including the possibility to submit EU declarations of conformity in digital form. The proposals have been submitted to the European Parliament and the Council of the European Union for review, and a public feedback period is open from January 7 to March 5, 2026. Further details on the proposals can be read in our December 2025 BioSlice Blog.

European Commission Publishes Proposal on the EU Biotech Act — Part 1. While primarily focused on the pharmaceutical sector, with a broader biotech initiative expected in 2026, the proposal includes certain elements relevant to medical device and biotech companies. These include (1) expanded EU and national regulatory sandboxes, which could extend to medical devices and novel health biotechnology products and therapies; (2) the possibility to submit a single application for authorization through the Clinical Trial Information System for combined studies (i.e. studies involving clinical trials of medicinal products alongside clinical investigations of medical devices or performance studies of in vitro diagnostic medical devices (IVDs)); (3) the possibility for AI-enabled IVDs or AI medical devices used in combined studies to be subject to a coordinated assessment for authorization; and (4) the obligation for the European Medicines Agency to issue guidance on the use of AI across the lifecycle of medicinal products. The proposal will now be discussed by the European Parliament and the Council of the European Union.

European Commission Publishes First Code of Practice on Transparency of AI-Generated Content. The code is intended to support companies placing AI systems on the market (AI deployers) and companies using AI systems to generate or manipulate content (AI providers) in complying with the transparency obligations under the EU AI Act, which will come into effect on August 2, 2026. The code clarifies the responsibilities imposed on AI providers and AI deployers by the EU AI Act. In particular, AI providers must ensure that any AI-generated or materially manipulated content is marked and detectable using layered technical measures, such as including the provenance information and watermarking. Separately, AI deployers must disclose the level of AI involvement in the content that has been generated or manipulated by AI where it could mislead the public, using an immediately visible indicator, with the code suggesting a linguistic acronym pending an EU-wide solution. Although voluntary, the code provides a useful guide for medical device companies on regulatory expectations. The final version of the code, which has been subject to a public consultation that is now closed, is expected to be published in 2026.

UK AI Security Institute (AISI) Frontier AI Trends Report Published. The report highlights rapid advances in frontier AI systems that are directly relevant to digital health. Models now surpass PhD level expertise in biology and chemistry, which signals new potential for digital health initiatives, such as AI enabled diagnostics, clinical decision support, and drug-disease modelling. The report also shows significant gains in autonomous task completion and cybersecurity capabilities, underscoring both opportunities for improving workflows and the need for robust safeguards as industries, including health care systems, adopt increasingly powerful AI tools.

International Medical Device Regulators Forum Publishes Strategic Plan for 2026-2030. The plan highlights that the advancement of innovative technologies, including AI and machine learning, may require the development of new procedures, which presents an opportunity for harmonization of risk-based and resource-proportionate approaches. To this end, the priorities of the IMDRF include publishing new technical documents on innovative technologies and continuing with joint workshops with the IMDRF industry group.

Privacy Updates

The UK Information Commissioner’s Office (ICO) Publishes Response to the Cyber Security Resilience Bill. The bill, which was introduced to Parliament in November 2025, was prepared following public consultation and calls for views on proposals to improve the UK’s cyber resilience. The response highlights efforts to strengthen the UK’s cyber defense framework and improve the resilience of essential digital services. Although digital health is not directly named, the update is relevant since digital health systems — such as cloud based clinical platforms, remote care services, diagnostic AI tools, and electronic health records infrastructure — rely on the same digital service providers (e.g., cloud computing, online services, and managed service providers) that fall under the bill’s expanded regulatory oversight. The reforms also include extending the scope of what is considered essential services — for example, suppliers to the National Health Service may be considered designated critical suppliers. The ICO has indicated a need for additional clarification of the criteria for assessing “critical suppliers” and further details on the duties involved.

European Commission Renews the UK Adequacy Decisions. Following Brexit, the UK is considered a “third country” to the EU, and as such, the transfer of personal data without an adequacy decision would ordinarily be prohibited. The adequacy decisions, originally made in 2021 and now renewed in December 2025, allow personal data to flow freely between the UK and the EU under the General Data Protection Regulation and under the Law Enforcement Directive.

Product Liability Updates

UK Law Commission Publishes Terms of Reference for Product Liability Law Review. The Law Commission notes that the current regime under the Consumer Protection Act does not sufficiently address challenges posed by technological advancement, such as AI. The issues that will be considered in the review include the definitions of “product” and “defect,” to ensure that any harm that may be caused by the use of AI is taken into account. The Law Commission will also review the possibility of amending the “State of the Art” defense, that the defectiveness of a product is determined by the knowledge and the market at the date of supply, to take account of the fact that some technologies can be updated iteratively. Finally, the possibility of bringing latent defects (arising after the date of supply) in scope will also be considered.