Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during May and early June 2026 from the United Kingdom and European Union.

May 2026 saw continued momentum across the European Union (EU) and United Kingdom (UK) toward modernizing and streamlining the regulatory landscape for digital health, with a particular focus on accommodating AI-enabled technologies while reducing unnecessary complexity. A central development was the provisional agreement on the Digital Omnibus package, which seeks to simplify the application of the EU AI Act by clarifying overlaps with sector-specific legislation, deferring key obligations, and introducing more proportionate requirements.

In parallel, regulators on both sides of the Channel are advancing reforms to ensure that medical device frameworks remain fit for purpose in an increasingly software-driven and data-centric environment. In the EU, the activation of key European Database on Medical Devices (EUDAMED) modules marks a major step toward enhanced transparency and traceability, while ongoing discussions on the Medical Devices Regulation 2017/745 (MDR)/In Vitro Diagnostic Regulation 2017/746 (IVDR) revisions highlight a strong policy drive toward simplification and better integration of AI. In the UK, the Medicines and Healthcare products Regulatory Agency’s (MHRA) proposed pre-market reforms and broader thinking on AI regulation signal a shift toward more flexible, lifecycle-based oversight, with greater emphasis on post-market monitoring and innovation support.

Data governance and cybersecurity also remain high on the agenda. Industry and regulators alike are emphasizing the need for coherent, proportionate frameworks that avoid duplication while enabling innovation, particularly in light of expanding AI use cases and global supply chains. Together, these developments reflect a broader trend toward risk-based, innovation-friendly regulation, coupled with increasing expectations around transparency, accountability, and data protection in digital health.

Regulatory Updates

Council of the European Union (Council) and European Parliament Reach Provisional Agreement on the Revised EU AI Rules. On May 7, 2026, the Council and European Parliament reached a provisional political agreement on the EU AI Act component of the EU Digital Omnibus package, which aims to simplify the implementation of harmonized rules on AI under the EU AI Act (see our April 2026 Digest and our February 2026 Advisory for more details on the EU Digital Omnibus). The agreement would postpone the application of obligations on high-risk AI until December 2, 2027 for standalone high-risk AI systems and until August 2, 2028 for high-risk AI systems embedded in products subject to EU sectoral legislation, including medical devices and in-vitro diagnostics (IVDs). The agreement also introduces measures intended to reduce overlaps between the AI Act and sector-specific legislation, narrows the definition of “safety component” potentially limiting the scope of certain high-risk obligations, and introduces more proportionate requirements for small and medium enterprises (SMEs) and small mid-cap enterprises. The text remains subject to formal adoption by both institutions before entering into force. Read our May 2026 BioSlice Blog for more details on the agreement.

MHRA’s Call for Evidence on Draft Pre-Market Medical Devices Regulation. The MHRA launched a call for evidence in the form of a stakeholder impact survey on newly proposed changes to UK legislation on pre-market medical device and IVD requirements, as set out in the draft Medical Devices (Amendment) Regulations 2026. The survey closed on June 19, 2026 and is intended to inform the government’s future implementation of these reforms, which aim to introduce more proportionate, patient‑centered requirements while supporting access to innovative technologies. In particular, the proposals integrate software within the broader active device classification rules (rather than there being a designated classification rule on software as there currently is within the EU rules), propose additional Unique Device Identification requirements for software, and introduce the concept of “pre-determined change control plans” as a mechanism to describe future modifications to devices, including for software, and how they will be assessed. Read about some of the key proposals in our recent May 2026 BioSlice Blog

EUDAMED Registration Obligations Become Applicable. On May 28, 2026, four of the six modules of the EUDAMED, the EU centralized database for medical devices and in vitro diagnostics, became mandatory. This triggered the application of certain transparency and registration obligations under the MDR and IVDR that had been deferred until those modules became mandatory. In particular, manufacturers (including non-EU manufacturers), importers, and EU authorized representatives are now required to register in EUDAMED, obtain a Single Registration Number (SRN), and register their devices in EUDAMED before placing them on the EU market. Devices already placed on the market before May 28 must be registered in EUDAMED by November 27, 2026. In addition, notified bodies are now required to upload certificate information to EUDAMED, and EU Member States must conduct certain market surveillance activities through EUDAMED. Read our May 2026 BioSlice Blog for more details on the obligations.

Team-NB Publishes Statement on Provisional Agreement Reached by the Council and European Parliament on the Revised EU AI Rules. Team-NB (the European association of notified bodies) clarified in their statement that the provisional agreement reached between the institutions does not alter the integrated conformity assessment procedure for AI-enabled medical devices under the AI Act, and that AI Act requirements would remain directly applicable to AI-enabled medical devices and IVDs alongside the MDR and the IVDR. Additionally, Team-NB raised concerns that the extended timelines for high risk AI obligations may be insufficient to allow for the designation of AI notified bodies and completion of conformity assessments. Team-NB further warned that delays in the adoption of implementing measures and harmonized standards could create capacity constraints and lead to inconsistent implementation of the AI Act across EU Member States for AI-enabled medical devices and IVDs.

MedTech Europe Publishes Position Paper on the Revisions of the EU MDR/IVDR. In its position paper, MedTech Europe sets out that it broadly supports the proposed revisions to the MDR and IVDR, particularly the focus on simplification, risk-based oversight, and international cooperation. It also identifies several areas where further changes are needed, including a clear implementation process for integrating AI requirements into MDR and IVDR conformity assessment procedures and for consistent oversight of AI-enabled medical technologies within existing medical device market surveillance systems. In relation to software as a medical device, MedTech Europe supports the proposed amendments to the classification rules that would allow certain lower-risk software devices to remain classified as Class I. Read our December 2025 BioSlice Blog and our February 2026 Advisory for more details on the Commission’s proposals.

COCIR position paper on revisions to software medical device classification. COCIR, the European Trade Association representing the medical imaging, radiotherapy, health ICT, and electromedical industries, has published a position paper on the Commission’s proposal to revise MDR Rule 11 on the classification of medical device software. COCIR warns that several key terms remain too open to interpretation. In particular, it argues that the distinction between “informing” and “driving” clinical management in the proposal is unstable. The paper proposes alternative wording that it says addresses the challenges with the Commission’s proposals. COCIR suggests removing the words “confer a clinical benefit” from Rule 11, referring instead to whether the software is intended to “diagnose or treat patients without healthcare professional oversight.” It says the advantage of using health care professional oversight as a classification criterion is that it can be practically assessed, and it collapses the “semantically fragile ‘inform/drive’ dichotomy” in the current proposal. 

UK’s MHRA and National AI Commission Share Views on the Regulation of AI in Health Care. In a webinar on May 20, 2026, the two agencies outlined emerging views on a UK framework for regulating AI in health care. The discussion emphasized that AI challenges traditional medicines regulation given faster development, lower barriers to entry, and continuously evolving systems, and will require a more flexible regulatory framework with greater emphasis on post‑market monitoring and proportionate controls at market entry. Stakeholder engagement has highlighted four core priorities: ensuring safety and oversight; distinguishing between lower‑risk administrative uses and higher‑risk clinical applications; improving transparency and patient awareness; and establishing ongoing monitoring with clear accountability. The National AI Commission‘s recommendations are expected in autumn 2026, alongside further MHRA guidance on AI as a medical device. 

UK’s HRA Publishes Two‑Year Plan for Safe Use of AI in Health Research. The UK Health Research Authority (HRA) has published a new two-year plan on how it will help researchers use AI and new technologies to improve patient care. The plan is structured around three priorities: (1) being clear where AI development, evaluation and implementation activities qualify as research, (2) clarifying the circumstances in which health information can be accessed using AI-enabled and data driven approaches to identify and contact people about research options relevant to them, and (3) taking action to ensure that review of AI-enabled and data-driven research is appropriately informed, rigorous and consistent. Each of these priority areas is supported by workstreams with certain deliverables; for example, the HRA intends to update, as first priority, the ‘is my study research’ decision tool and supporting guidance that defines when AI activity is research. The HRA says these changes will make it simpler and faster to do health and social care research enabled by safe, AI-powered innovation. 

UK Consultation on New Standard for Digital Mental Health Technologies. The MHRA has sponsored the British Standards Institution (BSI) to develop a new standard for digital mental health technologies. The BSI has now launched a consultation on the draft standard, which provides recommendations for performing studies to generate clinical evidence involving digital mental health technologies. The standard applies to the pre-market phase and real-world data in the early implementation post-market phase. It covers factors such as controls, sample characteristics, safety, effectiveness, engagement end points, and follow-up periods. The consultation is open until June 29, 2026.

Court of Justice of the European Union (CJEU) Rules on the Prohibition of Online Pharmacy Sales. The CJEU has delivered a preliminary ruling in the case FARMAKEIO YZ & SIA O.E. v. Ypourgos Anaptyxis kai Ependyseon and Ypourgos Ygeias. (C 604/24), clarifying the limits of EU Member States’ discretion to restrict online sales of non prescription medicines under Article 85c of Directive 2001/83/EC. The case arose from Greek rules which, in practice, limited online sales of medicines to a narrow subcategory of over-the-counter medicinal products, effectively excluding most non prescription medicinal products. The CJEU held that such a restriction is incompatible with Article 85c(1) of Directive 2001/83/EC, which requires EU Member States to permit distance sales of non prescription medicinal products by authorized pharmacies, and the rules cannot be justified under Article 85c(2) on public health grounds because the conditions deprived Article 85(c)(1) of its effectiveness. The CJEU held that EU Member States may make a specific category of non-prescription medicinal products subject to conditions (for example, on account of their particular therapeutic characteristics) but only insofar as those conditions do not call into question the possibility of offering those medicinal products for sale.

Council of Europe Committee of Ministers Adopts Recommendation CM/Rec(2026)7 on the Remote and Online Provision of Medicine Products. The recommendation sets out best practices for remote and online providers of medicinal products, non-pharmacy outlets (i.e., any retail business that is authorized to sell approved non-prescription medicinal products), EU Member States, and health care professional regulatory and representative bodies. Among other measures, it recommends that remote and online providers ensure that automated medicine-selection processes, including those using AI, be evaluated against relevant standards, regularly updated, and designed to ensure patient safety. It also recommends that non-pharmacy outlets take account of the limitations of the communication channels used when designing and delivering their services. While non-binding, the recommendation serves as a framework for EU Member States to consider and implement through national policies, legislation, and regulatory practice.

Privacy Updates

MedTech Europe Publishes Feedback on the European Commission Consultation on Revised EU Cybersecurity Act. While broadly supporting the revision of the EU Cybersecurity Act, MedTech Europe calls for a more coherent and proportionate framework tailored to highly regulated sectors such as health care. In particular, they emphasized that, while strengthening the EU cybersecurity resilience is critical, any revised regime should avoid regulatory fragmentation and overlapping cybersecurity requirements for medical devices already regulated under the MDR and IVDR, while remaining practical for industry to implement. Given that medical technologies often rely on globally integrated supply chains (e.g., for software modules), MedTech Europe also called to prioritize international recognition of voluntary cybersecurity certification schemes and for the centralized EU-level publication of cybersecurity certification schemes to reduce fragmentation. Read our January 2026 Digest for more details on the Commission proposal.

MedTech Europe and Other Industry Associations Urge EU Member States to Preserve the Ambition of the Digital Omnibus. Following the publication of the Council’s compromise texts on the Digital Omnibus, a coalition of industry associations, including MedTech Europe, expressed concerns that the direction of ongoing Council negotiations could undermine key simplification measures proposed by the European Commission as part of the Digital Omnibus in relation to the General Data Protection Regulation (GDPR), cybersecurity incident reporting, cookies, and the Data Act. In particular, the joint statement calls to maintain the Commission’s targeted amendments to the GDPR (including more workable conditions for the use of personal data for AI and an innovation-enabling definition of scientific research), support for an EU-wide single-entry point for cyber incident reporting, and a more innovation-friendly approach to data and cookie rules. The joint statement notes that certain elements of the Council’s compromise texts risk weakening the proposal’s simplification objectives and urges Member States to preserve the ambition of the Digital Omnibus as discussions on the Council’s position continue.

DUAA Data Protection Complaints Requirement Takes Effect in UK. On June 19, 2026, the data protection complaints handling requirement introduced by the Data (Use and Access) Act 2025 (DUAA) came into force (read our February 2026 Advisory for more details). From that date, all controllers must have a process in place to handle data protection complaints from anyone who is unhappy with how their personal information has been handled. Controllers must provide a way for people to make complaints directly to them; for example, via an electronic complaints form or a dedicated email address, and must acknowledge complaints within 30 days and respond without undue delay. This is the last major data protection provision of the DUAA to come into force, with most of the remaining provisions having commenced on February 5, 2026. The ICO updated its guidance on handling data protection complaints on May 8, 2026. Any business processing personal data in the UK that does not already have a formal complaints process in place should treat this as an immediate priority.

UK’s ICO Consults on Draft Guidance on Automated Decision-Making. The ICO consultation on draft guidance about automated decision-making (ADM) closed on May 29, 2026. This serves to update existing guidance on automated decision-making and profiling, following the introduction of the Data (Use and Access) Act 2025. The draft guidance identifies three points when organizations must provide information about their ADM activities: when they first collect personal data; when individuals make a subject access request; and when they engage in ADM. It also notes the likely need to conduct a data protection impact assessment when engaging in ADM and emphasizes the importance of adequate mechanisms for diagnosing quality issues. Final guidance is expected in Summer 2026 and is directly relevant to life sciences companies deploying AI-enabled tools in clinical, diagnostic, or patient-facing contexts.

European Data Protection Supervisor (EDPS) Publishes Its 2025 Annual Report. The Annual Report highlights a year of increased regulatory activity, particularly in the area of AI. This includes the establishment of a dedicated AI Unit, which will serve as the market surveillance authority and notified body of the EU’s AI systems under the AI Act, the launch of an AI regulatory sandbox pilot project, and more scrutiny of international data transfers and large-scale IT systems. The report notes the growing regulatory focus on AI and data‑driven technologies, signaling heightened expectations around compliance, governance, and the handling of sensitive health data. 

IP Updates

The UK Government Responds to House of Lords’ Report on Copyright and AI. On May 15, 2026, the UK government published its formal response to the House of Lords Communications and Digital Committee’s (CDC) report on copyright and AI and the UK government’s earlier report and impact assessment (see our April 2026 Digest). While the response largely reiterates the government’s existing position, it identifies four areas of near-term focus:

  • Digital replicas: The government will launch a consultation this summer on protecting individuals against unauthorized digital replicas, recognizing that existing legal routes, including “passing off,” may offer limited protection, particularly for lesser-known artists.
  • LabelingA task force will be established to develop best practice proposals for labeling AI-generated content, with an interim report expected in autumn 2026. The government acknowledges that voluntary measures alone may be insufficient.
  • Transparency: The government will publish a review of mechanisms enabling creators to control the online use of their works, including standards, technical solutions and best practice transparency, with a view to identifying regulatory gaps. 
  • Licensing support: A working group will consider whether additional government assistance is needed to support smaller creative organizations in licensing their content and securing fair remuneration.

On the broader question of copyright reform, the government reiterates that it will not introduce legislative change unless it is confident that reform would deliver tangible economic and societal benefits. It also stops short of definitively ruling out a broad text and data mining exception, despite the CDC’s recommendation to do so.