Why your DiGA now needs the BSI TR-03161 certificate

Digital health applications (DiGA) must meet data security criteria in accordance with Section 139e (10) SGB V and Section 78a (7) SGB XI, and be certified with the BSI TR-03161 certificate by 2025. This is intended to protect patient data even more effectively. The obligation applies equally to DiGAs that are already listed and to current or new applications for inclusion in the DiGA directory, although the verification deadlines differ. Does my DiGA really meet all the requirements of the data security criteria? Anyone who already has an application listed in the directory must act quickly, because a BSI TR-03161 certificate must confirm correctness by January 1, 2025.

These deadlines apply to the BSI TR-03161 certification for DiGA

  • January 1, 2025

    DiGAs that are already listed must have a BSI TR-03161 certificate by this date to prove that they meet the data security requirements.

    If the deadline cannot be met, the Federal Institute for Drugs and Medical Devices (BfArM) must be contacted in advance.

    If the deadline is not met and no contact is made, the DiGA may be removed from the list.

  • June 30, 2025

    From January 1, 2025, current or new applications must also submit a BSI TR-03161 certificate in order to prove the completeness of the application and thus data security. However, there is a transitional period for new applications until the end of June 2025, during which the certificate can be submitted later in the review process. The prerequisite for this is that an appointment confirmation from the responsible certification body is provided when the application is submitted.

Your gap analysis and advice

Do you want to take matters into your own hands, but don’t know exactly how to get through the process safely? Our specialized team will guide you through all the requirements of BSI TR-03161 and ensure that your systems meet the strict security standards.

From initial assessment to full implementation, we support you in complying with this BSI Technical Guideline to protect your data and increase the trustworthiness of your DiGA.