DiGA testing against Technical Guideline TR-03161
Author: Lukas Schmidt, Software Engineer at BAYOOMED. Co-author: Alexandra Heuel, Project Manager at BAYOOMED.
With TR-03161, the Federal Office for Information Security (BSI) has introduced a comprehensive technical guideline that raises the security standards and data integrity requirements for Digital Health Applications (DiGA) and Digital Care Applications (DiPA).
The long-term aim is to increase user confidence in digital health applications. Since January 1, 2025, certification under TR-03161 has been mandatory for all DiGAs and DiPAs under Section 139e SGB V. At present, every DiGA applying for new inclusion in the register requires a certificate, and a valid BSI certificate must be submitted for the application to be formally complete.
DiGAs that are already listed in the register have no fixed transition period, but should complete the procedure as quickly as possible and report the result to the BfArM.
Time-critical implementation
The certification process itself takes 8 to 12 weeks on average; the preparation time before it depends heavily on the manufacturer's starting position. In addition, the accredited test centers (currently TÜV IT, Secuvera and PWC) have a backlog because of the large number of DiGAs listed in the BfArM portal and in the application process.
The test center assesses the product's conformity with TR-03161 against the guideline's test aspects and delivers a test report to the BSI. The BSI then takes an average of a further 3 weeks to evaluate the report, so a test should be scheduled and budgeted with sufficient lead time.

The three-part structure of the guideline
The guideline is divided into three documents:
- Part 1: mobile applications
- Part 2: web applications
- Part 3: background systems (backends)
These documents list far-reaching requirements for source code, architecture, security and infrastructure. They contain a large number of test aspects that are assigned to the requirements and must be implemented by DiGA manufacturers.
TR-03161 integrates international standards such as OWASP ASVS, MASVS and WSTG to ensure a high level of security.
Test aspects and test procedures in detail
TR-03161 structures its security specifications into technical requirements and associated test aspects. The requirements state what must be implemented; the test aspects define the concrete criteria against which fulfillment of each requirement is checked.
The key test aspect categories include:
- Architecture and design of the application
- Cryptographic implementation and key management
- Secure network communication
- Authentication and authorization
- Data protection, data security and data integrity
- System availability and reliability
The technical implementation of these requirements is tested using the following test procedures, among others:

The certification process is carried out by accredited test centers such as TÜV IT and results in a BSI certificate that is valid for 5 years. However, as things currently stand, every change to the product must be reported to the BSI, which assesses whether the change affects security; depending on the outcome, a gap test or a full recertification may become necessary.
Manufacturer associations are already criticizing this approach because it does not fit an agile software development process; the BSI has not yet issued a final statement on the matter. In addition, a C5 Type 2 attestation is required for cloud hosting.
Holistic approach for maximum security
TR-03161 takes a holistic approach to testing that encompasses all components of the DiGA. Depending on the architecture of your application, different parts of the guideline must be implemented:
- Mobile apps with a backend require Part 1 and Part 3
- Hybrid solutions with web components require all three parts
- Pure web applications require Part 2 and Part 3
Thanks to our expertise in all three areas, we offer end-to-end support from the initial analysis to successful certification – so that your DiGA is not only compliant, but also sustainably secure.
Gap analysis
DiGA manufacturers must recognize at an early stage which of these requirements are already fulfilled and where there is still a need for action. With a systematic and detailed analysis of existing security measures, data processing procedures and user interactions, we provide the basis for effective and efficient adaptation to TR-03161.
Close gaps
We draw on our experience in implementing TR-03161 to close identified weaknesses and meet the test criteria. Our structured approach to closing gaps includes: