The question isn't whether digital therapeutics (DTx) will reshape clinical practice. It's which regulatory framework you'll navigate first, and whether your organisation is prepared for the complexity beneath the headlines.
By mid-2025, 13 FDA-cleared prescription digital therapeutics existed in the United States. Across the Atlantic, Germany's DiGA system had amassed 56 listed applications and 209,000 prescriptions in just three years. Yet many practitioners still treat regulatory approval as a black box: something that happens to software, not something they need to understand. That's a costly misunderstanding.
Regulation isn't a barrier to adoption. It's the architecture of trust. As reimbursement codes expand, international frameworks mature, and payers demand evidence, knowing the landscape has become part of clinical competence. This guide cuts through the noise and gives you what you actually need to know.
The United States: FDA Momentum, Reimbursement Acceleration
FDA Clearance: The Numbers You Need
By mid-2025, the FDA had cleared 13 prescription digital therapeutics. The clearance pathway matters more than the total.
61.5% arrived via 510(k) pathway, meaning they demonstrated substantial equivalence to an existing device or DTx. These tend to be faster and less resource-intensive. The remaining 38.5% went through de novo classification, establishing new product categories when no suitable predicate existed. De novo clearances take longer but can establish competitive advantage if your DTx creates a genuinely novel category.
The FDA's TEMPO pilot (Technology-Enabled Meaningful Patient Outcomes) has begun guiding how digital health submissions are reviewed. Rather than forcing DTx into traditional medical device pathways, TEMPO recognises that software generates continuous data streams and can be updated post-launch in ways physical devices cannot. This flexibility is reshaping expectations.
Reimbursement: From Pilot to Standard Practice
Here's where regulatory clarity meets real-world adoption. In January 2025, the Centers for Medicare and Medicaid Services (CMS) introduced CPT codes G0552, G0553, and G0554 for remote patient monitoring involving prescription digital therapeutics. G0553 pays $20.06 per 20-minute evaluation period. G0554 pays $19.73. Modest numbers, perhaps, but the infrastructure matters.
By November 2025, CMS expanded these codes to cover ADHD digital therapeutics specifically. This signals a pattern: payers will gradually add disease categories rather than open a floodgate. If your DTx targets depression, ADHD, or substance use disorder, reimbursement conversations are worth having now.
The uptake trajectory is steep. In Q1 2025, practitioners reported billing these codes for 99 patients. By Q3 2025, that figure reached 446 patients. The graph is climbing.
Beyond CMS, Cigna announced coverage of FDA-approved digital therapeutics in September 2025, and others will follow. Private payers move faster than government programmes once a regulatory pathway is proven. This matters for your clients' out-of-pocket costs and for the commercial case you make to purchase digital tools.
The Access to Prescription Digital Therapeutics Act (H.R.3288, introduced in 2025) aims to ensure Medicare beneficiaries can receive prescribed DTx without burden of prior authorisation. It hasn't passed into law at time of writing, but its presence signals congressional intent. Advocacy momentum is real.
HIPAA Compliance: The Technical Baseline
For any therapy app or DTx handling patient data, HIPAA isn't optional. It's the floor.
Encryption is non-negotiable. AES-256 standard or equivalent protects data at rest. All data in transit requires TLS 1.2 or higher. These aren't suggestions; the Office for Civil Rights (OCR) expects them.
Business Associate Agreements (BAAs) must be in place if the DTx vendor is handling protected health information on your behalf. Many practitioners skip this step, falsely assuming a consumer app is exempt. It isn't, if it touches patient data and you're processing it in a clinical context.
Audit trails matter. Every access to patient records must be logged, timestamped, and reviewable. The OCR investigates breaches by examining whether staff could have identified unusual access patterns.
Perhaps the least obvious requirement: psychotherapy notes must be separated from the medical record. If you're using DTx for mental health treatment, session notes and clinical assessments live in a different file than other health information. This granular access control isn't bureaucratic theatre; it reflects a deliberate privacy hierarchy.
Breach notification follows a 60-day timeline. If you discover a breach affecting 500+ individuals, media notification is required. These aren't theoretical scenarios; they're part of operational governance for any digital health vendor or practitioner using digital tools at scale.
The European Union: MDR, GDPR, and Fragmentation
Medical Device Regulation and DTx Classification
The EU's Medical Device Regulation (MDR, enforceable since 2022) treats digital therapeutics as Software as a Medical Device (SaMD) under Rule 11. The framework doesn't classify all DTx equally.
Class IIa devices: those providing diagnosis or therapeutic advice based on input data. This is where most behavioural health and monitoring DTx land.
Class IIb devices: those managing serious health conditions or where failure could pose significant harm. An ADHD management app sitting here.
Class III devices: those involving decision-making on life-or-death interventions, or where failure could cause irreversible harm. Few DTx reach this class, but it's theoretically possible for intensive interventions.
Classification determines your evidence burden. A Class IIa device requires technical documentation and clinical validation, but a single clinical trial may suffice. Class IIb devices demand more robust clinical data and usually require a Notified Body (independent third-party reviewer) to assess your dossier. The timeframe expands from months to years. The cost balloons from tens of thousands to hundreds of thousands of euros.
The EU HTAR (Health Technology Assessment Regulation) is worth monitoring. Starting in 2026, this framework enables joint clinical assessments for select high-risk devices across member states. For a DTx developer seeking EU-wide adoption without repeating health technology assessment submissions country-by-country, HTAR offers a potential shortcut. For practitioners, it means future DTx entering the European market will have been vetted to a higher, harmonised standard.
GDPR: Privacy Without Compromise
Strictly speaking, GDPR isn't a medical device regulation. It's something more fundamental: a law that assumes your DTx is harvesting personal data, and you must justify every field you collect.
Mandatory Data Protection Impact Assessments (DPIAs) are required before you deploy any DTx that processes sensitive health data. This isn't a checkbox exercise. A genuine DPIA identifies risks, proposes mitigations, and documents your thinking. If you can't articulate why you're collecting menstrual cycle data, social media usage patterns, or location information, you're collecting too much.
Breach notification must occur within 72 hours of discovery. This is faster than HIPAA's 60-day window. If a vendor can't commit to 72-hour notification protocols, that's a red flag.
The right to erasure is absolute. Any individual can request their data be deleted, with limited exceptions for legitimate legal obligations. Your DTx must have built-in data deletion functionality, and your vendor agreements must guarantee this can happen. Cold storage systems that make deletion difficult are a problem.
For practitioners using DTx, these aren't abstract compliance issues. They're the foundation of informed consent conversations. Your clients need to understand what data is collected, where it's stored, who can access it, and how long it persists. GDPR forces you to have those conversations explicitly.
Germany's DiGA: The Mature Model
Germany's Digital Health Applications (DiGA) scheme is the world's most mature regulatory pathway for prescription digital therapeutics. It's also the most instructive model for understanding how DTx adoption scales.
DiGA By the Numbers
As of late 2025, 56 applications were listed on the DiGA register. Of these, 48 hold permanent status (post-launch evidence has met ongoing performance criteria), and 8 remain provisional (still gathering evidence to demonstrate continued benefit).
The mental health category dominates. Depression, anxiety, and PTSD applications outnumber other therapeutic areas by a factor of roughly 3:1. This isn't incidental; it reflects the evidence base and the lower regulatory burden for behavioural health compared to medical diagnoses.
Prescriptions tell the adoption story. In 2020/21, the year DiGA launched, practitioners issued 41,000 prescriptions. By 2022/23, that number had grown to 209,000. A fivefold increase in two years suggests that once practitioners become aware of reimbursed digital options, adoption accelerates.
Pricing and the Reimbursement Model
DiGA apps launch at practitioner-set prices. Initial pricing ranged from €200 to €700, with a median of €514. That's higher than most consumer apps but lower than traditional medical devices.
Here's the wrinkle: statutory health insurance funds (Krankenkassen) negotiate prices downward post-launch. After negotiation, the median price fell to €221. Some apps accepted steeper cuts; others fought to maintain higher pricing by demonstrating superior evidence.
Starting in 2026, the model changes. DiGA reimbursement will now include mandatory outcomes monitoring. Practitioners must contribute data on whether clients are actually benefiting. Class IIb devices (the higher-risk category) become eligible for DiGA listing for the first time, expanding the pathway beyond lower-risk behavioural health applications.
The game-changing change: minimum 20% of reimbursement will be tied to performance metrics. If an app fails to demonstrate client improvement on agreed outcomes, the payer reduces payment. This transforms DiGA from "pay once and we're done" to "pay based on results."
For practitioners evaluating DTx, this is crucial context. German-listed apps have survived market testing. They've demonstrated not just regulatory compliance but actual clinical utility at scale. That track record transfers some confidence internationally.
UK, France, and the Patchwork Beyond
United Kingdom: NICE Standards Without Regulatory Teeth
The UK's NICE Evidence Standards Framework (originally 2018, updated in August 2022 specifically for AI and digital health) provides tiered guidance for evaluating digital applications. Rather than approving or rejecting DTx, NICE offers a risk-based assessment framework that the NHS uses when deciding whether to fund or recommend tools.
This is elegant in theory. Risk is tiered. A low-risk DTx for self-monitoring needs less evidence than a high-risk diagnostic tool. Practitioners and commissioners can quickly see what bar each category must clear.
In practice, the framework shows its age. It lacks adaptability for the pace of software innovation. A DTx that performs well in last year's evidence standard might need re-evaluation if a newer competitor arrives. The framework also relies heavily on randomised controlled trials, which remain the gold standard for evidence but can be slow and expensive for software-based interventions. Real-world evidence (RWE) from continuous deployment and use data gets incorporated, but cautiously.
For practitioners in the UK, this means DTx adoption depends heavily on whether local integrated care boards (ICBs) have adopted specific tools or whether they're willing to fund via existing pathways. Reimbursement is fragmented and slower than in Germany or the US.
France: PECAN and the 90-Day Model
France's PECAN (Parcours d'Évaluation et de Couverture des Applications Numériques) launched in March 2024. It's an interesting middle path between the FDA's regulatory approval and Germany's live market testing.
PECAN offers a 90-day evaluation window followed by potential early access coverage for up to 12 months while ongoing data collection occurs. If the DTx demonstrates benefit, permanent reimbursement follows. If not, it exits the programme.
Reimbursement figures are specific: €435 for the initial setup plus €38.30 per month, with an annual cap of €780. This is meaningful reimbursement, unlike nominal codes that don't cover actual delivery costs.
Early results are sobering. By early 2025, only 11 dossiers had been submitted to PECAN. Of those completed, 7 received opinions, and only 3 were favourable. The pathway isn't a rubber stamp; it's genuinely evaluating benefit.
This tells practitioners something important: just because a DTx passes regulatory review in one country doesn't guarantee reimbursement in another. Reimbursement bodies want locally relevant evidence of clinical utility. One-size-fits-all adoption is a myth.
FDA and AI: The Emerging Frontier
In November 2025, the FDA's Digital Health Advisory Committee convened to discuss AI-powered mental health devices. These aren't simple algorithms running a predefined intervention; they're systems that learn, adapt, and generate responses in real time.
The committee raised concerns that practitioners and vendors should take seriously. Algorithmic bias: if training data underrepresents certain demographics, the DTx will perform worse for those populations. Hallucination: generative AI systems sometimes produce plausible-sounding but false recommendations. Sycophancy: AI models trained to optimise for user satisfaction might agree with harmful ideation rather than challenge it therapeutically.
These concerns aren't regulatory obstruction. They're the beginning of real governance for AI-powered therapy. The FDA will likely require vendors to submit evidence of bias testing across demographic groups, validation that the AI doesn't generate dangerous misinformation, and safeguards against misuse.
For practitioners considering AI-powered DTx, ask vendors directly about these tests. If they haven't conducted demographic bias analysis, they're not ready for deployment in a real population.
What Practitioners Should Ask Vendors
Regulatory compliance is necessary but not sufficient. When evaluating a DTx, here are the questions that separate mature vendors from early-stage ones.
On regulatory status: Has this DTx been cleared or approved by relevant regulatory bodies in the jurisdictions where you'll use it? FDA clearance, CE mark, or DiGA listing? Don't accept promises of future approval; you need proof of current compliance.
On reimbursement: What CPT codes or equivalents does this DTx use? Has the vendor worked with payers? Is there a direct reimbursement pathway, or will you be billing for clinical time rather than the DTx itself? What's the expected client out-of-pocket cost?
On data handling: What encryption standards are in place? Who's the Business Associate, and is a BAA signed? Where is data stored geographically, and does it meet GDPR or HIPAA? How is psychotherapy content separated from other health data? What's the data deletion timeline if a client requests erasure?
On evidence: What clinical trial data supports this DTx? Is it published in peer-reviewed journals? Have real-world outcomes been collected, and is that data available? For AI-powered DTx, has demographic bias testing been conducted?
On updates: How often is the software updated, and what's the update process? Does the vendor conduct post-market surveillance? Are there version control protocols so you know what changed between releases?
On practitioner workflows: Does this DTx integrate with your existing electronic health record system? What's the onboarding process for your team? Is training provided, and is it evidence-based or marketing?
These conversations take time, but they're cheaper than discovering compliance gaps after deployment.
The Horizon: 2026 and Beyond
The regulatory landscape for digital therapeutics in 2026 is simultaneously more mature and more fragmented than it was five years ago.
In the US, the combination of FDA TEMPO guidance, expanded CMS codes, and private payer adoption suggests that practitioners will have access to more reimbursed DTx options than they do today. The barrier isn't regulatory approval; it's keeping up with which tools meet which criteria.
In the EU, the HTAR framework may finally offer a harmonised pathway for serious DTx, reducing the burden of country-by-country submissions. But until it's operational, fragmentation persists. A DTx that's approved in Germany may require separate evidence for France, which requires separate processes for the UK.
Germany's mandatory outcomes monitoring and performance-linked reimbursement (2026 onwards) will reshape the entire European market. Only DTx that genuinely improve client outcomes will survive. This is good news for practitioners; it means digital tools reaching the market have been stress-tested.
Generative AI continues to blur the boundary between DTx and general consumer apps. Regulators are still grappling with how to oversee systems that learn and adapt. Expect more guidance from the FDA, EMA, and national bodies before the end of 2026.
The biggest shift isn't technical; it's cultural. Five years ago, practitioners treated DTx as experimental extras. Today, they're asking which tools to prescribe and how to integrate them into clinical workflows. Reimbursement is normalising adoption. Regulation is formalising the evidence bar.
For organisations considering digital therapeutics, the time for "wait and see" has passed. The regulatory clarity is sufficient. The evidence base is building. The reimbursement infrastructure exists. What remains is deciding which tools fit your client population, understanding the compliance requirements, and building the workflows to make between-session engagement real.
References
- Centers for Medicare and Medicaid Services (2025). "Remote Patient Monitoring with Prescription Digital Therapeutics." CPT Codes G0552, G0553, G0554. CMS.gov.
- Cigna Healthcare (September 2025). "Coverage Announcement: Prescription Digital Therapeutics." Press Release.
- European Commission (2017, updated 2022). "Regulation (EU) 2017/745: Medical Device Regulation (MDR)." EUR-Lex.
- European Commission (2024). "Health Technology Assessment Regulation (HTAR): Joint Clinical Assessment Framework." Press Release.
- FDA Digital Health Advisory Committee (November 2025). "Summary Minutes: Artificial Intelligence in Mental Health Devices." FDA.gov.
- FDA Centre for Devices and Radiological Health (2024). "TEMPO Pilot Program: Technology-Enabled Meaningful Patient Outcomes." Guidance Document.
- French Ministry of Health (2024). "PECAN Programme: Digital Health Applications Evaluation and Coverage." ANSM Documentation.
- German Federal Institute for Drugs and Medical Devices (BfArM) (2025). "DiGA Register and Reimbursement Data: 2020-2025." DiGA Register Database.
- HIPAA Security Rule, 45 CFR Parts 160 and 164 (2003, updated 2024). U.S. Department of Health and Human Services.
- NICE (National Institute for Health and Care Excellence) (2022). "Evidence Standards Framework for Digital Health and Care Technologies." NICE.org.uk.
- Office for Civil Rights, U.S. Department of Health and Human Services (2021). "Security Risk Assessment Tool and Guidance." HHS.gov.
- Regulation (EU) 2016/679: General Data Protection Regulation (GDPR). EUR-Lex.
- U.S. Congress (2025). "Access to Prescription Digital Therapeutics Act." H.R.3288. Congress.gov.