Software as a Medical Device — when does MDR Rule 11 apply?

Under Regulation (EU) 2017/745 (MDR) Annex VIII Rule 11, software providing information for diagnostic or therapeutic decisions is by default Class IIa, escalating to Class III when an irreversible health impact or death is possible, Class IIb when serious health deterioration or surgical intervention is possible. Software monitoring vital physiological parameters is Class IIa, Class IIb if variations could pose immediate danger. The classification decision tree follows MDCG 2019-11 guidance. Class IIa or above requires a notified body — CE certification project takes 6-14 months.

What is EUDAMED and what's the 2026 deadline?

EUDAMED is the EU's central database for MDR / IVDR medical devices. Per Commission Decision (EU) 2025/2371 (27 November 2025), four modules become mandatory from 28 May 2026: Actor registration, UDI/Devices, Notified Bodies + Certificates, Market Surveillance. New devices must be registered before being placed on the EU market; devices already on the market must be registered by 28 November 2026. This applies even to software-only devices (SaMD).

GDPR — what does Article 9 mean for healthcare software?

GDPR Article 9 treats health data as a special category of personal data. Processing is forbidden by default and only allowed under specific legal bases — for example Art. 9(2)(h) (healthcare or social care provision), explicit consent (Art. 9(2)(a)), legal mandate (Art. 9(2)(b)). The architectural consequences are strict access control, audit logs, row-level encryption, pseudonymisation in test environments, EU-region data. Hungary's NAIH supervises strictly. Maximum fine: EUR 20M or 4% of global turnover.

How does the software integrate with NEAK code systems?

NEAK (Hungary's National Health Insurance Fund) maintains two main code systems: BNO-10 (the Hungarian ICD-10) and OENO (Orvosi Eljárások Nemzetközi Osztályozása — procedure codes). Regulation 9/2012. (II. 28.) NEFMI defines outpatient specialist financing including the OENO competence list. We ship a coded-dictionary module by default with BNO-10 and OENO lookup, validation, and output compatible with the monthly NEAK financing report.

How much does a healthcare project cost?

EESZT module (e-prescription, referral, episode catalogue): 8-14 weeks, HUF 4-12M. NEAK code system + financing report pipeline: 6-10 weeks, HUF 3-9M. SaMD (Class IIa) MDR project + Annex II technical documentation + EUDAMED registration: 6-12 months, HUF 28-75M (notified body fees separate). Class IIb SaMD: 9-18 months, HUF 50-130M. Telemedicine / clinical decision-support MVP: 4-7 months, HUF 18-45M. Exact quote after a 30-minute scoping call.

EESZT · MDR · EUDAMED · NIS2 · GDPR Art. 9

Software development for healthcare

EESZT integration, MDR Rule 11 SaMD certification, EUDAMED registration by 2026-05-28, GDPR Article 9 special-category data, EU-region deploy. Hungarian Kft. partner working with hospitals and private MedTech companies. Last updated 2026-05-04.

Request a healthcare scoping call

30-minute consultation

TL;DR

Hungarian EESZT connection mandatory since 1 January 2020 for public and private providers (39/2016 EMMI).
SaMD Class IIa+ requires a notified body audit under MDR Rule 11 — 6-14 month CE project.
EUDAMED 4 modules mandatory from 2026-05-28 (Commission Decision (EU) 2025/2371) — new devices register before placement.
Health data is a GDPR Article 9 special category — strict access control, EU-region deploy, audit log, encryption-at-rest.
Healthcare project ranges: HUF 3-130M depending on scope, with EESZT MITELL and EUDAMED registration support.

Pain map — hospital and MedTech reality

Concrete, documented problems we've met at customer level.

EESZT MITELL certification — 8-12 week audit

EESZT connection per regulation 39/2016. (XII. 21.) EMMI requires a MITELL certificate. The test environment is stable, but integration audit and reference testing depend on the ÁEEK / EESZT operations team — schedules slip.

MDR Rule 11 reclassification Class I -> Class IIa

Many older 'no-device' health apps became Class IIa under MDR. Notified body audit, clinical evaluation report (CER), Annex II technical documentation are now required — a dramatic uplift in time and cost.

EUDAMED registration push to 2026-05-28

Commission Decision (EU) 2025/2371 makes 4 EUDAMED modules mandatory from 28 May 2026 (Actor, UDI/Devices, NB Certificates, Market Surveillance). Many small MedTech companies aren't prepared.

GDPR Article 9 + EU-region data residency

Hungary's NAIH and the NIS2 essential-entity rule both require health PII in EU-region, audit-logged, encryption-at-rest storage — not AWS us-east, not Cloudflare global cache.

DICOM / HL7 FHIR / IHE XDS — ad-hoc integration

Legacy HIS (MedSol, GlobeNet, eMedSolution) speak DICOM and HL7 v2; new EESZT and EHDS interfaces are HL7 FHIR R4 + IHE XDS.b. You need pipe-shaped middleware between the two worlds.

Regulatory landscape for healthcare software

Regulation	Applicable	Scope	Penalty
MDR — Reg. (EU) 2017/745	Applicable 2021-05-26	Software-as-Medical-Device, Annex VIII Rule 11	Member-state sanctions, market withdrawal
EUDAMED mandatory use	2026-05-28 (4 modules)	Actor, UDI/Devices, NB Certificates, Market Surveillance	Cannot place device on market
GDPR — Reg. (EU) 2016/679	2018-05-25	Art. 9 special-category health data	<= EUR 20M or 4%
39/2016. (XII. 21.) EMMI regulation	In force (amended)	EESZT connection, public + private providers	Authority sanctions
NIS2 — Dir. (EU) 2022/2555	HU 2026-01-06	Healthcare = essential entity (Annex I)	>= EUR 10M or 2%
EU AI Act — Reg. (EU) 2024/1689	2026-08-02 high-risk	Clinical decision-support, emergency triage (Annex III)	<= EUR 15M or 3%

Healthcare integration matrix

System	Protocol	Note
EESZT (Episode catalogue, e-prescription, e-referral)	SOAP + IHE XDS.b	MITELL certification, regulation 39/2016 EMMI.
HL7 FHIR R4 / R5	REST + JSON	Next-gen interop, EHDS — European Health Data Space.
DICOM (PACS, modalities)	DICOM C-STORE / WADO-RS	Imaging data, modalities, archive systems.
HL7 v2.x (legacy HIS)	MLLP + ER7	MedSol, GlobeNet, eMedSolution and similar legacy HIS.
NEAK code system (BNO-10, OENO)	REST + CSV publication	9/2012. NEFMI regulation financing reports.
EUDAMED Actor / UDI modules	REST + SPOR	Mandatory registration from 2026-05-28.
GS1 DataMatrix UDI-DI / UDI-PI	GS1 standard	Device identification, traceability.

Why pick us for a healthcare project

EESZT MITELL + EUDAMED experience

Certification process per regulation 39/2016 EMMI, EUDAMED Actor/UDI registration — with project management, not just code.

EU-region deploy + on-prem

AWS Frankfurt / Azure West Europe / on-prem hospital data centre. GDPR Art. 9 audit log, encryption-at-rest, pseudonymised staging.

NIS2 + AI Act compliance built in

Healthcare is essential entity (NIS2 Annex I); clinical decision-support is high-risk (AI Act Annex III). We ship documentation templates by default.

DICOM + HL7 FHIR + IHE XDS

Both legacy (HL7 v2, DICOM C-STORE) and modern (FHIR R4, IHE XDS.b) interop — we've shipped both.

Healthcare project pricing

Our published project ranges (see /pricing.md). Notified body / clinical evaluation fees are separate.

· EESZT module: 8-14 weeks, HUF 4-12M
· NEAK BNO-10/OENO + financing report: 6-10 weeks, HUF 3-9M
· SaMD Class IIa MDR project + EUDAMED: 6-12 months, HUF 28-75M
· Class IIb SaMD (notified body audit): 9-18 months, HUF 50-130M
· Telemedicine / clinical decision-support MVP: 4-7 months, HUF 18-45M
· Compliance retainer: HUF 0.4-1.5M / month

Talk in person, near our office

Call +36 30 098 0767, email balint@appforge.hu, or drop in.

Budapest office: Bank Center, Szabadság tér 7., 1054 Budapest, 1st floor, office 112. Mon-Fri 9:00-18:00 by appointment.

Official sources

Last updated 2026-05-04. This page does not replace legal or clinical advice.

Related internal links: EU AI Act checklist · NIS2 checklist · Services.

GYIK

Healthcare — frequently asked

EESZT (Elektronikus Egészségügyi Szolgáltatási Tér) is Hungary's central electronic health platform under regulation 39/2016. (XII. 21.) EMMI. Since 1 January 2020 both publicly and privately funded healthcare providers are obliged to connect — submitting prescriptions, referrals, episode catalogues. A new EESZT connection (module build + MITELL certification + integration tests) typically takes 8-14 weeks depending on how deeply the existing hospital information system (HIS) supports SOAP / IHE XDS interfaces.

Kapcsolódó megoldások

Let's start the healthcare scoping call

In 30 minutes we map the EESZT / MDR / EUDAMED gaps and give you a tight estimate.

Request a healthcare scoping call →30 perc ingyenes konzultáció