With the rise of digitalization, medical information systems have become key components of healthcare infrastructure. These systems often manage sensitive patient data, control decision support and integrate with everything from medical record systems to national e-health services. At the same time, the requirements for how the systems are to be developed, managed and documented are tightening, not least through new regulations such as the Swedish Medical Products Agency's regulations on national medical information systems (NMI) and the recently published EU regulation on the European Health Data Space (EHDS).
For manufacturers and suppliers of digital healthcare systems, this means increased expectations for compliance, but also new opportunities for more efficient and safer healthcare services across borders. When does an information system become an NMI and what does it mean?
The Medical Products Agency's regulations HSLF-FS 2022:42, which entered into force in 2022, have raised questions for both private and public organizations that provide medical information systems at regional or national level. What actually counts as a national medical information system? Do the regulations also apply to private healthcare providers or regional solutions? What if only certain parts of a system fall within the definition?
In practice, the regulations mean that even systems previously considered as general IT solutions can now be covered by medical device regulations. Manufacturer responsibility is tightened and documentation requirements, quality management and risk management take on a whole new weight. It will be crucial to understand whether the system is classified as NMI, as medical device software or both.
EHDS - a new playing field for health data
With the EHDS Regulation (EU 2025/327), the EU is establishing a common digital structure for health data in Europe. The aim is to enable both primary use of data in healthcare and secondary use for purposes such as research, innovation and policy development.
This requires interoperability, transparency and secure access to data. Not least in systems that manage patient summaries, prescriptions or diagnostic information. From March 2029, this will be mandatory, but preparations should be made now. Understanding early on what types of data you handle and how they are affected by EHDS is a key to future-proof system development.
How to prepare your systems for EHDS
1. Map your data types in depth
The EHDS has different requirements depending on whether the data is used primarily (in care) or secondarily (e.g. research). A clear data inventory will help you understand what information is covered, what formats it takes, and what rights come with it.
2. design for interoperability, not just integration
Systems being able to talk to each other is no longer enough. Semantic interoperability is now required, meaning that data is not only transferred, but also understood in the same way. Use established standards like HL7 FHIR from the start.
3. think data security as an asset, not just an obligation
EHDS requires transparency around who has access to data and on what grounds. This makes robust access management, logging and traceability strategic tools, not just compliance requirements. Properly managed, it can build trust, both internally and externally.
It's about more than just compliance
Compliance with regulations is obvious, but the question is also: how do we build digital systems that contribute to trust, patient safety and an efficient flow of information in healthcare?
For those who want to be at the forefront, it is important to integrate quality management, information security and regulatory knowledge throughout the system lifecycle. It's not just about meeting requirements on paper, but about creating sustainable, secure and future-proof solutions that work in an increasingly complex healthcare ecosystem.
For those in the know, it becomes clear that regulations such as HSLF-FS 2022:42 require not only legal understanding, but also deep technical and operational knowledge. It is not enough to know what the regulations say, the crucial thing is to understand how the requirements affect the design, management and use of the system in practice. This requires the ability to navigate the intersection between technology, regulatory issues and everyday healthcare.
It is precisely in this space, between technology, operations and regulation, that the healthcare system of the future will be built.
Want to explore how regulation can be a driver, not a barrier? Get in touch and let's continue the conversation where it makes the most difference.
