By Marcelina Sługocka, attorney-at-law, TMT/IP, Addleshaw Goddard

Poland’s health tech market is expanding rapidly, in line with global trends. Worldwide, digital health is projected to surpass $300 billion by 2025, growing at a compound annual growth rate of 16–22%. With its large patient base and accelerating digitalisation, Poland is well-positioned to capture a meaningful share of this growth.

At the same time, health tech – or more broadly, digital health – is a highly regulated market. Data protection laws, medical device regulations, telemedicine standards, AI governance, and cybersecurity frameworks collectively shape the pathway of health tech innovations to patients. These regulations are a double-edged sword: while they build trust and market confidence, they also impose compliance costs and delays.

Data privacy
Digital health systems handle sensitive personal data, so compliance with data protection law is fundamental. The EU General Data Protection Regulation (GDPR) applies directly and treats data concerning health as a special category of personal data (Article 9) that may be processed only on narrow legal grounds and with strict safeguards, while Polish health regulations add a further layer.

Health tech companies, typically as controllers (or as processors where they act on a hospital's behalf), must implement a robust data protection and security programme, including:

  • Privacy by design and by default: collect only what is necessary for the stated purpose, pseudonymise data where possible (keeping the re-identification key separate from the dataset), and encrypt data both at rest and in transit
  • Documented risk assessments: carry out a data protection impact assessment (DPIA) where processing is likely to result in a high risk, which large-scale processing of health data generally is
  • Incident response plans: have a tested plan for handling personal data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach and informing affected patients where the breach poses a high risk to them

These measures are part of a broader commitment to GDPR compliance, which also includes ongoing staff training, implementing appropriate technical and organisational safeguards, and ensuring individuals’ rights are respected.

While compliance requires effort, it can also become an asset. A controller that can demonstrate GDPR-compliant patient protection will inspire greater confidence from hospitals, insurers, and users than one that cuts corners. Compliance also mitigates exposure to significant regulatory fines, which can reach up to €20 million or 4% of annual global turnover, whichever is higher.

When software becomes a medical product
Medical device regulations can pose hurdles but also enhance product credibility. In the EU, the Medical Device Regulation (MDR) treats software with a medical intended purpose (for example diagnosis, prevention, monitoring, prediction, prognosis or treatment of disease) as a medical device in its own right, subject to the same conformity rules as hardware. Every device must be classified by risk (Class I for the lowest risk, then IIa, IIb and III for the highest) and, after a successful conformity assessment, carry a CE mark before it can lawfully be placed on the EU market.

In practice, this means many health tech apps and platforms require certification. Software is classified under MDR Rule 11, which places most clinical software in Class IIa or above: an app that only stores or displays data without informing a diagnostic or therapeutic decision may fall outside the MDR altogether or qualify as a low-risk Class I device (for which the manufacturer can self-declare conformity), whereas a machine-learning system that analyses X-rays or recommends insulin doses is at least Class IIa, and Class IIb or III where a wrong output could cause serious deterioration or death, in each case requiring a conformity assessment by a notified body.

In Poland, the Office for Registration of Medicinal Products, Medical Devices and Biocidal Products (URPL) enforces these rules, and every medical device must be registered locally. The Polish Medical Devices Act also introduced mandatory online registries for device distributors and professional users, with penalties and other consequences for non-compliance. Although these procedures add time and expense to bringing a product to market, they also signal quality and reliability.

Cybersecurity
Cybersecurity is a growing focus in health tech. Poland's Act on the National Cybersecurity System of 2018, which implemented the EU's original NIS Directive, required operators of essential services, including hospitals and other healthcare providers, to adopt cybersecurity risk-management measures and report serious incidents to the competent national CSIRT. The NIS2 Directive expands this framework, and Poland is still in the process of transposing it into national law. Several draft versions of the implementing legislation are in circulation; whatever the final text, the new rules will extend risk-management and reporting duties to a broader range of entities, with a 24-hour early warning and a 72-hour incident notification to the authorities, and personal accountability for management bodies. NIS2 itself lists healthcare providers among essential entities and manufacturers of medical devices among important entities, so the updated framework is likely to cover more digital service providers and selected tech companies, potentially encompassing many health tech enterprises. In short, the rules on cybersecurity in Poland are about to tighten.

Health tech firms should prioritise cybersecurity now, rather than later. Key measures include:

  • Encrypting patient data at rest and in transit
  • Conducting regular security audits
  • Patching systems promptly
  • Establishing a clear, rehearsed incident-response plan that also meets the statutory reporting deadlines

Health tech companies that can demonstrate strong cyber hygiene will have an edge with hospitals and investors, who are increasingly aware of the damage ransomware attacks can cause. In effect, legal compliance can become a competitive advantage – cybersecurity measures can serve as a selling point, showcasing a product’s trustworthiness in an age of hacking and data theft.

AI in Health Tech
The regulatory environment for artificial intelligence (AI) in health tech is evolving rapidly. The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive legal framework for artificial intelligence worldwide. It aims to ensure the safe development and use of AI systems while fostering trustworthy AI in Europe.

The EU AI Act introduces a risk-based framework with four tiers: prohibited (unacceptable-risk) practices, high-risk systems, systems subject only to transparency duties, and minimal-risk systems. Solutions used for diagnosis, triage, or clinical decision support generally fall into the high-risk category, not because of their clinical purpose as such but because the Act classifies as high-risk any AI system that is a medical device (or a safety component of one) under the MDR and requires third-party conformity assessment, which is the case from Class IIa upwards. High-risk systems must meet rigorous requirements both before and after market entry. Companies need to focus on:

  • Lifecycle risk management with ongoing monitoring and timely updates
  • High-quality, representative training data to minimise bias
  • Comprehensive bias testing and validation
  • Effective human oversight to ensure accountability and safety
  • Accuracy, robustness and cybersecurity (Article 15), including protection against attempts to manipulate the model through data poisoning, model poisoning or adversarial inputs
  • Automatic logging of the system's operation and technical documentation sufficient to support a conformity assessment

When AI systems are used for medical purposes – such as diagnosis or treatment – they must comply with both the AI Act and the MDR, creating a dual regulatory track with overlapping obligations. The AI Act allows the two to be assessed together: a high-risk AI medical device goes through the MDR conformity assessment with the AI Act requirements folded in, but the technical documentation and post-market monitoring must satisfy both regimes. By proactively integrating these compliance measures, health tech businesses can reduce regulatory risk and signal their commitment to quality and safety.

Conclusion
Poland offers fertile ground for digital health innovation, but success requires legal savviness. Regulations on data protection, device safety, cybersecurity, and AI can pose genuine hurdles, potentially slowing a project if overlooked. At the same time, these rules build market trust – a secure and compliant product is more likely to gain acceptance.

Savvy companies will integrate compliance into their product strategy from the outset. By planning ahead, health tech businesses can turn Poland’s regulatory framework into a competitive advantage. While these investments require time and money, they enhance trust, improve procurement opportunities, and increase valuation, transforming compliance into a growth enabler.