Written by Technical Team | Last updated 10.10.2025 | 11 minute read
If the 2010s were about “there’s an app for that”, 2025 is about proving that your digital product is safe, effective, interoperable and trusted enough to sit at the heart of real care. The regulatory goalposts have moved decisively. In Europe, the EU Artificial Intelligence Act has entered its phased application, with transparency obligations for general-purpose AI models commencing in 2025 and the tougher high-risk requirements due in 2026. That matters for digital health because clinical decision support, diagnostics and workflow automation increasingly rely on AI components. Teams that treat regulation as a design input, not an afterthought, will move faster and with less risk.
The United Kingdom has set its own tone. The Medicines and Healthcare products Regulatory Agency (MHRA) has been running an “AI Airlock” sandbox since 2024, giving innovators and regulators a shared space to test risk controls for adaptive algorithms before widescale deployment. In parallel, the MHRA’s broader Software and AI as a Medical Device programme is modernising rules across the lifecycle—from qualification and classification through to post-market surveillance—so developers have a clearer route to market. This is not “lighter touch” regulation; it is smarter regulation geared to AI’s realities.
On the ground, developers shipping into the NHS face a defined baseline in the Digital Technology Assessment Criteria (DTAC). It pulls clinical safety, data protection, technical security, interoperability, and accessibility into one procurement-time checklist. For many companies this is the first proper lens through which their security model, FHIR usage, and clinical safety case are assessed by buyers. If your product doesn’t meet DTAC, it doesn’t enter the system—simple as that.
Outside the UK, regulators have also leaned into AI’s iterative nature. In late 2024 the US FDA finalised its “predetermined change control plan” (PCCP) approach, and in August 2025 it issued guidance tailored to AI-enabled device software functions. The headline for product leaders: you can now pre-authorise certain future model updates within your original clearance, provided you tightly specify the boundaries, performance monitors and rollback triggers. This validates an operating model where quality, MLOps and regulatory are welded together from day one.
The strongest signal in 2025 is the move away from standalone apps to connected care platforms. These platforms orchestrate data, decisioning and workflow across settings—primary, secondary, community and home—so care feels continuous to the patient and operationally coherent to the system. The NHS’s own direction of travel shows the pattern: the NHS App has become a national front door for repeat prescriptions, results, referrals and messaging; the government’s 10-year plan puts an “online hospital” on the roadmap; and AI-enabled ambient documentation, virtual wards and discharge automation are being industrialised into routine practice.
Practically, an AI-driven care platform bundles a handful of capabilities that used to live in separate products. The common building blocks include:
Why is this architecture winning? Because it is the only way to scale access without endlessly adding manual effort. Platforms collapse hand-offs, close loops and make good data the default. They also provide a single place to enforce privacy, security and clinical safety controls. In an environment where cyber threats are systemic and the cost of outages can be catastrophic for patient care, consolidating around resilient platforms is a patient safety strategy as much as a technology choice.
Interoperability is finally maturing from a standards conversation to an operational requirement. FHIR use in national programmes continues to expand and the NHS explicitly references FHIR as its integration standard, with GP Connect and Transfer of Care APIs enabling record access and structured messaging between settings. That consistent backbone is what lets an “app” turn into a front end on a shared care record, rather than a silo.
Across the Atlantic, the US “network of networks” called TEFCA is live, with designated QHINs providing nationwide exchange for providers, payers and public health under a common trust framework. This matters globally because vendors that operate in the US are building to TEFCA-ready APIs and trust policies—raising the floor for interoperability and information governance everywhere they sell.
Inside the EU, the European Health Data Space (EHDS) became law in March 2025, ushering in a transition phase that sets out how health data should flow for primary care and for secondary uses like research and innovation. For multinationals and cross-border studies, EHDS aligns consent, access and technical services across Member States. For developers, it signals a future in which data portability and standardised access aren’t optional extras.
The UK has, meanwhile, passed the Data (Use and Access) Act 2025—the most significant reform of domestic data law since Brexit—which aims to streamline lawful data use while preserving protections. For health and care organisations, the Act dovetails with the NHS’s interoperability and open-standards agenda and points towards clearer duties to make patient information accessible to patients and professionals. It also arrives alongside the expiration of the emergency COPI notices, a reminder that COVID-era flexibilities are gone and sustainable lawful bases are essential.
For product and data teams, the practical work now looks like this:
This is not theory. The NHS App’s scale is now material: over 37 million people are registered and more than 11 million log in each month to manage their health, including tens of millions of repeat prescriptions and results views annually. That usage isn’t just convenience—it is a demand-shaping lever and a foundation for a more proactive, data-driven relationship with patients.
At the clinical coalface, two AI-enabled patterns are moving from pilot to platform. First, ambient clinical documentation is being mainstreamed, with NHS guidance describing how these tools can improve data quality and productivity, and a London-wide trial led by Great Ormond Street Hospital demonstrating meaningful time savings and experience gains—enough to justify at-scale roll-out. Second, virtual wards continue to expand with monthly national statistics tracking capacity and occupancy, reflecting a permanent shift of appropriate care from hospital to home. Together they show how AI and remote care can collapse waiting times if embedded into pathways rather than bolted onto them.
Anchor the problem framing in clinical and system value. The strongest digital products in 2025 do not start with features; they start with bottlenecks. Where is time lost? Where are hand-offs unsafe? Where is demand unmanaged? The NHS’s 10-year plan is explicit about shifting from analogue to digital and from hospital to community, and the announced “online hospital” is a system-level answer to exactly those bottlenecks. Design briefs should trace directly back to these macro shifts. If a feature doesn’t move a queue, free bed days, or improve experience in measurable ways, it’s scope creep.
Build for platforms, not products. Apps that live or die on a single micro-interaction are fragile. Platforms, by contrast, share identity, consent, eventing and APIs across multiple experiences. In the NHS context, that means using the NHS App and NHS Login where appropriate, publishing and consuming national APIs (FHIR-based), and designing your own APIs like citizens—well-documented, versioned, monitored. The point is not to hoard data but to trade it safely for better care. TEFCA and EHDS reinforce the same direction internationally: interoperability is a constraint you should embrace, because it makes your product plug-and-play.
Treat regulation as a product surface. In an AI-heavy roadmap, your clinical safety case, your DTAC pack and your post-market surveillance plan are part of the user experience—because clinicians and procurement teams are your users too. The MHRA’s AI Airlock shows that UK regulators want to collaborate on novel risk questions; the FDA’s PCCP framework shows that iteration is possible with the right guardrails. The teams that “design for change” by instrumenting models, bounding their use, and pre-authorising drift plans will ship faster and sleep better.
Double-lock privacy and security. In health, one breach can knock out claims, pharmacies, elective lists—the lot. The 2024–2025 Change Healthcare incident in the US remains a cautionary tale: a single supplier compromise rippled across the entire system and ultimately affected data for an unprecedented share of the population. NIS2’s governance expectations, zero-trust architectures, and real incident rehearsal are not compliance box-ticking; they are essential patient-safety controls for digital services. Make supplier security due diligence, MFA everywhere, network segmentation and immutable backups part of your definition of done.
Design AI as a clinical colleague, not a black box. The World Health Organization’s guidance on large multimodal models stresses transparency, risk management and equity: clinicians must know what a system is (and isn’t) doing, and patients must not be disadvantaged by data gaps or bias. In practice that means human-in-the-loop review for high-stakes tasks, clear audit trails, calibrated uncertainty, and “off-ramps” back to standard pathways. It also means that ambient scribing, discharge summarisation and triage models should be designed to be helpful first, impressive second. When the right humans remain accountable, AI augments care rather than distorting it.
Measure what matters and publish it. The most credible digital programmes are now run like clinical services: they publish usage, outcomes and safety metrics, and they iterate. The NHS App’s monthly management information, the virtual wards statistics and the publicly reported benefits and uptake for the Federated Data Platform are examples of this transparency culture. Digital leaders should do the same—define leading and lagging indicators up front (time-to-treatment, bed days saved, DNA rates avoided, staff time released) and report them with the same rigour as clinical outcomes.
Architect for equity and inclusion. Digital should reach the people who struggle most to access care. That means designing for low digital literacy and low bandwidth, building inclusive data pipelines to reduce bias in AI models, and always offering a high-quality non-digital route. It also means involving patients and frontline staff from the beginning, not as a PR exercise at the end. The equity lens is not only ethical; it is the only way to avoid creating new failure modes where the “digital default” quietly excludes those who most need help. The policy climate in 2025—across WHO guidance, UK law and EU regulation—expects nothing less.
Make the business case boringly clear. Commissioners and boards fund outcomes, not promises. Fortunately, the evidence base is accumulating. NHS-sponsored work has shown ambient scribing can release meaningful clinician time; the NHS App’s growth has translated into large volumes of digital prescriptions and results views; and national programmes are quantifying the benefits of data platforms. Tie your bid to those levers, price against the savings, and share risk where you can.
Be relentless about change management. The blocker is rarely technology; it’s workflow. Treat roll-outs as service redesign. Train. Shadow. Fix the two clicks that frustrate clinicians. Agree who does what when the AI is unsure. Celebrate early adopters and publish small wins weekly, not just glossy end-of-pilot PDFs. The teams that succeed in 2025 behave less like app vendors and more like partners in operational improvement.
Keep an eye on the horizon. The road ahead is already visible: the NHS’s “online hospital” vision aims to make digital specialty care routine by 2027; EU AI Act obligations will continue phasing in; the EHDS transition will clarify secondary data use at scale; and the UK’s data reforms will keep evolving in step with the health system’s open standards push. For developers and provider organisations alike, the message is consistent—build for platforms, govern for trust, and measure real-world impact.
Is your team looking for help with digital health development? Click the button below.
Get in touch