Built for healthcare & medtech

ComplyOne-Pulse

Patient data requires more than good intentions.

Healthcare companies face GDPR for patient data and NIS2 for digital infrastructure — both are actively enforced. Add AI Act for clinical algorithms and the regulatory surface is wider than most providers realise.

Why healthcare cannot rely on consent and good faith

Health data is the most sensitive category of personal data under GDPR — and it is exactly what healthcare and medtech companies must process to deliver care. Add NIS2 cybersecurity obligations for digital infrastructure, AI Act high-risk classification for clinical decision support, and an unforgiving enforcement environment, and the cost of a non-compliant programme is measured in millions, plus the reputational damage that compounds for years.

What's included in ComplyOne-Pulse

The regulations that matter most for healthcare and medtech companies — covered, mapped to your business, and tracked over time.

GDPR

Special-category health data — explicit lawful basis required, mandatory DPIAs, strict retention rules. Article 9 sets a much higher bar than ordinary personal data.

NIS2

Healthcare is named as an essential sector. Hospitals, clinics, diagnostic providers and major medtech vendors face direct NIS2 obligations from October 2024.

EU AI Act

AI used in medical devices, clinical decision support, triage and diagnostics is high-risk. Annex III explicitly lists access to essential health services as a high-risk category.

Swiss FADP

Swiss healthcare providers face FADP with its high-risk profiling provisions and personal liability up to CHF 250 000. Cross-border data flows trigger additional rules.

How ComplyOne-Pulse works

1. Onboard in minutes

Answer 5 questions about your business — sector, locations, data flows. No account needed for the free check.

2. Get your compliance map

See exactly which regulations apply to your business, where the gaps are, and what severity each carries.

3. Act on it

A prioritised task list, document templates, and an audit-ready evidence pack — guided through to a defensible compliance baseline.

Daily regulatory horizon scanning

ComplyOne scans EU regulatory sources every day — directives, implementing acts, regulator guidance, enforcement notices. When something changes that affects your obligation map, you get a structured alert: what changed, why it applies to you, and what you need to do. No more discovering enforcement deadlines from a news headline.

How to approach healthcare and medtech companies compliance

1. Run a DPIA for every patient-data flow

Article 9 health data effectively always meets the high-risk threshold for a Data Protection Impact Assessment. This is not optional best practice — it is a documented legal requirement, and it is the first thing a regulator asks to see.

2. Classify clinical AI under the AI Act

Software intended to inform a clinical decision is high-risk under both the AI Act and the Medical Device Regulation. The two frameworks have overlapping but distinct obligations — risk management, human oversight, technical documentation, post-market monitoring, EU database registration.

3. Lock down your NIS2 cyber risk programme

Healthcare is essential under NIS2 Annex I — meaning the highest tier of cybersecurity obligations: documented risk management, incident reporting (early warning within 24 hours, full report within 72), supply-chain security, and management-body liability for failures.

4. Manage processor and joint-controller relationships

Healthcare workflows typically involve a chain of processors — EHR vendors, lab systems, billing services, imaging archives, telemedicine platforms. Each needs a documented Article 28 contract, sub-processor controls and breach-notification commitments tight enough to satisfy the 72-hour GDPR window.

5. Document data flows for cross-border and research scenarios

Multi-site clinics, cross-border telemedicine, research collaborations, registry submissions — all create transfer scenarios that need Standard Contractual Clauses, Transfer Impact Assessments, and explicit lawful basis. Get this wrong and a research grant becomes a regulatory incident.

Swiss-hosted

All data hosted in Switzerland — outside US data-access frameworks.

10 EU regulations

GDPR, AI Act, NIS2, DORA, FADP, UK GDPR, Data Act, CSRD, AMLR, CRA — one platform.

Daily horizon scanning

Regulatory changes alerted, mapped to your obligations, every day.

Frequently asked questions

Are we automatically NIS2-essential because we are a hospital?

Most hospitals are essential under NIS2 Annex I, yes. The thresholds vary by member state but cover any healthcare provider that meets the size criteria — typically larger than a small clinic. Even smaller providers may be classified as 'important' rather than 'essential', which still carries substantial obligations. National competent authorities maintain the registers.

Does the AI Act apply if our AI is already a CE-marked medical device?

Yes — both regimes apply. The AI Act provides for a degree of integration with the Medical Device Regulation framework, but it adds additional obligations: AI risk management, human oversight design, post-market AI monitoring, and EU AI database registration on top of MDR. ComplyOne maps the dual-regime obligations and helps avoid duplicated effort.

What lawful basis covers patient data processing?

Multiple bases run in parallel. Provision of healthcare and management of health-or-social-care systems (Article 9(2)(h)) covers most direct care. Public interest in public health (Article 9(2)(i)) covers some scenarios. Research has its own basis (Article 9(2)(j)). Consent is rarely the right basis for primary clinical care, despite being the most commonly assumed.

How does ComplyOne handle the 24-hour and 72-hour reporting timelines?

ComplyOne provides incident-report templates aligned to the NIS2 timelines (24-hour early warning, 72-hour full notification, 1-month final report) and the GDPR 72-hour breach window. Structured workflows ensure you capture every required field before submission, avoiding the late-amendment scenarios that compound regulator scrutiny.

How quickly can a healthcare provider get started?

The compliance check takes about 5 minutes and produces your applicable-regulations map. Healthcare programmes typically take longer than other sectors to reach a defensible baseline because of DPIA depth and clinical-AI documentation — plan for 4 to 6 weeks of structured work, with ComplyOne tracking progress and surfacing the highest-risk gaps first.

See where you stand — in 60 seconds

Free compliance check, no signup required. Get your obligation map and gap report instantly.