In 2026 the European Medicines Agency (EMA) continues to refine its pharmacovigilance requirements for digital therapeutics (DTx), demanding that developers integrate robust safety reporting with ISO 14971 risk management. This article presents a step‑by‑step compliance blueprint that aligns EMA safety reporting with ISO 14971, ensuring that digital therapeutic products meet both regulatory and patient safety expectations. Whether you’re a clinical developer, a quality manager, or a regulatory affairs specialist, this guide offers actionable insight into harmonizing real‑time data collection, adaptive risk control, and post‑market surveillance.
Digital therapeutics have moved beyond static prescription apps to AI‑driven, cloud‑based platforms that learn from patient data in real time. The speed at which these systems adapt creates unique pharmacovigilance challenges: adverse events may emerge from algorithmic drift, user interface changes, or new data integrations. EMA’s guidance now treats digital therapeutic software as a medical device, mandating that safety reporting be embedded in a comprehensive risk management plan that follows ISO 14971 principles.
EMA’s 2026 pharmacovigilance framework requires that developers:
- Identify and classify the product’s medical purpose and risk profile.
- Establish a clear post‑market surveillance (PMS) plan that covers data collection, signal detection, and risk mitigation.
- Report safety incidents within the specified timeframes and maintain traceable records for audit purposes.
- Demonstrate that risk control measures are continuously monitored and updated in line with real‑time usage data.
ISO 14971, the international standard for medical device risk management, provides a systematic process for identifying hazards, estimating risks, and implementing control measures. For digital therapeutics, the standard’s emphasis on life‑cycle risk management dovetails with EMA’s safety reporting obligations. The convergence of these frameworks ensures that risk control is not a one‑off activity but a dynamic, data‑driven process that extends into the product’s post‑market life.
Step 1 – Define Scope & Product Classification
Begin by clearly defining the digital therapeutic’s scope: its intended medical use, target patient population, and the clinical context in which it will operate. Assign a device class per the EU Medical Device Regulation (MDR) – typically Class IIa or III for high‑risk interventions. Document the scope in a Scope Statement that also identifies any “adverse events” the product could generate, such as algorithmic misclassification or data privacy breaches.
Key Deliverables
- Scope Statement and Device Classification Sheet
- Stakeholder Matrix (clinical, technical, regulatory)
- Risk Management Plan (RMP) template
Step 2 – Hazard Identification & Risk Analysis
Perform a comprehensive hazard identification session using a multi‑disciplinary hazard matrix. For DTx, typical hazards include:
- Algorithmic errors leading to incorrect dosage recommendations
- Insecure data transmission causing patient data leaks
- User interface glitches that delay critical alerts
Apply risk analysis tools such as Failure Mode and Effects Analysis (FMEA) and quantitative risk metrics (e.g., expected exposure, severity index). In the risk analysis, estimate risk probability from real‑time usage logs, clinical trial data, and post‑market feedback. This dual approach satisfies ISO 14971’s requirement for both qualitative and quantitative assessment.
Step 3 – Risk Control & Residual Risk Evaluation
For each identified hazard, devise risk control measures aligned with the ISO 14971 risk control hierarchy:
- Elimination or substitution of the hazard (e.g., removing unnecessary algorithmic complexity)
- Engineering controls (encryption, secure APIs, redundancy)
- Administrative controls (user training, monitoring dashboards)
- Safety information (product labeling, patient consent forms)
After implementing controls, conduct a residual risk evaluation that compares the risk profile against an acceptable risk threshold defined by EMA’s risk classification matrix. Document the justification for remaining risks, and if they exceed acceptable limits, iterate control measures until compliance is achieved.
Step 4 – Post‑Market Surveillance & Real‑Time Safety Reporting
EMA mandates continuous post‑market surveillance (PMS) for digital therapeutics. Embed a PMS Plan within the risk management framework that details:
- Data sources for safety monitoring (device logs, cloud analytics, user surveys)
- Signal detection algorithms (statistical control charts, machine‑learning classifiers)
- Thresholds for safety event escalation (e.g., a 3‑fold increase in algorithmic misclassification over 30 days)
- Reporting timelines: Class IIa products require safety reporting within 15 days for serious events; Class III within 7 days.
Leverage real‑time dashboards that provide continuous visibility into key safety indicators. When a signal crosses a pre‑defined threshold, trigger an automated incident workflow that compiles an e‑report in the required EMA format and initiates a rapid risk assessment.
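As an added example that is not part of the original article, the escalation rule above implemented in Python over constructed daily log counts: it compares the trailing 30-day misclassification rate with the preceding 30-day baseline, flags escalation at the 3-fold threshold, and derives the serious-event reporting deadline from the class-based timelines listed above. The record layout, the window helpers and the sample history are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from fractions import Fraction

# Escalation rule from the PMS plan: misclassification rate in the trailing
# 30-day window at least 3x the rate in the preceding 30-day baseline window.
WINDOW_DAYS = 30
ESCALATION_RATIO = 3
# Serious-event reporting deadlines (days) by MDR class, as listed in Step 4.
REPORTING_DEADLINE_DAYS = {"IIa": 15, "III": 7}

@dataclass(frozen=True)
class DailyStats:             # assumed record layout of the aggregated device log
    day: date
    sessions: int             # therapy sessions logged that day
    misclassified: int        # sessions later flagged as algorithmic misclassifications

def window(history, start, end):
    """Daily records with start <= day <= end."""
    return [s for s in history if start <= s.day <= end]

def rate(stats):
    """Exact misclassification rate; Fraction avoids float rounding right at the threshold."""
    sessions = sum(s.sessions for s in stats)
    return Fraction(sum(s.misclassified for s in stats), sessions) if sessions else None

def detect_signal(history, as_of):
    """Evaluate the escalation rule for the trailing window ending on as_of."""
    cur_start = as_of - timedelta(days=WINDOW_DAYS - 1)
    base_end = cur_start - timedelta(days=1)
    base_start = base_end - timedelta(days=WINDOW_DAYS - 1)
    cur_rate = rate(window(history, cur_start, as_of))
    base_rate = rate(window(history, base_start, base_end))
    if cur_rate is None or base_rate is None:
        # No usage data in one window: nothing to compare, route to manual review instead.
        return {"ratio": None, "escalate": False, "reason": "insufficient data"}
    if base_rate == 0:
        # Baseline had zero misclassifications: any current event is an unbounded increase.
        ratio = float("inf") if cur_rate > 0 else Fraction(0)
    else:
        ratio = cur_rate / base_rate
    return {"ratio": ratio, "escalate": ratio >= ESCALATION_RATIO, "reason": "threshold rule"}

def reporting_deadline(device_class, detected_on):
    """Latest date for the serious-event report under the class-based timelines."""
    return detected_on + timedelta(days=REPORTING_DEADLINE_DAYS[device_class])

# Constructed sample history: 30 baseline days at 1/200 (0.5%), then 30 days at 3/200 (1.5%).
START = date(2026, 1, 1)
def day_offset(n):
    return START + timedelta(days=n)
SAMPLE_HISTORY = ([DailyStats(day_offset(i), 200, 1) for i in range(30)]
                  + [DailyStats(day_offset(30 + i), 200, 3) for i in range(30)])
```

Running `detect_signal(SAMPLE_HISTORY, day_offset(59))` returns a ratio of exactly 3 and `escalate=True`, while evaluating on day 29, before a full baseline window exists, returns `insufficient data` rather than a false alarm.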
Step 5 – Documentation & Continuous Improvement
Maintain an integrated, electronic Risk Management File (RMF) that captures all steps from hazard identification to PMS. The RMF must be accessible to EMA audit teams and must include:
- Version‑controlled risk assessments
- Evidence of real‑time data collection and signal detection
- Documentation of risk control implementation and residual risk justification
- Records of safety incidents, corrective actions, and outcome assessments
Implement a Continuous Improvement Loop where lessons learned from safety incidents feed back into the risk management plan. Schedule regular reviews (e.g., quarterly) to update risk control measures, recalibrate safety thresholds, and ensure that the product remains compliant as new data emerges.
By following this compliance blueprint, developers can align EMA pharmacovigilance with ISO 14971 risk management in a structured, data‑driven manner. The result is a resilient digital therapeutic that not only meets regulatory expectations but also delivers safer, more reliable care to patients worldwide.
