The European intersection of the AI Act, MDR/IVDR, and the Digital Omnibus can be a minefield for healthtech founders and investors alike. Jaroslav Menčík, Partner and Head of the Technology Team at Ambit, joins us to provide a legal roadmap through this challenging regulatory landscape, offering expert insight into why thorough compliance is not just a necessity – but also a pathway to new opportunities.
What are the main things you look for when conducting due diligence on healthtech startups?
When it comes to legal DD for healthtech, we generally focus on three pillars. First up is the regulatory framework. We need to know if the product falls under MDR or IVDR, what its risk class is, and whether the startup actually has a realistic roadmap to obtaining a CE mark. It’s surprisingly common for founders of software-based medical devices to underrate their classification, which can have a massive knock-on effect on both their go-to-market strategy and their overheads.
The second area is data architecture. Healthtech startups are usually handling health data governed by GDPR, so we inquire whether they’re dealing with medical, genetic, or other sensitive personal data. We look at the legal basis for processing – where the data is hosted, if they’ve completed a DPIA, and what their DPAs look like. In this area, there’s virtually zero error tolerance.
Finally, there’s Intellectual Property (IP). Just like with any tech startup, we check if the company properly owns its IP, how their supplier contracts are structured, and whether their trade secrets are airtight. For AI-driven products, we also need to see if the startup can justify how the model was built.
What would you advise healthtech founders to focus on right now to ensure their data collection, anonymisation, and storage are fully aligned with the new European AI regulations? What’s more – what should their long-term strategy look like?
My general advice to founders is to stop seeing compliance as a one-off box-ticking task. You need to treat it as the very architecture upon which your company and product are built – from day one. It’s crucial to map out exactly where your product sits within overlapping regulatory frameworks, whether that’s the AI Act, MDR/IVDR, GDPR, or the most recent Digital Omnibus.
When it comes to data, the best practice is to stick to data minimisation, be honest about the distinction between anonymisation and pseudonymisation, and have rock-solid retention policies. Invest in a privacy-by-design architecture and document your decision-making processes. That’s precisely the trail a regulator will want to see down the line.
Long-term, I’d suggest founders focus on three main things. First, build an internal culture of compliance – don’t just leave it to one person to do all the heavy lifting. Second, keep a close eye on the harmonised standards under the AI Act and other regulations, as these will define the technical specs your product must meet. Most importantly, build a flexible architecture that allows you to adapt without having to rewrite your entire system. Startups that nail this will gain a massive competitive edge, as compliance is rapidly becoming a significant barrier to entry in the market.
The Digital Omnibus consolidates existing rules. What does this mean for investors? How will it help them assess the risk and the current stage of a healthtech investment?
From an investor’s perspective, the Digital Omnibus is particularly interesting because it brings much-needed clarity to what has been a very fragmented regulatory landscape – especially regarding AI, data, cybersecurity, and privacy. Ideally, investors should no longer have to navigate multiple overlapping frameworks and scrutinise each one in isolation; legislative consolidation simply creates a more transparent regulatory environment.
In practical terms, this means better comparability between startups in the same industry and a more accurate assessment of regulatory risk – which is one of the main drivers of valuation in healthtech. It also allows for a clearer distinction between different stages of a startup’s regulatory maturity. You can now ask more focused questions: Does the startup have a clear overview of its obligations? Do they have a plan? How much have they actually ticked off? The findings from this kind of analysis are becoming a standard part of the investment decision-making process.
Overall, I see the Digital Omnibus as a sign that the EU is shifting course toward a more predictable, and hopefully simpler, regulatory climate. For healthtech investors, this should mean less regulatory uncertainty – given, of course, that the startups they’re backing take compliance seriously.