Connected Autoinjectors and Smart Pens: Regulatory Pathways for Digital Drug Delivery Devices in 2026
Connected autoinjectors and smart pen injectors are moving from concept to commercial reality. Ypsomed SmartPilot earned FDA 510(k) clearance in 2025, Medtronic's MiniMed Go cleared in January 2026, and Biocorp's Mallya holds CE mark as Class IIb. This guide covers the regulatory frameworks (FDA 510(k), De Novo, EU MDR classification), technical challenges (SaMD vs device accessory, cybersecurity, data integrity), human factors requirements, and strategic considerations for companies developing connected drug delivery platforms.
The Connected Drug Delivery Landscape in 2026
Drug delivery devices are getting a digital layer. Autoinjectors and pen injectors that once operated as purely mechanical systems now capture injection data, communicate via Bluetooth, pair with companion apps, and integrate with continuous glucose monitors. This shift from passive delivery to connected therapy management is driven by three forces: the demand for objective adherence data in both clinical trials and commercial settings, the explosive growth of the GLP-1 receptor agonist market, and the increasing expectation from regulators and payers that combination products demonstrate real-world outcomes.
The drug-device combination products market is projected to reach $379 billion by 2030, growing at a CAGR of 9.3% from 2024. Within that market, self-injection devices -- autoinjectors, pen injectors, and prefilled syringes -- are the dominant formats. Seventy-eight percent of FDA-approved monoclonal antibody combination products use high-concentration formulations exceeding 100 mg/mL, pushing the industry toward device platforms that can handle viscous biologics reliably. Connected add-ons that capture adherence, dosing accuracy, and user behavior are becoming a competitive differentiator.
This guide covers the products that have achieved regulatory clearance, the regulatory frameworks that govern them, the technical challenges unique to connected drug delivery, and the strategic considerations for companies developing these platforms.
Cleared and Marketed Connected Drug Delivery Devices
The connected drug delivery space has matured rapidly. The table below summarizes the products that have achieved regulatory clearance or are in active regulatory review as of May 2026.
| Product | Company | Type | Regulatory Status (US) | Regulatory Status (EU) | Key Capability |
|---|---|---|---|---|---|
| SmartPilot | Ypsomed | Autoinjector add-on | FDA 510(k) cleared (K243901), August 28, 2025 | Pending | Injection outcome, time/date, user errors |
| MiniMed Go | Medtronic | Smart MDI system (app + InPen + CGM) | FDA 510(k) cleared, January 12, 2026 | Pending | Real-time dosing guidance, dose calculator, missed dose alerts |
| Mallya | Biocorp (Novo Nordisk) | Smart pen cap | FDA 510(k) cleared | CE marked, Class IIb | Automatic dose, date, time capture |
| SoloSmart | Biocorp / Sanofi | Smart pen cap (Sanofi branded) | FDA 510(k) cleared | CE marked | Dose, date, time for SoloStar pens |
| InPen | Medtronic (Companion Medical) | Smart insulin pen | FDA 510(k) cleared | CE marked | Dose tracking, bolus calculator |
| Bigfoot Unity | Bigfoot Biomedical | Smart pen cap + CGM integration | FDA 510(k) cleared (2021), ages 12+ | Pending | Dosing recommendations on pen cap display, integrated with FreeStyle Libre 2 |
| Connected Pen Cap | medmix (Haselmeier) / AARDEX | Smart pen cap | Clinical trial use | Clinical trial use | Infrared dose detection, plunger position sensing |
Ypsomed SmartPilot: The First FDA-Cleared Autoinjector Connectivity Device
The Ypsomed SmartPilot earned FDA 510(k) clearance on August 28, 2025 (K243901) and represents a significant milestone: it is the first and only FDA-cleared connectivity device specifically designed for an autoinjector platform. Prior FDA clearances for injection data capture devices were limited to pen injectors, primarily used in diabetes.
Key regulatory details from the 510(k) summary:
- Classification: Piston Syringe, 21 CFR 880.5860, Class II, Product Code QOG
- Predicate device: Mally Injection Pen Adapter (K222689)
- Device name: SmartPilot YpsoMate NS-A2.25
- Compatibility: YpsoMate disposable autoinjector platform
- Drug compatibility: Initially indicated for use with Novartis/Sandoz secukinumab (Cosentyx)
The SmartPilot captures injection time and date, injection outcome (success/failure), and potential user errors. It transmits this data via Bluetooth to the patient's smartphone. A critical distinction from competing devices: SmartPilot does not capture dosing information. This is an intentional design choice that simplifies the regulatory pathway by avoiding the additional risk profile associated with dose measurement and dosing recommendations.
As Ulrike Bauer, Ypsomed Chief Business Officer, stated at the time of clearance: the device is "ready to support our partners in both clinical trials and commercial applications." The clearance also established SmartPilot as a predicate device for future FDA submissions in other therapy areas, which is strategically significant for any pharmaceutical company seeking to add connectivity to a YpsoMate-based combination product.
Medtronic MiniMed Go: Integrated Smart MDI System
Medtronic received FDA 510(k) clearance for the MiniMed Go app on January 12, 2026. The system integrates three components: the InPen smart insulin pen, Abbott's Instinct CGM sensor, and the MiniMed Go mobile application.
The MiniMed Go system provides:
- Real-time personalized dosing insights by combining insulin delivery data with continuous glucose data in a single app
- Missed dose alerts to help minimize hyperglycemic episodes
- A dose calculator that simplifies dose decision-making
- Action-oriented guidance when a user misses or miscalculates a dose
- CareLink software integration for healthcare provider reporting
The clearance covers insulin-requiring type 1 and type 2 diabetes for ages 7 and older, and ages 2 through 6 under adult supervision. Que Dallara, Medtronic Diabetes EVP and president (and MiniMed CEO-designate), described the product as "bringing the smarts of an AID [automated insulin delivery] system to individuals who prefer an insulin pen." The commercial launch in the US was expected in early 2026.
This clearance illustrates an important regulatory principle: when a connected drug delivery system integrates multiple device types (smart pen, CGM, mobile app) and provides dosing recommendations, the regulatory burden increases substantially compared to a simple data-capture add-on.
Biocorp Mallya: Cross-Platform Smart Cap
Biocorp's Mallya is a smart sensor cap that attaches directly to disposable insulin pens, converting them into connected devices. It automatically collects and records the selected insulin units, date, and time of each injection, transmitting data via Bluetooth to a dedicated mobile application.
Regulatory status:
- EU: CE marked as Class IIb medical device
- US: FDA 510(k) cleared, with initial version compatible with Sanofi SoloStar pen injectors
- Brazil: Approval anticipated
Mallya is reusable for approximately two years and is notable for its cross-platform ambition. Biocorp has signed partnerships with Novo Nordisk, Sanofi, and Roche Diabetes Care, positioning the Mallya platform as a device-agnostic connectivity layer. The Sanofi-branded version, SoloSmart, also received FDA 510(k) clearance, demonstrating that the same underlying technology can support multiple branded regulatory submissions.
Mallya becomes the first system cleared in the US capable of automatically connecting different types of insulin and GLP-1 drugs. This cross-therapy compatibility is increasingly important as GLP-1 receptor agonists expand from diabetes into obesity and cardiovascular indications.
Bigfoot Unity: CGM-Integrated Smart Pen Cap
Bigfoot Biomedical (now part of Abbott's ecosystem) received FDA clearance in 2021 for the Bigfoot Unity Diabetes Management System. The system features smart pen caps for disposable insulin pens that integrate directly with Abbott's FreeStyle Libre 2 iCGM sensor.
Unlike most competitors, Bigfoot Unity provides dosing recommendations directly on the pen cap's digital screen. The rapid-acting insulin pen cap scans the FreeStyle Libre 2 sensor and displays current glucose, trend arrows, and a recommended bolus dose based on healthcare provider-programmed parameters. The system is cleared for ages 12 and older with insulin-requiring diabetes on multiple daily injections.
The system includes separate caps for basal (black) and bolus (white) insulin, with only the bolus cap providing CGM integration and dosing recommendations. This design choice separates the risk profile of the two functions into distinct device components.
medmix-AARDEX Connected Pen Cap: Infrared Dose Detection
The medmix (Haselmeier) and AARDEX Group collaboration has produced a connected pen cap designed primarily for clinical trial use. The device uses a distinctive sensing mechanism: six infrared LEDs emit signals that are altered by the position of the pen's plunger, and 16 IR sensors detect the returning signal. By comparing plunger position before and after each injection, the system identifies the actual expelled dose.
This approach is technically significant because it measures dose delivery directly rather than inferring it from user input or dial setting. The system can also calculate and display the remaining volume in the cartridge. The device is currently positioned for clinical trial use rather than commercial therapy management, integrating with AARDEX's MEMS electronic monitoring platform.
Regulatory Framework: United States (FDA)
Classification Under 21 CFR 880.5860
Connected drug delivery add-ons are classified as Class II medical devices under 21 CFR 880.5860 (Piston Syringe), Product Code QOG, which covers injection data capture devices. This classification applies to devices that attach to or integrate with an existing drug delivery platform (autoinjector or pen injector) to capture and record injection information and provide feedback to the user.
The 510(k) pathway is the standard route for these devices, requiring demonstration of substantial equivalence to a legally marketed predicate. The Ypsomed SmartPilot (K243901) used the Mally Injection Pen Adapter (K222689) as its predicate. As more devices clear, the predicate chain strengthens, making subsequent submissions more straightforward for devices with similar functionality.
SaMD vs. Device Accessory: A Critical Distinction
One of the most consequential regulatory decisions for connected drug delivery devices is whether the software component is regulated as Software as a Medical Device (SaMD) or as an accessory to the parent device. The distinction depends on the intended use and functionality:
Regulated as a device accessory (lower regulatory burden):
- Software that captures and displays injection data (time, date, outcome)
- Software that provides reminders or adherence tracking
- Software that transmits data to a healthcare provider portal
Likely regulated as SaMD (higher regulatory burden):
- Software that provides dosing recommendations or dose calculations
- Software that integrates CGM data to generate insulin dosing advice
- Software that performs clinical decision support for therapy adjustment
This is why SmartPilot, which captures injection outcome but not dose information, has a simpler regulatory profile than MiniMed Go, which integrates CGM and insulin data to provide dosing guidance. Products that cross into dosing recommendations enter a higher-risk category that triggers additional requirements for clinical validation, human factors testing, and software documentation.
FDA Section 524B: Cybersecurity Requirements for Cyber Devices
Any connected drug delivery device that includes software and can connect to the internet meets the FDA's definition of a "cyber device" under Section 524B of the FD&C Act. Section 524B has been in effect since March 29, 2023, and the FDA has been refusing to accept premarket submissions lacking required cybersecurity documentation since October 1, 2023. Cyber devices must comply with the following statutory requirements:
Software Bill of Materials (SBOM): A comprehensive, machine-readable list of all software components, including third-party libraries, their versions, and dependencies. The SBOM must be provided in a standardized format (SPDX or CycloneDX).
Premarket cybersecurity documentation: Submissions must include a cybersecurity risk analysis, threat modeling documentation, security architecture description, and evidence of secure development practices.
Post-market vulnerability management: Manufacturers must implement and maintain a coordinated vulnerability disclosure process, monitor for vulnerabilities throughout the device lifecycle, and release patches on a defined schedule. Critical vulnerabilities must be addressed and communicated within 24 hours of identification.
Security controls: Devices must implement authentication and access controls, encryption of protected health information, integrity verification for software updates, and audit logging.
Testing requirements: Four categories of testing are required: security requirements testing, threat mitigation testing, proactive vulnerability hunting, and independent penetration testing.
For connected drug delivery devices specifically, the attack surface includes the Bluetooth communication channel between the device and the mobile app, the app-to-cloud data transmission, the cloud storage platform, and the device firmware itself. Threat modeling must address each of these vectors.
Failure to comply with Section 524B is now a prohibited act under Section 301(q) of the FD&C Act, and the FDA has authority to refuse acceptance of premarket submissions that lack required cybersecurity documentation. The Illumina $9.8 million False Claims Act settlement in July 2025 demonstrated that cybersecurity compliance failures can trigger significant financial penalties beyond FDA enforcement.
Human Factors Validation
Connected drug delivery devices require human factors validation per FDA guidance and IEC 62366-1. The validation must address two distinct user interfaces: the physical device interface (cap attachment, indicator lights, haptic feedback) and the digital interface (mobile app screens, notifications, data displays).
Key human factors considerations specific to connected devices:
- Pairing and connectivity: Users must be able to reliably pair the device with their smartphone and confirm successful Bluetooth connection. Pairing failures are a documented source of user frustration and data loss.
- Data interpretation: Users must correctly understand what the device is telling them -- for example, distinguishing between a confirmed injection, a partial delivery, and a failed attempt.
- Alarm fatigue: Connected devices generate notifications, reminders, and alerts. The design must prevent alarm fatigue while ensuring critical safety alerts (e.g., missed dose warnings) are not dismissed.
- Accessibility: Users with limited dexterity (common in the target populations for autoinjector therapies) must be able to physically interact with the connected add-on without impeding the injection process.
Regulatory Framework: European Union (EU MDR)
Classification Under EU MDR
In the EU, connected drug delivery add-ons are regulated as medical device accessories under MDR Article 2(2). An accessory is defined as an article which, while not being a medical device itself, is intended by its manufacturer to be used together with a medical device to specifically assist in the medical function of that device.
Classification depends on the specific functionality:
| Functionality | Likely Classification | Applicable Rule |
|---|---|---|
| Data capture and display (time, date, injection outcome) | Class IIa | Rule 12 (active device administering medicines) or Rule 9 |
| Dose measurement and recording | Class IIa or IIb | Rule 12, depending on risk |
| Dosing recommendations or clinical decision support | Class IIb or III | Rule 11 (software classification) |
| CGM integration with dosing advice | Class IIb or III | Rule 11 |
Biocorp's Mallya is CE marked as Class IIb, reflecting its dose capture capability. Devices that remain in the data-capture-only category may qualify for Class IIa, which has a somewhat less burdensome conformity assessment pathway.
Rule 11: Software Classification and the 2025 Revision Proposal
Rule 11 of MDR Annex VIII is the classification rule specific to software. Under the current text, software intended to provide information used to take decisions with diagnosis or therapeutic purposes is classified as Class IIa at minimum, with escalation to Class IIb or III depending on the impact of incorrect information.
In December 2025, the European Commission published a draft amendment to the MDR (often referred to as "MDR 2.0") that includes a complete rewrite of Rule 11. The proposed new wording would default software to Class I unless the output is intended for a disease or condition that could cause death, irreversible deterioration, or serious deterioration of health. This represents a potential down-classification for many connected drug delivery apps that provide information but do not make treatment decisions directly.
However, the proposed revision is in early legislative stages. Manufacturers should continue to classify under the current Rule 11 text while monitoring the legislative progress of the amendment.
EU Cybersecurity: MDR and the Cyber Resilience Act
EU requirements for connected medical device cybersecurity come from multiple sources:
- MDR Annex I (General Safety and Performance Requirements): Sections 14.2 through 14.5 require devices to be designed and manufactured to protect against unauthorized access, ensure data integrity, and maintain security of data transmission.
- MDCG 2019-16 (Revision 1, 2025): Guidance on cybersecurity for medical devices, covering risk management, secure development lifecycle, and post-market vulnerability handling.
- EU Cyber Resilience Act (CRA): Expected to apply to medical devices with digital elements, requiring vulnerability handling processes and security updates throughout the product lifecycle. The CRA will work alongside the MDR rather than replacing it.
- IEC 81001-5-1: Health software cybersecurity standard, increasingly referenced by EU Notified Bodies during conformity assessment.
- GDPR: Data privacy requirements for any device that collects and transmits patient health data in the EU.
EUDAMED Vigilance Module
The EUDAMED vigilance module is expected to become operational in Q2 2027. Once active, it will centralize post-market surveillance reporting for all medical devices in the EU, including connected drug delivery devices. Manufacturers should prepare for this by establishing robust post-market surveillance systems that can feed into EUDAMED's electronic reporting format.
Technical Challenges
Dose Detection Methods
Connected drug delivery devices employ several approaches to dose detection, each with different accuracy profiles and regulatory implications:
| Method | How It Works | Products Using | Accuracy Considerations |
|---|---|---|---|
| Plunger position (IR sensing) | Infrared emitters/sensors detect plunger displacement before and after injection | medmix-AARDEX connected cap | Direct measurement of expelled dose; can detect partial deliveries |
| Dial reading | Optical or magnetic sensing of the dose selector position | InPen, Mallya | Measures dialed dose, not necessarily delivered dose |
| Injection event detection | Mechanical or optical sensing of injection trigger and completion | SmartPilot | Confirms injection occurred but does not measure dose |
| User-reported | User manually enters dose in app | Bigfoot Unity (partial) | Lowest accuracy; subject to recall bias |
The regulatory risk profile differs significantly. A device that measures the actual delivered dose (like the medmix-AARDEX system) provides higher-confidence data but may face more rigorous validation requirements. A device that detects only whether an injection occurred (like SmartPilot) has a simpler regulatory path but provides less granular data.
Software Lifecycle: IEC 62304 and IEC 82304-1
Connected drug delivery devices must comply with IEC 62304 (medical device software lifecycle) for the embedded firmware and, where applicable, IEC 82304-1 (health software safety) for the mobile application and cloud components.
IEC 62304 requires software to be assigned a safety classification (A, B, or C) based on the risk of the software contributing to a hazardous situation. For connected drug delivery devices, the safety classification is typically Class B (non-serious injury possible) or Class C (death or serious injury possible), depending on whether the software influences dosing decisions.
Key documentation requirements:
- Software Development Plan
- Software Requirements Specification (including cybersecurity requirements)
- Software Architecture Design
- Software Design Specification
- Unit Implementation and Verification
- Software Integration and Integration Testing
- Software System Testing
- Software Release
- Software Maintenance Process (including patch management)
For the mobile app component, IEC 82304-1 provides additional requirements specific to health software that may not be embedded in a traditional medical device, covering aspects like app store distribution, mobile operating system compatibility, and consumer-grade platform security.
Data Integrity and Privacy
Connected drug delivery devices generate and transmit protected health information. Data integrity and privacy requirements differ by region:
United States (HIPAA): HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses -- not directly to device manufacturers. However, manufacturers must design their data systems to support HIPAA compliance for their customers. If the device transmits data to a cloud platform that healthcare providers access, the cloud platform may qualify as a business associate under HIPAA.
European Union (GDPR): GDPR applies directly to any entity that processes personal data of EU residents, including device manufacturers. Connected drug delivery devices must implement data minimization, purpose limitation, consent management, and data subject access rights. Bluetooth transmission of health data requires appropriate encryption. The device and app must support GDPR's right to erasure and data portability requirements.
Data integrity: Both IEC 62304 and 21 CFR Part 11 (for clinical trial data) require demonstrable data integrity. Connected devices must ensure that injection data is accurately captured, transmitted without corruption, stored reliably, and auditable. Any data loss during Bluetooth transmission or app crashes must be detected and flagged.
Bluetooth Low Energy: Technical Constraints
Most connected drug delivery devices use Bluetooth Low Energy (BLE) for data transmission. BLE presents several engineering challenges:
- Pairing reliability: BLE pairing failures are common, particularly for users who are not technologically proficient. The device must provide clear visual or haptic feedback confirming successful pairing.
- Battery consumption: Continuous BLE advertising drains the device battery. Most smart caps use a sleep-and-wake strategy, advertising only when injection data is ready to transmit.
- Range limitations: BLE range is typically 10-30 meters. Users who leave their phone in another room during injection may lose data. The device must buffer data locally and transmit when the phone reconnects.
- Compatibility: BLE compatibility across Android and iOS devices requires extensive testing. OS updates can break existing BLE implementations, requiring ongoing maintenance.
Human Factors Requirements in Detail
Human factors validation for connected drug delivery devices goes beyond traditional injection device usability testing. The user interface now spans two domains: the physical device and the digital ecosystem.
Physical Device Interface
The connected add-on must not interfere with the primary drug delivery function. If a smart cap makes the pen harder to hold, changes the injection force profile, or adds confusion to the injection workflow, it has failed its most basic usability requirement. Testing must demonstrate that:
- The add-on can be attached and detached (if applicable) without tools or excessive force
- The presence of the add-on does not change the injection experience in ways that affect dose delivery
- Visual indicators (LEDs, displays) are readable under expected lighting conditions
- Haptic feedback (if any) is detectable by users with neuropathy (common in diabetic populations)
Digital Interface
The companion app must be validated for:
- Task completion rates for core workflows (pairing device, viewing injection history, sharing data with provider)
- Error recovery when Bluetooth disconnection occurs during data transmission
- Comprehension of data displays (dose history, adherence metrics, trend graphs)
- Notification management (do users understand and act on alerts vs. dismissing them)
Validation Study Design
FDA expects human factors validation studies to use representative users (not company employees), in representative use environments (not laboratory settings), with production-equivalent devices. For connected drug delivery devices, this means testing with:
- Users who have the target condition (e.g., diabetes, autoimmune disease)
- Users spanning the expected age range
- Users with varying levels of technology comfort
- The complete system including the drug delivery device, the connected add-on, and the companion app
Sample sizes of 15-20 users per user group are typical for human factors validation of connected drug delivery devices.
Strategic Considerations
Clinical Trial Applications vs. Commercial Therapy Management
Connected drug delivery devices serve two distinct markets, each with different regulatory and commercial requirements:
Clinical trial use: Connected devices provide objective adherence data that replaces patient-reported diaries, which are notoriously unreliable. The medmix-AARDEX system and Ypsomed SmartPilot both target this application. Clinical trial use may have a lower regulatory bar because the device is used under investigator supervision and the data supports trial endpoints rather than direct patient treatment decisions.
Commercial therapy management: Devices used by patients at home for ongoing therapy management face the full regulatory burden of a consumer medical device. They must demonstrate safety and effectiveness for unsupervised use by lay operators, comply with cybersecurity requirements, and support post-market surveillance.
Many companies pursue a clinical-trial-first strategy: develop the connected device, gain initial regulatory clearance or CE mark for clinical trial use, and then expand the intended use to commercial therapy management. This approach generates clinical evidence and real-world performance data that supports the broader indication.
GLP-1 Market Dynamics
The GLP-1 receptor agonist market is the single biggest commercial driver for connected drug delivery innovation. The US GLP-1 market alone was valued at $26.6 billion in 2023 and is projected to reach $133.2 billion by 2030, growing at a CAGR of 25.9%. Global GLP-1 analogue sales could reach $268 billion by 2030 according to some estimates.
GLP-1 therapies are administered via subcutaneous injection, primarily using pen injectors. As the patient population expands from diabetes into obesity and cardiovascular disease, the demand for connected delivery devices that improve adherence and provide real-world evidence will grow proportionally. The injection experience -- including the connected layer -- is becoming a competitive differentiator in an increasingly crowded GLP-1 market.
Reusable vs. Disposable Device Platforms
Sustainability pressure is pushing the industry toward reusable device platforms. A disposable autoinjector with a connected add-on represents a compromise: the mechanical device is single-use, but the digital component is reusable. Ypsomed's approach with SmartPilot exemplifies this model -- the SmartPilot add-on is designed for repeated use across multiple YpsoMate injections.
Biocorp's Mallya extends this concept to pen injectors, with a reusable smart cap rated for two years of use across multiple disposable pens. The sustainability argument is straightforward: a single connected component serving hundreds of injections has a smaller environmental footprint than embedding electronics into every disposable device.
From a regulatory perspective, reusable connected components face additional requirements for cleaning validation, durability testing, and lifecycle management that disposable devices do not.
Post-Market Surveillance: Preparing for EUDAMED
The EUDAMED vigilance module, expected in Q2 2027, will require manufacturers to submit post-market surveillance data through a centralized electronic system. For connected drug delivery devices, this means:
- Establishing electronic adverse event reporting workflows that can interface with EUDAMED
- Collecting and analyzing real-world performance data from connected devices (a capability that connected devices uniquely provide)
- Maintaining periodic safety update reports (PSURs) in EUDAMED-compatible format
- Monitoring cybersecurity incidents as part of post-market surveillance, not just as an IT function
Connected devices actually have an advantage here: because they automatically capture usage data, they can provide more complete post-market surveillance data than passive devices that rely on voluntary reporting.
Regulatory Pathway Decision Framework
The following decision framework helps determine the appropriate regulatory pathway for a connected drug delivery device:
| Question | If Yes | If No |
|---|---|---|
| Does the device provide dosing recommendations or dose calculations? | Higher-risk pathway; likely SaMD classification; expect Class IIb (EU) or more rigorous 510(k)/De Novo (US) | Simpler accessory pathway; Class IIa (EU) or standard 510(k) (US) |
| Does the device integrate with another medical device (e.g., CGM)? | Combined system regulatory strategy; each component must be cleared/approved individually before integration | Standalone device pathway |
| Does the software make clinical decisions autonomously? | Highest risk; Rule 11 Class III (EU) may apply; FDA may require De Novo or PMA | Software supports user decisions; lower classification |
| Is the device for clinical trial use only? | May qualify for investigational device exemption (US) or reduced conformity assessment (EU) | Full regulatory clearance/approval required for commercial distribution |
| Does the device store or transmit patient health data? | Cybersecurity (Section 524B, GDPR) and data privacy requirements apply | Reduced cybersecurity scope, though still applicable if internet-connected |
Key Standards Reference
| Standard | Scope | Applicability |
|---|---|---|
| IEC 62304 | Medical device software lifecycle | All connected drug delivery device software |
| IEC 82304-1 | Health software safety | Mobile apps and cloud components |
| IEC 62366-1 | Usability engineering | Human factors for both physical and digital interfaces |
| ISO 14971 | Risk management | Overall device risk management including cybersecurity risks |
| IEC 81001-5-1 | Health software cybersecurity | Cybersecurity risk management for connected devices |
| ISO 13485 | Quality management systems | Manufacturing and design controls |
| IEC 60601-1 (if applicable) | Medical electrical equipment safety | If device includes active electronic components that contact patient |
Looking Ahead
The connected drug delivery device market is still in its early chapters. Several developments will shape the regulatory and commercial landscape over the next 18-24 months:
- MDR Rule 11 revision: The proposed simplification of software classification rules could lower the barrier to market for connected drug delivery apps in the EU, but the legislative timeline remains uncertain.
- EUDAMED vigilance module (Q2 2027): Will require electronic post-market surveillance reporting for all EU-marketed devices, including connected drug delivery products.
- FDA cybersecurity enforcement: With the Illumina FCA settlement establishing precedent and Section 524B compliance now a prohibited act, expect increased scrutiny of cybersecurity documentation in premarket submissions for connected devices.
- GLP-1 device differentiation: As GLP-1 therapies face biosimilar competition, the connected delivery device will become a differentiator. Companies that invest in connectivity now will have a competitive advantage as the market commoditizes.
- AI-enabled dosing algorithms: The next generation of connected drug delivery devices will incorporate machine learning algorithms that personalize dosing based on accumulated patient data. These algorithms will face the full weight of FDA's AI/ML framework, including Predetermined Change Control Plans (PCCPs) for adaptive algorithms.
The companies that will succeed in this space are those that treat connected drug delivery as a systems engineering problem -- integrating mechanical design, firmware, mobile software, cloud infrastructure, cybersecurity, regulatory strategy, and human factors into a coherent development program, rather than bolting connectivity onto an existing device as an afterthought.