Assessment: not medical device software (MDSW) and not a national medical information system (NMI). Fully aligned with Swedish regulatory expectations for administrative compliance tools.
This document establishes MediReady's formal classification and regulatory readiness for the Swedish market in relation to:
The document describes MediReady's intended use, functional limitations, and regulatory boundaries as the basis for the assessment that the product is not within the scope of MDR and not within the scope of the NMI framework, while remaining fully aligned with Swedish data protection expectations.
MediReady is an administrative tool for compliance documentation and workflow audit. The system is used by administrators, quality leads, and operations managers to:
MediReady does not process medical decisions, does not influence patient care, and does not provide recommendations on diagnosis, treatment, or clinical actions.
MediReady is intended for:
MediReady is not intended to:
Under MDR, software is classified as a medical device if it has a medical purpose, for example to:
MediReady meets none of MDR's medical purposes. The system:
“Software for administrative purposes is not covered.” — MDR interpretation per EU guidance
MediReady is not a medical device and is not within the scope of MDR.
NMI covers systems that:
HSLF-FS 2022:42 states that the following is not NMI:
“Generic software used in a care environment, except where the software has been adapted in a way that meets the definition of a national medical information system.”
MediReady:
MediReady does not meet the definition of NMI and is not within the scope of HSLF-FS 2022:42.
MediReady operates in Sweden under the following regulatory framework:
| Regulation | Reference | Relevance |
|---|---|---|
| GDPR | EU 2016/679 | Data protection framework |
| Patientdatalagen | 2008:355 | Swedish patient data law |
| HSLF-FS 2022:42 | Swedish National Board of Health and Welfare | Regulations on national medical information systems (NMI) |
| MDR | EU 2017/745 | EU medical device regulations (applicable in Sweden) |
| IMY Supervisory Practices | Integritetsskyddsmyndigheten | Swedish DPA guidance on AI, healthcare, and sensitive data |
Critical classification question for Swedish healthcare providers: Is MediReady a medical device (MDSW) or a national medical information system (NMI)?
The answer is no to both. MediReady is subject to GDPR but not to medical device or NMI-specific regulations.
Even though MediReady is neither MDSW nor NMI, the system is subject to GDPR.
| Aspect | MediReady Commitment |
|---|---|
| Data processing | Inputs are processed ephemerally in memory and discarded immediately |
| Data storage | No PHI is stored; stateless architecture |
| Collection | No background collection, telemetry, or profiling |
| Controller | The healthcare provider is the controller |
| Processor | MediReady is the processor |
| Agreement | A data processing agreement under Article 28 is required (provided separately) |
IMY (Integritetsskyddsmyndigheten) has published supervisory priorities for 2024–2025 that include:
MediReady's design aligns with IMY priorities as follows:
| Requirement | MediReady Commitment |
|---|---|
| Model disclosure | Mistral Large LLM with signed BAA (no training use) |
| Human oversight | Critical findings reviewed by qualified auditors |
| Input deletion | Stateless processing eliminates data retention risk |

| Aspect | MediReady Position |
|---|---|
| Data type | Administrative data only, not patient medical records or PHI |
| GDPR Article 9 | Not classified under special categories in normal use |
| Incidental sensitive data | Stateless architecture and immediate deletion mitigate risk |
MediReady assists the Company in responding to Data Subject Access Requests (DSAR) and other rights under GDPR Articles 12–22. (See §6 of the Data Processing Agreement.)
MediReady maintains:
Documentation is made available to IMY upon inspection request.
| Element | Commitment |
|---|---|
| Governing law | All disputes and legal questions governed by Swedish law |
| DPA jurisdiction | Swedish governing law and jurisdiction |
The EU NIS2 Directive (2022/2555) sets cybersecurity obligations for critical infrastructure operators and essential service providers.
NIS2 applies where a company:
| Question | Answer |
|---|---|
| Is MediReady automatically in scope for NIS2? | No |
| Why? | Not an EHR system; does not maintain national health-data infrastructure; does not directly deliver healthcare services |
If MediReady is used by a Swedish healthcare provider (e.g., region, clinic, hospital) that is itself a NIS2 essential actor, that provider's NIS2 obligations may extend to evaluating MediReady's security posture as part of their supply-chain risk management.
| Requirement | MediReady Commitment |
|---|---|
| Security measures | Comply with NIST Cybersecurity Framework (CSF) principles |
| Incident reporting | Align with NIS2 reporting timelines (72-hour breach notification) |
| Documentation | Available upon request for healthcare providers' NIS2 compliance assessment |
The EHDS Regulation (2023/2664) is under implementation.
| Question | Answer |
|---|---|
| Is EHDS currently applicable to MediReady? | No |
| Why? | Applies to EHR systems and national data-sharing infrastructure, not compliance-audit tools |
MediReady:
| Phase | Timeline | Primary Focus |
|---|---|---|
| Phase 1 | 2025–2026 | EHR interoperability |
| Phase 2 | 2027+ | Secondary use and data-sharing frameworks |
MediReady evaluation timeline: Q1–Q2 2026
| Commitment | Detail |
|---|---|
| Processing location | All processing of Company Personal Data occurs within the European Economic Area (EEA) |
| Inference location | Mistral AI inference occurs within EU data centers |
| Non-EEA transfer | No non-EEA data transfer without explicit Company written consent |
| Restricted jurisdictions | No data transferred to the United States, Asia, or any non-EEA jurisdiction |
This commitment applies to all Company Personal Data, including administrative records, policies, and workflow documentation provided to MediReady.
Based on intended use, functionality, and regulatory criteria, MediReady is assessed as follows:
| Regulatory Area | Status |
|---|---|
| Medical device (MDSW) under MDR (EU 2017/745) | ✓ Not a medical device |
| National medical information system (NMI) under HSLF-FS 2022:42 | ✓ Not an NMI |
| NIS2 Directive automatic scope | ✓ Not in automatic scope |
| EHDS current scope | ✓ Not in current scope |
| GDPR and Swedish data protection law | ✓ Subject to |
| Patientdatalagen (2008:355) | ✓ Aligned with |
| IMY supervisory authority | ✓ Subject to |
| Swedish data-protection expectations for healthcare software | ✓ Aligned with |
You can use MediReady as an administrative compliance and workflow tool. You must:
The tool does not substitute for legal or clinical counsel.