News & Insights

The Update for
Digital Health.

Technological depth, regulatory updates and insights into the future of health identities.

3 posts tagged with "diga"

BSI TR-03161 for DiGAs: Requirements, Mandatory Certification, and What Applies to Identity Management

Since January 1, 2025, self-declarations are a thing of the past: DiGA manufacturers must prove compliance with data security requirements via an official certificate according to BSI TR-03161 to be included in the DiGA directory. This has turned a recommendation into a strict admission requirement – and for many teams, the critical path to reimbursement.

This article explains what the BSI TR-03161 is, what requirements it sets, how the certification works, and what specifically matters regarding authentication and identity management.

Keycloak & Auth0 in the Health Context: Why Generic IAMs Fail at Digital Health

Almost every DiGA team faces the same question early on: "We know Keycloak / Auth0 – can't we just use that?" A valid consideration, as both are mature Identity & Access Management systems. The honest answer is: For the login of a standard web application, yes – for a regulated digital health application with GesundheitsID and BSI TR-03161 requirements, you will hit clearly identifiable limits.

This article categorizes what Keycloak and Auth0 do well, where they reach their limits in the healthcare context, and when a specialized Health IAM is the better choice.

Integrating GesundheitsID into a DiGA: Requirements, OIDC Federation and the BfArM Proof

Since January 2024, it has been mandatory for DiGA manufacturers to enable their users to authenticate via the GesundheitsID (Health ID). What sounds like a manageable "just another login method" turns out to be one of the more complex integration projects on the way to the DiGA directory – because behind it is not just an OAuth flow, but the entire sectoral identity federation of the telematics infrastructure (TI 2.0).

This article explains what the GesundheitsID is, why it is mandatory, how the integration works technically, where the real hurdles lie, and how you provide the proof required by the BfArM.