Understanding the Regulatory Landscape for Connected Diabetes Devices
The rapid evolution of connected diabetes devices—such as continuous glucose monitors (CGMs), insulin pumps, hybrid closed-loop systems, and associated mobile applications—has fundamentally altered the management of diabetes mellitus. These devices provide individuals and clinicians with unprecedented access to real-time physiological data, enable automated insulin delivery, and support more personalized treatment decisions. However, the convergence of medical therapeutics, software, wireless connectivity, and data analytics introduces a complex regulatory landscape that demands rigorous oversight to ensure patient safety, data security, and clinical effectiveness. Navigating this landscape is critical for manufacturers, healthcare providers, and patients alike, as regulatory decisions directly influence market access, innovation timelines, and ultimately the quality of care for millions living with diabetes.
The Core Regulatory Authorities Governing Connected Diabetes Devices
Connected diabetes devices are subject to oversight by multiple national and regional regulatory bodies. The most influential of these include the U.S. Food and Drug Administration (FDA), the European Medicines Agency (EMA) in conjunction with national competent authorities, and other agencies such as Japan’s Pharmaceuticals and Medical Devices Agency (PMDA) and Health Canada. Each agency operates under its own legislative framework but shares common goals: to evaluate the safety and efficacy of new devices before they reach the market and to monitor their performance once in widespread use.
The U.S. Food and Drug Administration (FDA)
In the United States, the FDA oversees medical devices through its Center for Devices and Radiological Health (CDRH). Connected diabetes devices are generally classified based on risk. For example, a traditional blood glucose meter may be a Class II device subject to 510(k) premarket notification, while an automated insulin delivery system that includes sophisticated software algorithms is typically considered a Class III device requiring a Premarket Approval (PMA) application. The FDA has also developed specialized frameworks for digital health, including its Digital Health Center of Excellence, which addresses software as a medical device (SaMD), mobile medical applications, and cybersecurity. The agency’s approach to connected devices continues to evolve, with recent guidance on interoperability and the use of real-world evidence to support regulatory submissions.
The European Medicines Agency and National Competent Authorities
In the European Union, medical devices are regulated under the Medical Device Regulation (MDR) 2017/745, which replaced the prior Medical Device Directive. Connected diabetes devices must undergo conformity assessment procedures that include the involvement of a Notified Body—an independent organization designated to evaluate compliance. The classification system under MDR is similar to the FDA’s, with devices ranging from Class IIa (e.g., CGM receivers) to Class III (e.g., implantable sensors or software-driven insulin pumps). The EMA also plays a role in the evaluation of combination products (e.g., a CGM integrated with a drug delivery system) through the Committee for Medicinal Products for Human Use (CHMP) when medicinal components are involved. Post-market surveillance requirements under MDR are stringent, requiring manufacturers to maintain vigilance reports and periodic safety update reports. The European Commission’s medical devices webpage provides comprehensive details on current regulatory obligations.
Other National Regulators
Beyond the FDA and EMA, other authorities are equally important. Health Canada requires manufacturers of connected diabetes devices to obtain a Medical Device Licence under the Food and Drugs Act, with a licensing process that mirrors many elements of the FDA’s PMA and 510(k) pathways. Japan’s PMDA operates under the Pharmaceuticals and Medical Devices Act, which emphasizes clinical trial data and post-market surveillance specific to Japanese populations. The Therapeutic Goods Administration (TGA) in Australia similarly classifies devices and enforces conformity standards. For global manufacturers, harmonization through bodies such as the International Medical Device Regulators Forum (IMDRF) helps align regulatory expectations, though significant differences remain in submission requirements, labeling, and post-market reporting.
Key Regulatory Processes and Stages
Bringing a connected diabetes device from concept to market involves a structured series of evaluations. While the specific steps vary by jurisdiction, the core stages are universally recognized and include premarket review, risk classification, clinical evaluation, labeling, and ongoing surveillance.
Premarket Review and Risk Classification
Manufacturers must first determine the appropriate regulatory pathway based on the device’s risk classification. In the U.S., a device that is substantially equivalent to an existing legally marketed device may qualify for the 510(k) premarket notification process, which requires demonstrating that the new device has the same intended use and technological characteristics as a predicate device. For novel devices—such as an artificial pancreas system—the PMA pathway is mandatory. This involves submitting extensive clinical safety and effectiveness data, manufacturing information, and software validation documentation. In the EU, the MDR introduces stricter classification rules; for example, a CGM used to adjust insulin dosing is now considered Class III, requiring the highest level of scrutiny. The risk classification process is crucial because it determines the level of evidence required and the involvement of external assessors.
Clinical Evaluation and Evidence Generation
A robust clinical evaluation is a cornerstone of regulatory submissions. Manufacturers must provide evidence that the device performs its stated functions safely and effectively in the target population. For connected diabetes devices, this often involves clinical trials that measure outcomes such as time in range, HbA1c reduction, hypoglycemia incidence, and user satisfaction. The FDA and EMA encourage the use of real-world evidence, including data from electronic health records and patient registries, to supplement clinical trials. The FDA’s Real-World Evidence Program provides guidance on how such data can be used to support regulatory decisions. Additionally, for software-driven devices, validation of algorithms—such as the predictive models used in artificial pancreas systems—must follow established standards for software verification and validation (e.g., IEC 62304).
Labeling, Instructions for Use, and Training
Clear, accurate, and patient-friendly labeling is essential for safe use. The regulatory review process scrutinizes all labeling material, including the instructions for use, user manuals, quick-start guides, and any mobile app interfaces. For connected devices, labeling must address topics such as data transmission intervals, battery life, alarm settings, interference from other wireless devices, and troubleshooting connectivity issues. The FDA requires that labeling for insulin pumps and CGMs include specific information about the risk of software errors, cybersecurity vulnerabilities, and the need for routine calibrations. In the EU, MDR mandates that labeling be available in the language of the member state where the device is marketed, and that it be designed for the intended user—often including patients with limited technical literacy. Training programs for healthcare providers and patients may also be reviewed as part of the submission.
Post-Market Surveillance and Vigilance
Regulatory oversight does not end with market authorization. Connected diabetes devices are subject to continuous monitoring through post-market surveillance systems. In the U.S., manufacturers must report adverse events and device malfunctions to the FDA’s Manufacturer and User Facility Device Experience (MAUDE) database. Under the EU MDR, rigorous post-market clinical follow-up (PMCF) plans are required to collect ongoing safety and performance data. Additionally, any significant change to the device—such as a software update that alters the algorithm—may require a new submission or notification to the regulator. The FDA has issued guidance on postmarket management of cybersecurity in medical devices, emphasizing that manufacturers must monitor and patch vulnerabilities throughout the device’s lifecycle. The ability to rapidly update firmware over the internet introduces both convenience and risk, making robust post-market surveillance a non-negotiable element of regulatory compliance.
Major Challenges in Regulating Connected Diabetes Devices
The dynamic nature of digital health technology presents significant challenges for regulators who must balance the need for innovation with the imperative of patient safety. These challenges are particularly acute for connected diabetes devices, where software-driven features, wireless connectivity, and data handling create novel vulnerabilities.
Rapidly Evolving Software and Algorithm Updates
One of the most persistent challenges is the pace of software iteration. A continuous glucose monitor’s algorithm may be updated every few months to improve accuracy or add new features. Under traditional regulatory paradigms, such updates could require full re-review, which would stifle innovation and delay access to improvements. In response, regulators are developing total product lifecycle (TPLC) approaches. The FDA’s Software Precertification (Pre-Cert) pilot program aimed to streamline premarket review for SaMD manufacturers who demonstrate a culture of quality and organizational excellence. In the EU, MDR allows “significant changes” to be identified and evaluated through a supplementary assessment, but the criteria for what constitutes a significant change remain subject to interpretation. Manufacturers often face uncertainty about whether a software update will trigger a new conformity assessment, creating a regulatory bottleneck.
Cybersecurity Vulnerabilities
Connected diabetes devices are increasingly linked to smartphones, cloud platforms, and healthcare networks, exposing them to potential cyberattacks. A malicious actor could theoretically intercept or alter data from a CGM, or remotely change insulin delivery settings—posing a direct threat to patient safety. The FDA has issued several alerts and guidance documents focused on cybersecurity, including recommendations for secure software development, encryption of data in transit and at rest, authentication mechanisms, and incident response plans. Under the Consolidated List of Laws and Regulations for medical devices, manufacturers must now incorporate cybersecurity risk management into their overall quality management system (per ISO 27001 and IEC 62443). Yet the adversarial landscape evolves rapidly, and a device that passed regulatory review at launch may later be found vulnerable. Coordinated vulnerability disclosure programs and collaboration with cybersecurity researchers are becoming essential components of regulatory compliance.
Data Privacy and Interoperability
Connected diabetes devices generate vast amounts of personal health data, including glucose readings, insulin doses, activity levels, and meal information. This data is often stored in the cloud and shared with healthcare providers, caregivers, and sometimes third-party apps. Regulatory frameworks must ensure that strict privacy protections are in place. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and business associates, but device manufacturers that only collect and store data without being directly involved in healthcare delivery may not be fully covered. The FDA recommends that manufacturers follow privacy-by-design principles and provide clear consent mechanisms. In Europe, the General Data Protection Regulation (GDPR) imposes stringent requirements on data controllers and processors, including mandatory data breach notification and users’ rights to access and delete their data. Interoperability is another contentious issue: patients and clinicians increasingly expect that devices from different manufacturers can seamlessly share data. However, proprietary data formats and security protocols can hinder interoperability. Regulators encourage the use of open standards such as HL7 FHIR and the IEEE 11073 family of standards to facilitate data exchange while maintaining security and privacy.
Balancing Innovation with Rigorous Oversight
The regulatory process must guard against both under-regulation—which could expose patients to harm—and over-regulation, which could delay or prevent the availability of life-improving technologies. Small startups developing innovative diabetes solutions often lack the resources to navigate complex PMAs or MDR conformity assessments. The result can be a market dominated by large incumbents, reducing patient choice. Regulators have responded with programs designed to accelerate access to breakthrough devices. For instance, the FDA’s Breakthrough Device Designation offers priority review and iterative feedback for devices that provide more effective treatment or diagnosis for life-threatening or irreversibly debilitating diseases. The EMA offers PRIority MEdicines (PRIME) for combination products. These initiatives aim to shorten the development timeline without compromising safety evidence. However, tension remains: the speed of technological advancement sometimes outpaces the speed of regulatory adaptation, requiring ongoing dialogue between industry, regulators, and clinical communities.
Future Trends in Regulatory Approaches
Looking ahead, regulatory frameworks for connected diabetes devices are likely to become more agile, data-driven, and harmonized internationally. Several trends are already emerging that will shape the next generation of oversight.
Increased Use of Real-World Evidence (RWE)
Regulators are increasingly recognizing that real-world data—collected from routine clinical care, patient registries, and device cloud platforms—can complement traditional clinical trials. The 21st Century Cures Act in the U.S. explicitly encouraged the FDA to use RWE for monitoring post-market safety and supporting new indications. For connected diabetes devices, data from thousands of users over months or years can reveal rare adverse events, long-term performance trends, and patterns of use in diverse populations. The FDA and EMA are developing frameworks for acceptable RWE, including requirements for data quality (e.g., completeness, accuracy) and analytical methodologies. This shift will reduce the burden of additional trials and allow continuous evaluation of device performance as updates are deployed.
Harmonization of International Standards
The global market for connected diabetes devices requires manufacturers to meet multiple sets of requirements, increasing costs and time to market. The International Medical Device Regulators Forum (IMDRF) continues to promote convergence on key topics such as software as a medical device (SaMD) classification, cyber risk management, and adverse event reporting. The IMDRF’s documentation on “Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations” has been adopted by many countries. Similarly, the Global Harmonization Task Force (GHTF) legacy documents still inform national regulations. In the future, we may see mutual recognition agreements that allow a device approved by the FDA to be marketed more quickly in other jurisdictions, provided similar safety and performance standards are met. However, political and economic factors make full harmonization a long-term goal rather than an immediate reality.
Focus on Interoperability and Open Platforms
As patients adopt multiple connected devices from different vendors, the ability to combine data into a single management platform becomes critical. Regulators are beginning to mandate or encourage interoperability. The FDA released a guidance document on interoperability of medical devices in 2017, emphasizing the need for manufacturers to document assumptions about data exchange and to test interfaces realistically. In Europe, MDR requires that devices intended to interoperate with other devices must demonstrate that such interaction does not compromise safety or performance. Future regulations may establish minimum interoperability standards for connected diabetes devices, similar to the frameworks used for electronic health records. This would empower patients to mix and match CGMs, pumps, and apps without being locked into a single ecosystem.
Cybersecurity as a Continuous Compliance Requirement
Regulatory expectations around cybersecurity are evolving from one-time assessments at the time of approval to continuous lifecycle management. The FDA’s 2022 draft guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” outlines a risk-based approach throughout the device’s total product lifecycle. Similarly, the EU’s MDR requires manufacturers to implement a cybersecurity management system that includes vulnerability detection, risk mitigation, and incident response. In the future, we can expect regulators to require a software bill of materials (SBOM) for all connected devices so that newly disclosed vulnerabilities in third-party components can be rapidly mapped to affected products. Additionally, post-market surveillance will likely include automated monitoring of cybersecurity incidents, with mandatory reporting windows.
Conclusion: Navigating a Complex but Essential Landscape
The regulatory landscape for connected diabetes devices is intricate and continuously evolving. Manufacturers must engage with multiple authorities, each with distinct expectations and procedures. The burden of compliance is significant, but it is undeniably essential: robust regulation protects patients from unsafe devices, ensures data integrity, and fosters trust in innovative technologies. For healthcare providers involved in recommending or prescribing these devices, a solid understanding of regulatory status—such as whether a device has FDA clearance or CE marking under MDR—is crucial for clinical decision-making. Patients, too, benefit from transparency about the oversight their devices have undergone.
As the field advances, regulators are adapting by embracing real-world evidence, encouraging interoperability, and strengthening cybersecurity mandates. Collaboration among all stakeholders—industry, regulators, clinicians, and patient advocates—will be essential to strike the right balance between innovation and safety. The ultimate goal remains clear: to enable the widest possible access to safe, effective, and secure connected diabetes devices that improve the quality of life for people living with diabetes. By staying informed about regulatory changes and proactively engaging with oversight bodies, manufacturers can navigate this complex environment successfully and bring life-changing technologies to those who need them.