Digital Health Compliance Trends: Top Standards for 2025

4 Feb 2025

A study of digital health innovators asked which standards they plan to meet in 2025. Benchmark your compliance plans by reading our article to discover which standards came out on top, and find out more about them.

As your business grows, the number of compliance frameworks you need to manage often increases as well. This can happen for several reasons: expanding into new markets, adapting to evolving regulations, or keeping pace with industry developments. This is particularly true in the digital health sector, where compliance requirements can change almost yearly, and entering a new market means navigating an entirely new set of regulatory guidelines.

Last year, we conducted our first-ever State of Compliance Survey, asking digital health innovators about their biggest compliance challenges, the standards they currently meet, and the ones they’re prioritising this year. The goal? To uncover where the industry is heading – whether that’s towards new markets, heightened security measures, or the adoption of AI standards.

We also tapped into insights from our customers to bring you a comprehensive look at the frameworks other innovators are focusing on in 2025. Curious to see the full dataset? You can download our survey report here.

Here are the compliance standards digital health innovators are focusing on in 2025, ranked by popularity and relevance from our survey data:

ISO 42001 (55%)

What It Is:

ISO 42001 is an emerging standard focused on AI management systems. It provides a framework for organisations to manage their AI technologies responsibly and ethically. The standard outlines best practices for developing, implementing, and maintaining AI systems, ensuring they are transparent, fair, and accountable. It also addresses risk management, bias mitigation, and security measures, helping organisations deploy AI in a way that safeguards its users.

Why It’s Relevant:

With AI becoming a key driver of healthcare innovation, it’s no surprise that 55% of innovators we surveyed are prioritising ISO 42001 this year. Implementing the standard allows organisations to lay a solid compliance foundation, ensuring they are well-prepared when formal AI regulations, such as the EU AI Act or future UK frameworks, come into effect.

While there are currently no specific UK AI regulations, ISO 42001 aligns with many of the principles outlined in the EU AI Act. This makes it a strategic choice for innovators who are also considering EU expansion.

Additionally, as AI adoption accelerates, there is a growing appetite for guidance on how to implement AI securely, responsibly, and effectively into digital health solutions. For now, this standard is serving that need until more prescriptive regulation arrives.

For more on this topic, check out the highlights from our recent AI compliance webinar, where experts discuss the implications of AI governance and how innovators can prepare for upcoming regulations.

🔗 Watch our webinar summary here

ISO 27001 (53%)

What It Is:

ISO 27001 is the internationally recognised standard for information security management, often referred to as the “gold standard” in certifications for safeguarding sensitive data. The standard provides a framework for establishing, implementing, and maintaining a robust Information Security Management System (ISMS) to manage risks and protect critical information assets.

Why It’s Relevant:

With rising cyber threats in the healthcare sector, more digital health organisations are choosing ISO 27001 to strengthen their defences and demonstrate their commitment to cybersecurity to customers, partners, and stakeholders.

Certification is thorough and often takes 5–9 months to achieve, making it one of the most involved standards on this list. However, the prevalence of high-profile data breaches, particularly supply chain-related incidents, has driven a shift in mindset. Innovators are moving beyond simply ticking the box for compliance, focusing on building robust systems that instil confidence and reduce their security risks.

Additionally, ISO 27001 holds significant value in international markets. As a globally recognised standard, it provides consistency and credibility across borders. Many private organisations, both within the UK and internationally, are increasingly requesting ISO 27001 certification as a benchmark for cybersecurity assurance.

🔗 Read more: Why 50% of digital health innovators opt for ISO 27001

Cyber Essentials Plus (52%)

What It Is:

Cyber Essentials Plus is the advanced certification within the UK’s Cyber Essentials scheme, designed to protect organisations from common cyber threats. While Cyber Essentials is a self-assessed certification, Cyber Essentials Plus requires an independent audit to verify that security controls are properly implemented and functioning effectively.

What It Entails:

Both Cyber Essentials and Cyber Essentials Plus focus on five key security controls:

  • Firewalls: Protecting your network with boundary defences.
  • Secure Configuration: Ensuring systems are set up securely to reduce vulnerabilities.
  • Access Control: Limiting user access to only what is necessary for their role.
  • Malware Protection: Installing and maintaining anti-virus and anti-malware software.
  • Patch Management: Keeping systems up to date with the latest software and security patches.

The key difference is that Cyber Essentials Plus includes a hands-on technical audit, where external assessors test your systems and processes to confirm the effectiveness of these controls.

Why It’s Relevant:

Much like ISO 27001, the rise in cybersecurity awareness has led to an increase in digital health innovators pursuing Cyber Essentials Plus as part of their overall security strategy. At 52%, it’s clear that innovators are taking steps to strengthen their defences in a rapidly evolving threat landscape.

While Cyber Essentials is required for the NHS Data Security and Protection Toolkit (DSPT), a prerequisite for DTAC, Cyber Essentials Plus is not mandatory but is often requested for higher-risk contracts or where sensitive data is involved.

Key Tip:

If you’re planning to achieve Cyber Essentials Plus, remember it must be completed within three months of obtaining Cyber Essentials certification. To streamline the process, it’s often a good idea to think about booking your Cyber Essentials Plus audit as you’re preparing to submit your self-assessment to IASME.

ISO 9001 (40%)

What It Is:

ISO 9001 is a globally recognised quality management standard designed to provide a framework for organisations to consistently improve their processes and deliver high-quality products and services. The standard focuses on customer satisfaction, driving operational efficiency, and continual improvement.

Why It’s Relevant:

ISO 9001 might seem like an unexpected focus for digital health innovators, since it isn’t directly tied to healthcare and is usually only requested as part of bids and pilots. However, this broad applicability makes it increasingly relevant for organisations that want to demonstrate their commitment to quality.

While medical device manufacturers often pursue ISO 13485 for quality management, digital health organisations whose solutions don’t qualify as medical devices are increasingly opting for ISO 9001 certification. It signals to customers and partners that your organisation is dedicated to consistently delivering quality services – a competitive differentiator in any market.

Similar to ISO 27001, ISO 9001’s global recognition makes it particularly appealing for organisations looking to expand internationally.

Naq is the only compliance platform which enables digital health innovators to achieve, manage and scale their compliance with all of the frameworks listed in this blog.

From establishing compliance foundations like Cyber Essentials and DTAC to meeting ISO 27001 and HIPAA requirements, Naq simplifies your regulatory burden, saving you time and costs. Discover why 150+ innovators trust Naq’s platform to simplify their compliance. Click here to book a demo.

HIPAA (37%)

What It Is:

The Health Insurance Portability and Accountability Act (HIPAA) sets the benchmark for protecting sensitive patient health information in the United States. It covers everything from privacy controls, giving patients more control over how their data is used, to robust security measures, including encryption, access controls, and secure facilities to protect electronic PHI (ePHI). HIPAA also applies to third-party vendors, such as IT providers, ensuring everyone handling PHI adheres to the same strict standards.

Why It’s Relevant:

For many UK-based digital health SMEs, the US is the primary target for market expansion, making HIPAA compliance essential. According to ABHI’s 2024 Pulse of the Sector report, nearly 70% of respondents view the US as having a regulatory environment that fosters innovation, compared to just under 20% for the UK. It’s no surprise, then, that HIPAA ranks as a top priority for digital health innovators in 2025.

It’s important to note that many of HIPAA’s requirements overlap with other established frameworks, such as Cyber Essentials, ISO 27001, and the NHS DSPT. If your organisation has already achieved compliance with these standards, you’re likely well-positioned to meet many of HIPAA’s requirements. However, conducting a detailed gap analysis will help identify any additional steps needed to bridge the differences.

When seeking HIPAA compliance support, be sure the costs account for any work you’ve already completed under other frameworks!

SOC 2 (29%)

What It Is:

SOC 2 (System and Organization Controls) evaluates how organisations manage customer data, focusing on privacy and security. While primarily a US-based standard, SOC 2 has gained some international recognition for its ability to assess how companies protect sensitive information, particularly in cloud environments and SaaS operations.

What It Entails:

SOC 2 audits are built around five Trust Service Criteria:

  • Security: Ensures systems are protected against unauthorised access and data breaches.
  • Availability: Confirms systems remain reliable and accessible as promised.
  • Processing Integrity: Verifies that system processes are accurate, valid, and complete.
  • Confidentiality: Ensures sensitive information is accessible only to authorised parties.
  • Privacy: Evaluates how personal data is collected, used, retained, and shared.

SOC 2 audits are flexible and tailored to each organisation’s specific operations, allowing businesses to focus on the criteria or scope most relevant to their services. However, achieving certification still requires a robust demonstration of compliance with these standards, making it a thorough and often complex process.

Why It’s Relevant:

SOC 2 complements HIPAA’s requirements for safeguarding Protected Health Information (PHI). While HIPAA ensures organisations meet legal requirements, SOC 2 demonstrates the operational and technical controls necessary to keep that data safe.

For digital health innovators targeting the US market, especially those processing sensitive patient data, SOC 2 certification can be a critical differentiator, helping to build trust with US-based partners and clients.

Key Difference Between SOC 2 and ISO 27001:

The key difference between SOC 2 and ISO 27001 lies in their scope:

  • ISO 27001 provides a comprehensive framework for implementing and maintaining an Information Security Management System (ISMS), ensuring security risks are managed systematically across the entire organisation.
  • SOC 2, by contrast, focuses more narrowly on auditing the effectiveness of specific data security controls already in place, with fewer documentation requirements compared to ISO 27001.

Which Should You Choose?

  • SOC 2: Best suited for organisations focused primarily on the US market. While SOC 2 is recognised outside the US, it remains predominantly a US standard.
  • ISO 27001: A stronger option for businesses targeting multiple international markets or seeking a more comprehensive security framework.

If you’re already ISO 27001 certified, much of the groundwork for SOC 2 will be complete. Both frameworks share overlapping controls, particularly around security and risk management, allowing you to save time and reduce costs when pursuing either certification.

This year’s compliance priorities reveal a lot about where digital health is headed. The focus on security frameworks like ISO 27001 and Cyber Essentials Plus reflects a growing urgency to protect sensitive data in a sector that’s increasingly under threat. At the same time, the growing interest in US-specific standards like HIPAA and SOC 2 reflects a clear ambition to break into the US healthcare market, where the regulatory environment is perceived as more innovation-friendly and supportive of growth.

But perhaps the most interesting trend is how interconnected these standards are becoming. Many of the frameworks above share overlapping requirements, making it clear that a well-planned compliance strategy could save innovators both time and money. On the other hand, new challenges are looming. With AI playing an ever-larger role in healthcare, the need for robust AI governance frameworks like ISO 42001 is growing, and we can expect more regulatory developments on this front soon.

As the compliance landscape becomes more intricate, finding a solution that can adapt and grow with your business is critical. Whether you need to simplify your compliance stack, enter new markets, or stay ahead of regulatory changes, Naq is the only compliance platform that keeps up with the pace of digital health. By automating most of the manual work required to meet, maintain, and scale compliance, Naq saves innovators over 200 hours per standard, per year and thousands in compliance costs.

In fact, we’ve already helped over 150 digital health innovators do just that. Ready to simplify compliance? Book a demo with our team to learn more.

Discover more about Naq:

Navigating regulatory compliance presents a significant hurdle for emerging health innovators. These entrepreneurs are often faced with a stark choice: either engage costly consultants or brave the journey alone, diverting focus from product development.

Founded by GDPR lawyer Nadia Kadhim and ex-NATO cyber security expert Chris Clinton, Naq is the market’s first automated healthcare compliance platform. With its ability to automate over 80% of compliance tasks, Naq offers innovators a faster, simpler, and more cost-effective approach to achieving, monitoring, and managing their digital health compliance, enabling them to get their solutions to market faster.
