Foreword

The resources presented here are a collaborative result of the global team at MedXRSI. The infographic and commentary deliver strategic analysis of policies in selected key regions–USA, UK, EU, Canada, and India. The state of the XR healthcare ecosystem is assessed on the dimensions of market readiness for XR in healthcare and the maturity of the regulatory environments. The information covers major policies about consumer privacy, medical regulation, and XR relevant policies. The research and analysis serves as a resource to those building emerging technology solutions at the intersection of healthcare and Medical XR.

Table of Contents

Introduction

Medical extended reality (Medical XR), encompassing technologies like virtual reality (VR) and augmented reality (AR), is no longer a futuristic concept confined to cutting-edge research labs or specialist clinics. Medical XR is now a part of present day healthcare, from routine vision assessments using eye-tracking tools¹ to advanced surgical planning² and patient rehabilitation³. Whether by guiding a physician’s hand during a minimally invasive procedure or by helping patients visualize treatment outcomes, Medical XR is becoming increasingly integrated into medical practice, often in ways that feel as ordinary as a digital thermometer or a blood pressure cuff.

Unique risks demand purpose built oversight

As the technology becomes adopted at scale, the need for appropriate regulation for the specific risks and vulnerabilities associated with the technology needs to be aligned⁴. The considerations for medical XR are different from consumer use of the technology because the functionality of the devices is being used to generate sensitive health information. A VR headset may be used to implement cognitive tests to support the diagnosis or staging of Alzheimer’s Disease⁵. An AR device may be used to model movement patterns to determine fitness to return to work after an injury⁶. Often the functionalities are expanded when biosensors (eye-tracking, EEG, heart rate) and artificial intelligence (AI) inference engines are added to the functionalities⁷. These data types act like stars that form constellations. Individually they shine a light, but when you look at the collection with context (via AI) it forms a whole new meaning. Consequently, tabulation and evaluation of the current state of regulation acts as the starting point for movement towards aligning technology uses and regulation to protect patients.

Global policy assessment: USA, UK, EU, India and Canada

The research conducted is summarized in the Medical XR Regulatory Global Landscape infographic. The regions of USA, UK, EU, India, and Canada were assessed because each has established policies that partially classify XR-generated data as health information, thereby making it subject to patient privacy laws, medical record data management rules, and information technology (IT) compliance standards with health-specific regulations. Inclusive of scope in this analysis was personal health information (PHI) policy, medical device regulations, and digital health regulations.  However, not all sensitive data falls within protected health information classification at this time. To complete the analysis, the research included consumer data policies, which govern how non-medical personal data is collected, used, and shared.

Healthcare-consumer data convergence and oversight gap

The most challenging aspect of medical XR is that it blurs the boundaries between health data and consumer data, capturing everything from biometric identifiers to behavioral and environmental information in real time. This unique convergence makes it difficult to rely solely on existing regulatory frameworks, which were not designed for such immersive, data-rich technologies. As a result, the regulation of Medical XR sits at the intersection of health law and consumer protection, raising complex questions about privacy, security, and the future of digital health oversight worldwide. The research concludes with a survey of any existing medical XR guidance and an opinion on risks posed by the regulatory landscapes in their current state of maturity.  

As a companion to the infographic, the following sections provide a comparative analysis between regions and proposed strategies to address the gaps between regulatory jurisdictions.

Across all the five regions, medical XR and digital health technologies are currently regulated under existing medical device and software frameworks rather than through dedicated XR-exclusive policies. While no region has developed XR-specific classification systems yet, traditional medical device frameworks are being adapted to accommodate emerging immersive technologies.

The United States of America

In the United States, the Food and Drug Administration (FDA) classifies XR products according to traditional risk-based categories for medical devices, applying standards such as the Quality Management System Regulation (QMSR) and ISO 13485:2016. Class I devices represent the lowest risk category and include basic XR applications such as patient education software or simple wellness applications that do not directly influence medical decision-making⁸. Class II devices encompass the majority of therapeutic XR applications, including VR-based rehabilitation systems for stroke recovery, and AR surgical guidance tools that overlay medical images during procedures⁹. Class III devices represent the highest-risk category and include XR systems that are life-supporting or life-sustaining, such as AR-guided surgical robots or VR systems used for critical psychiatric interventions. The FDA’s Quality Management System Regulation (QMSR), effective February 2026, will harmonize device manufacturing standards with ISO 13485:2016, providing clearer guidance for XR device manufacturers¹⁰.

The United Kingdom

The United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) and the European Union’s Medical Device Regulation (MDR) similarly categorize XR technologies as medical devices or software as a medical device (SaMD), with risk classes determining the level of oversight required. The UK’s MHRA regulates XR technologies under the Medical Device Regulations 2002, utilizing a four-class system (Class I, IIa, IIb, and III) based on risk and invasiveness criteria¹¹. All software, including XR applications, is considered an active medical device due to its reliance on external energy sources. Class I devices include low-risk XR applications such as basic patient education platforms or simple diagnostic aids that do not directly influence treatment decisions. Class IIa devices encompass XR applications with low-to-medium risk, including therapeutic VR for anxiety disorders, AR applications for medical training, and immersive rehabilitation platforms for physical therapy; Class IIb devices include medium-to-high risk XR systems such as AR surgical navigation tools, VR applications for treating PTSD, and immersive diagnostic platforms that significantly influence clinical decision-making. Class III devices represent the highest risk category, including XR systems that are life-critical or involve invasive procedures, such as AR-guided cardiac surgery systems.

The European Union

The European Union’s Medical Device Regulation (MDR 2017/745) establishes the most comprehensive framework for XR device classification, requiring CE marking for market access. The MDR’s SaMD provisions specifically address XR technologies, requiring conformity assessment for higher-risk classifications¹². Class I devices include basic XR wellness applications and simple patient information systems that pose minimal risk; these require manufacturer self-declaration and technical file compilation. Class IIa devices comprise of XR applications intended for controlling or influencing medical device performance, including AR systems that provide real-time guidance for medical procedures and VR platforms for basic therapeutic interventions. Class III devices represent the highest-risk category, including XR systems that are life-supporting or involve critical therapeutic interventions, such as AR-guided neurosurgery platforms.

India

In India, the Central Drugs Standard Control Organization (CDSCO) regulates medical XR under the Medical Devices Rules 2017 (amended in 2020), implementing a four-class system (A, B, C, D)¹³. Class A devices include low-risk XR applications such as basic patient education platforms and simple wellness applications. Non-sterile, non-measuring devices require only Class A registration, while sterile or measuring devices require MD5 licensing. Class B devices encompass moderate-risk XR applications including VR rehabilitation systems, AR training platforms for healthcare professionals, and immersive diagnostic aids. These require MD5 licensing with enhanced documentation requirements. Class C devices include moderate-to-high risk XR systems such as AR surgical guidance platforms, VR applications for treating serious mental health conditions, and immersive systems that significantly influence medical decision-making. These require MD9 licensing with comprehensive technical documentation. Class D devices represent the highest-risk category, including life-supporting XR systems, AR-guided critical surgical procedures, and VR platforms for life-threatening condition management. These require MD9 licensing with the most stringent regulatory oversight. As of October 2023, all Class C and D devices require mandatory licensing, representing a significant tightening of regulatory requirements.

Canada

In Canada, Health Canada applies its Medical Devices Regulations under the Food and Drugs Act, utilizing a four-tier classification system (Class I, II, III, IV)¹⁴. The Digital Health Review Division provides specialized oversight for XR technologies. Class I devices include basic XR wellness applications and simple patient information systems. Manufacturers require a Medical Device Establishment Licence (MDEL) but can self-certify device compliance. Class II devices encompass moderate-risk XR applications such as VR rehabilitation platforms, AR medical training systems, and immersive diagnostic aids. These require a Medical Device Licence (MDL). Class III devices include higher-risk XR systems such as AR surgical guidance platforms and VR applications for treating serious medical conditions. These require comprehensive MDL applications with clinical data. Class IV devices represent the highest-risk category, including life-supporting XR systems and critical therapeutic platforms. These require the most extensive regulatory review with comprehensive safety and efficacy data. Canada’s approach also emphasizes Software as Medical Devices (SaMD) principles, utilizing classification rules to determine the appropriate oversight levels for XR technologies.

In all regions, XR devices, when utilized for a health application (software), can be classified as medical devices. Risk is primarily assessed in terms of patient physical safety and health. Data privacy risk is not fully encompassed within this assessment. Consider a behavioral therapy classified as moderate risk, but gathers very sensitive personal information as a function of the therapy. PHI policies would be the next step in safeguarding XR SaMD, such as this. What is debatable, is which data generated by the XR system is classified at PHI. For example, the diagnostic classification produced from the application when entered into the medical record will be protected. However, if that classification was based on data types that are not PHI (e.g. controller tracking data), then those data would not be covered by the same privacy rules. If it does not meet the established criteria, then it falls to the lower level of protections of consumer data.

Regulations develop in response to novel threats from technological innovation and expanded use cases. Consequently, depth and comprehensiveness of regulation differs by region based on the level of XR advances and market growth. The content of the regulation is shaped by existing laws and cultural expectations of protection and privacy. Here we provide a high level comparative analysis of regulation maturity for medical XR (Figure). Maturity is based on medical regulatory pipeline and consumer privacy standards on a scale from nonexistent, emerging, foundational, established. Medical XR readiness is based on inclusion of XR in regulation, scale of XR adoption in healthcare by the same four level scale.  

In the United States, the FDA’s centralized authority and risk-based classification system provide flexibility for emerging technologies. While lacking XR-specific frameworks, the agency leverages existing medical device regulations and digital health guidance to evaluate XR applications. Rapid FDA clearance pathways enable faster market entry for moderate-risk devices. As of June 2025, 84 XR solutions are cleared by the FDA. However, fragmentation persists, as there are no federal XR-specific privacy laws, with health data governance split between HIPAA and consumer protections. HIPAA final ruling updates have been stalled for years, and thus do not adequately cover novel data risks that emerged post 2002. Consumer protections also vary by state, with California often leading novel legislation, such as the California Right to Privacy Act. 

XR is explicitly included in the digital tools category for UK MHRA. The Digital Technology Assessment Criteria (DTAC) is a development guide for digital applications that captures the common elements across web, mobile, and XR in clinical safety, data protection, technical security, interoperability criteria, usability, and accessibility. DTAC evaluation is required for entry to the NHS. Guidance is also provided via NICE¹⁵, which instructs evidence-based recommendations by use case. The UK has also introduced stringent post market surveillance ¹⁶ of digital technologies, inclusive of XR. All UKCA- and CE-marked devices must actively, rather than passively, track the safety and performance of products.

The MDR 2017/745 establishes the most comprehensive framework in the European Union, requiring CE marking and clinical evaluations for XR devices as medical devices. Consumer privacy is defended by GDPR’s strict data protection standards that ensure uniformity across member states. The challenge lies in the decentralized enforcement through 25+ notified bodies, which assess the conformity of medical devices, causing interpretation variances for XR as SaMD. The inconsistencies encourage “regulation shopping” similar to US states. The leading countries in use of XR are Germany and France where examples of surgical training, patient rehabilitation, mental health therapies, and diagnostics can be readily cited. 

India is emerging as a regulatory reformer with the 2023 Digital Personal Data Protection Act and National Medical Device Policy. However, enforcement across states is inconsistent, and XR-specific guidance remains absent. The testing of the regulatory structure is yet to be seen as medical XR is largely in the pilot and clinical trial stage and has not been adopted widely enough to observe the efficacy of regulation or patient benefit. 

Like other regions, medical XR regulation by Health Canada falls under device and digital technology regulations. Consumer privacy in Canada is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which is a consistent regulation for the whole country, and is well-aligned with the EU GDPR. The regulations focus on meaningful consent, data use transparency, and data breach notifications. Canada technology readiness is similar to the US with documented use of XR for medical education, surgical simulation, pain management, and telemedicine.

Based on this analysis, The EU is most prepared for implementation of XR SaMD, followed by the UK and Canada. The US ranks next as having established policies that are not comprehensive in data protections. Lastly, India is at an emerging stage with forward looking, yet untested, policies.

Comprehensive Approach

Ultimately, the global regulatory landscape for medical XR and digital health is in transition. Repeatedly, XR-specific guidance is found lacking. The solution to this is not to create a new class for regulation. Rather to expand the definition and scope of digital health data to be inclusive of the array of data types generated in XR systems. Medical XR has demonstrated unique and powerful value to solve care, treatment, and diagnostics challenges where other technologies were unsuccessful. It will become as commonplace as a digital tablet that is used for heterogeneous assessments. Effective regulation can anticipate that eventuality and consequently accelerate the adoption. The uncertainty in regulation and guidance create friction to adoption and implementation. Providers and healthcare systems take actions in a conservative manner to protect the patient and the organization. Thus if there is known risk with unknown safeguards, the common decision is not to adopt. 

In the meantime as regulatory policies mature, there are several resources to guide developers and companies in their preparedness for implementation in healthcare systems. The VA Immersive publishes specific IT and cybersecurity guidelines for potential vendors. These compliance standards define the requirements to enter the system. XRSI has developed frameworks to assess risk in numerous contexts, including medical guidelines in a forthcoming manuscript for the Journal of Medical Extended Reality. The FDA¹⁷ and the NHS provides public facing information on medical XR and high level guidance on implementation. A consortium of medical schools called MIXR¹⁸ are studying effective implementation methods for XR technologies in healthcare systems. The active research in risk management and implementation will benefit smoother adoption of XR SaMD broadly. Regulatory advisors¹⁹ that specialize in medical XR are also emerging to support the industry.

AI and XR Interdependency

The other factor not directly addressed in this current analysis, but will in forthcoming updates, is the implications of regulation of AI in the medical context. In most regulatory frameworks, AI falls within SaMD. Yet new guidance will need to be tailored to novel risks posed by this generation of AI. This work is in progress²⁰ for all regions of the world as the methodology and capabilities of AI rapidly evolve. The forethought to define the principles of evaluation that are robust to these changes lie in the reliance of human oversight at every stage of the product life cycle. Responsible use of AI will connect the stars of XR to draw constellations. And it is in the constellations that we find meaningful and actionable data for patient benefit.

References

1. https://doi.org/10.1097/opx.0000000000002088 ↩︎
2. https://infusemed.com/augmented-reality-transforming-surgical-planning-and-navigation/ ↩︎
3. https://doi.org/10.3389/frvir.2025.1517402 ↩︎
4. https://itif.org/publications/2021/03/04/balancing-user-privacy-and-innovation-augmented-and-virtual-reality/ ↩︎
5. https://doi.org/10.3389/fpsyg.2024.1406167 ↩︎
6. https://doi.org/10.2196/50200 ↩︎
7. https://doi.org/10.3390/bios14040183 ↩︎
8. https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/overview-device-regulation ↩︎
9. https://www.fda.gov/medical-devices/digital-health-center-excellence/augmented-reality-and-virtual-reality-medical-devices ↩︎
10. https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/quality-and-compliance-medical-devices ↩︎
11. https://www.gov.uk/government/consultations/consultation-on-the-future-regulation-of-medical-devices-in-the-united-kingdom/chapter-2-classification ↩︎
12. https://www.eurodev.com/blog/medical-device-software-in-the-european-market ↩︎
13. https://www.emergobyul.com/sites/default/files/2024-07/RLC24CS1578348-India-Medical-Device-Whitepaper.pdf ↩︎
14. https://www.canada.ca/en/health-canada/services/drugs-health-products/medical-devices/application-information/guidance-documents/software-medical-device-guidance-document.html ↩︎
15. https://www.nice.org.uk/guidance ↩︎
16. https://www.legislation.gov.uk/uksi/2024/1368/contents/made ↩︎
17. https://www.fda.gov/medical-devices/digital-health-center-excellence/augmented-reality-and-virtual-reality-medical-devices ↩︎
18. www.mixrcenter.org ↩︎
19. https://healthinnovationnetwork.com/resources/mindset-xr-online-learning-resources-innovators/ ↩︎
20. https://doi.org/10.3390/healthcare12050562 ↩︎