Regulation in women’s health is often treated as an obstacle. It is said to be too slow, too costly, too complex. For Cécile van der Heijden, attorney-at-law at Axon Lawyers, it is the opposite: “Regulation brings clarity. And clarity leads to power.”
In this interview, she shows how MDR, IVDR, GDPR, the AI Act and the EHDS are not just legal regimes but the architecture that decides who will gain solid footing on Europe’s women’s health market. She argues that only companies embedding robust compliance into their design, evidence and data strategy will gain trust, attract investment, and scale sustainably.
From device classification and evidence requirements to bias in AI systems and the governance of intimate health data, van der Heijden connects frameworks that most lawyers treat in isolation. Her message is direct: compliance is not paperwork; it is the foundation of credibility. And in women’s health, credibility wins you the market.
What perspective do you bring to women’s health and FemTech in today’s EU regulatory debates?
Many lawyers work in silos. My practice has always been different: I build legal architecture across these regimes. I began my career in healthcare law, then specialised in data protection in relation to product regulation and now also AI. That has granted me an integrated perspective very few others have and that is essential for FemTech where product and data cannot be separated. It allows for compliance that holds from end-to-end instead of collapsing under scrutiny because only one silo was considered.
Is strict regulation killing innovation in FemTech, or is it the foundation that makes the market credible?
Strict regulation slows market access and raises the bar for compliance. That bar is also the differentiator: the burden creates credibility. Regulation protects patients. It forces companies to take design and data seriously and prevents products with unsustainable medical claims from reaching the market. It also means that investments will go to products that actually deliver patient care. The legislative burden filters out unserious players in the market that are only after a quick win.
How do MDR and IVDR shape FemTech, and where do you see the biggest gaps for women’s health?
The MDR and IVDR determine whether a product is allowed to call itself medical. Most FemTech products qualify as medical devices or IVDs, not just as lifestyle products. That brings obligations such as classification, conformity assessments, CE-marking, clinical evidence and risk-benefit assessments.
The problem is that the legislation may have been written in a (gender-)neutral way, but this does not necessarily result in a truly neutral evidence base. Women are regularly underrepresented in clinical research, leading to limited data gathering on female-specific end points. Device guidance rarely addresses the reality of women’s health, such as the impact of perimenopause, pregnancy or gender-related comorbidities. This means that there still is a default male baseline in practice. Strategically, this systemic gap leads to a gap in the market for products and companies that take their products for female health specifically to a higher standard.
Why do so many companies underestimate regulation from day one, and what are the consequences for growth and investor confidence?
Because they think they’re building just an app when in fact they’re creating a medical device. I also see a lot of companies that treat data protection as a tick-box at the very end of product design and development. Both are legally problematic and can have brutal consequences: late discovery of device status, reclassification, redesign requirements, absence of the right clinical evidence, delays, unusable data sets, regulators asking questions the device company cannot answer and loss of investor confidence. Ignoring regulatory reality is wishful thinking. In the EU market, wishful thinking leads to market failure.
How can companies in female health balance innovation, trust, and compliance when dealing with intimate data under GDPR and the coming EHDS Act?
Legally, health and genetic data are seen as highly sensitive. Many women also experience this distinction. Fertility records or data on a genetic predisposition for breast cancer feel much more sensitive than a broken arm, even though legally, there is no differentiation between various categories of health data. Not taking the sensitive nature of this data seriously from the very start of the design process of the product leads to both non-compliance, potential issues with market access, and loss of patient trust.
The GDPR sets strict rules for the use of data that can (indirectly) identify a natural person. It requires explicit legal bases, data minimisation, transparency, etc. Contrary to popular belief, GDPR is not designed to block data use. When done right, the GDPR brings credibility, because patients understand what a company is doing with their data and why, leading to trust. That makes strategic data governance an asset.
The upcoming European Health Data Space Act (EHDS Act) will drastically change the data landscape. Secondary use of health data will become possible on an unprecedented scale for, among other things, scientific research, product development of medical devices and training of medical AI-systems. The EHDS Act could be a breakthrough for women’s health research, but only if data quality holds and companies provide access without blocking competitors. At the same time, the EHDS raises hard questions: how will confidential information be protected, and will mandatory sharing expose product secrets alongside health data? These are questions I answer for my clients.
Bias in women’s health isn’t theoretical. What are the regulatory and liability implications under the AI Act, and how can bias-mitigation become a competitive advantage?
Most FemTech algorithms qualify as “high-risk AI systems” under the EU AI Act because they are medical devices. That means a dual compliance burden under MDR/IVDR and the AI Act. Under the AI Act, the provider (manufacturer) of the high-risk AI system must prove data representativeness and bias-mitigation. Bias-mitigation is non-negotiable under the AI Act. Failure to comply leads to potential regulatory rejection as well as liability if patients are harmed by the output of the AI system.
In my opinion, these requirements under the AI Act also have a very real strategic upside. The AI Act requires the provider of the AI system to show that the training, validation and testing data are representative of the intended patient population. If the dataset reflects not only male/female differences but also real diversity, such as age, ethnicity, life stage, by design, the provider of the AI system stands out and compliance becomes part of the market story. On a crowded market, being the product that can truly prove bias mitigation is a differentiator.
What should evidence generation in women’s health look like to ensure representativeness, not only between men and women, but across age, ethnicity, and life stages?
While the precise need differs per product, evidence has to reflect the actual user population. A menopause product cannot rely on healthy 25-year-olds. Fertility tools cannot generalise from small, homogeneous cohorts. MDR and IVDR already require that the clinical evidence is suitable for the intended patient group. That means, for example, stratified recruitment, subgroup analysis, and post-market follow-up targeted at filling evidence gaps from market entry onward. Anything less is not credible, not compliant, and not fit for purpose.
What are the liability risks if a FemTech product misclassifies itself or provides misleading advice?
Misclassifying a medical device as a lifestyle product means that the product is on the market illegally. This regularly leads to enforcement actions. If the product gives incorrect advice (i.e., it tells a woman that she isn’t pregnant when she is), that will lead to product liability. The law will treat it as negligence on the side of the manufacturer and the law protects the patient / user of the product.
For investors and partners, compliance can look like cost. How can a strong regulatory strategy become a differentiator in FemTech?
Regulatory strategy signals defensibility, scalability, and staying power in a difficult market. The MDR/IVDR classification defines the evidence burden, the GDPR defines whether the data governance model survives long-term, and the AI Act defines whether your algorithm is certifiable.
Strong compliance proves durability. Investors and partners want defensibility instead of liability risks. Partners also want products that won’t drag them into non-compliance and that improve or ease provision of patient care. For investors, regulatory clarity is the line between investable and unviable.
Looking ahead: what will define the winners in FemTech five years from now?
In my opinion, the winners will be the companies that treat compliance as design, not as an afterthought. That means accounting for what bodies are missing from the research population, data governance that builds long-term trust, and regulatory clarity from the first instance of product design. Companies who see regulation only as paperwork and hassle will not last. In five years, the winners will be the companies that have built on regulation as infrastructure as a basis for a long-term strong position on the market. The winners will be the companies that stop treating compliance as defence and start using it as strategy from day one.

