The rise of digital twins in healthcare: some legal insights
Cécile Théard-Jallu
De Gaulle Fleurance, Paris
ctheardjallu@dgfla.com
Kevin Ishac
De Gaulle Fleurance
kishac@dgfla.com[1]
Introduction
The market for digital twins, currently valued at between $17 and $19bn, is booming and could reach over $90bn by 2029[2] (certain estimates are as high as $259bn by 2032).[3]
There is thus reason to be enthusiastic about the advantages digital twins present. Broadly speaking, a digital twin can be defined as ‘a representation of a physical object or system in the form of data, information and associated models’.[4] This replica is updated, ideally in real time, with data from its physical counterpart, enabling continuous analysis and performance optimisation. Digital twins are particularly useful in projecting complex environments, predicting results, identifying potential failures, improving processes without posing a physical risk and eventually reducing the level of risk or instances of non-compliance.
When applied to healthcare, the joint development of biological sciences, on the one hand, and digital technologies, bioengineering and the processing of data, on the other, is paving the way for increasingly sophisticated digital twins. Today, the creation of virtual replicas of organs or segments of the body is possible and, tomorrow, there is the potential to replicate the entire human body.[5] Combining genetics, medicine and data analysis, these models provide a dynamic and personalised representation of a person’s state of health, which goes far beyond simple generic modelling. The human digital twin is structured around seven fundamental components. Four relate to the representation of the human body: DNA, cellular and tissue modelling, a 3D model of the body and the inclusion of cerebral and emotional mechanisms. Added to these four components are the real-time capture of life events through the use of sensors and technological components associating the creation of databases linked to the person and the processing of these data, which are generally simulations managed by artificial intelligence (AI).[6]
As a means of anticipating, optimising and following-up on diagnosis and treatment, this innovation is gradually establishing itself in the healthcare sector[7] as a tool to boost performance and innovation. However, this technological advancement poses several legal challenges, particularly in terms of data protection, intellectual property (IP) and compliance with relevant regulations tailored to the healthcare sector.
Digital twins: a developing digital tool for enhanced performance and innovation in healthcare
Virtual reality and augmented reality offer fertile ground for the integration of digital twins.[8] These technologies open up new horizons for medical training, preparation and remote consultations. Virtual reality enables medical students and healthcare professionals to simulate surgical or treatment procedures in realistic conditions without the potential to harm real patients. This approach is even more immersive and effective when digital twins are incorporated that recreate conditions that are very close to reality. Siemens and NVIDIA, for example, are collaborating to create a metaverse[9] using the Siemens Xcelerator and NVIDIA Omniverse platforms, which could be used to create high-fidelity digital twins to simulate industrial processes in real time.[10] Such technology could be adapted for the medical sector, enabling complex and accurate simulations of medical interventions, offering an unprecedented space for experimentation.
In clinical trials, the introduction of synthetic patients and cohorts is being used to support the development of virtual control arms.[11] Similarly, the use of digital twins in the design of medical devices is proving crucial. Digital twins of the devices themselves may be used, while possibly coupled with twins of organs and/or active ingredients to optimise research and outcomes.[12]
In cardiology, for example, digital twins make it possible to halve the number of and decrease the risks associated with interventions carried out in the operating theatre, but also have the potential to improve the quality of care. PrediSurge, a spin-off from the biomedical and healthcare laboratory at the French top tier engineering school, Ecole des Mines,[13] has developed a digital twin for the arteries in the heart. It supports cardiovascular surgeons by modelling the patient's organs around the heart, based on pre-operative medical imaging. According to the PrediSurge website, ‘It not only has the same shape, but also similar biomechanical properties as the actual organ. This digital twin is used to simulate accurately device implantation, taking into account how devices interact with the anatomy.’
Digital models can indeed be used to simulate the biomechanical behaviour of arteries and valves, significantly reducing surgical risks.[14] More broadly, the continuous integration of patient data enhances these models, reinforcing their role in medical monitoring and the personalisation of medical practice.
Numerous other applications demonstrate the positive impact of digital twins on health.[15] One example is the neurotwin consortium, which models a digital twin of the human brain to detect risks associated with Alzheimer's disease.[16] In orthopaedic surgery, 3D models of bones and joints are being created to plan and simulate operations, reducing errors and improving post-operative results.[17] In cancer research, digital twins of tumours are used to virtually test the effectiveness of different treatments, avoiding the need to embark on lengthy and costly clinical trials.[18] These simulations can speed up the development of new therapies and adapt them to the specific characteristics of patients, increasing the chance of success, with fewer risks to patients.
Generally speaking, ‘the digital twin [...] applies concepts straight from industry to the human body’.[19] Faced with this constantly evolving crossroads between the worlds of industry and health, the applicable legal framework may seem to be vague, at times inadequate or, paradoxically, particularly dense.
Legal challenges around digital twins and the need to identify a legal framework in line with recent technological advancements
The digital twin is a mass of personal data. As a result, compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) is essential, particularly when it comes to health data, which the GDPR considers to be sensitive data. The European regulations impose strict obligations on the collection, processing and storage of personal data. Among others, Articles 5 and 6 of the GDPR specify the principles for processing personal data, including lawfulness, fairness, transparency and data minimisation, which must shape the design and deployment of digital twins of patients’ organs. Collaborations around digital twin research and development (R&D) or use (for instance between the creator of the digital twins and the hospital where the patient is being treated) may also give rise to ad hoc joint data controllership agreements, which need to comply with the provisions in Article 26 of the GDPR. Another challenge is that data often needs to be reused to train and enhance the digital twin, meaning that there is a need to guarantee the compatibility between the initial purpose of the processing (such as diagnosing or treating the patient’s illness in the scope of a clinical trial, for instance) and its secondary purpose (such as training and/or ameliorating the twin model for subsequent configuration or replication activities in the scope of the R&D activities by the creator or even for the treatment of other patients). This secondary use is now supported by the European legislator (including through the new European Health Data Space Regulation (Regulation (EU) 2025/327) published on 5 March 2025),[20] but the purpose compatibility test remains hard to anticipate and to qualify for healthcare stakeholders, in particular for a lot of healthcare centres whose primary purpose is not for profit.
An alternative could be found through the use of synthetic data, which consists of data generated artificially by an AI algorithm trained on a real dataset. The aim is to reproduce the properties and statistical patterns of an existing dataset, by modelling its probabilistic distribution and sampling it. The algorithm generates new data that have the same characteristics as the original data, and therefore provide the same answer, but above all, it is impossible to reconstruct the original data, either using the algorithm or from the synthetic data it has created. As a result, the synthetic dataset has the same predictive capacity as the original data, but it avoids the privacy issues that limit the use of a lot of original data. As such, this new synthetic data might be considered to be anonymised data within the meaning of the GDPR. However, anonymisation is still hard to qualify, while data protection authorities’ recommendations tend to favour data pseudonymisation, which means that the data are still personal data and, hence, are still within the scope of the GDPR.[21]
Furthermore, the use of DNA, as the case may be, for digital twins falls within the scope of bioethics and genomic medicine, ie, the use of full or partial genome sequencing for diagnostic, prognostic or therapeutic purposes, which is strictly regulated by a number of pieces of national legislation, such as the French Public Health Code.[22] In addition, compliance with physical and cybersecurity standards for the hosting and protection of medical data through the application of standards, such as the certified hosting services provider (Hébergeurs de Données de Santé or HDS) certification,[23] is justified by the increasing number of cyberattacks targeting the infrastructure in hospitals, industry players or other stakeholders in the health arena. As for the integration of AI to carry out simulations with digital twins, this necessarily raises questions about the application of the EU AI Act (Regulation (EU) 2024/1689) and possible national legislation (such as the French human warranty governing the deployment and use of AI-based medical devices) to AI digital twins that could be considered high risk or even prohibited by the EU AI Act depending, among others, on their purpose, safety guarantee level and possible impact on individual rights and the fundamental freedoms of citizens.
Given the wide range of sectors in which digital twins are used, a number of international players are positioning themselves as leaders for each component of the system, raising questions around data governance. For instance, DNA sequencing may be financed by governments[24] and certain private companies, the pharmaceutical industry has biological expertise, while 3D modelling may be dominated by global companies (eg, Dassault Systèmes). Physiological data is mainly collected by major digital companies (Apple, Samsung), and IT infrastructure is managed either by public initiatives (such as the shared patient medical file (Dossier Médical Partagé or DMP)) or by private companies. In this respect, the EU’s open data policy (supported by the Data Governance Act (Regulation (EU) 2022/868) and the Data Act (Regulation (EU) 2023/2854)) represents an opportunity for innovation.[25]
This multiplicity of players involved not only in the creation, but also in regard to the use of digital twins, also raises questions about IP. To ensure that everyone's rights are effectively protected in this context, it is essential that the relevant technical, operational, regulatory and contractual aspects are clarified (including when sourcing the data from third-party databases to feed a digital twin). This would help to avoid potential disputes, particularly between software developers, medical device manufacturers and data providers. As such, the classification of digital twins as a possible medical (software) device is also crucial in determining the applicable regulatory requirements. Regulation (EU) 2017/745 on the clinical investigation and sale of medical devices for human use (MDR) states that software is considered a medical device if it is intended for specific medical purposes, such as diagnosis or treatment. The entry and output of data, which is unique to a patient, contributes to qualifying the product as a medical device. Manufacturers of digital twins constituting medical devices must demonstrate that their products meet the essential safety and performance requirements set out in the MDR. However, digital twins, due to their evolving and interactive nature, require regulations that take into account their ability to continuously integrate data in real time and to simulate a variety of scenarios. A regulation specific to digital twins would ensure that these devices comply with the relevant safety and efficiency standards that have been adapted to their specific features.
In parallel to EU regulation, the United States Food and Drug Administration (FDA) has published guidelines on the use of computer simulations in the development of medical devices, recognising the importance of digital twins.[26] Similarly, in 2020, the World Health Organization (WHO) launched a global strategy for digital health, aimed at providing clear guidance on the assessment and approval of digital medical technologies.[27] However, despite the wide range of standards, there are currently no specific international regulations governing digital twins. This lack of specific rules may be seen as a significant limitation to their adoption and integration. In addition to this, initiatives such as the EU’s ‘Destination Earth’, which aims to create an accurate digital replica of the Earth to monitor and model natural and human activities, demonstrate the widespread commitment to advanced modelling despite this gap in the regulation.[28] This initiative could serve as a model for the development of specific standards or datasets for digital twins in the medical field. That being said, healthcare stakeholders are already highly, some say excessively, regulated, particularly in Europe, meaning that other solutions should be found to accompany the development of digital twins. The publication of consistent practical guidelines by the authorities could be part of the answer.
Conclusion
Digital twins represent a promising technological advancement in the medical sector, offering significant opportunities for innovation and improved care provision. However, particular attention must be paid to these promises for the future, while some healthcare professionals remain reluctant to integrate digital technology into clinical practice, with some professionals believing that screens constitute a barrier to their relationship with the patient. This perception is changing as new generations of practitioners are involved in clinical practice, who are more inclined to integrate these tools into their daily working life. Digital twins would allow, at the very least, all healthcare stakeholders to have a common vision in regard to the same individual at the same time.
However, their use raises significant legal challenges, in particular, in terms of data protection, IP and sectoral and cross-sectoral regulations. If not through the adoption of a new specific piece of legislation, which would increase the volume of the regulatory burden placed on this sector that is already very high, it is crucial to specifically and objectively map out the context, purposes and players involved, as well as the operational, financial and data flows around digital twins in healthcare in order to properly understand the legal and regulatory implications that apply to them and to ensure a clear and secure framework for their development and use, which guarantees their integrity and reliability in medical applications. The relevant regulatory authorities should join forces to guide stakeholders in this regard.
Notes
[1] Thanks are given to Gauthier Soufflard and Leila Said Cherif for their help in the preparation of this article.
[2] Mordor Intelligence https://mordorintelligence.com/fr/industry-reports/digital-twin-market last accessed on 4 May 2025.
[3] Fortune Business Insights https://www.fortunebusinessinsights.com/digital-twin-market-106246 last accessed on 4 May 2025.
[4] Benveniste, Albert, et al., ‘The digital twins of systems’, Annales des Mines - Enjeux numériques, 2024/4 n° 28, 2024. p 57-87.
[5] Peter Coveney and Roger Highfield, ‘Virtual You: How Building Your Digital Twin Will Revolutionize Medicine and Change Your Life’, Princeton University Press, 2023, 336 pages. Regards, 2023/2 N° 62, 2023. P 214-214.
[6] Soudoplatoff Serge, ‘Le jumeau numérique en santé’, Fondapol, 2023 https://www.fondapol.org/etude/le-jumeau-numerique-en-sante/ last accessed on 4 May 2025.
[8] On the subject see Soufflard Gauthier, ‘Approche juridique de la réalité étendue’, University of Rennes, 2023.
[9] On the notion of metaverse, see Soufflard Gauthier, ‘Premier plongeon dans le Métavers’, 2021, https://www.academia.edu/113981489/Premier_plongeon_dans_le_Metavers last accessed on 4 May 2025.
[10] Siemens https://newsroom.sw.siemens.com/fr-FR/siemens-xcelerator-nvidia-omniverse-industrial-metaverse/ last accessed on 4 May 2025.
[11] Servier https://servier.com/en/newsroom/synthetic-control-arms-revolutionize-clinical-trials/ last accessed on 4 May 2025.
[12] See n 4 above.
[13] PrediSurge https://www.predisurge.com/about-us/ last accessed on 4 May 2025.
[14] Les Echos https://www.lesechos.fr/pme-regions/innovateurs/predisurge-lance-ses-jumeaux-numeriques-a-lassaut-des-blocs-operatoires-2089344 last accessed on 4 May 2025.
[15] Dumas Mathilde, Fay Anne-Florence, et al. ‘Le jumeau numérique en santé, État des lieux et perspectives d’application à l’hôpital’, Med Sci (Paris), Volume 39, Number 12, December 2023, pp 953 – 957; Bertezene Sandra, ‘Le jumeau numérique en santé - Apports organisationnels et limites épistémologiques dans un contexte de crise sanitaire’, Med Sci, Volume 38, September 2022, pp 663-668.
[16] Neurotwin https://www.neurotwin.eu/ last accessed on 4 May 2025.
[17] Yoshii, Yuichi et al. ‘Correlations between 3D preoperative planning and postoperative reduction in the osteosynthesis of distal humeral fractures’ Journal of orthopaedic surgery and research, vol. 18,1 283. 8 April 2023.
[18] UBC Robson https://www.digitalsupercluster.ca/fr/projects/accelerating-cancer-trials-with-digital-twins/ last accessed on 4 May 2025.
[19] See n 6 above.
[20] European Commission https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en last accessed on 4 May 2025.
[21] European Data Protection Board https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en last accessed on 4 May 2025.
[22] French Public Health Code, art. L. 1130-1 to L. 1130-5.
[23] French Public Health Code, art. L. 1111-8.
[24] See the SeqOIA and AURAGEN platforms in France.
[25] Publication Office of the European Union https://op.europa.eu/en/web/about-us/about-publication-office-of-the-european-union last accessed on 4 May 2025.
[26] Cosmetic Obs https://cosmeticobs.com/fr/articles/reglementation-57/mocra-la-fda-consulte-sur-lenregistrement-des-etablissements-et-des-produits-7556 last accessed on 4 May 2025.
[27] WHO https://iris.who.int/bitstream/handle/10665/344250/9789240027558-fre.pdf last accessed on 4 May 2025.
[28] European Commission https://france.representation.ec.europa.eu/informations/la-destination-terre-un-nouveau-jumeau-numerique-de-la-terre-aidera-lutter-contre-le-changement-2022-03-31_fr last accessed on 4 May 2025.