Europe’s innovators are full of ambition — but often struggle to navigate the maze of regulations that govern digital and health technologies. As new frameworks like the AI Act, Data Act, and European Health Data Space (EHDS) take shape, the need for clear, accessible, and practical regulatory literacy has never been greater.
We had a talk with Heikki Pitkänen, CEO and Founder of Lean Entries, a company that translates complex regulations into digital guidance tools for innovators, startups, and SMEs. Drawing from his decades of experience in medical device regulation, Heikki shares his insights on how Europe can turn compliance into a competitive advantage — and why simplifying complexity is the next big step for innovation.
Read the full interview below:
Question: Many innovators feel “drowned in regulatory complexity.” From your experience, what are the most common misconceptions or challenges among startups in digital health and MedTech?
I think the main challenge is that there are numerous regulations. It is a maze, and despite all the simplification from the European Commission and the European legislator’s perspective, the maze will remain. In my opinion, the more foundational issue is clarity—regulatory clarity, and as a result, regulatory literacy—which should be established at the earliest possible stage of innovation. What happens very typically is that innovator teams do not have the knowledge or prior experience in compliance with regulations. They often assume it can be addressed later, but in fact, regulations and related standards hold critical inputs that need to be considered from the start to avoid costly re-design. When establishing a company and writing a business plan, the regulatory strategy should be part of that package. This helps innovators understand what they face, make informed decisions, manage risks, and estimate costs.
Question: According to Mario Draghi’s 2024 report on the future of European competitiveness, over half of European SMEs see regulation as their No.1 barrier. How can we close this gap?
The reason, I think, is that many innovators don’t realize early on how critical it is to understand the basics. We’ve seen rare cases where founders have prior experience in highly regulated fields, like medical devices. These companies already have systems in place for the Medical Device Regulations (MDR or IVDR), so adding AI Act requirements—such as an AI life cycle or change management protocol—is straightforward. For them, compliance is practical, even though it consumes a substantial amount of resources and requires adapting to the evolving requirements for AI systems. But most early-stage teams lack this experience and miss the opportunity to make educated decisions on compliance. In my experience, this causes many failures and losses, not only in Europe but globally. This is also an opportunity for Europe to lead by improving compliance with its own and global regulations. Beyond top-down simplification, we need to recognize the foundational importance of bottom-up regulatory clarity. That is the most effective means of closing the gap.
Question: The EU is introducing several landmark regulations — AI Act, Data Act, European Health Data Space (EHDS) — all of which will shape the future of digital health. What do these mean for innovators in practice?
These regulations are designed with good intentions and offer clear benefits. For example, the EHDS aims to enable harmonised secondary use of health data across Europe, supporting faster development of AI-driven health solutions. However, practical challenges remain: How will the data-sharing work? Are hospitals and other data holders ready? What are the timelines for compliance? In practice, innovators face a steep learning curve with the increased maze. For early-stage innovators, the biggest hurdle is the overlap and volume of regulations. Recertification cycles add unnecessary burden while unannounced audits already keep manufacturers sharp with their processes. Greater trust and smarter monitoring could reduce this workload and the spending of resources.
Question: Lean Entries has developed e-tools that translate complex regulations like the Medical Device Regulation (MDR), In Vitro Diagnostic Regulation (IVDR), AI Act, Data Act, and European Health Data Space (EHDS) into step-by-step, no-code guidance. How do these tools work in practice, and how do they help innovators make compliance easier and faster from day one?
Our tools are delivered through partnerships with innovation hubs, universities, and clusters. These organizations provide the access free of charge to startups, SMEs, and public-sector teams, including translational researchers and even students. The platform applies a unique step-engine questionnaire that guides users through the myriad of regulatory requirements in a structured and personalized way. It builds on a fully referenced breakdown of regulations and related guidance documents, combined with examples, terminology, and guidance from those sources embedded directly in the interface, where innovators need it. The platform helps innovators navigate complex frameworks like the MDR or the AI Act, explore classification options, and find justification for whether a product qualifies as a medical device or not.
This approach addresses the strong demand for regulatory clarity—critical for competitiveness and investor trust. Without regulatory literacy uncertainty remains and innovation slows. Today, Lean Entries offers the most nuanced and scalable tooling globally to establish regulatory clarity, covering multiple regulations and expanding to new ones like the Cyber Resilience Act and General Data Protection Regulation (GDPR). Furthermore, we are in the process of empowering the production of the tools with AI.
Question: How can we ensure that simplification doesn’t mean oversimplification — that innovators still internalize the “why” behind the rules?
Our experience shows that the Entries tools act as a wake-up call for innovators. They don’t solve all problems, but make them realize what they don’t know and where they need help. Unlike generic AI tools, like ChatGPT, which often give incomplete or unreferenced answers, the Entries platform provides structured guidance based on official sources and complete references. When innovators apply for support from a European Digital Innovation Hub (EDIH), university, or cluster, the Entries platform ensures they absorb essential knowledge. Compliance builds on that knowledge—setting up a regulatory strategy, Quality Management System (QMS) and implementing processes—but this first step is critical. Beyond guidance, Entries can be harnessed to collect valuable data points—currently over 800—from the five existing tools that could help universities, EDIHs, and the Commission understand what innovators are working on and where compliance hurdles exist. This way, we could serve innovators better and potentially match them directly through APIs to digital services and other service providers throughout their compliance journey. This enables the compression of value chains in innovation.
Question: Is Europe at risk of regulatory fragmentation — or can shared literacy frameworks, like those promoted through Lean Entries, help harmonize understanding across borders?
Regulatory fragmentation is a real challenge in Europe. While EU regulations aim for harmonization, many directives—such as NIS2 or the Machinery Directive—allow national deviations and interpretations. This means innovators often face 27 different variations layered on top of the core rules. Beyond safety, privacy and security regulations, there are additional administrative requirements like taxation, IP, and other compliance obligations, making cross-border expansion complex and costly. In my point of view, the European Commission should push for deeper harmonization, learning from best practices within EU Member States and aligning with global frameworks, including the U.S. and other regions.
Question: How do you see AI sandboxes and EDIHs contributing to regulatory readiness? What should be done to make them more effective in supporting innovators?
AI regulatory sandboxes are a promising initiative, heavily supported by EU funding, to be launched by national competent authorities in August 2026. The assumed sandbox operators, such as EDIHs, already serve as key resources for innovators in the digital and AI space. They provide a strong foundation, but being still young, they need best practices, knowledge sharing and harmonisation of services across Europe. For EDIHs, we propose integrating regulatory literacy at the gateway of each hub. This means offering innovators clear, structured guidance on essential regulations as part of their onboarding process. Our platform Entries can act as a regulatory due diligence tool. Innovators entering an AI sandbox would first complete a basic compliance check through Entries, ensuring they know the most critical requirements, followed by local coaching, training or workshops to confirm their findings. This approach would also feed valuable data back to EDIHs, improving their support services. National competent authorities, Notified Bodies and service providers would experience more straightforward, value-adding transactions with innovators.We suggest starting with a pilot program, which could operate at minimal cost per EDIH to maintain and scale the system. This approach would not only strengthen regulatory readiness but also create feedback loops and analytics to improve support for innovators over time.
Question: You’ve called for a “shared literacy baseline.” What would that look like in practice? Who should lead it – the EU, national authorities, or innovation networks?
All stakeholders need to be involved—the EU, national authorities, and innovation networks. While much of what I’ve explained applies here, I believe the Entries tooling could be the key element to establish a regulatory literacy baseline. At the same time, I’d like to emphasise that training, coaching, and advice remain essential. These should continue through local regulatory experts in workshops where I recommend the innovators pitch their regulatory strategies and learn from peers. Existing elements, such as those offered by EDIHs, universities and incubators, should stay in place. The digital learning component simply creates the wake-up call, possibility to boost efficiency and provide a stable and harmonised learning curve. Activities carried out nationally or by EDIHs, Testing and Experimentation Facilities (TEFs) or AI factories would then become more effective. The European Commission should be strongly involved, endorsing or branding the initiative to show its support. Open-source APIs from Entries should be expected to make this most effective. Unfortunately, the topic of regulatory clarity, as foundational as it has become for European competitiveness, mostly dissolves under other priorities like funding and regulatory simplification. It’s time to make it a visible, actionable and measurable goal for the sake of our innovation!
Question: Can European projects like EVOLVE2CARE or organisations such as the European Network of Living Labs play a role in testing and scaling such literacy tools?
Absolutely. The health sector is an ideal environment for piloting regulatory literacy tools. Entries was originally developed for health tech, and our existing tools already cover key regulations such as MDR, IVDR, AI Act, Data Act, and EHDS. Future tools—like those for the Cyber Resilience Act and GDPR—will also impact healthcare systems. Projects like EVOLVE2CARE could provide the perfect environment to test and scale these tools in real-world settings.
Question: Looking ahead to 2030, what does a “regulation-smart Europe” look like to you?
By 2030, regulatory literacy should be a true baseline for innovators across Europe, supported by AI and data-driven tools. It will be assumed that innovators know what regulations mean for them. If they cannot show their regulatory data—such as classification, applicable regulations, and their compliance pathway—they cannot expect to receive funding or services from EDIHs and other parties. This will become a basic requirement, easily achievable through tools like Entries. By then, the digital and health tech sectors will have strong regulatory sandboxes. Universities and EDIHs will be able to perform due diligence on regulatory basics, ensuring innovators start from a shared understanding of compliance. From there, everyone remains free to compete and innovate, but with shared clarity on compliance. This common understanding will benefit innovators, investors, universities, and authorities alike. Five years is enough to establish this baseline for health tech and digital sectors, measure the results and continue expanding it to other industries.
Question: What message would you share with young innovators or startups who see regulation as a burden rather than a guide?
I think the baseline is that innovators need to understand that safety and security are the baselines for business when it comes to regulated sectors. If an innovator is developing a medical device, safety is the baseline for business. Many startups try to avoid regulatory work or costly clinical investigations. My advice is to integrate regulatory strategy into their business plans and budgets early—and use clinical investigations not only for compliance but also to collect valuable business data, engage early adopters, and strengthen market entry.
Start with what I call the eight early principles. The first four apply broadly:
- Qualification – Determine which regulations apply to the product.
- Classification – Understand the risk class and the workload ahead.
- List your standards – Recognise the best practices instead of re-inventing the wheel
- Regulatory Strategy – Make it part of the business plan.
The next four are health tech-specific but can be adjusted to other sectors:
- Literature reviews reveal existing clinical practices, competitors and benchmarks and are a natural first step into clinical evaluation and investigations.
- Whenever a team member speaks of risks, start writing them down, and collect a good bunch of more from the regulations and standards. Then let a risk management professional help you expand it into a full-blown risk management system.
- Study the feasibility of your product with good knowledge of the eventual safety and documentation requirements (i.e., design controls) in mind.
- Assess your most critical suppliers for their regulatory competence and include compliance in quality agreements. You should only work with suppliers that make your path to market easier, not harder.
Ignoring these principles creates a high risk of failure. Starting early saves months in the process and ensures your compliance aligns with business goals and market success.
Question: In such a complex regulatory landscape, do innovators need to develop multitasking skills to balance compliance, product development, and business growth?
Yes, absolutely. And innovators need to include early regulatory advice in their budget. If they cannot hire an experienced regulatory professional right away, consider combining a young expert with a consultant who can mentor them. This way, their team builds internal expertise over time to own their compliance, a key business enabler. This also means the leadership team should understand the basics of regulation, and their regulatory people should speak the language of business. Bridging that gap is essential. We’ve seen this challenge in MedTech for years, and now it’s hitting digital health and AI sectors, which face high-risk classifications and complex systems. The sooner innovators build this capability, the stronger their foundation for growth!
As Europe races to build a digital single market grounded in trust and transparency, voices like Heikki Pitkänen’s remind us that innovation and regulation aren’t opposites — they are partners in progress.
