Clinical AI deployment in India (2026): how eCorpIT builds CDSCO- and DPDP-ready healthcare AI

India regulates AI cancer-detection software as Class C under CDSCO. eCorpIT builds clinical AI aligned with CDSCO and DPDP requirements for hospitals.

Read time
9 min
Word count
1.2K
Sections
11
FAQs
8
Share
Abstract medical imaging display with an AI overlay and a shield motif for governance
eCorpIT builds CDSCO- and DPDP-ready clinical AI.
On this page · 11 sections
  1. Clinical AI is now regulated software
  2. What CDSCO now requires
  3. DPDP and health data
  4. What compliant-by-design clinical AI needs
  5. How eCorpIT builds clinical AI
  6. Who it is for
  7. India-specific considerations
  8. The bottom line
  9. FAQ
  10. How eCorpIT can help
  11. References

Summary. Clinical AI in India is now regulated software. CDSCO released its Draft Guidance on Medical Device Software on October 21, 2025, and has classified AI-based cancer detection and diagnostic software as Class C, a moderate-to-high risk category that requires approval, safety validation and continuous monitoring before clinical use. The market is growing fast: India's AI in healthcare market was valued at about $435.7 million in 2025 and is projected to reach roughly $4,773.7 million by 2034, a 29.56% compound annual growth rate. Building a clinical AI product now means designing for CDSCO's risk classes, an Algorithm Change Protocol, and Digital Personal Data Protection Act data rules from the first line of code. eCorpIT, a Gurugram consultancy founded in 2021, builds clinical AI software aligned with those requirements.

The rules changed what "ship a healthcare AI tool" means. A diagnostic model that a hospital could once pilot informally may now be a Class C medical device that needs a defined regulatory pathway, an audit trail and post-market surveillance. That is not a reason to slow down; it is a reason to build correctly from the start. This article explains what CDSCO now requires, how DPDP applies to health data, what compliant-by-design clinical AI needs, and how eCorpIT delivers it.

Clinical AI is now regulated software

CDSCO's Draft Guidance on Medical Device Software, released October 21, 2025, sets a risk-based framework for software-based devices, including AI-enabled, cloud-hosted and network applications, per India Corporate Law. It separates Software in a Medical Device, embedded in hardware, from Software as a Medical Device (SaMD), which performs a medical purpose on its own. The most consequential move for AI teams: CDSCO classified AI-based cancer detection and diagnostic software as Class C, placing it under formal regulatory control with required approval, validation and monitoring, as reported on the notification.

What CDSCO now requires

SaMD is classified by three criteria: the medical purpose of the software, how significant its information is for clinical decisions, and the severity of the condition, per SaMD classification guidance. Class A and B software is licensed by state authorities, while Class C and D falls under CDSCO's Central Licensing Authority, with applications through the National Single Window System and the CDSCO Medical Device Online Portal.

Risk class Risk level Licensing authority
Class A Low State licensing authority
Class B Low to moderate State licensing authority
Class C Moderate to high CDSCO Central Licensing Authority
Class D High CDSCO Central Licensing Authority
AI cancer detection Class C CDSCO Central Licensing Authority

Two mechanisms matter most for AI. The Algorithm Change Protocol lets a manufacturer define in advance how model updates will be managed, so that once the protocol is approved, predefined updates can proceed without a separate approval for each change, per India Corporate Law. And post-market surveillance is central: manufacturers must keep performance records, run ongoing safety evaluations, submit periodic safety update reports, and report cybersecurity vulnerabilities, per the draft guidance analysis.

DPDP and health data

Regulation is not only CDSCO. India's Digital Personal Data Protection Act, 2023, sets strict standards for personal health data, requiring clear consent, strong security and data governance, which pushes privacy-by-design into healthcare AI, per India AI healthcare analysis. The government also moved to guide safe adoption: in March 2026 it introduced the Strategy for AI in Healthcare for India and the Benchmarking Open Data Platform for Health AI, per ARC Advisory Group. For clinical AI, CDSCO and DPDP are two requirements on the same system: one governs the device, the other the data.

What compliant-by-design clinical AI needs

The practical implication is that the regulatory and data requirements are architecture decisions, not paperwork you add at the end. A clinical AI system needs traceable data lineage, versioned models with an Algorithm Change Protocol plan, audit logs suitable for post-market reporting, and consent and access controls that meet DPDP from the first sprint. We build for these, and we are precise about scope: we build the software aligned with the requirements, while the legal manufacturer holds the CDSCO license and the clinical validation stays with the qualified clinical team.

Requirement What it means How eCorpIT designs for it
CDSCO risk class Correct SaMD class drives the pathway Classify early, build to the class's obligations
Algorithm Change Protocol Predefine how model updates are managed Versioned models and a documented update process
Post-market surveillance Performance and safety records over time Audit logs and monitoring built into the system
DPDP consent and security Lawful, secure use of health data Consent flows, access controls, data minimisation
Data residency Health data kept within required boundaries Region-aware data architecture

How eCorpIT builds clinical AI

eCorpIT is a Gurugram-based technology consultancy, founded in 2021, CMMI Level 5 and MSME certified, with partners including AWS, Microsoft and Google, and senior-led, multi-disciplinary engineering teams. Our clinical AI work starts by fixing the CDSCO risk class and the data model, because both shape everything downstream. We build the software with traceable data lineage, versioned models and audit logging, and we design data handling aligned with DPDP requirements from the first sprint. We use compliance-aligned language deliberately: we design systems to meet CDSCO and DPDP requirements, we do not claim certifications on your behalf, and we do not perform the clinical validation that qualified clinicians must own. For the deeper data view, see our note on clinical AI data architecture under CDSCO and DPDP and the common pitfalls in healthcare AI deployment mistakes in Indian hospitals.

Who it is for

This fits health-tech companies building a diagnostic or decision-support product that now falls under CDSCO, hospitals commissioning a bespoke clinical AI tool, and medical-device firms adding an AI feature to existing hardware. If you are early, the highest-value step is classifying the device correctly before building, because the class sets the obligations. If you already have a prototype, the work is usually retrofitting audit trails, consent and an Algorithm Change Protocol plan onto a system that was built without them.

India-specific considerations

Three points shape an Indian clinical AI build. The market is expanding quickly, with software the largest segment and hospitals the largest adopter, so demand is real but scrutiny is rising. Data residency and DPDP consent are not optional for health data, and they influence cloud-region and architecture choices. And reach matters: Indian deployments often need multiple languages and must work on the mixed infrastructure of real hospitals, not just a demo environment. For the step-by-step regulatory path, see our CDSCO and DPDP clinical AI deployment guide.

The bottom line

Clinical AI in India crossed from experiment to regulated medical device in late 2025, and 2026 is when teams have to build accordingly. The winning approach is compliant-by-design: fix the CDSCO class first, plan the Algorithm Change Protocol, and meet DPDP from the first sprint, rather than retrofitting under pressure. eCorpIT builds the software aligned with those requirements, honestly scoped so the license sits with the manufacturer and clinical validation with clinicians. Regulation raised the floor; building correctly is how you clear it.

FAQ

How eCorpIT can help

eCorpIT is a Gurugram-based technology consultancy, founded in 2021, CMMI Level 5 and MSME certified, with senior-led engineering teams and partnerships across AWS, Microsoft and Google. We build clinical AI software designed aligned with CDSCO risk-class obligations and DPDP data requirements, with traceable data lineage, versioned models and audit logging built in. If you are building a diagnostic or decision-support tool that now falls under CDSCO, talk to us about a compliant-by-design build.

References

  1. Medical Device As Software: Has CDSCO Guidance Changed The Rules, India Corporate Law
  1. CDSCO AI Cancer Diagnostic Software Regulation 2026: Class C Approval, Operon Strategist
  1. CDSCO Medical Device Registration in India: What's Changed in 2026, Qualio
  1. SaMD Regulation in India: CDSCO Classification (Class A-D), Freyr
  1. Navigating India's Medical Device Software Framework, India Briefing
  1. India Regulates AI Cancer Detection Tools Under CDSCO Norms, Court Kutchehry
  1. India AI in Healthcare Market Size and Outlook, 2026-2033, Grand View Research
  1. AI in Healthcare Market in India, IMARC Group
  1. AI in Healthcare Statistics 2026, Uvik Software
  1. AI Based Medical Devices In India: CDSCO Regulations, Diligence Certification
  1. India Medical Device Software Regulation 2026, Mavenrs
  1. AI in Healthcare in India, ARC Advisory Group

_Last updated: July 11, 2026._

Frequently asked

Quick answers.

01 Is clinical AI regulated in India now?
Yes. CDSCO released its Draft Guidance on Medical Device Software on October 21, 2025, setting a risk-based framework for software-based and AI-enabled devices. It has classified AI-based cancer detection and diagnostic software as Class C, a moderate-to-high risk category requiring approval, safety validation and continuous monitoring before clinical use.
02 What is Software as a Medical Device (SaMD)?
SaMD is standalone software that performs a medical purpose on its own or alongside hardware, as distinct from software embedded in a physical device. Under CDSCO, SaMD is classified by its medical purpose, how significant its output is for clinical decisions, and the severity of the condition it addresses, which together set the risk class.
03 What is an Algorithm Change Protocol?
An Algorithm Change Protocol lets a manufacturer define in advance how model updates will be managed across the product lifecycle. Once CDSCO approves the protocol, predefined updates can proceed without a separate regulatory approval for each change, which is important for AI systems that are retrained or improved over time.
04 How does DPDP apply to healthcare AI?
The Digital Personal Data Protection Act, 2023, sets strict standards for personal health data: clear consent, strong security and data governance. For clinical AI, this means privacy-by-design, consent flows, access controls and data minimisation built into the system. CDSCO governs the device while DPDP governs the data, so both apply to the same product.
05 Does eCorpIT guarantee CDSCO approval?
No. We build clinical AI software designed and aligned with CDSCO and DPDP requirements, but we do not claim certifications on your behalf or guarantee approval. The CDSCO license sits with the legal manufacturer, and clinical validation stays with qualified clinicians. Our role is to build the software correctly so your regulatory path is easier to walk.
06 What does compliant-by-design clinical AI need?
It needs traceable data lineage, versioned models with an Algorithm Change Protocol plan, audit logs suitable for post-market safety reporting, and DPDP consent and access controls, all built in from the first sprint. Retrofitting these onto a prototype is possible but slower and costlier than designing for them at the start.
07 Which class will my AI diagnostic fall under?
It depends on the medical purpose, how significant the output is for clinical decisions, and the severity of the condition. AI cancer detection and diagnostic software has been classified as Class C, under CDSCO's Central Licensing Authority. Classifying your specific device correctly, before building, is the single most important early step because it sets your obligations.
08 Why classify the device before building?
Because the risk class determines the licensing authority, the evidence required, and the post-market obligations, all of which shape the architecture. Building first and classifying later often means expensive rework to add audit trails, consent and an Algorithm Change Protocol. Fixing the class early keeps the build aligned with the pathway from day one.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.