On this page · 11 sections
Summary. Clinical AI in India is now regulated software. CDSCO released its Draft Guidance on Medical Device Software on October 21, 2025, and has classified AI-based cancer detection and diagnostic software as Class C, a moderate-to-high risk category that requires approval, safety validation and continuous monitoring before clinical use. The market is growing fast: India's AI in healthcare market was valued at about $435.7 million in 2025 and is projected to reach roughly $4,773.7 million by 2034, a 29.56% compound annual growth rate. Building a clinical AI product now means designing for CDSCO's risk classes, an Algorithm Change Protocol, and Digital Personal Data Protection Act data rules from the first line of code. eCorpIT, a Gurugram consultancy founded in 2021, builds clinical AI software aligned with those requirements.
The rules changed what "ship a healthcare AI tool" means. A diagnostic model that a hospital could once pilot informally may now be a Class C medical device that needs a defined regulatory pathway, an audit trail and post-market surveillance. That is not a reason to slow down; it is a reason to build correctly from the start. This article explains what CDSCO now requires, how DPDP applies to health data, what compliant-by-design clinical AI needs, and how eCorpIT delivers it.
Clinical AI is now regulated software
CDSCO's Draft Guidance on Medical Device Software, released October 21, 2025, sets a risk-based framework for software-based devices, including AI-enabled, cloud-hosted and network applications, per India Corporate Law. It separates Software in a Medical Device, embedded in hardware, from Software as a Medical Device (SaMD), which performs a medical purpose on its own. The most consequential move for AI teams: CDSCO classified AI-based cancer detection and diagnostic software as Class C, placing it under formal regulatory control with required approval, validation and monitoring, as reported on the notification.
What CDSCO now requires
SaMD is classified by three criteria: the medical purpose of the software, how significant its information is for clinical decisions, and the severity of the condition, per SaMD classification guidance. Class A and B software is licensed by state authorities, while Class C and D falls under CDSCO's Central Licensing Authority, with applications through the National Single Window System and the CDSCO Medical Device Online Portal.
| Risk class | Risk level | Licensing authority |
|---|---|---|
| Class A | Low | State licensing authority |
| Class B | Low to moderate | State licensing authority |
| Class C | Moderate to high | CDSCO Central Licensing Authority |
| Class D | High | CDSCO Central Licensing Authority |
| AI cancer detection | Class C | CDSCO Central Licensing Authority |
Two mechanisms matter most for AI. The Algorithm Change Protocol lets a manufacturer define in advance how model updates will be managed, so that once the protocol is approved, predefined updates can proceed without a separate approval for each change, per India Corporate Law. And post-market surveillance is central: manufacturers must keep performance records, run ongoing safety evaluations, submit periodic safety update reports, and report cybersecurity vulnerabilities, per the draft guidance analysis.
DPDP and health data
Regulation is not only CDSCO. India's Digital Personal Data Protection Act, 2023, sets strict standards for personal health data, requiring clear consent, strong security and data governance, which pushes privacy-by-design into healthcare AI, per India AI healthcare analysis. The government also moved to guide safe adoption: in March 2026 it introduced the Strategy for AI in Healthcare for India and the Benchmarking Open Data Platform for Health AI, per ARC Advisory Group. For clinical AI, CDSCO and DPDP are two requirements on the same system: one governs the device, the other the data.
What compliant-by-design clinical AI needs
The practical implication is that the regulatory and data requirements are architecture decisions, not paperwork you add at the end. A clinical AI system needs traceable data lineage, versioned models with an Algorithm Change Protocol plan, audit logs suitable for post-market reporting, and consent and access controls that meet DPDP from the first sprint. We build for these, and we are precise about scope: we build the software aligned with the requirements, while the legal manufacturer holds the CDSCO license and the clinical validation stays with the qualified clinical team.
| Requirement | What it means | How eCorpIT designs for it |
|---|---|---|
| CDSCO risk class | Correct SaMD class drives the pathway | Classify early, build to the class's obligations |
| Algorithm Change Protocol | Predefine how model updates are managed | Versioned models and a documented update process |
| Post-market surveillance | Performance and safety records over time | Audit logs and monitoring built into the system |
| DPDP consent and security | Lawful, secure use of health data | Consent flows, access controls, data minimisation |
| Data residency | Health data kept within required boundaries | Region-aware data architecture |
How eCorpIT builds clinical AI
eCorpIT is a Gurugram-based technology consultancy, founded in 2021, CMMI Level 5 and MSME certified, with partners including AWS, Microsoft and Google, and senior-led, multi-disciplinary engineering teams. Our clinical AI work starts by fixing the CDSCO risk class and the data model, because both shape everything downstream. We build the software with traceable data lineage, versioned models and audit logging, and we design data handling aligned with DPDP requirements from the first sprint. We use compliance-aligned language deliberately: we design systems to meet CDSCO and DPDP requirements, we do not claim certifications on your behalf, and we do not perform the clinical validation that qualified clinicians must own. For the deeper data view, see our note on clinical AI data architecture under CDSCO and DPDP and the common pitfalls in healthcare AI deployment mistakes in Indian hospitals.
Who it is for
This fits health-tech companies building a diagnostic or decision-support product that now falls under CDSCO, hospitals commissioning a bespoke clinical AI tool, and medical-device firms adding an AI feature to existing hardware. If you are early, the highest-value step is classifying the device correctly before building, because the class sets the obligations. If you already have a prototype, the work is usually retrofitting audit trails, consent and an Algorithm Change Protocol plan onto a system that was built without them.
India-specific considerations
Three points shape an Indian clinical AI build. The market is expanding quickly, with software the largest segment and hospitals the largest adopter, so demand is real but scrutiny is rising. Data residency and DPDP consent are not optional for health data, and they influence cloud-region and architecture choices. And reach matters: Indian deployments often need multiple languages and must work on the mixed infrastructure of real hospitals, not just a demo environment. For the step-by-step regulatory path, see our CDSCO and DPDP clinical AI deployment guide.
The bottom line
Clinical AI in India crossed from experiment to regulated medical device in late 2025, and 2026 is when teams have to build accordingly. The winning approach is compliant-by-design: fix the CDSCO class first, plan the Algorithm Change Protocol, and meet DPDP from the first sprint, rather than retrofitting under pressure. eCorpIT builds the software aligned with those requirements, honestly scoped so the license sits with the manufacturer and clinical validation with clinicians. Regulation raised the floor; building correctly is how you clear it.
FAQ
How eCorpIT can help
eCorpIT is a Gurugram-based technology consultancy, founded in 2021, CMMI Level 5 and MSME certified, with senior-led engineering teams and partnerships across AWS, Microsoft and Google. We build clinical AI software designed aligned with CDSCO risk-class obligations and DPDP data requirements, with traceable data lineage, versioned models and audit logging built in. If you are building a diagnostic or decision-support tool that now falls under CDSCO, talk to us about a compliant-by-design build.
References
_Last updated: July 11, 2026._