Innovation is possible — and strategically necessary — despite strict regulation. IT leaders in healthcare — whether in hospitals, pharma, or medical devices — have to drive innovations like AI while staying compliant with strict regulations such as Good Practice (GxP), the Medical Device Regulation (MDR), and the GDPR.

For a long time, public cloud was seen as a risk in this space. But it’s now clear: it is the foundation of every digital strategy. The question is no longer if but how to use it securely and compliantly. Germany’s industry association Bitkom also confirms that the country is steadily expanding its cloud investments and workloads. Cloud is becoming the standard operating model for new digital capabilities and AI services.

Public cloud and regulation – do they go together?

In short: yes. Despite stringent demands — for example through EU Good Manufacturing Practice (GMP) Annex 11 — healthcare organizations continue to push cloud adoption forward. Back in 2021, Gartner predicted that by 2025 more than 85% of companies would pursue a cloud-first strategy and that without cloud they couldn’t reach their digitization goals. More recent forecasts expect that by 2028 more than 70% of IT workloads will run in cloud environments.

Compliance by design: data protection and residency can be reliably met in the public cloud — with European regions, end-to-end encryption, and GAMP5-conformant validation.

The key is “compliance by design.” Earlier concerns about multi-tenancy have been put into perspective: shared cloud environments today often offer a security advantage, because standardized protection mechanisms reduce cyber risk. European cloud regions and end-to-end encryption ensure data protection and data residency. When health data is processed in the cloud, the GDPR’s strict requirements naturally apply. Combined with the MDR, the result is in fact higher IT security standards. Using established best practices (e.g. the Good Automated Manufacturing Practice guide, GAMP5), companies validate cloud systems in a GxP-conformant way. The compliance hurdle is shrinking, especially with experienced partners who implement GxP, data protection, and security from day one.

Cloud as the foundation for AI innovation

Scalable AI isn’t feasible without cloud: large data volumes and compute-intensive algorithms demand cloud elasticity. According to Forrester, around 20% of IT workloads in healthcare already run in public cloud environments on average. Organizations use cloud primarily for agility, scalability, and pace of innovation. Bitkom predicts that the share of companies sourcing AI from the cloud will rise from 17% to 34%.

Cloud platforms deliver near-unlimited compute and AI services on demand — a level of scalability that on-premises infrastructures can rarely match.

Dr. Ralf Wintergerst, president of Bitkom, points out that AI and cybersecurity are driving cloud adoption — and conversely, that cloud computing accelerates and strengthens AI use.

The EU AI Act defines the regulatory framework — especially where AI acts as part of a medical device or delivers clinically relevant results. Risk management, high-quality datasets, transparency, and human oversight are key. In practice, organizations combine these requirements with GxP validation and audit trails. For AI in GMP/GxP processes outside of products (e.g. for evaluating research data), differentiated obligations apply — but the technical implementation stays the same: cloud-based governance, versioned pipelines, monitoring, and traceable approvals.

Outlook: agent-based AI – the next evolutionary step

AI workloads keep evolving. In agent-based AI, models act as autonomous agents that flexibly access distributed data and act on their own. Examples include real-time patient monitoring and intelligent assistance in diagnostics and therapy. For agents to operate safely in regulated environments, standardized and auditable tool and data integrations are required. This is where the Model Context Protocol (MCP) comes in — an open standard often described as “USB-C for AI.”

MCP enables bidirectional, finely controlled connections between AI applications and external systems such as a Document Management System (DMS), Laboratory Information Management System (LIMS), Manufacturing Execution System (MES), or Quality Management System (QMS). This reduces development effort and enables precisely controlled least-privilege access. Thanks to growing ecosystem support, MCP is evolving into a central building block for agent-based architectures in GxP contexts.

Shaping the transition

Cloud technologies give healthcare organizations the option to combine innovation and compliance. A systematic approach is decisive — from secure migration through building robust governance structures to integrating AI strategies into existing processes. Experience from regulated industries shows that public cloud infrastructures can be designed to reliably meet technical and regulatory requirements while also forming the foundation for new digital services.