The term gets used in EU funding bids, procurement requirements, and governance frameworks, but it is rarely explained in plain terms. An Ethical, Social and Legal Impact Assessment, commonly abbreviated to ESLIA or ELSI assessment, is a structured process for identifying and evaluating the ethical, social, and legal implications of a technology, product, or system before it is deployed or scaled.
In a digital health context, this means asking a set of questions that go beyond whether the product works as intended. Does it treat all users fairly? Could it produce different outcomes for certain groups, by age, ethnicity, disability status, or socioeconomic background? Does it respect individual autonomy and informed consent? Are the legal bases for processing sensitive health data clearly established? What happens to the people who rely on it if it fails or produces a harmful recommendation? Who is accountable when something goes wrong?
These are not abstract philosophical questions. They have direct consequences for product design, procurement readiness, clinical safety, and public trust.
Where the framework comes from
The concept of ELSI assessment has its roots in the Human Genome Project, where researchers recognised early on that the implications of genomic science extended well beyond the laboratory and required structured, multi disciplinary scrutiny. In health research and innovation, ELSI frameworks have since become embedded in major funding bodies' requirements, including Horizon Europe, which mandates ethics review and impact assessment as part of its grant conditions. A 2024 study published in PLOS Digital Health identified ELSI as a critical but underserved dimension of AI research reporting in healthcare, noting that many existing guidelines address some ethical considerations but lack systematic coverage of legal and social dimensions.
What an ESLIA covers
For digital health products specifically, an ESLIA typically covers several interconnected dimensions. The ethical dimension examines principles such as fairness, non maleficence, transparency, accountability, and respect for persons, asking how these principles are reflected in product design and deployment decisions. The social dimension looks at who benefits and who may be disadvantaged, how the product interacts with existing health inequalities, what effects it may have on communities and care relationships, and whether vulnerable groups have been considered in its design. The legal dimension maps the relevant regulatory landscape, GDPR, the EU AI Act where applicable, sector specific regulations such as the Medical Device Regulation, and any national legislation, and identifies where compliance obligations arise or gaps exist.
A good ESLIA is not a retrospective exercise. It is most useful when conducted early in the development or procurement cycle, when its findings can still shape design decisions rather than simply catalogue problems after the fact. This is increasingly recognised in regulatory guidance. The EU AI Act, for instance, requires fundamental rights impact assessments for certain high risk AI systems, and the timing expectation is clear: these assessments should inform how a system is built, not rubber stamp decisions that have already been made.
Does your product need one?
If your product uses AI, algorithmic decision making, or automated recommendations to influence health related outcomes, the answer is almost certainly yes. If it processes sensitive personal data at scale, yes. If it will be deployed in a population that includes vulnerable groups, older adults, people with disabilities, people experiencing disadvantage, yes. If it is seeking NHS procurement, partnership with a research institution or public body, or Horizon Europe funding, then some form of ESLIA is likely to be expected as part of your governance documentation.
For smaller companies, the concern is often one of proportionality. Whether a full ESLIA is a realistic undertaking given limited internal capacity. The answer is that the scope and depth of an ESLIA should be proportionate to the risk profile of the product. A lightweight mental wellness app designed for a general adult population carries different risk implications than a clinical decision support tool used in emergency triage. The assessment process scales accordingly. What matters is that the key questions are asked systematically and honestly, that the findings are documented, and that they lead to tangible actions, design changes, governance mechanisms, documentation, or mitigation measures, rather than sitting as a theoretical exercise in a compliance folder.
ESLIA and DPIA are not the same thing
An ESLIA is not the same as a DPIA, though the two overlap in the area of data protection and privacy. A DPIA is a legally mandated assessment under UK and EU GDPR for processing activities likely to result in high risk to individuals. An ESLIA is broader. It encompasses ethical and social dimensions that a DPIA is not designed to address. In practice, for AI enabled digital health products, both are typically needed, and conducting them in a coordinated way rather than as entirely separate exercises produces better outcomes and reduces duplicated effort.
Lemic Consulting designs and delivers Ethical, Social and Legal Impact Assessments for digital health and AI teams, including for EU funded research consortia and organisations preparing for NHS procurement or investor due diligence. If you would like to discuss whether your product needs one and what it would involve, get in touch.
Need independent input on a similar question?
We work with digital health, public sector and research teams who need clear, credible advice. New clients get a free initial consultation.
Book a consultation
