EU AI Act obligations for medical device AI, diagnostic systems, and clinical decision support. Covers MDR/IVDR interaction and Annex I dual compliance.
Why the EU AI Act Has Particular Significance in Healthcare
The EU AI Act (Regulation (EU) 2024/1689) creates its most demanding compliance obligations precisely in domains where AI errors carry life-or-death consequences. Healthcare and life sciences sit at the intersection of two such demands: the Act's structural classification of medical-device AI as high-risk under Art. 6(1), and the sector's existing regulatory density under MDR (EU) 2017/745, IVDR (EU) 2017/746, GDPR Art. 9, and the Clinical Trials Regulation (EU) 536/2014.
For health AI providers and deployers, this intersection is not merely additive. It creates layered obligation sets that must be designed, documented, and monitored together. An AI system embedded in a diagnostic imaging device must satisfy notified body conformity assessment under MDR and a separate conformity assessment under the EU AI Act. A hospital deploying an AI-driven triage tool becomes a deployer under Art. 26 with independent obligations that cannot be discharged by relying on the vendor's CE marking alone.
The stakes for non-compliance are correspondingly high. Under Art. 99(4), national authorities may impose administrative fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher, for non-compliance with the high-risk obligations (the €35 million / 7% ceiling in Art. 99(3) is reserved for prohibited practices under Art. 5). Beyond financial penalties, market withdrawal orders, suspension of clinical use, and mandatory corrective actions can interrupt patient care at scale.
The Dual Regulatory Track
The defining structural feature of healthcare AI compliance is the simultaneous application of product-safety law and AI-specific law. Art. 6(1) has two cumulative conditions: the AI system is a safety component of a product (or is itself a product) covered by the Union harmonisation legislation listed in Annex I Section A, which includes MDR and IVDR, and that product is required to undergo third-party conformity assessment under that legislation. Where both are met, the system is high-risk without any further assessment of the probability or severity of harm. The classification is categorical: the Art. 6(3) derogation applies only to Annex III systems, not to the Annex I route.
In practice this means organisations must satisfy two sets of requirements. Under Art. 43(3) the AI Act conformity assessment is carried out within the existing MDR/IVDR procedure rather than as a separate certificate, but the requirements of Chapter III Section 2 must still be met and evidenced in the technical documentation. Note that registration in the EU database under Art. 49 applies to Annex III systems; an AI system that is high-risk only via Annex I is registered through the medical-device route (EUDAMED), not the AI database.
High-Risk AI Use Cases — Medical Devices and Care Delivery
Diagnostic Imaging AI
AI systems deployed in radiology, pathology, and ophthalmology that analyse images to detect, classify, or characterise lesions, abnormalities, or disease states are, in virtually all clinically relevant configurations, safety components of medical devices under MDR Class IIa or higher. They are therefore high-risk under Art. 6(1) and must comply with Chapter III Section 2 of the EU AI Act, covering data governance (Art. 10), technical documentation (Art. 11, Annex IV), automatic logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), and accuracy, robustness, and cybersecurity (Art. 15).
Clinical Decision Support Systems
Clinical decision support (CDS) tools span a wide risk spectrum depending on their functional role. The critical regulatory distinction is whether the system replaces or assists clinical judgment:
- Autonomous or near-autonomous output: A CDS system that generates a prescription recommendation, determines a patient's medication dosage, or classifies a patient as requiring emergency intervention without requiring clinician review before the output is acted upon is, in most configurations, software intended to inform diagnostic or therapeutic decisions and therefore a medical device of Class IIa or higher under MDR Annex VIII Rule 11. Because such a device requires notified body involvement, the AI system is high-risk under Art. 6(1). Emergency triage functions are additionally listed in Annex III, point 5(d).
- Filtered output for clinician review: A CDS that presents ranked differential diagnoses or flags lab results as abnormal, where a qualified clinician reviews and approves each recommendation before it affects patient management, may fall outside the high-risk definition only if it is not itself a medical device requiring third-party conformity assessment and does not independently meet Annex III criteria. MDR Rule 11 captures software intended to provide information used for diagnostic or therapeutic decisions regardless of whether a clinician retains final authority, so this exemption should be confirmed against the device classification rather than assumed.
This distinction must be documented in the AI system's intended purpose statement, which forms part of both the AI Act technical documentation and the MDR technical file.
Patient Triage Prioritisation in Emergency Settings
AI systems that prioritise the order in which emergency patients receive attention, including sepsis prediction models and ICU monitoring systems that trigger escalation protocols, operate in conditions of time pressure and clinical complexity that make human oversight under Art. 14 particularly demanding. Emergency healthcare patient triage systems are also listed expressly in Annex III, point 5(d), so they are high-risk even where no medical-device classification applies. Deploying organisations must ensure that the oversight mechanism is genuinely effective: the clinician assigned oversight responsibility must have the technical understanding, access to the AI's reasoning, and time in the workflow to intervene before the system's output affects patient outcomes.
Mental Health Screening AI
AI tools used to screen populations or individual patients for mental health conditions — depression risk scores, suicide risk stratification, burnout screening — engage both the AI Act's high-risk provisions (where they influence access to care or resource allocation) and GDPR Art. 9 in an especially sensitive dimension. Mental health data is health data for GDPR purposes; its processing for AI training or inference requires a lawful basis under Art. 9(2) and appropriate safeguards under Art. 22 (automated individual decision-making).
Surgical Robotics and AI-Guided Procedures
AI components integrated into surgical robotic systems that adapt procedural parameters in real time (instrument positioning, haptic feedback modulation, tissue classification) are safety components of active medical devices, typically Class IIb or Class III under MDR Annex VIII. The conformity assessment burden is accordingly among the highest available: notified body assessment under MDR Annex IX (quality management system and technical documentation) or Annex X (type examination) with Annex XI, combined with the EU AI Act conformity assessment integrated under Art. 43. Post-market surveillance obligations under both frameworks must be integrated into a single clinical follow-up and performance monitoring system.
Annex III Category 5(a) — Access to Essential Healthcare Services
Beyond the medical device pathway, Annex III, point 5(a) of the EU AI Act separately classifies as high-risk AI systems intended to be used by or on behalf of public authorities to evaluate the eligibility of natural persons for essential public assistance benefits and services, including healthcare services, and to grant, reduce, revoke or reclaim such benefits. An AI system that determines whether a patient qualifies for a publicly reimbursed treatment or is accepted onto a publicly administered transplant waiting list can therefore be high-risk under this provision even if it is not embedded in a medical device. Point 5(d) of the same Annex covers emergency healthcare patient triage systems.
Provider vs. Deployer Obligations in Healthcare
Provider Obligations
Organisations that develop, place on the market, or put into service a high-risk health AI system as providers under Art. 16 must:
- Establish and implement a quality management system (QMS) under Art. 17, covering design controls, risk management aligned with ISO 14971 (harmonised for MDR), and post-market monitoring procedures.
- Prepare technical documentation under Annex IV, including the intended purpose, risk management file, training data descriptions, validation and testing results, and post-market monitoring plan.
- Register the system in the EU database prior to market placement (Art. 49) where it is high-risk under Annex III; a device-embedded system that is high-risk only under Art. 6(1) is registered in EUDAMED under MDR/IVDR instead.
- Ensure the system carries a CE marking and provide an EU Declaration of Conformity.
- Appoint an EU Authorised Representative if established outside the EU.
- Keep the technical documentation, QMS documentation, notified body decisions and the EU Declaration of Conformity for 10 years after market placement (Art. 18), and keep the automatically generated logs under the provider's control for at least six months unless Union or national law requires longer (Art. 19). MDR/IVDR retention periods for the technical file apply in parallel and may be longer.
Deployer Obligations
Hospitals, clinics, pharmacy networks, and other healthcare institutions acting as deployers of third-party high-risk AI systems bear obligations under Art. 26 that are independent of the provider's compliance:
- Implement the system within the scope of the provider's instructions for use. Under Art. 25(1), a deployer that substantially modifies the system or changes its intended purpose becomes a provider with the full set of provider obligations.
- Assign human oversight responsibilities to staff with the competence, authority, and tools to monitor and intervene in system operation.
- Maintain operational logs for at least six months, or longer where applicable sector legislation (MDR vigilance, hospital record-keeping laws) requires it.
- Report serious incidents or malfunctions to the provider promptly, and where patient safety is implicated, to relevant health authorities under MDR Art. 87 vigilance procedures.
- Conduct a fundamental rights impact assessment (FRIA) under Art. 27 where required. The obligation applies to deployers that are bodies governed by public law or private entities providing public services (public hospitals and private operators delivering publicly funded care) when they deploy Annex III high-risk systems, and to all deployers of Annex III point 5(b) and (c) systems. It does not attach to systems that are high-risk only under Art. 6(1).
Interaction with MDR, IVDR, and GDPR
MDR and IVDR: The Dual Conformity Assessment Regime
Art. 6(1) of the EU AI Act, read with Annex I, establishes the safety-component pathway. Where an AI system is a safety component of a product regulated under MDR or IVDR, Art. 43(3) requires the provider to follow the MDR/IVDR conformity assessment procedure, with the AI Act requirements checked within it. Art. 8(2) allows providers to integrate the AI Act's testing, reporting, information and documentation into the documentation already required by MDR/IVDR in order to avoid duplication, but this adjusts the procedure, not the requirement: the Chapter III Section 2 obligations remain fully applicable.
Devices of Class IIa and above require notified body involvement under MDR. For Class IIb and Class III devices with embedded AI, the route is Annex IX (quality management system and technical documentation assessment) or Annex X (type examination) combined with Annex XI. The same notified body may assess the AI Act requirements as part of an integrated procedure if it has been assessed against the relevant requirements of Art. 31 (Art. 43(3)). For the rare Class I SaMD that needs no notified body, Art. 6(1) is not triggered, and manufacturers must assess whether the AI system qualifies as high-risk on other grounds, notably Annex III.
GDPR Art. 9 and Training Data
Health data used to train, validate, or test AI models is special category data under GDPR Art. 9(1). Processing is prohibited absent one of the derogations in Art. 9(2), most relevantly:
- Art. 9(2)(a): explicit consent of the data subject
- Art. 9(2)(h): processing necessary for medical diagnosis or provision of health care, subject to professional secrecy
- Art. 9(2)(j): scientific research, subject to Art. 89 safeguards
The EU AI Act's Art. 10 data governance obligations, which require documentation of the origin, collection methods, representativeness, and known limitations of datasets, must be satisfied in a manner consistent with the applicable GDPR legal basis. Retrospective use of clinical datasets without explicit consent requires the research derogation in Art. 9(2)(j) with Art. 89 safeguards as implemented in national law and, typically, research ethics committee approval. The Clinical Trials Regulation governs interventional trials of medicinal products and does not itself authorise secondary use of clinical data for model development.
Post-Market Surveillance Integration
Both MDR (Art. 83 post-market surveillance, with post-market clinical follow-up under Annex XIV Part B) and the EU AI Act (Art. 72, post-market monitoring) require ongoing collection and analysis of real-world performance data. Where both apply, a single integrated post-market surveillance system can satisfy both frameworks, provided it captures the data points required by each, including MDR's clinical evidence requirements and the AI Act's requirements for automatic logging of AI system operation under Art. 12.
Enforcement Authorities
European Medicines Agency and National Medicines Agencies
The European Medicines Agency (EMA) has no direct enforcement role under the EU AI Act for non-medicinal-product AI, but its guidance on AI in medicinal product development and pharmacovigilance is authoritative for life sciences companies. National medicines agencies — including ANSM (France), BfArM (Germany), and their equivalents — exercise MDR and IVDR market surveillance authority and may investigate AI systems embedded in medical devices as part of their post-market surveillance mandate.
Notified Bodies
For high-risk AI systems that are safety components of medical devices, notified bodies designated under MDR/IVDR and, separately or jointly, under the EU AI Act conduct conformity assessments. Their certificates are a prerequisite for CE marking. Notified bodies may suspend or withdraw certificates where post-market surveillance reveals non-conformities.
National AI Supervisory Authorities
Each EU member state has designated or is designating a national AI supervisory authority (competent authority under Art. 70 of the EU AI Act). In the healthcare sector, coordination between the AI supervisory authority and the national medicines agency is required where jurisdiction overlaps. The AI supervisory authority has powers to request documentation, conduct audits, impose corrective measures, and refer cases for financial penalties.
Compliance Roadmap — Priorities for Health AI
Step 1: Classification and Scope Assessment
Map all AI systems in development or deployment against Art. 6(1) (safety component of a medical device) and Annex III, point 5(a) (access to essential services). Document the intended purpose of each system with sufficient precision to support both AI Act and MDR/IVDR classification decisions. Engage regulatory counsel to assess borderline CDS tools.
Step 2: Dual Conformity Assessment Planning
For each high-risk AI system that is also a medical device, identify the applicable MDR/IVDR conformity assessment route and determine whether the designated notified body is also accredited under the EU AI Act. Plan the conformity assessment as an integrated procedure where possible to reduce duplication.
Step 3: Data Governance and GDPR Alignment
Audit training and validation datasets for health AI systems. Document legal bases under GDPR Art. 9(2) for all health data used in model development. Establish data governance procedures under Art. 10 of the EU AI Act and ensure these are reflected in the technical documentation required by Annex IV.
Step 4: Human Oversight Protocols
Design and implement human oversight mechanisms under Art. 14 for each high-risk AI deployment. Oversight must be operationally realistic: it requires trained staff, accessible intervention mechanisms, and workflow integration — not a pro forma checkbox. For emergency settings with time pressure, the oversight design requires particular care.
Step 5: Post-Market Surveillance Integration
Design a post-market surveillance system that satisfies both MDR post-market surveillance (Art. 83, with PMCF under Annex XIV Part B) and EU AI Act Art. 72 requirements. Establish incident reporting procedures that align with MDR Art. 87 vigilance timelines (serious incidents within 15 days of awareness, 10 days for death or unanticipated serious deterioration in health, 2 days for a serious public health threat) and AI Act serious incident reporting under Art. 73. Under Art. 73(10), for AI that is a device or a device safety component, AI Act reporting is limited to incidents involving an infringement of fundamental-rights obligations (Art. 3(49)(c)); all other serious incidents are reported through MDR/IVDR vigilance.
Step 6: Deployer Due Diligence
Healthcare institutions procuring third-party AI diagnostic or CDS tools should require providers to produce the EU Declaration of Conformity, the instructions for use, and a summary of the technical documentation. Procurement contracts should specify log retention obligations, incident reporting responsibilities, and the boundaries of the permitted use scope to avoid inadvertent re-classification as a provider.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Application date under Art. 113 | Status | Legal basis |
|---|---|---|---|---|
| Prohibited practices (Art. 5) | All providers and deployers | 2 February 2025 | active | AI Act Art. 5 |
| GPAI rules (Chapter V) | GPAI model providers | 2 August 2025 | active | AI Act Art. 51-56 |
| High-risk AI, Annex III (standalone) | Providers of standalone Annex III systems | 2 August 2026 | deferred | AI Omnibus 2026 Art. 6(2) |
| High-risk AI, Annex I (embedded) | AI embedded in Annex I regulated products | 2 August 2027 | deferred | AI Omnibus 2026 Art. 6(1) |
| AI-generated content marking (Art. 50(2)) | Providers of AI systems generating synthetic content | 2 August 2026 | active | AI Act Art. 50(2) |
| Regulatory sandboxes (Art. 57) | National competent authorities | 2 August 2026 | active | AI Act Art. 57 |
Frequently Asked Questions
Does CE marking under MDR or IVDR also satisfy the EU AI Act?
No. MDR and IVDR conformity assessments and EU AI Act conformity assessments are distinct legal obligations that run in parallel. An AI system embedded in a Class IIb medical device must satisfy both regulatory frameworks. Where a notified body is already involved under MDR or IVDR, that body may also assess the AI Act requirements within the same procedure under Art. 43(3), enabling coordinated assessment, but full compliance with both frameworks remains mandatory.
Is every clinical decision support tool high-risk?
Not automatically. The classification depends on the tool's function and autonomy. If the AI system replaces or substantially overrides clinical judgment, for example by autonomously determining a diagnosis or prescribing a treatment, it is very likely a medical device of Class IIa or higher under MDR Rule 11 and therefore high-risk as a safety component under Art. 6(1); emergency triage functions are also listed in Annex III, point 5(d). If the system merely flags or filters information for a clinician who retains full decision-making authority, it may fall outside the high-risk definition, but only if it is not itself a medical device requiring notified body assessment and does not meet any Annex III criteria.
What does the AI Act require for training data in health AI?
Art. 10 of the EU AI Act requires that training, validation, and testing datasets be subject to data governance practices covering origin, collection methods, known biases, and representativeness. For health AI, this obligation intersects with GDPR Art. 9, which classifies health data as special category data and requires an explicit legal basis, typically explicit consent or a derogation under Art. 9(2)(h) or (j), for processing. Providers must document dataset composition in the technical documentation required by Annex IV and demonstrate that training data does not introduce systematic bias that could compromise diagnostic accuracy across patient subpopulations.
What must a hospital do as a deployer of a high-risk AI system?
Hospitals acting as deployers of high-risk AI systems under Art. 26 must: verify that the AI system bears a CE mark and has an EU Declaration of Conformity; implement the provider's instructions for use; assign human oversight responsibilities to qualified clinical staff; keep the automatically generated logs under their control for a minimum of six months; and report serious incidents or malfunctions to the provider and, where patient safety is affected, to competent health authorities under applicable MDR vigilance rules. Deployers may not modify high-risk AI systems in ways that alter their intended purpose without becoming a provider under Art. 25 and triggering re-assessment obligations.