Does AI clinical decision support software require FDA approval?

It depends on whether the software meets all four criteria under the 21st Century Cures Act. AI CDS that does not allow healthcare professionals to independently review the basis for recommendations is typically regulated as a medical device requiring FDA review.

How does the EU AI Act classify healthcare AI systems?

The EU AI Act classifies AI systems intended for healthcare use as high-risk under Annex III, Category 5(b), applying to AI systems used as safety components in healthcare facilities and AI for diagnostic and therapeutic purposes.

What is a predetermined change control plan?

A PCCP is an FDA framework allowing manufacturers to describe planned modifications to their AI/ML-based medical device and obtain authorization in advance, enabling iterative improvement without repeated premarket submissions.

Do healthcare organizations need to comply with both EU MDR and AI Act?

Yes, AI-powered medical devices must comply with both frameworks. The MDR governs safety and performance as a medical device, while the AI Act adds requirements for data governance, transparency, human oversight, and risk management.

What clinical evidence is required for AI CDS?

Regulators expect clinical validation demonstrating safe and effective performance in real clinical settings, including evidence of clinical benefit, documentation of populations studied, and identification of limitations.

Quick answer

AI clinical decision support systems must comply with FDA guidance on CDS software, EU MDR classification rules, and the EU AI Act's high-risk requirements for medical AI under Annex III.

Updated June 2026 · MmowW AI Compliance

AI Clinical Decision Support Compliance: FDA and EU Regulatory Guide (2026)

Understanding AI Clinical Decision Support Compliance

Clinical decision support (CDS) systems powered by artificial intelligence are transforming how physicians diagnose conditions, recommend treatments, and monitor patient outcomes. These systems sit at the intersection of multiple regulatory frameworks that healthcare organizations must navigate carefully.

The regulatory landscape for AI-driven CDS has evolved significantly. In the United States, the FDA distinguishes between CDS software that qualifies for enforcement discretion under the 21st Century Cures Act and CDS that functions as a medical device requiring premarket review. In the European Union, the Medical Device Regulation (MDR) and the AI Act create overlapping obligations that manufacturers and deployers must satisfy simultaneously.

FDA Framework for AI Clinical Decision Support

The FDA's approach to CDS software centers on four criteria established by the Cures Act. A CDS function is exempt from device regulation only if it meets all four criteria: it is not intended to acquire, process, or analyze a medical image or signal; it is intended for displaying, analyzing, or printing medical information; it is intended for use by a healthcare professional; and it enables the professional to independently review the basis for the recommendation.

AI systems that fail any of these criteria are regulated as medical devices. Machine learning models producing recommendations without interpretable reasoning typically cannot satisfy the fourth criterion, making them subject to FDA oversight.

SaMD Classification

Healthcare Situation	Treat or Diagnose	Drive Clinical Management	Inform Clinical Management
Critical	Class III	Class III	Class II
Serious	Class III	Class II	Class I
Non-serious	Class II	Class I	Class I

EU MDR and AI Act Intersection

In the EU, AI-powered CDS systems face dual regulation. Under the MDR, software providing diagnostic or therapeutic recommendations qualifies as a medical device under Rule 11 of Annex VIII. The AI Act classifies AI systems intended for healthcare use as high-risk under Annex III, Category 5(b).

This dual classification means manufacturers must satisfy both the MDR's conformity assessment procedures and the AI Act's requirements for risk management, data governance, transparency, human oversight, and technical documentation.

Practical Compliance Steps

Determine whether your CDS system meets all four Cures Act criteria for FDA enforcement discretion
If regulated as SaMD, classify according to the IMDRF framework and identify the appropriate premarket pathway
For EU markets, classify under MDR Rule 11 and assess AI Act Annex III applicability
Establish a quality management system addressing both traditional device requirements and AI-specific obligations
Implement clinical validation protocols appropriate to the system's intended use and risk level
Document the AI model's training data, performance metrics, and known limitations
Create a post-market surveillance plan that monitors real-world AI performance
Establish a predetermined change control plan for iterative AI model updates

Post-Market Monitoring

Both the FDA and EU regulators expect ongoing monitoring of AI CDS performance after deployment. The FDA's predetermined change control plan (PCCP) framework allows manufacturers to define expected modifications and obtain premarket authorization for those planned changes. Under the EU AI Act, deployers of high-risk AI systems must monitor functioning and report serious incidents.

Clinical Validation Requirements

Regulators worldwide demand clinical evidence demonstrating that AI CDS systems perform safely and effectively in real clinical settings. This goes beyond technical validation to clinical validation showing improved patient outcomes or clinical workflows. Healthcare organizations deploying AI CDS should maintain documentation of clinical validation studies, including patient populations studied, clinical endpoints measured, and limitations identified.

Looking Ahead

The regulatory environment continues to evolve. Organizations should monitor developments in FDA guidance on AI/ML-based SaMD, EU AI Act implementation for healthcare AI, and emerging ISO/IEC standards addressing AI in health informatics. Building compliance infrastructure now positions organizations to adapt as requirements mature.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.