AI systems that qualify as medical devices or in vitro diagnostic medical devices under the Medical Devices Regulation (EU) 2017/745 (MDR) or the In Vitro Diagnostic Regulation (EU) 2017/746 (IVDR) are classified as high-risk under the EU AI Act by virtue of Annex I, Section A, points 11 and 12. Additionally, Annex III, Section 5 classifies AI systems intended to evaluate health risks in life and health insurance as high-risk. These systems must meet the requirements of both the AI Act and the applicable medical device legislation.
EU AI Act: High-Risk AI in Healthcare — Medical Devices, Diagnostics, and Patient Safety (2026)
Healthcare AI Under the EU AI Act
The EU AI Act creates a dual regulatory framework for AI in healthcare. AI systems that qualify as medical devices are regulated through the intersection of the AI Act and the Medical Devices Regulation (MDR) or In Vitro Diagnostic Regulation (IVDR). AI systems used in health-related contexts that do not qualify as medical devices may still be classified as high-risk under Annex III.
This framework reflects the EU's recognition that AI in healthcare can deliver significant benefits, from improved diagnostic accuracy to personalised treatment planning, but also presents substantial risks when systems produce incorrect outputs that influence clinical decisions.
Classification Pathways for Healthcare AI
Pathway 1: Medical Device AI (Annex I)
AI systems that meet the definition of a medical device under Article 2(1) of the MDR or an in vitro diagnostic medical device under Article 2(2) of the IVDR are automatically classified as high-risk under the AI Act by virtue of Annex I, Section A, points 11 and 12. This covers AI-powered diagnostic imaging analysis systems, clinical decision support software that directly guides treatment decisions, AI systems for patient monitoring and alert generation, laboratory information systems that process diagnostic data, and AI-based pathology analysis tools.
The MDR defines a medical device broadly as any instrument, apparatus, appliance, software, or other article intended to be used for medical purposes. Software intended for one or more medical purposes that does not achieve its principal intended action by pharmacological, immunological, or metabolic means qualifies as a medical device (often called Software as a Medical Device, or SaMD).
Pathway 2: Health-Related AI (Annex III)
AI systems that do not qualify as medical devices but are used in health-related contexts may still be classified as high-risk under Annex III, Section 5. This covers AI systems intended to be used to evaluate the accessibility of emergency first response services, and AI systems used by health insurance providers to evaluate health risks and determine premiums or coverage.
Conformity Assessment for Medical Device AI
Where an AI system qualifies as a medical device, the conformity assessment follows the MDR or IVDR procedure, with AI Act requirements integrated. Article 43(3) of the AI Act establishes that for high-risk AI systems that are also medical devices, the conformity assessment under the relevant product legislation satisfies the AI Act's conformity assessment requirements, provided that the AI Act's specific requirements are addressed in that assessment.
For medical devices in higher risk classes (Class IIa and above under the MDR), this typically involves assessment by a Notified Body. The Notified Body must verify compliance with both MDR requirements and the AI-specific requirements of the AI Act, including risk management (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), and accuracy, robustness, and cybersecurity (Article 15).
MDR Classification Rules for AI Software
Under the MDR, software qualifies as a medical device when it is intended to provide information used to make decisions about diagnosis or treatment. The MDR's classification rules assign software to risk classes based on the severity of the condition it addresses:
| MDR Class | Condition Severity | Example |
|---|---|---|
| Class IIa (Rule 11) | Non-serious conditions | Skin condition screening app |
| Class IIb (Rule 11) | Serious conditions | Cardiac arrhythmia detection |
| Class III (Rule 11) | Conditions leading to death or irreversible deterioration | Cancer diagnostic AI |
All classes above Class I require Notified Body involvement in conformity assessment.
Key AI Act Requirements for Healthcare AI
Clinical Data Quality (Article 10)
For healthcare AI, the data governance requirements of Article 10 have particular significance. Training and validation data must be clinically relevant, representative of the intended patient population, and validated for accuracy. In clinical contexts, this means ensuring adequate representation across demographic groups including age, sex, ethnicity, and comorbidity profiles, as well as representation of the clinical settings and equipment configurations in which the system will be deployed.
The use of patient data for AI training must also comply with the General Data Protection Regulation (GDPR) and, where applicable, national implementing legislation. Explicit consent or another valid legal basis under Article 9 GDPR is required for processing health data.
Clinical Human Oversight (Article 14)
Healthcare AI systems must be designed to support, not replace, clinical decision-making. Article 14 requires that healthcare professionals using AI diagnostic or treatment recommendation tools be able to understand the basis for AI outputs, exercise independent clinical judgement, override or disregard AI recommendations based on their professional assessment, and identify situations where the AI system may be operating outside its validated parameters.
This requirement aligns with established principles of clinical governance and professional responsibility. Healthcare professionals remain ultimately responsible for clinical decisions, regardless of AI system recommendations.
Post-Market Surveillance
Both the MDR and the AI Act require ongoing post-market surveillance. For medical device AI, this includes monitoring for performance degradation over time (model drift), tracking adverse events and near-misses related to AI outputs, regular re-validation against current clinical evidence and patient populations, and updating risk management documentation to reflect real-world experience.
The MDR's post-market clinical follow-up (PMCF) requirements and the AI Act's post-market monitoring requirements should be integrated into a single surveillance programme to avoid duplication and ensure comprehensive oversight.
Emerging Challenges
Several aspects of healthcare AI regulation are still evolving. The boundary between clinical decision support (potentially a medical device) and general health information tools (likely not a medical device) is not always clear. The use of large language models in clinical settings presents novel classification challenges. Additionally, the interaction between the AI Act, MDR, and the proposed European Health Data Space (EHDS) regulation will create further complexity for providers operating in this space.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.