The EU AI Act is the world's first horizontal law for artificial intelligence, and healthcare software sits right in its crosshairs. For teams building AI-enabled medical devices, the practical question isn't whether it applies — for most, it does — but how it stacks on top of the rules you already follow under the Medical Device Regulation (MDR). This guide breaks down what changes, when, and how to prepare without stalling your roadmap.
Not legal advice. This article is a practical orientation for product and engineering teams. Confirm your specific obligations with your notified body and regulatory counsel before making compliance decisions.
Why most medical AI is "high-risk"
The AI Act sorts systems into risk tiers. Anything used for diagnosis, clinical decision support, treatment recommendations, patient triage, or patient monitoring is classified as high-risk. In practice, if your product is Software as a Medical Device (SaMD) under the MDR and needs a notified body for conformity assessment, it is treated as a high-risk AI system. That single fact triggers the bulk of the Act's obligations.
The dates that matter
The headline deadline is August 2026, when the core obligations for high-risk AI systems apply in full. There is one important relief valve for medtech: AI systems already regulated as medical devices under the MDR or IVDR that require notified-body assessment get an additional year — to August 2027 — before Article 6(1) (high-risk classification for AI that is a product, or a safety component of a product, covered by that sectoral legislation) and the high-risk obligations that follow from it apply. Don't read that as a reason to wait. Conformity work for regulated devices takes many months, and notified-body capacity is finite.
Dual compliance: MDR and the AI Act together
The most important mindset shift is that you are no longer complying with one framework. AI-enabled devices face two conformity assessments: the MDR (or IVDR) for safety and clinical performance, and the AI Act for AI-specific requirements. The good news is that the June 2025 guidance from the Medical Device Coordination Group (MDCG 2025-6) defined how "Medical Device Artificial Intelligence" products are handled, and the two assessments can often be run together through the same notified body — so you document once and satisfy both, rather than building parallel evidence trails.
What high-risk actually requires
Strip away the legalese and the high-risk obligations come down to engineering and governance practices that good teams already aspire to:
- Data governance — documented training, validation, and test datasets, with attention to representativeness and bias in your target patient population.
- Risk management — a continuous process spanning the full lifecycle, aligned with your ISO 14971 work.
- Technical documentation and record-keeping — automatic logging of events so decisions are traceable and auditable.
- Transparency — clear instructions for use so clinicians understand the system's capabilities, limits, and intended context.
- Human oversight — the system must be designed so a qualified person can understand, override, or intervene.
- Accuracy, robustness, and cybersecurity — validated performance and resilience against error and attack, which also maps to your MDR General Safety and Performance Requirements.
- Post-market monitoring — ongoing surveillance of real-world performance, feeding back into risk management.
A practical prep checklist
If you want to move now, work through this order:
- Classify honestly. Confirm whether your intended use makes you SaMD, and therefore high-risk. Ambiguity here cascades into every other decision.
- Map the overlap. List AI Act requirements beside your existing MDR/ISO 13485/IEC 62304 evidence. Most teams find 60–80% already exists in some form.
- Fix your data lineage. Can you show where every training and validation dataset came from, and defend its representativeness? If not, start here.
- Instrument logging early. Retrofitting audit-grade event logs late in a build is painful and expensive.
- Design the human in the loop. Make oversight a real product feature, not a disclaimer.
- Talk to your notified body about a combined assessment. Capacity is the binding constraint, so book the conversation now.
Teams that treat the AI Act as a bolt-on scramble late and pay for it. Teams that fold it into how they build — data governance, logging, and human oversight designed in from day one — turn compliance into a selling point that shortens procurement and builds clinician trust.
Frequently asked questions
Is my AI-enabled medical software a high-risk AI system? If it is a medical device under the MDR or IVDR and requires a notified body, it is generally high-risk. Diagnostic, decision-support, triage, and monitoring uses are the clearest cases.
When do the rules apply? Core high-risk obligations apply from August 2026. Devices already regulated under the MDR/IVDR that need notified-body assessment have until August 2027 before the Article 6(1) classification and the high-risk obligations that follow from it apply.
Do I really have to satisfy both the MDR and the AI Act? Yes — but they can frequently be assessed together, so plan for one evidence base that serves both rather than two separate programs.
Building or scaling an AI-enabled clinical product? Neurova AI designs custom medical software with compliance, security, and human oversight built in from the first sprint. See also our guides to SaMD under the MDR and the European Health Data Space.