What counts as high-risk in healthcare
Two independent triggers can each bring a clinical AI system into the high-risk regime:
- Annex I path (Article 6(1)). If the AI is a medical device or is a safety component of one under the Medical Devices Regulation (EU) 2017/745 or the In Vitro Diagnostic Regulation (EU) 2017/746, it is high-risk by default. A diagnostic image classifier, a sepsis early-warning model, an arrhythmia detector — all sit here.
- Annex III §5(a) path (Article 6(2)). AI used by public authorities (or on their behalf) to determine access to essential public benefits and services — including healthcare — is high-risk independent of MDR/IVDR. A triage scoring tool used to allocate appointments in a publicly funded clinic is captured even when the tool is not itself a medical device.
Provider obligations (the manufacturer)
Providers carry the heaviest compliance load. Before placing the system on the EU market, they must:
- Build and maintain a risk management system across the lifecycle (Article 9), aligned with the ISO 14971 risk-management process the device manufacturer already runs under the MDR.
- Govern training, validation, and testing data — including representativeness across patient populations and bias mitigation (Article 10). Sensitive health data carries an additional layer under GDPR Article 9.
- Produce technical documentation per Annex IV (Article 11) and keep automatically generated logs (Article 12).
- Provide clinicians with intelligible instructions (Article 13) and design for human oversight (Article 14).
- Run an integrated MDR/IVDR + AI Act conformity assessment (Article 43(3)), draw up an EU declaration of conformity (Article 47), and affix the CE marking.
- Register the system in the EU AI Database (Article 49).
- Operate post-market monitoring and serious-incident reporting (Articles 72 and 73), coordinated with MDR vigilance.
Deployer obligations (the hospital)
Hospitals, clinics, and other healthcare providers that use AI rather than make it are deployers. Under Article 26 they must:
- Use the system in accordance with the provider's instructions for use.
- Assign human oversight to staff with the necessary competence, training, and authority.
- Ensure input data is relevant and representative for the intended purpose.
- Monitor operation, suspend use if serious incidents arise, and report to the provider and the market surveillance authority within the deadlines in Article 73.
- Keep automatically generated logs for at least six months.
- Inform workers and their representatives before deploying high-risk AI in the workplace (Article 26(7)).
Public-sector deployers — most public hospitals — additionally complete a fundamental rights impact assessment under Article 27 before first use.
Where AI Act and MDR collide in practice
The two regimes overlap on risk management, post-market surveillance, technical documentation, and notified-body involvement. Article 43(3) and Recital 64 require a single integrated conformity procedure and one technical file that addresses both. In practice:
- The MDR Class IIa/IIb/III route absorbs the AI Act conformity requirements; no separate AI Act notified-body assessment is needed for devices already taking the MDR route.
- MDR vigilance reports and AI Act serious-incident reports converge — but the AI Act's 15-day clock for serious incidents (Article 73) is shorter than some MDR timelines, so the AI Act timing controls.
- Data governance under AI Act Article 10 is stricter and more explicit than the MDR's clinical-evaluation requirements; expect to extend, not replace, your existing MDR data-governance controls.
Enforcement: who actually inspects
National market surveillance authorities are designated by each Member State (Article 70). For medical AI, most Member States are pairing AI Act enforcement with the existing competent authority for medical devices — for example BfArM in Germany, ANSM in France, and the MHRA-equivalent national authority in other jurisdictions. The European AI Office coordinates cross-border cases. Health data is jointly regulated under the GDPR by the national DPAs (CNIL, BfDI, Datatilsynet, AP, Garante, AEPD).