Side-by-side
| Dimension | AI Act | MDR / IVDR |
|---|---|---|
| Trigger | System is AI under Art 3, and falls in Annex I (medical device) or Annex III. | Product is a medical device (MDR Art 2) or IVD (IVDR Art 2) and is placed on the EU market. |
| Conformity route | Integrated under Art 43(3) — uses the MDR/IVDR procedure. | Class I self-declared; Class IIa/IIb/III via notified body (MDR Annex IX/X/XI; IVDR Annex IX/X/XI). |
| Technical file | Annex IV. | MDR Annex II + III; IVDR Annex II + III. |
| Risk management | Art 9 — lifecycle, integrated with sector practice. | ISO 14971 reflected in MDR Annex I GSPRs; IVDR equivalent. |
| Post-market surveillance | Art 72. | MDR Art 83–86; PMCF under Annex XIV. |
| Vigilance / serious-incident reporting | Art 73 — 15 days general, 10 days for death/serious harm; 2 days for widespread breach. | MDR Art 87 — 15 days general, 10 days for death/serious deterioration, 2 days for serious public-health threat. |
| Maximum fine | EUR 15M / 3% (Art 99(2) high-risk). | National administrative penalties (Member-State-set). |
Article 43(3) — one notified body, one assessment
Article 43(3) directs that for AI in scope of Annex I product legislation, the conformity assessment runs under the sectoral procedure and the AI Act requirements are checked there. For medical AI:
- Class IIa/IIb/III devices with AI components remain on the MDR notified-body route. The notified body's MDR designation absorbs the AI Act check.
- Class I self-declared devices remain self-declared, with the AI Act Article 47 declaration of conformity merged into the MDR EU declaration.
- Software as a medical device (SaMD) classification under MDCG 2019-11 is unaffected; the rule-11 classification logic continues to control the device class.
One technical file, two regimes
The integrated file has the following composition:
- Device description, intended purpose, and classification — MDR Annex II §1.
- Risk management file — ISO 14971 + AI Act Article 9 hazard analysis for the AI component.
- Design, development, and manufacturing information — MDR Annex II §3 + AI Act Annex IV §2.
- Data governance documentation — AI Act Annex IV §3 + clinical-evaluation data flows (MDR Annex XIV).
- Performance evaluation — clinical evaluation under MDR Annex XIV with AI Act Annex IV §4 metrics layered in.
- Verification and validation — including bias testing across patient populations.
- Human oversight measures — AI Act Article 14 evidence; MDR usability engineering under IEC 62366-1.
- Post-market surveillance plan — MDR PMCF + AI Act Article 72.
Vigilance: parallel but not merged
MDR Article 87 and AI Act Article 73 both impose serious-incident reporting. The clocks are similar (15 days general; 10 days for death/serious harm) but the regulations describe slightly different events and the reports flow to different authorities. Until the Commission publishes converged guidance, manufacturers run parallel reports through both channels. The AI Act report goes to the market surveillance authority and is registered in the EU AI Database (where applicable); the MDR report goes through EUDAMED.
Practical compliance
- Engage your existing MDR notified body and confirm its designation covers AI Act assessments — most large notified bodies are extending designations through 2025–2026.
- Build a single integrated technical file rather than maintaining parallel MDR and AI Act files.
- Map ISO 14971 hazards to AI Act Article 9 risk types; document the mapping so an auditor reads it as one analysis.
- Set up a unified vigilance pipeline that simultaneously reports to MDR EUDAMED and AI Act market surveillance for AI-implicated serious incidents.
- For non-MDR AI used in healthcare (e.g., a public-sector triage AI under Annex III §5(a)): you are outside Article 43(3) and run a stand-alone Annex VI assessment.