EU AI Act (medical devices)
Regulation (EU) 2024/1689 — Artificial Intelligence Act, as applied to medical devices
Regulation (EU) 2024/1689 — the AI Act — adds a horizontal layer of AI-specific obligations on top of MDR and IVDR for any AI system that is a medical device or IVD requiring third-party conformity assessment. This guide explains when an AI medical device is automatically 'high-risk' under Article 6(1), the obligations that layer on top of MDR/IVDR, the timeline through August 2026, the role of notified bodies, the harmonised standards still being developed, and the practical decisions manufacturers should make now.
01 What the AI Act is and why it touches medical devices
Regulation (EU) 2024/1689 — the AI Act — is the EU's horizontal regulation of artificial intelligence systems placed on the EU market. It entered into force on 1 August 2024. It is not medical-device-specific; it covers any AI system used in any sector, with the level of regulatory burden scaling to a risk classification: prohibited (Article 5), high-risk (Articles 6–49), limited-risk transparency (Article 50), and minimal-risk (no obligations).
Medical devices intersect the AI Act through Article 6(1): an AI system is automatically high-risk if it is itself, or is a safety component of, a product covered by the Union harmonisation legislation listed in Annex I — which includes Regulation (EU) 2017/745 (the MDR) and Regulation (EU) 2017/746 (the IVDR) — and that product is required to undergo a third-party conformity assessment under that legislation.
02 Timeline
| Date | What applies |
|---|---|
| 1 August 2024 | AI Act enters into force. |
| 2 February 2025 | Prohibited AI practices (Article 5) apply; AI literacy obligations (Article 4) apply. |
| 2 August 2025 | General-purpose AI (GPAI) model obligations (Chapter V) apply; governance provisions; penalties become applicable. |
| 2 August 2026 | High-risk AI obligations apply for systems under Annex III — most general high-risk obligations applicable from this date. |
| 2 August 2027 | High-risk AI obligations apply for AI systems that are safety components of products covered by Annex I (including MDR and IVDR) — this is the date most medical-device AI systems must comply. |
The two-step application date for high-risk obligations is the most commonly misread part of the AI Act. AI medical devices fall under the Article 6(1) / Annex I route, so the 2 August 2027 date is the operative compliance date for most of the high-risk obligations — not 2 August 2026. Annex III categories (e.g., biometric identification, critical-infrastructure AI) have the earlier 2026 date.
03 High-risk obligations layered on MDR/IVDR
Chapter III, Section 2 (Articles 8–17) sets out the obligations for high-risk AI systems. Many overlap with MDR/IVDR but several are net new for medical-device manufacturers.
- Risk management system (Article 9) — continuous, iterative risk management throughout the lifecycle. ISO 14971 risk-management for medical devices substantially overlaps but is not perfectly aligned; the AI Act includes risks to fundamental rights, not just patient safety.
- Data and data governance (Article 10) — training, validation and testing datasets must be relevant, sufficiently representative, free of errors as far as possible, and have appropriate statistical properties. Bias examination is explicit.
- Technical documentation (Article 11, Annex IV) — substantial overlap with MDR/IVDR technical documentation but adds AI-specific items: training methodology, performance metrics, foreseeable misuse, human oversight measures.
- Record-keeping / logs (Article 12) — automatic logging of events over the lifetime of the AI system. New for most medical-device software.
- Transparency and provision of information to deployers (Article 13) — instructions for use must include the AI's intended purpose, accuracy, robustness, known limitations, and the human-oversight measures.
- Human oversight (Article 14) — the AI system must be designed so a human can effectively oversee it. This is more granular than the MDR's general expectation of a qualified user.
- Accuracy, robustness and cybersecurity (Article 15) — quantified performance commitments, with appropriate measures against adversarial attacks and drift.
Articles 16–20 add obligations for providers: quality management system (Article 17 — large overlap with ISO 13485 but with AI-specific components), management of automatically generated logs (Article 19), and corrective actions (Article 20). Articles 26–27 add obligations for deployers (users) of high-risk AI systems, including the requirement to ensure input data is relevant and to monitor system operation.
04 Conformity assessment and notified bodies
Article 43 governs conformity assessment for high-risk AI systems. For AI systems that are medical devices covered by Annex I, the AI Act's conformity assessment is integrated with the MDR/IVDR conformity assessment — the same notified body that assesses the device under MDR/IVDR will also assess the AI Act high-risk requirements, in a single procedure.
This is the European Commission's stated intent and is reflected in Article 43(3). The practical reality, as of mid-2026, is that very few notified bodies have completed AI Act designation, the harmonised standards underpinning the assessment are still being drafted by CEN/CENELEC JTC 21, and the Commission has issued limited guidance on how the integrated procedure works in practice. Manufacturers should expect a transition period of friction.
05 The harmonised standards gap
The AI Act uses the New Legislative Framework approach: compliance is demonstrated against harmonised European standards (hENs) that, once cited in the Official Journal, give a presumption of conformity. The standards are being developed by CEN/CENELEC JTC 21 under standardisation request M/593, with target adoption dates clustered around late 2025 through 2026. ISO/IEC 42001 (AI management system, published December 2023) is a foundational management-system standard expected to be a key reference.
Until the hENs are published and cited, manufacturers must demonstrate compliance directly against the AI Act provisions, typically by leveraging existing standards (ISO 13485, IEC 62304, ISO 14971, IEC 81001-5-1 for health software cybersecurity) and supplementing with AI-specific evidence. This is workable but more bespoke than the post-2026 steady state will be.
06 What manufacturers should do now
- Inventory AI/ML components — every device function that uses AI/ML, including third-party model components, must be classified for AI Act applicability.
- Classify each function under MDR/IVDR — the AI Act applicability follows from the MDR/IVDR class. A function is high-risk under Article 6(1) if the device is Class IIa or higher under MDR or Class B or higher under IVDR.
- Gap-assess current technical documentation against Annex IV — most of the gaps will be in data governance, logging and human oversight.
- Engage the chosen notified body on AI Act readiness — capacity will be the bottleneck for 2027.
- Decide on QMS structure — a single integrated MDR + AI Act QMS, or parallel documented systems that share core processes.
- Track CEN/CENELEC JTC 21 — adoption dates affect how much of the conformity case must be argued from first principles.
Frequently asked questions
Q. Is my MDR Class I AI device covered by the AI Act?
Not via Article 6(1) (which requires third-party conformity assessment). But check Annex III — if the AI system performs a function in one of those categories (e.g., biometric identification), it is still high-risk independent of MDR class.
Q. Does the AI Act add a CE mark?
No additional CE mark. The MDR/IVDR CE mark covers AI Act conformity when the assessment is integrated under Article 43. The Declaration of Conformity references both regulations.
Q. Do general-purpose AI model obligations apply to medical-device manufacturers?
Generally only if the manufacturer is the provider of a GPAI model used in or beyond medical devices. A manufacturer who fine-tunes or integrates someone else's GPAI model is usually a downstream user, with the upstream provider holding the GPAI obligations.
Q. Is there a US PCCP equivalent in the EU?
Not yet. The MDR change-control framework requires notified body involvement for significant changes, including AI/ML model updates that affect intended use, performance or safety. EU regulators are studying the question; no equivalent legislative mechanism is in force as of mid-2026.
Q. What is the penalty structure?
Article 99 sets administrative fines up to €35 million or 7% of global annual turnover for prohibited-practice violations; up to €15 million or 3% for most other violations; lower amounts for SMEs. Penalties became applicable on 2 August 2025.
Primary sources
- Regulation (EU) 2024/1689 — Artificial Intelligence Act (Official Journal, July 12 2024)
- Regulation (EU) 2017/745 — Medical Device Regulation (MDR)
- Regulation (EU) 2017/746 — In Vitro Diagnostic Regulation (IVDR)
- European Commission — AI Act application timeline
- MDCG 2019-11 — Qualification and Classification of Software
- CEN/CENELEC JTC 21 — Artificial Intelligence Standards
Further reading
- EU MDR: The base regulation for AI medical devices.
- IVDR: Equivalent for in vitro diagnostic AI.
- ISO 14971: Medical device risk management — feeds the AI Act risk framework.
- IEC 62304: Medical device software lifecycle — overlaps with AI Act technical documentation.
- PCCP: The US-specific equivalent for change control of AI devices.
- SaMD: Software as a Medical Device — most AI medical devices are SaMD.
