Latest Posts:
Search for:

Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

In AI Act

The EU AI Act and Medical Devices: Innovation or Insanity Ahead? 

by , and 6 Mins Read

AI as a medical device (AIaMD) in Europe is at a crossroads. As manufacturers grapple with compliance under two separate legal regimes – the EU AI Act (AIA) and EU Medical Device Regulations (MDR) – concerns are mounting around the sluggish pace of Notified Body designations and glaring inconsistencies between the two frameworks. Can the EU stay competitive when the AIA is piling on more regulatory obstacles than ever before?

In our blog post, we examine the hot topics that AIaMD manufacturers need on their radar as the AIA’s implementation dates for high-risk AI systems loom closer. Our top 3 tips for manufacturers are: (1) identify the gaps between existing compliance positions under the MDR / IVDR and the AIA early, (2) strategise now on how to mitigate risk relating to (inevitable) Notified Body delays, and (3) keep an eye on timelines for harmonised standards.

When is a Medical Device High-Risk under the AIA?

A device qualifies as a high-risk AI system if:

  • the AI system is a safety component of a medical device, or a medical device itself; and
  • a third-party conformity assessment would be required according to risk classification under the MDR / IVDR (Article 6(1), AIA).

From 2 August 2027, these devices will need to comply with the requirements for high-risk AI systems under the AIA, if placed on the EU market (Article 113(c), AIA).

Compliance Clash: MDR vs AIA

Navigating compliance for AIaMD means juggling overlapping requirements from both the AIA and MDR / IVDR. Both sets of regulations cover technical documentation, risk management systems, quality management systems, conformity assessments, and post-market surveillance. While there is considerable overlap, we recommend conducting a gap analysis to identify new dimensions that manufacturers will need to address under the AIA, including:

  • a high level of protection for fundamental rights, as outlined in Article 1 of the AIA. This goes beyond the usual health and safety considerations, requiring risk assessments to also factor in the right to privacy, family life, non-discrimination, and human dignity.
  • AI‑specific risks, such as algorithmic bias, cybersecurity vulnerabilities, and model drift, must be integrated into existing risk management processes (Articles 9 and 17).
  • human oversight measures that allow qualified professionals to monitor, intervene in or override AI systems (Article 14).
  • that training, validation and testing data sets are relevant, sufficiently representative, free of errors and complete given the intended purpose (Article 10).
  • the automatic generation of logs (Article 19).

To add to the complexity, there are open questions on inconsistencies between the two regimes when it comes to clinical investigations. Under the MDR, there is an exception to the rule that only CE-marked devices may be placed on the EU market, in respect of devices subject to a clinical investigation (Article 2(28), MDR). Under the AIA, there is no equivalent exception. Instead, the AIA describes: (i) testing in real-world conditions either in AI regulatory sandboxes under Article 57 or outside of such sandboxes under Article 60, or (ii) an exemption for research and development, which excludes real world testing (Article 2(8)). None of these options clearly cover clinical investigations for AIaMD. This puts AIaMD manufacturers in an awkward position – are clinical investigations for AIaMD in breach of the AIA?

Notified Bodies: A Looming Crisis?

Manufacturers of AIaMD will require a single Notified Body to carry out a combined conformity assessment under the AIA and MDR going forward, if they want to maintain access to the EU market. However, not all Notified Bodies that are currently designated under the MDR will be seeking designation under the AIA. The clock is ticking for AIaMD manufacturers who are currently with Notified Bodies in this position – transition to a new Body, or lose access to the EU market.

Even more concerning – where Notified Bodies are seeking designation under the AIA, progress looks worryingly slow. Notified Bodies may either:

  • apply for full designation under Article 30 of the AIA, which will take significant time and requires that designating authorities are established at the Member State level by 2 August 2025; or
  • apply existing software-related codes under the MDR and IVDR to include AIA requirements (Article 43(3), AIA), which may facilitate more efficient designations.

In either case, a Notified Body may only pursue a designation for assessing high-risk AI systems once national laws are in place – but timelines for these national laws are lagging. We may be facing a looming shortage of designated Notified Bodies under the AIA, which may lead to backlogs and delays at the Notified Body level.

Harmonised Standards: The Waiting Game Continues

The AIA effectively pushes down the real work of ensuring compliance for high-risk AI systems to harmonised standards. These harmonised standards operationalise the essential requirements in law, bridging the (considerable) gap between the vague essential requirements in the AIA, and the reality of what needs to be put in place by technical specialists. If a product complies with the relevant harmonised standard, there is a ‘presumption of conformity’ that means the product is presumed to comply with the relevant legislative requirement.

CEN and CENLEC, the European Standards Organisations (ESOs) are now working on new standards that will underpin compliance for providers of high-risk AI, but delays are expected. If harmonised standards are not available well in advance of 2 August 2027, conformity assessments will need to rely on a comparison with the state of the art, rather than harmonised standards. This will require significantly more manufacturer time, cost and resource than demonstrating compliance with harmonised standards.

What’s next?

The convergence of the AI Act and MDR / IVDR presents a formidable challenge for AIaMD manufacturers, but there are actions that manufacturers can take now to maintain access to the EU market. A gap analysis between existing compliance positions and the AIA will be pivotal, and manufacturers should reach out to their Notified Body now to confirm their plans to become designated under the AIA. By addressing these issues early and strategically, AIaMD manufacturers can better position themselves to maintain compliance and competitiveness in the EU market.

Categories:
Tags:
Author

Jaspreet is a Senior Associate, and advises clients on complex issues at the intersection of healthcare, data and technology. Her practice has a particular focus on accessing and using patient data, innovative collaborations with hospitals, and the use and regulation of AI in the healthcare space.

Author

Julia is Of Counsel in our London office. She is a key member of the Firm's Healthcare Practice Group, at the London, EMEA and global level. She advises both domestic and international companies in the medtech, pharma and healthcare sectors on a wide range of regulatory and general compliance matters

Author

Elina is a member of the IP/Tech practice group and specialises in advising companies operating in the pharmaceuticals and medical devices sectors on the various regulatory issues they come across on a daily basis.

Related Posts