Responsible AI Platform

Medical AI under the AI Act and the MDR: one conformity assessment, not two

··11 min read

A regulatory affairs manager at a medtech company has just secured the MDR certificate for a decision-support radiology application: class IIa, assessed by the notified body, technical file complete. Then the board asks: "What about the AI Act? Do we have to run that entire process again?" The CMIO of the hospital buying the software is asking a version of the same question: what extra obligations land on the care provider's side?

The direct answer: no, you do not need a second, standalone conformity procedure. Medical AI software that falls into MDR class IIa or higher, and is therefore assessed by a notified body, automatically qualifies as a high-risk AI system through Article 6(1) of the AI Act. But the AI Act is deliberately designed so that its additional requirements are assessed within the existing MDR conformity assessment: one combined procedure with the same notified body, one integrated technical file, one integrated quality management system. The deadline for this route is 2 August 2028. What the AI Act genuinely adds are requirements the MDR barely covers: data governance, automatic logging, human oversight and transparency towards the user. That is where the real work sits, not in a duplicate certification track.

Why medical AI is almost always high-risk

The qualification runs through two links. The first is the MDR itself: classification Rule 11 in Annex VIII of the Medical Device Regulation places software that provides information for diagnostic or therapeutic decisions in class IIa or higher in nearly all cases. Only software with no influence on clinical decisions stays in class I. In practice this means that virtually all serious medical AI, from triage tools to image analysis, goes through a notified body.

The second link is Article 6(1) of the AI Act. An AI system is high-risk if it is (a) a product covered by the EU harmonisation legislation listed in Annex I, or a safety component of such a product, and (b) that product must undergo a third-party conformity assessment. The MDR is listed in Annex I of the AI Act. Both conditions are therefore met the moment your software is class IIa or higher: your AI system is high-risk, without any separate risk assessment under the AI Act.

For a class I device without notified body involvement, that automatic qualification does not apply. You then still need to check whether the system falls under one of the Annex III use cases, but for most medical AI that is a theoretical exercise: the MDR classification has already done the work.

Annex I or Annex III: two routes, two deadlines

This is where many compliance roadmaps go wrong, because the AI Act has two different deadlines for high-risk systems, more than a year apart.

  • The Annex III route (standalone AI systems): AI systems that are high-risk because their use case is listed in Annex III, such as AI for triage of persons in emergency healthcare or AI in recruitment, must comply by 2 December 2027. That date was moved from the original August 2026 through the Digital Omnibus package; the package has political agreement and was endorsed by the European Parliament, but as of July 2026 it had not yet been published in the Official Journal. Plan around it, but do not present it internally as final law yet.
  • The Annex I route (AI embedded in regulated products): AI systems that are high-risk via Article 6(1), such as medical devices under the MDR, have until 2 August 2028. This is the route that covers virtually all certified medical AI.

For a medtech manufacturer, the practical conclusion is: your MDR-certified product follows the Annex I route and has until August 2028. But watch the edges of your portfolio. A standalone scheduling or triage application that falls just outside MDR qualification but is listed in Annex III must be ready earlier, in December 2027. And the transparency obligations of Article 50, for instance for a patient-facing chatbot, apply from 2 August 2026 and have not been postponed. Anyone planning everything against the 2028 deadline misses those two earlier moments.

What the AI Act adds on top of the MDR

The MDR and the AI Act overlap substantially: risk management, technical documentation, post-market surveillance and a quality management system are already familiar territory. The guidance in MDCG 2025-6, the joint FAQ of the Medical Device Coordination Group and the AI Board on the interplay between the MDR, IVDR and AI Act, confirms that existing MDR processes remain the foundation. The real delta sits in four clusters:

  • Data governance (Article 10). Requirements on the quality, representativeness and management of training, validation and testing data, including examination of possible bias. The MDR asks for clinical evidence; the AI Act additionally asks for demonstrable data management across the entire lifecycle.
  • Logging (Article 12). The system must automatically record events so its operation can be traced afterwards. For much existing medical software this means an engineering change, not a documentation exercise.
  • Transparency and instructions for use (Article 13). The instructions for use you already maintain under the MDR are extended with AI-specific information: capabilities, limitations, expected accuracy and the circumstances in which the system performs less reliably.
  • Human oversight (Article 14). The system must be designed so that the healthcare professional can intervene effectively, can disregard output and is aware of automation bias. This directly affects interface design and user training.

Risk management also broadens: where the MDR focuses on safety and clinical performance, the AI Act also covers risks to health, safety and fundamental rights. Accuracy, robustness and cybersecurity (Article 15) must be explicitly specified and tested.

How to organise the combined assessment

The AI Act arranges the integration itself. Article 43(3) provides that for products under Annex I, the conformity assessment procedure of the sectoral legislation is followed, with the AI Act requirements assessed as part of that procedure. In practice: the same notified body that issues your MDR certificate will also verify the AI Act requirements, provided it has been designated for that task. Ask your notified body about its timeline for that extension now; capacity will be scarce.

Duplication is explicitly not intended at the documentation level either. The AI Act allows a single integrated technical file combining the MDR documentation and the AI Act information, and allows you to embed the required processes in your existing quality management system. For most manufacturers that means extending the ISO 13485 system with AI-specific procedures rather than building a parallel system. How this relates to ISO 42001 certification, and what such a certificate does and does not prove, is covered in our article on ISO 42001 versus the EU AI Act.

A workable sequence for the next twelve months:

  1. Gap assessment per article. Put your existing MDR file next to Chapter III, Section 2 of the AI Act and mark what is already covered, what needs strengthening and what is new. MDCG 2025-6 is the guide here.
  2. Schedule the engineering delta. Logging and human oversight functionality require development capacity; put them on the release roadmap towards 2027.
  3. Document data governance. Record the provenance, composition and bias analysis of training data, including for models that have been in production for years.
  4. Align with your notified body on timing. Where possible, combine the AI Act verification with a planned MDR recertification so you keep a single audit track.

And the hospital?

The CMIO has a different list. The hospital is usually a deployer, not a provider, and that role carries its own obligations: use the system in accordance with the instructions for use, assign human oversight to people with the right competence, monitor operation and report incidents to the manufacturer. Public healthcare institutions will in due course also need to carry out the fundamental rights impact assessment of Article 27, which follows the high-risk deadlines. The first step is the same as in any AI Act preparation: know what is running. An up-to-date register of all AI systems, with supplier, MDR status and risk class, is the foundation; how to set one up is covered in our article on the AI inventory. And do not forget Article 4: healthcare professionals working with AI output must demonstrably be able to handle it. That is not a paperwork obligation but the practical precondition for human oversight to work at all.

For the full timeline and risk classes, see our AI Act Explorer. And if you would rather not run the gap assessment between your MDR file and the AI Act requirements alone: Embed AI supports medtech companies and healthcare institutions through exactly these combined trajectories, from inventory to the notified body conversation.

The core message for your roadmap: no panic about a second certification track, but focused work on the four AI-specific clusters. Map the delta now, fold it into your regular MDR cycle, and there will be no surprises at the notified body in 2028.

Frequently asked questions about medical AI under the AI Act and the MDR

Sources

EUR-Lex: Regulation (EU) 2024/1689 (AI Act) (accessed July 2026)
European Commission: AI Act Service Desk: implementation timeline (accessed July 2026)