EU AI Act and High-Risk AI in Medical Devices: Preparing for Compliance, Competing for the Future

6 min read

Artificial Intelligence is no longer just a technological edge in the medical device industry -it's becoming a regulated function of trust, accountability, and performance. Europe established a distinct border between technological progress and accountability by adopting the formal EU Artificial Intelligence Act on August 1, 2024.

The new legislation provides medical device manufacturers, specifically those working with AI-powered Software as a Medical Device (SaMD), with both regulatory requirements and market indicators.

The EU AI Act: A New Regulatory Paradigm

The Act establishes novel standards for AI development, assessment, and monitoring operations within the European Union's territory through its comprehensive measures. All AI solution developers pursuing the European Union market must understand that the message regarding AI deployment remains clear and concise. The regulatory system determines that any system affecting healthcare diagnosis or patient treatment, or health, must face a High-Risk status.

Understanding the Core of the EU AI Act: Risk-Based, Sector-Specific, Impact-Driven

The EU AI Act integrates a risk-based classification model that creates three categories: Prohibited Practices, High-Risk AI Systems, and Limited-Risk Systems. Medical AI almost always falls under the High-Risk category, particularly under Article 6(1)(b), which classifies any AI component of a medical device requiring Notified Body review as high-risk by default.

AI systems for diagnosis, therapy planning, clinical decision support, and remote monitoring - all fall under this High-Risk bracket. This includes those that employ:

Machine Learning (ML) models
Deep Learning algorithms
Neural Networks or Statistical Classifiers
Predictive or Pattern Recognition Software embedded in Medical Devices

Key Manufacturer Requirements Under the EU AI Act:

The implementation of core technical mandates within a Quality Management System needs attention from manufacturers for effective compliance.

Risk Management (Article 9):
Organized AI risk management strategies should be built and maintained by manufacturers since they resolve algorithmic prejudice model instability, along with security system breaches and problems with algorithmic prejudice. Additionally, under IEC 62304, software safety classification is a critical step. Each software item must be classified as Class A, B, or C based on risk. This classification determines the depth of required activities throughout the software lifecycle. It is important to incorporate this classification at the early design and risk assessment phases.
Data Governance (Article 10):
High-quality datasets should be selected by manufacturers along with representative samples and annotatable non-biased information for selecting datasets among other criteria.
Technical Documentation (Article 11):
Organize an active documentation system to display complete information about the AI system structure together with performance measurements and operational controls and safety components. Under IEC 82304, a Product Safety Requirements Specification must also be included during the requirements finalization stage. This document defines essential safety, security, and usability needs and should be reviewed as a core deliverable.
Transparency & Explainability (Article 13):
Users need to receive accessible descriptions of AI system logic which explain both operational capabilities and system boundaries together with justification of its decision-making processes.
Human Oversight (Article 14):
Professionals who undergo training can use authorized procedures to prevent automated damage to decisions while maintaining operational control through those procedures.
Logging & Traceability (Article 12):
System inputs together with outputs and decision tree records should be recorded fully and especially during clinical deployment for post-market surveillance activities.
Post-Market Monitoring (Article 72):
Guidelines should be implemented to measure AI system performance continuously after its commercial implementation. The system should utilize real analytics of actual operational performance to integrate user feedback and optimize risk control systems. In addition, IEC 62304 requires a documented Software Maintenance Plan. This plan must define how post-release software anomalies, patches, and updates are managed and validated. Maintenance activities should align with long-term monitoring practices.
CE Marking & Registration (Article 17):
When applying the CE mark on medical AI devices they need to satisfy the requirements of both the Medical Device Regulation (MDR 2017/745) or In Vitro Diagnostic Regulation (IVDR 2017/746) and the EU AI Act.

More Than Regulation: A Lifecycle Overhaul

The transformation goes beyond Regulatory requirements because it demands a complete redesign of the AI system lifecycle development process, from creation through maintenance. Technical performance excellence gives way to permanent Regulatory oversight and ethical standards tracking.

Incorporating IEC 62304 principles, a formal Software Problem Resolution Process is required across the entire lifecycle. Manufacturers must define procedures to identify, document, analyze, and resolve software anomalies. This should be embedded at each quality gate especially post-verification.

The management of SOUP (Software of Unknown Provenance) is also mandated. Each SOUP component must be identified, assessed for risk, and controlled through design and architecture documentation reviews. This ensures that external dependencies are safe and appropriately managed.

Furthermore, IEC 82304 emphasizes defined processes for installation, configuration management, and system decommissioning. These must be validated and documented during late-stage development before commercial release. A cybersecurity risk mitigation process must also be integrated into the SDLC and verified at each lifecycle stage.

AI Adoption in Europe: The 2024 Landscape

Eurostat's 2024 report on AI use in European enterprises remote data shows an escalating pattern for AI implementation in European businesses during 2024:

41.2% of large enterprises currently use artificial intelligence.
34.1% of enterprises benefit in marketing and sales operations.
27.5% benefit in business operations.
6.1% benefit in logistics.

The gap in AI adoption is apparent between large and smaller enterprises:

AI technology is applied for ICT security by 46.4% of large enterprises but only 17.2% of small firms use it for this purpose.
A significant percentage of 34.7% of large enterprises employ AI in production processes compared to smaller companies with 21.6% AI usage.
Industrial adoption of artificial intelligence faces both advantages and difficulties because 13.5% of EU companies currently apply AI technologies.

These figures demonstrate a dual reality- on one side, AI is already reshaping critical business functions; on the other, there is a substantial gap in scaling adoption, particularly in regulated domains like healthcare, where trust and safety are prerequisites to growth.

Europe Is Not Just Regulating -It’s Investing to Scale Trustworthy AI

Unlike earlier waves of digital transformation, the EU's approach to AI combines policy with proactive investment.

A report by Europarl acknowledges that AI innovation must be accelerated but not at the cost of patient safety or ethical oversight.

$1.8 billion in financial support for European AI startups (2023)
The EU receives only 6% of global AI venture capital, with investments four times lesser than those in the U.S.

Funding Initiatives Include:

Digital Europe Programme: €1.3 billion (2025–2027) for testing facilities and skills development hubs.
InvestAI: Part of the Digital Decade strategy, aiming to gather €200 billion for:
- AI factories
- Cloud services
- Cross-border innovation networks

EU institutions establish a supportive environment through regulatory changes which enable ethical AI systems that are clinically reliable and scalable for SaMD manufacturers.

What This Means for Medical Device Companies

The EU AI Act regulations, along with their essential business implications, present two main points that medical device manufacturers must address.

These points are further strengthened when aligned with IEC 62304 and IEC 82304 standards which provide structure, classification rigor, post-release continuity, and security governance across the software lifecycle.

Prepare for Compliance Before Market Entry

Conduct AI Act gap analysis
Update technical files, RMFs, and SOPs
Embed traceability mechanisms from the design stage
Engage early with Notified Bodies for pre-assessment
Plan for long-term Post-Market Surveillance with feedback loops

Convert Compliance into Competitive Advantage

Firms that lead compliance also lead in trust and market share
Build QMS with AI Act alignment from the concept phase
Position transparency and auditability as market differentiators
Leverage CE Mark + AI compliance as a trust badge

Frequently Asked Questions (FAQs) on the EU AI Act for Medical Devices

To help medical device manufacturers navigate the evolving compliance landscape, here are some of the most asked questions:

What is the EU AI Act, and how does it impact medical device manufacturers?
The EU AI Act is the world’s first comprehensive AI regulation framework. It imposes mandatory requirements for risk management, data governance, human oversight, and post-market surveillance, especially for high-risk medical AI like diagnostic tools and clinical decision support software.
Which AI systems in medical devices are classified as high-risk under the EU AI Act?
Any AI system used in diagnosis, therapy planning, or patient monitoring is considered high-risk. This includes machine learning-based SaMD, deep learning models, and AI tools that influence health decisions or outcomes.
What are the key compliance requirements for AI-powered medical devices under the EU AI Act?
Manufacturers must ensure:
• Traceability of inputs and outputs
• Robust data quality and governance
• Human oversight mechanisms
• Full technical documentation
• CE marking under both MDR/IVDR and AI Act standards
How does the EU AI Act relate to the MDR (2017/745) and IVDR (2017/746)?

The EU AI Act builds on MDR/IVDR by layering AI-specific requirements such as explainability, algorithm transparency, and risk controls. All AI-powered devices must meet dual compliance – traditional medical device rules and new AI standards.
Market leaders approach the EU AI Act not as a hurdle but as a blueprint for building trusted, high-performance medical technologies. They embrace compliance at the architecture level and use it to inform strategy, marketing, and brand positioning.
Medical device firms must embed AI Act readiness across their entire product and compliance ecosystem to gain a competitive edge. Contact us today to align your innovation with compliance and turn regulatory readiness into a competitive advantage.

Aspect	USA	EU	Australia	China	UAE
Regulatory Authority	FDA	EFSA & Member State Authorities	FSANZ	SAMR & NHC	ESMA & MOHAP
Major Regulation Governing Compliance	Federal Food, Drug, and Cosmetic Act (FFDCA); 21 CFR Part 110 (Current Good Manufacturing Practices)	Regulation (EC) No 178/2002 (General Food Law); Regulation (EU) No 1169/2011 on Food Information to Consumers	Food Standards Code (Australia New Zealand Food Standards Code)	Food Safety Law of the People's Republic of China (Revised 2015); GB Standards for Food Safety	UAE.S GSO 9:2017 (GCC General Requirements for Prepackaged Food)
Pre-market Approval Required?	No pre-market approval except for novel ingredients, color additives, or specific claims	No pre-market approval for general foods, but novel foods or health claims require EFSA approval.	No pre-market approval unless it's a novel food or makes health claims	Pre-market registration is required for novel foods, health foods, or products with new ingredients	Pre-market approval is required for certain foods, health products, and products with new ingredients
Processed Food Labeling Compliance /Labeling Requirements	Mandatory labeling as per FDA guidelines (Nutrition Facts, Ingredient Declaration, Allergens)	Must comply with EU Food Information Regulation (1169/2011); includes allergens, nutrition, and origin labeling.	Must follow FSANZ Food Standards Code for labeling; nutrition panels, allergens, and ingredient lists required	Must follow GB 7718-2011 (National Food Safety Standards) for labeling; mandatory nutrition facts, allergens, and shelf-life	Must follow GSO 9:2017 for pre-packaged food labeling; Arabic labeling, allergens, and nutrition facts required
Timeline for Registration	No fixed timeline: products can enter the market once compliant	No formal registration unless novel food; EFSA approval for health claims takes 12-18 months	No formal registration unless it's a novel food or makes health claims	Typically, 12-24 months for novel foods, shorter for regular processed foods	Approval may take 6-12 months for certain products. Regular processed foods can enter the market once label approval is obtained

Medicinal Products Regulatory Services

Medical Devices Regulatory Services

Consumers

Freyr Digital

Stay Ahead of the Curve With Our Innovative Regulatory Software Solutions

The EU AI Act: A New Regulatory Paradigm

Understanding the Core of the EU AI Act: Risk-Based, Sector-Specific, Impact-Driven

Key Manufacturer Requirements Under the EU AI Act:

More Than Regulation: A Lifecycle Overhaul

AI Adoption in Europe: The 2024 Landscape

Europe Is Not Just Regulating -It’s Investing to Scale Trustworthy AI

Funding Initiatives Include:

What This Means for Medical Device Companies

Frequently Asked Questions (FAQs) on the EU AI Act for Medical Devices

Subscribe to Freyr Blog

Recent Blog

Blog Tags

Related Blogs

How can we help you?

Please let us know your requirements, and we will contact you.