The EU AI Act and Medical Devices: How MDR and AI Act Obligations Stack
Quick answer: Under the EU AI Act (Regulation 2024/1689), an AI system that is a medical device — or a safety component of one — and undergoes third-party conformity assessment under MDR is classified as a high-risk AI system (Article 6(1), via Annex I listing the MDR). That triggers AI-specific requirements — risk management, data governance, technical documentation, transparency, human oversight, accuracy/robustness/cybersecurity — layered on top of MDR obligations. High-risk obligations for these embedded-legislation products apply on the AI Act's extended timeline (2027 for Annex I products), but designing them in now is far cheaper than retrofitting. Practically, most AI-SaMD manufacturers should run one integrated technical documentation set and one QMS covering both regulations.
Which medical devices are caught
The trigger is mechanical: your product contains an AI system (as defined in AI Act Article 3 — machine-based, inferring from inputs to generate outputs like predictions or recommendations), it is a device or safety component under MDR, and it undergoes notified body conformity assessment. In practice this catches nearly all AI-based software as a medical device, because MDR Rule 11 pushes diagnostic and therapeutic-decision software into Class IIa or above — which means notified body involvement — and Class I self-certified AI devices are the rare exception.
What the AI Act adds on top of MDR
Much overlaps with what a competent MDR programme already does — but the AI Act sharpens specific edges:
Risk management (Art. 9). Continuous, lifecycle-based — alignable with ISO 14971, but explicitly covering AI-specific risks like bias and performance drift.
Data and data governance (Art. 10). Training, validation, and test datasets must be relevant, representative, and examined for biases — with documented data provenance. This is genuinely new territory for many MDR files.
Technical documentation (Art. 11, Annex IV). For devices, the AI Act allows a single set of technical documentation combining MDR Annex II/III and AI Act Annex IV content — take that option; two files diverge.
Logging and traceability (Art. 12). Automatic event logging over the system's lifetime.
Transparency and human oversight (Arts. 13–14). Instructions enabling deployers to understand outputs and limitations; oversight measures appropriate to the clinical context.
Accuracy, robustness, cybersecurity (Art. 15). Declared performance metrics and resilience — including against data poisoning and adversarial inputs.
The conformity assessment is designed to run through your existing notified body procedure where the NB is designated for the AI Act — one assessment, not two, when the system works as intended.
The integration strategy
Treat the AI Act as extra requirements in your existing machinery, not a parallel programme: extend the ISO 14971 risk file with AI-specific hazards; add data governance procedures to the ISO 13485 QMS (they slot naturally into design controls and software lifecycle work under IEC 62304); build the combined technical documentation from day one; and put post-market monitoring of model performance into the MDR PMS plan — drift detection is simultaneously an AI Act obligation and PMCF-adjacent evidence.
Companies running two disconnected compliance tracks pay twice and create contradictions auditors will find.
Timing
The AI Act entered into force in August 2024 with staged application; high-risk obligations for products regulated under Annex I sectoral legislation (including MDR devices) apply from 2027. If your device certification lands near that window, your notified body will expect the AI Act content in the submission — verify the current state of NB designations and guidance, which are still maturing.
Frequently asked questions
Our ML model is locked (no continuous learning). Does the AI Act still apply? Yes — the definition doesn't require adaptivity. Locked models are simpler to document but fully in scope.
Is a new CE mark needed? One CE mark covering both regulations, via the combined conformity assessment — the mark signals conformity with all applicable EU legislation.
Does the AI Act apply to clinical decision support? If it's an MDR device with NB assessment, yes. Rule 11 makes most CDS Class IIa or higher.
Who inside the company owns AI Act compliance? The same RA/QA function that owns MDR — with data science pulled into design controls. A fractional RA/QA partner covering both is a workable SME structure.
About QLE Group
QLE Group builds integrated MDR + AI Act compliance programmes for AI-enabled medical devices — combined technical documentation, QMS extensions for data governance, and regulatory strategy — from Brussels. Delivered by Radoslav Milkov: qualified PRRC, ISO 13485 / 21 CFR 820 Lead Auditor, LL.M. in EU Law, and active European Commission external expert evaluating MedTech and AI proposals. Complexity-indexed pricing at qle.be.
Building AI into a device? Book a scoping call or email info@qle.be.