AI-driven medical devices are transforming the healthcare industry due to their wide applications, including diagnostic processes such as interpreting X-rays, using a data-driven approach to formulate personalized treatment regimens, and assistance with surgical procedures.
However, these tools can have significant implications for an individual’s health and chances of recovery, so it is vital that they are safe and effective. Although healthcare is already a highly regulated sector, the use of AI can bring novel challenges that may not be adequately addressed by existing laws and regulations. Consequently, lawmakers are increasingly moving to regulate AI systems used in healthcare through both specific and horizontal pieces of legislation.
A major horizontal legislation that will have implications for AI-driven medical devices is the EU AI Act, which takes a risk-based approach to obligations for AI systems used in the European Union. In this blog post, we provide an overview of the implications the AI Act will have for AI-driven medical devices across different parties.
Key Takeaways
The New Legislative Framework (NLF), established in 2008, is the cornerstone of EU product legislation, ensuring the safety and quality of products entering the market. Including medical devices, this framework also governs a spectrum of products, from electronics to agricultural inputs, and enforces a uniform set of obligations to maintain high standards, including quality management and comprehensive technical documentation. Additionally, it incorporates oversight mechanisms like conformity assessments and mandates for ongoing market surveillance.
Under this framework, Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDMR) are the key pieces of legislation targeting medical devices in the EU. Together, they cover an extensive range of products used in medicine, such as hospital equipment and diagnostic software, and have a broad definition of what constitutes a medical device. These regulations affect multiple parties including manufacturers, authorized representatives, importers, and distributors, ensuring a comprehensive governance of medical devices across the EU market.
Since the MDR and IVDMR regulations are designed to be technology-agnostic, they apply to traditional medical devices as well as those utilizing cutting-edge AI technologies. This ensures that AI-powered medical devices, which are becoming increasingly prevalent in diagnostics, treatment planning, and patient monitoring, are held to the same rigorous safety and quality standards.
Under the EU's framework, medical devices are classified using a risk-based approach, much like the EU AI Act. The MDR’s criteria for categorizing medical devices is based on their intended use and associated risk levels, and takes into account several factors including conditions of sterility, whether the device is active or passive, the level of invasiveness, and the duration of use. Based on these factors, medical devices are sorted into four main classes that range from class I to class III in order of increasing level of regulatory scrutiny and risk assessment with each subsequent class:
Each risk category of the MDR has specific requirements for compliance assessments, particularly in terms of the extent of third-party evaluation required. Notably, medical devices classified as class IIa or higher are mandated to undergo a pre-market conformity assessment conducted by a notified body, independent third-party organization designated by EU member states to assess whether a product meets the necessary regulatory requirements.
The classification of AI-powered medical devices under the MDR is particularly significant as it determines which devices might be considered high-risk under the EU AI Act.
Indeed, the third-party assessment required under the MDR for higher-risk medical devices plays a vital role in determining the risk level associated with medical devices that utilize AI technologies under the EU AI Act. As such, the classification of AI powered devices under the MDR significantly impacts the regulatory process, ensuring that devices meet stringent safety and performance standards before they are allowed to enter the market. This step is especially decisive for AI-integrated medical devices, as it aligns with the EU AI Act's aim to mitigate risks and potential harms associated with high-risk AI systems.
The EU AI Act is set to significantly influence AI-driven medical devices in two key ways:
Based on the criteria of high-risk AI systems laid down in the EU AI Act, there are in general two possible scenarios for AI-driven medical devices to be classified as high-risk:
AI systems can be integrated into products either as critical safety components or as stand-alone products. When such products fall under specific EU legislation that requires a third-party conformity assessment, they are designated as high-risk AI systems under the AI Act. This classification spans various regulated products, including but not limited to toys, machinery, and personal protective equipment, in addition to medical devices.
As such, medical devices that are categorized as class IIa or higher under the MDR, which have a mandatory requirement for a third-party conformity assessment by recognized notified bodies, are automatically deemed high-risk under the EU AI Act. For example, medical devices engineered for capturing diagnostic images using X-ray technology are typically class IIa and, being AI-driven, fall squarely into the high-risk category of the AI Act.
Furthermore, specific subsets of class I medical devices—those that are sterile, designed for reuse, or incorporate a measuring function—also require a conformity assessment, albeit to a lesser extent, focusing on their unique health-related characteristics or functionalities as stipulated by the MDR. Because of this, AI-enhanced class I medical devices under the MDR within the high-risk framework.
Therefore, it's critical for businesses to conduct a thorough evaluation of their AI-enabled medical devices, considering their intended use cases, features, and objectives, to accurately assess risk and ensure compliance with the stringent EU regulations.
The second scenario where medical devices may be classified as high-risk under the EU AI Act concerns their deployment for use cases specified in Annex III of the Act. Here, AI systems that are integral to the management and prioritization of emergency calls and services, including those used for patient triage, are identified as high-risk AI systems. Nevertheless, providers have the opportunity to demonstrate that their medical devices, even if used in these contexts, do not present a "significant risk" to health, safety, or fundamental rights, potentially exempting them from the high-risk category.Therefore, entities in the medical device sector are obliged to conduct a careful review to ensure if the use cases of their AI systems are captured by the high-risk classifications of Annex III.
Regardless of the high-risk designation, providers must meticulously document their risk assessments to justify their determination that their AI systems do not pose a high risk. Moreover, in instances where the AI system is not considered high-risk, there is still a requirement to register the system within the EU AI database and to have the risk assessment documentation available to be produced upon request.
The EU AI Act establishes a clear set of responsibilities for various players involved in the lifecycle of AI systems, such as providers, manufacturers, deployers, authorized representatives, importers, and distributors. This allocation of roles may correspond to the existing categories of economic operators under the MDR and the IVDMR as well. For instance, an enterprise producing and marketing AI-driven patient monitoring devices will be both “provider” under the EU AI Act and “manufacturer” under the MDR.
In the medical devices sector, hence, it is essential to evaluate the roles of these stakeholders on a granular, sector-specific level to accurately identify their respective responsibilities under the EU AI Act. This is because their duties as operators under the Act are directly linked to their functions within the AI value chain. For example, healthcare institutions like clinics or hospitals may take on the roles of either providers or deployers, depending on how they employ AI-driven medical devices. Each role carries distinct obligations under the Act, underscoring the need for a precise understanding and compliance strategy tailored to the specific activities and applications of AI within the healthcare domain.
The definition of ‘manufacturer’ under the MDR does not only incorporate the actual manufacturer, but also the marketer of a product under its own name or trademark. This designation is important for the EU AI Act as these parties will be considered providers of AI systems under the Act. Consequently, the manufacturers of medical devices powered by high-risk AI systems must adhere to specific obligations as providers according to the EU AI Act.
The main obligations of providers under the EU AI Act can be seen below:
Notably, the EU AI Act allows for providers to integrate their obligations regarding documentation, information, testing and reporting procedures into the already existing procedures under the MDR and IVDMR, meaning that for instance, providers may choose to go with single conformity assessment procedure for both the AI Act and MDR compliance rather than conducting separate assessments.
Consequently, providers must ensure that their compliance strategies are comprehensive, addressing all existing obligations under current regulations, and also adapt to meet the additional, distinct demands of the EU AI Act.
Other AI operators are also required to observe a set of obligations under te EU AI Act, which can be mainly summarized as below:
Given the extensive circulation and marketing of medical devices globally, all relevant market actors must assess their position and role in the market to ensure compliance with their obligations under the EU AI Act.
The EU AI Act will have a significant impact on companies investing in AI-driven medical devices. Non-compliance could lead to both penalties as well as competitive setbacks, including reputational damage. Market operators and enterprises should therefore need to adapt and transform their AI models and operations to meet the Act’s requirements.
Schedule a call with our experts today to find out how Holistic AI can help you navigate the evolving regulatory landscape with confidence.
Last updated 3 April 2024.
DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.
Schedule a call with one of our experts
DISCLAIMER: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser; Holistic AI does not recommend or endorse the contents of the third-party sites.
Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers.
The views expressed at, or through, this site are those of the individual authors writing in their individual capacities only – not those of their respective employers, Holistic AI, or committee/task force as a whole. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided "as is;" no representations are made that the content is error-free.
