Tech and Treatment: Comprehending the EU AI Act's Impact on Medical Devices

April 4, 2024
Authored by
Osman Gazi Güçlütürk
Legal & Regulatory Lead in Public Policy at Holistic AI
Selim Akal
Legal Researcher at Holistic AI
AI-driven medical devices are transforming the healthcare industry due to their wide applications, including diagnostic processes such as interpreting X-rays, using a data-driven approach to formulate personalized treatment regimens, and assistance with surgical procedures.

However, these tools can have significant implications for an individual’s health and chances of recovery, so it is vital that they are safe and effective. Although healthcare is already a highly regulated sector, the use of AI can bring novel challenges that may not be adequately addressed by existing laws and regulations. Consequently, lawmakers are increasingly moving to regulate AI systems used in healthcare through both specific and horizontal pieces of legislation.

A major piece of horizontal legislation that will have implications for AI-driven medical devices is the EU AI Act, which takes a risk-based approach to obligations for AI systems used in the European Union. In this blog post, we provide an overview of the implications the AI Act will have for AI-driven medical devices across different parties.

Key Takeaways

  • High-Risk Classification: AI systems used in medical devices may be considered high-risk under the EU AI Act, requiring strict adherence to regulatory requirements and responsibilities for medical device market participants.
  • Manufacturer Responsibilities: The manufacturers of AI-driven medical devices will be the providers for the AI systems under the EU AI Act, tasked with meeting the Act’s requirements, such as conducting conformity assessments and implementing risk management systems.
  • Complementary Nature: The obligations under the AI Act will be distinct from but complementary to the existing rules under sectoral regulations for medical devices.
  • Facilitated Compliance: It will be possible for providers to integrate some of their obligations, e.g., technical documentation or post-market monitoring, into the already existing procedures within the sectoral legislative framework for medical devices.

Understanding the EU legal framework for medical devices

The New Legislative Framework (NLF), established in 2008, is the cornerstone of EU product legislation, ensuring the safety and quality of products entering the market. In addition to medical devices, this framework governs a spectrum of products, from electronics to agricultural inputs, and enforces a uniform set of obligations to maintain high standards, including quality management and comprehensive technical documentation. Additionally, it incorporates oversight mechanisms like conformity assessments and mandates for ongoing market surveillance.

Under this framework, Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDMR) are the key pieces of legislation targeting medical devices in the EU. Together, they cover an extensive range of products used in medicine, such as hospital equipment and diagnostic software, and have a broad definition of what constitutes a medical device. These regulations affect multiple parties including manufacturers, authorized representatives, importers, and distributors, ensuring a comprehensive governance of medical devices across the EU market.

Since the MDR and IVDMR regulations are designed to be technology-agnostic, they apply to traditional medical devices as well as those utilizing cutting-edge AI technologies. This ensures that AI-powered medical devices, which are becoming increasingly prevalent in diagnostics, treatment planning, and patient monitoring, are held to the same rigorous safety and quality standards.

How are medical devices classified under the EU laws?

Under the EU's framework, medical devices are classified using a risk-based approach, much like the EU AI Act. The MDR’s criteria for categorizing medical devices are based on their intended use and associated risk levels, and take into account several factors including conditions of sterility, whether the device is active or passive, the level of invasiveness, and the duration of use. Based on these factors, medical devices are sorted into four main classes that range from class I to class III, with the level of regulatory scrutiny and risk assessment increasing with each subsequent class:

Class Type: Main Features

  • Class I: (Base Type); Corrective Glasses
  • Class IIa: Invasive; Short Term Use; Contact Lenses
  • Class IIb: Invasive or Active; Long Term Use; Infusion Pumps; Dialysis machines
  • Class III: Invasive or Active; Long Term Use; Heartbeat controller; Drug-coated stent

Each risk category of the MDR has specific requirements for compliance assessments, particularly in terms of the extent of third-party evaluation required. Notably, medical devices classified as class IIa or higher are mandated to undergo a pre-market conformity assessment conducted by a notified body, an independent third-party organization designated by EU member states to assess whether a product meets the necessary regulatory requirements.

How does medical device risk classification interact with the EU AI Act?

The classification of AI-powered medical devices under the MDR is particularly significant as it determines which devices might be considered high-risk under the EU AI Act.

Indeed, the third-party assessment required under the MDR for higher-risk medical devices plays a vital role in determining the risk level associated with medical devices that utilize AI technologies under the EU AI Act. As such, the classification of AI-powered devices under the MDR significantly impacts the regulatory process, ensuring that devices meet stringent safety and performance standards before they are allowed to enter the market. This step is especially decisive for AI-integrated medical devices, as it aligns with the EU AI Act's aim to mitigate risks and potential harms associated with high-risk AI systems.

How does the AI Act affect AI-driven medical devices?

The EU AI Act is set to significantly influence AI-driven medical devices in two key ways:

  1. High-Risk Classification: Certain AI-driven medical devices will be designated as high-risk AI systems.
  2. Operational Obligations: High-risk designations will enforce stringent obligations on economic operators within the medical device sector.

When are AI-powered medical devices classified as high-risk AI systems under the EU AI Act?

Based on the criteria of high-risk AI systems laid down in the EU AI Act, there are in general two possible scenarios for AI-driven medical devices to be classified as high-risk:

AI systems employed in or as products under the MDR or IVDMR

AI systems can be integrated into products either as critical safety components or as stand-alone products. When such products fall under specific EU legislation that requires a third-party conformity assessment, they are designated as high-risk AI systems under the AI Act. This classification spans various regulated products, including but not limited to toys, machinery, and personal protective equipment, in addition to medical devices.

As such, medical devices that are categorized as class IIa or higher under the MDR, which have a mandatory requirement for a third-party conformity assessment by recognized notified bodies, are automatically deemed high-risk under the EU AI Act. For example, medical devices engineered for capturing diagnostic images using X-ray technology are typically class IIa and, being AI-driven, fall squarely into the high-risk category of the AI Act.

Furthermore, specific subsets of class I medical devices (those that are sterile, designed for reuse, or incorporate a measuring function) also require a conformity assessment, albeit to a lesser extent, focusing on their unique health-related characteristics or functionalities as stipulated by the MDR. Because of this, AI-enhanced class I medical devices under the MDR also fall within the high-risk framework.

Therefore, it's critical for businesses to conduct a thorough evaluation of their AI-enabled medical devices, considering their intended use cases, features, and objectives, to accurately assess risk and ensure compliance with the stringent EU regulations.

AI systems posing significant risk in certain areas

The second scenario where medical devices may be classified as high-risk under the EU AI Act concerns their deployment for use cases specified in Annex III of the Act. Here, AI systems that are integral to the management and prioritization of emergency calls and services, including those used for patient triage, are identified as high-risk AI systems. Nevertheless, providers have the opportunity to demonstrate that their medical devices, even if used in these contexts, do not present a "significant risk" to health, safety, or fundamental rights, potentially exempting them from the high-risk category. Therefore, entities in the medical device sector are obliged to conduct a careful review to determine whether the use cases of their AI systems are captured by the high-risk classifications of Annex III.

Regardless of the high-risk designation, providers must meticulously document their risk assessments to justify their determination that their AI systems do not pose a high risk. Moreover, in instances where the AI system is not considered high-risk, there is still a requirement to register the system within the EU AI database and to have the risk assessment documentation available to be produced upon request.

What are the responsibilities of economic operators for medical devices under the EU AI Act?

The EU AI Act establishes a clear set of responsibilities for various players involved in the lifecycle of AI systems, such as providers, manufacturers, deployers, authorized representatives, importers, and distributors. This allocation of roles may correspond to the existing categories of economic operators under the MDR and the IVDMR as well. For instance, an enterprise producing and marketing AI-driven patient monitoring devices will be both a “provider” under the EU AI Act and a “manufacturer” under the MDR.

Hence, in the medical devices sector, it is essential to evaluate the roles of these stakeholders on a granular, sector-specific level to accurately identify their respective responsibilities under the EU AI Act. This is because their duties as operators under the Act are directly linked to their functions within the AI value chain. For example, healthcare institutions like clinics or hospitals may take on the roles of either providers or deployers, depending on how they employ AI-driven medical devices. Each role carries distinct obligations under the Act, underscoring the need for a precise understanding and compliance strategy tailored to the specific activities and applications of AI within the healthcare domain.

Key obligations of manufacturers of AI-powered medical devices under the AI Act

The definition of ‘manufacturer’ under the MDR covers not only the actual manufacturer, but also the marketer of a product under its own name or trademark. This designation is important for the EU AI Act as these parties will be considered providers of AI systems under the Act. Consequently, the manufacturers of medical devices powered by high-risk AI systems must adhere to specific obligations as providers according to the EU AI Act.

The main obligations of providers under the EU AI Act can be seen below:

Obligations under the EU AI Act: Procedure for Compliance

  • Ensuring compatibility with the high-risk AI system requirements with regard to data quality and governance (Article 10), human oversight (Article 14), transparency and informativeness (Article 13), and accuracy, robustness and cybersecurity (Article 15): Separately conducted
  • Conducting third party pre-market conformity assessment (Article 43): Integrable with MDR/IVDMR
  • Technical documentation (Article 11) and record-keeping (Article 12) for AI activities: Integrable with MDR/IVDMR
  • Establishing AI quality management system (Article 17) and risk management system (Article 9): Integrable with MDR/IVDMR
  • Declaration of conformity (Article 48) and affixing CE marking (Article 49): Integrable with MDR/IVDMR
  • Registration with the EU AI database (Article 51): Separately conducted
  • Carrying out post-market monitoring measures (Article 61): Integrable with MDR/IVDMR

Notably, the EU AI Act allows providers to integrate their obligations regarding documentation, information, testing and reporting procedures into the already existing procedures under the MDR and IVDMR. This means that, for instance, providers may choose a single conformity assessment procedure for both AI Act and MDR compliance rather than conducting separate assessments.

Consequently, providers must ensure that their compliance strategies are comprehensive, addressing all existing obligations under current regulations, and also adapt to meet the additional, distinct demands of the EU AI Act.

Obligations of Other Market Operators

Other AI operators are also required to observe a set of obligations under the EU AI Act. Their main obligations can be summarized as follows:

  • Deployers (healthcare service institutions): Implementation of technical and organizational measures including human oversight, monitoring medical device functioning, managing input data, and record-keeping of logs produced by AI operations
  • Authorized Representatives (representatives of non-EU medical device manufacturers): Ensuring compliance with the EU AI Act on behalf of non-EU providers
  • Importers (medical device import companies): Verification of product compliance with the Act, including confirming conformity assessments and technical documentation
  • Distributors (medical device retailers or wholesalers): Verification of product documentation compliant with the Act; proper storage or transport conditions for products with high-risk AI systems

Given the extensive circulation and marketing of medical devices globally, all relevant market actors must assess their position and role in the market to ensure compliance with their obligations under the EU AI Act.

Prepare for upcoming legislative developments

The EU AI Act will have a significant impact on companies investing in AI-driven medical devices. Non-compliance could lead to penalties as well as competitive setbacks, including reputational damage. Market operators and enterprises should therefore adapt and transform their AI models and operations to meet the Act’s requirements.

Last updated 3 April 2024.

DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.