EU AI Act requirements for medical device companies.
By William McCann · ClearpathAI · Updated May 2026
Medical device companies face a uniquely complex AI regulatory environment in the EU. AI used in or as a medical device is potentially subject to two overlapping frameworks: the EU AI Act and the EU Medical Device Regulation (MDR) or In Vitro Diagnostic Regulation (IVDR). Understanding which framework governs which AI use — and where they overlap — is the first step in building a compliant governance structure.
The Key Question
Is the AI system functioning as a medical device — making or supporting clinical decisions — or is it being used in the business operations around medical device manufacturing? The answer determines which regulation primarily governs it, and what compliance looks like.
Two frameworks. Understanding which applies when.
EU AI Act
Governs AI in business operations
AI used in hiring, quality control decisions, supply chain, HR, and operational management. High-risk AI used in safety-critical manufacturing contexts. All AI systems with EU market exposure regardless of medical application.
EU MDR / IVDR
Governs AI as a medical device
AI systems that function as Software as a Medical Device (SaMD) — making or supporting clinical decisions, diagnosis, treatment planning, or patient monitoring. These face the stricter MDR/IVDR pathway, which the EU AI Act largely defers to.
The EU AI Act includes a specific provision for AI systems already regulated under EU MDR or IVDR: where those frameworks impose equivalent requirements, the EU AI Act requirements are considered satisfied. However, operational AI — the AI your company uses to run the business, not the AI in your products — is not covered by MDR/IVDR and falls fully under the EU AI Act.
Which AI use cases in medical device companies fall under which framework?
AI diagnostic support software (SaMD)
AI that analyzes imaging, pathology, or patient data to support clinical diagnosis or treatment decisions. Classified as Software as a Medical Device.
AI in manufacturing quality control
Vision systems or AI making pass/fail decisions on medical device components or finished goods. High-risk under EU AI Act due to safety implications.
AI-assisted hiring and HR decisions
AI tools used to screen candidates, evaluate employees, or make workforce decisions. High-risk under EU AI Act regardless of industry.
Predictive maintenance AI
AI monitoring manufacturing equipment telemetry. Minimal risk unless autonomous decisions affect worker safety or product quality release.
AI for regulatory documentation
Generative AI used to draft Technical Files, Design History Files, or regulatory submissions. No mandatory requirements — but output accuracy is critical.
Supply chain and inventory AI
AI for demand forecasting, supplier management, and inventory optimization. Minimal risk under EU AI Act unless affecting critical supply decisions for safety-critical components.
What the EU AI Act requires for high-risk operational AI in medical device companies.
Article 9
Risk management system
Documented risk management for high-risk AI systems — lifecycle risk identification, probability and severity assessment, and mitigation documentation.
For medical device companies: your existing ISO 14971 risk management process provides the framework. Extend it to cover operational AI risk, not just product risk.
Article 11
Technical documentation
Detailed technical documentation before deployment: system purpose, design specifications, training data, performance metrics, risk management. Kept current throughout the system's lifecycle.
For medical device companies: your Design History File (DHF) discipline applies here. Same rigor, same document control infrastructure, extended to operational AI.
Article 12
Automatic event logging
High-risk AI systems must log events automatically. Minimum 6-month retention — longer for quality-critical systems to align with device history record requirements.
For medical device companies: align with your Device History Record (DHR) retention requirements — typically the lifetime of the device plus 2 years under EU MDR.
Article 14
Human oversight
High-risk AI systems must enable effective human oversight. Particularly important for AI involved in quality control decisions — humans must be able to override AI pass/fail determinations.
For medical device companies: document human review procedures for any AI-driven quality disposition decision. Your existing nonconformance and corrective action process provides the model.
What medical device companies should prioritize first.
01 Map your AI landscape — separate AI in your products (MDR/IVDR governed) from AI in your operations (EU AI Act governed). Many companies have not drawn this distinction clearly.
02 Classify operational AI by EU AI Act tier — particularly hiring AI and quality control AI, which are most likely to be high-risk.
03 Extend your existing QMS infrastructure — ISO 13485, ISO 14971, and DHF discipline provide the model for EU AI Act technical documentation and risk management.
04 Build an AI Use Policy — covering acceptable use, vendor risk, generative AI for regulatory documents, and incident reporting.
05 Assess your SaMD AI separately — if you have AI functioning as a medical device, ensure your Notified Body is aware of EU AI Act implications for your MDR/IVDR technical file.
Medical device experience. AI governance expertise.
ClearpathAI builds AI governance frameworks for regulated industries. We understand both the quality management discipline medical device companies already have and the specific EU AI Act obligations that extend it.