AI in Medical Devices: The New EU Obligations
8 min read
93 percent of Germany’s 13,500 medical-technology manufacturers are small and medium-sized enterprises. Many of their AI systems embedded in diagnostic or therapeutic products will soon have to meet the EU AI Act’s high-risk requirements in addition to MDR and IVDR. The rules take effect from 2027 and 2028 respectively. Manufacturers must now close gaps in data governance, documentation and post-market monitoring.
Key takeaways
- 93 percent SMEs: Of Germany’s 13,500 medical-technology manufacturers, most employ fewer than 250 people. The AI Act applies to them in addition to MDR and IVDR.
- Two compliance deadlines: High-risk obligations are scheduled to begin in August 2027, but the Digital Omnibus Package is expected to push this to August 2028.
- Close gaps now: Data governance, bias evidence, logging and post-market monitoring plans can be integrated into existing MDR structures instead of being rebuilt from scratch.
Related:Grants slow down SME growth / PSD3: What CFOs need to know now
When AI in medical devices is classified as high-risk
Under the AI Act, an AI system is considered high-risk if two conditions are met. First, it must be a safety component of a product or the product itself that falls under harmonised EU legislation such as the MDR or IVDR. Second, the product or AI system itself must require conformity assessment by a notified body.
MDCG guidance 2025-6 (June 2025) clarifies this point. MDR Class IIa, IIb and III devices-and most IVDR Class B, C and D products that incorporate AI-are subject to the high-risk rules. Stand-alone MDR Class I devices that self-certify without a notified body, or in-house products under MDR/IVDR Article 5(5), are generally not considered high-risk under the AI Act.
Classification under MDR or IVDR determines the AI Act designation. Conversely, the AI Act does not alter the MDR/IVDR class. Both regimes apply in parallel and complement each other. The MDCG guidance refers to the affected systems as Medical Device Artificial Intelligence (MDAI), which also covers accessories and certain Annex XVI products.
Deadlines and Delays until 2028
The EU AI Act entered into force on 1 August 2024. Prohibited practices have applied since February 2025. The obligations for high-risk AI systems in regulated products such as medical devices were originally scheduled to take effect on 2 August 2027.
On 16 June 2026 the European Parliament and on 29 June 2026 the Council approved the Digital Omnibus Package. Under this package, the high-risk obligations for systems embedded in products (Annex I, including MDR/IVDR) are now postponed to 2 August 2028. Publication in the Official Journal of the European Union is imminent. Until then, the original timeline remains legally binding. Manufacturers should keep both dates in view.
Transparency obligations under Article 50 will apply in part as early as 2026. The delay buys time for standards and notified bodies, but does not relieve manufacturers of the need to prepare.
Key figures on risk and exposure
- 13,500 medical-technology manufacturers in Germany (2023), of which 93 percent employ fewer than 250 staff (GTAI data).
- Breaches of high-risk obligations may incur fines of up to €15 million or 3 percent of global annual turnover (whichever is higher). Prohibited practices: up to €35 million or 7 percent (Article 99 of Regulation (EU) 2024/1689).
New Requirements for Data, Documentation and Monitoring
The AI Act adds MDR/IVDR-specific demands: detailed data governance demonstrating the quality, representativeness and bias mitigation of training, validation and test data. Manufacturers must build logging functions for traceability.
Technical documentation must meet Annex IV of the AI Act. It can be integrated into existing MDR/IVDR documentation. A single technical file and a joint declaration of conformity are possible (Article 11(2)).
Additional duties include human oversight measures, accuracy, robustness and cybersecurity requirements, plus a post-market monitoring plan addressing interactions with other AI systems, performance drift and foreseeable misuse. For adaptive systems, predefined change plans are relevant.
MDCG Guidance 2025-6 stresses complementary application. Risk management and quality management systems must cover AI-specific hazards.
Conformity Assessment and Practical Integration
Conformity assessment is normally handled by the same notified body if it is appropriately accredited. A separate assessment is not mandatory. Article 8(2) of the AI Act allows integration of required tests, reports and documents into existing MDR/IVDR processes.
Manufacturers must ensure all AI Act requirements are demonstrably met. MDCG guidance recommends a unified approach to changes and post-market surveillance. Notified bodies are increasingly checking AI-specific aspects during MDR/IVDR audits.
In Germany, the BfArM remains responsible for market surveillance of AI-based medical devices. The draft AI Market Surveillance and Innovation Promotion Act (AI-MIG) confirms this role. General AI Act supervision rests with the Federal Network Agency.
Risks for SMEs and Concrete Preparation
Mid-sized manufacturers already face heavy MDR implementation burdens. Notified bodies are scarce. Extra demands on data quality and logging raise the workload. Scarce resources for regulatory affairs and AI expertise heighten the risk of delays or fines.
At the same time, the AI Act and MDCG guidance offer relief: simplified technical documentation for micro and small enterprises is envisaged. Integrating requirements into existing systems avoids duplication.
Concrete Steps for Manufacturers
- Verify classification of all AI-containing products against the table in MDCG 2025-6 and document notified-body involvement.
- Conduct a gap analysis of the quality management system and technical documentation against Chapter III of the AI Act and the MDCG FAQs.
- Establish a data-governance process: document training datasets, bias tests, and representativeness in a verifiable manner.
- Define logging functions, human oversight concepts, and post-market monitoring plans for AI-specific risks (drift, interactions) and integrate them into existing surveillance.
- Coordinate early with the notified body to determine whether an integrated conformity assessment is possible. Allocate resources for implementation through 2027/2028.
Manufacturers who tackle these steps systematically reduce risk and use the remaining time to build a robust implementation. The requirements are concrete and verifiable, and they build on existing MDR/IVDR structures.
Frequently Asked Questions
When is an AI medical device considered high-risk?
When it falls under the MDR or IVDR and requires conformity assessment by a notified body. According to MDCG Guidance 2025-6, this covers MDR classes IIa, IIb, and III and most IVDR classes B, C, and D.
Does the AI Act change the risk class under the MDR?
No. The MDR or IVDR class determines the classification under the AI Act, not the other way around. Both frameworks apply in parallel and complement each other.
What are the fines for violations?
For breaches of high-risk obligations, up to €15 million or 3 % of global annual turnover, whichever is higher. For prohibited practices, up to €35 million or 7 %.
Is a separate conformity assessment required for the AI?
Generally not. Article 8 of the AI Act allows integrating the necessary checks and documentation into existing MDR and IVDR processes, usually via the same notified body.
Are there simplifications for small manufacturers?
Yes. The AI Act provides simplified technical documentation for small and micro-enterprises. Integrating into existing systems also avoids duplicate work.
Editor’s Reading Picks
- Grants Slow Down SMEs
- PSD3: What CFOs Need to Know Now
- Process Optimization Without the Marathon Project
More from the MBF Media Network
- cloudmagazin: Cloud Trends for SMEs
- Digital Chiefs: IT Strategy for Decision-Makers
- SecurityToday: Security Briefing
Image source: AI-generated (July 2026)
