Is medical AI high-risk under the EU AI Act?

Almost always, yes. Healthcare AI hits the EU AI Act through two routes. Route 1: Annex I embedded high-risk, AI as a safety component of regulated medical devices (covered by MDR Regulation 2017/745) or in-vitro diagnostic devices (covered by IVDR Regulation 2017/746). AI diagnostic systems, AI in surgical robots, AI in radiology reading software, AI in lab analysers all fall here. Route 2: Annex III(5)(a), AI used by public authorities to determine access to public assistance benefits or services, which covers some hospital triage + emergency dispatch AI. Annex I embedded high-risk obligations apply from 2 August 2028 (delayed from 2 August 2026 by the Omnibus deal of 7 May 2026).

What's the difference between MDR and EU AI Act for medical AI?

They stack. MDR (Medical Device Regulation 2017/745) and IVDR (in-vitro Diagnostic Devices Regulation 2017/746) regulate the safety + performance of the medical device itself, including conformity assessment, CE marking, post-market surveillance, vigilance reporting. The EU AI Act adds AI-specific obligations on top: Article 8-15 high-risk system requirements (risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity) + Article 26 deployer obligations + Article 73 incident reporting. For Annex I AI, the AI Act conformity assessment is integrated with the existing MDR/IVDR notified-body assessment to avoid duplicate work, but both regulations apply.

When does the EU AI Act apply to medical devices?

Annex I embedded high-risk obligations apply from 2 August 2028 (originally 2 August 2026, delayed by the Digital Omnibus deal of 7 May 2026). Article 4 AI literacy obligations on the deploying organisation (the hospital, clinic, lab) apply today since 2 February 2025. Article 5 prohibited practices apply today: real-time biometric identification in publicly accessible spaces, untargeted facial-image scraping. The Article 99 + Article 101 penalty regime is live for in-force obligations. So the staged timeline is: literacy + prohibitions live today; full Annex I embedded high-risk obligations from August 2028.

Does AI in clinical decision support need a FRIA?

Sometimes, depending on the deployer. Article 27 FRIA requirements apply to (a) bodies governed by public law and private entities providing public services, and (b) deployers of Annex III(5)(b) credit-scoring + (5)(c) life/health insurance AI. A public hospital using clinical decision support AI is in scope of Article 27 FRIA. A private hospital using the same AI is not directly in Article 27 scope but should run a FRIA-pattern document anyway as Article 99(7) mitigating evidence. Article 26 deployer obligations apply in both cases regardless of FRIA scope.

What incident-reporting obligations does healthcare AI face?

Two parallel streams. MDR vigilance: report serious incidents involving the medical device to the national competent authority under MDR Articles 87-92 (typical timelines: 2 days for serious public-health threat, 10 days for death or unanticipated serious deterioration, 15 days for other serious incidents). EU AI Act Article 73: GPAI / high-risk AI provider obligation to report serious incidents to the market surveillance authority with the same 2/10/15 day clocks from awareness. The Commission has indicated that aligned reporting (one notification feeding both regimes) will be acceptable; in practice, expect to coordinate with both the medical device competent authority + the AI market surveillance authority. Hospital deployers also have Article 26(5) reporting obligations to the device provider.

Can AI replace radiology readings under the EU AI Act?

It can supplement them but cannot fully replace a qualified human reader for diagnostic decisions. Article 14 (human oversight) applies in full to Annex I embedded high-risk AI used in clinical settings. The AI output must be reviewable by a person who has the competence, authority, and time to override it. Several national medical councils have stated that radiologist-removed AI reporting is currently incompatible with professional medical responsibility standards, regardless of the AI's accuracy. The AI Act doesn't ban AI radiology, it requires meaningful human oversight on the diagnostic decision flow.

What about AI mental health chatbots and telemedicine?

Depends on the use case. Pure conversational chatbots offering general wellness information sit in limited risk (Article 50 transparency: must disclose users are interacting with AI) and don't trigger Annex I or Annex III. AI mental health tools that make clinical assessments, screening recommendations, or treatment decisions can flip to Annex I high-risk if they qualify as medical devices under MDR. AI used in telemedicine triage that determines access to public-service healthcare benefits sits in Annex III(5)(a) high-risk. The distinction is whether the AI exercises medical-device-like clinical judgement, vs whether it provides information without claiming to be a medical device.

Does Article 4 AI literacy apply to medical staff?

Yes. Every medical professional, technician, or administrator using AI tools in patient care, diagnostics, or hospital operations needs Article 4 literacy proportionate to their role. For a radiologist using AI image-reading software: needs to understand the AI's capabilities + limitations, recognise when to override, document oversight decisions. For a nurse using AI triage support: needs to know what the AI's escalation thresholds mean and when to disregard. For a hospital admin running AI scheduling: needs to understand bias risks in workforce allocation. Hospitals are responsible. Documented per-individual training records, typically integrated with existing CME (continuing medical education) systems, are the audit evidence.

What about AI used for drug discovery and research?

Generally minimal-risk under the EU AI Act when used for research purposes. The Research Exception in Recital 25 + Article 2(8) of Regulation (EU) 2024/1689 carves out AI systems and models specifically developed and put into service for the sole purpose of scientific research and development. AI used to identify new drug candidates, predict protein structures, or analyse research data is not in scope. The line moves when the same AI gets deployed clinically, at that point Annex I / Annex III scope reapplies. The research exception doesn't shield clinical trial AI when the AI is part of the clinical care pathway, only true upstream R&D.

What fines apply for healthcare AI violations?

Three potential exposures, sometimes stacking. EU AI Act Article 99 fines: Tier 1 (Article 5 prohibitions) EUR 35M / 7%, Tier 2 (Articles 6-49 high-risk) EUR 15M / 3%, Tier 3 (incorrect info) EUR 7.5M / 1%. Article 101 for GPAI providers used in healthcare: EUR 15M / 3%. MDR fines: vary by Member State, typically EUR 50K to 5M per Article 113 MDR. GDPR Article 83 fines for special-category health data violations: EUR 20M / 4% global turnover. A single healthcare AI incident involving patient data could in principle trigger fines under all three regimes simultaneously. Article 99(6) SME relief + Omnibus SMC extension apply for the AI Act side.

Healthcare AI: MDR + EU AI Act dual conformity for Annex I embedded high-risk devices

Vertical: Healthcare AI

Knowledge Library/Compliance/Healthcare AI

ComplianceHealthcareAnnex IMDR / IVDRFree

EU AI Act for healthcare AI: medical devices, diagnostics, and clinical decision support

Healthcare AI sits at the intersection of two regulatory regimes: the EU AI Act and sectoral product law (MDR Regulation 2017/745 + IVDR Regulation 2017/746). Most clinical AI is Annex I embedded high-risk requiring dual conformity assessment. Article 4 literacy + Article 5 prohibitions apply today. Annex I embedded high-risk obligations apply from 2 August 2028 (delayed from 2 August 2026 by the Omnibus deal of 7 May 2026).

John Ferguson

Founder, Agentic Fluxus · Published 16 May 2026 · 15 min

Healthcare AI compliance in 60 seconds

Most clinical AI is Annex I embedded high-risk via MDR (medical devices) or IVDR (diagnostics)
Some healthcare AI is Annex III(5)(a): public health benefits + emergency dispatch
Dual conformity: AI Act assessment integrated with MDR/IVDR notified-body work to avoid duplication
Article 4 literacy: live today for every clinician using AI tools
Article 5 prohibitions: live since 2 Feb 2025 (real-time biometric ID, untargeted scraping)
Article 14 human oversight: AI cannot fully replace qualified medical readers
Research exception: pure R&D AI out of scope (Article 2(8) + Recital 25)
Annex I embedded high-risk obligations apply from 2 August 2028 (post-Omnibus)
Triple penalty exposure: EU AI Act + MDR + GDPR can stack on a single incident

Find your route

Classify your healthcare AI: Annex I or Annex III?

Walk the classifier and see whether your medical AI is Annex I embedded (MDR / IVDR route) or Annex III(5) standalone. The deadline that applies to you depends on which.

Open the classifier

Two routes into the EU AI Act for healthcare

Healthcare AI hits the EU AI Act through two distinct doors. Knowing which one applies to your specific deployment matters because the obligation stack differs.

Route 1: Annex I embedded high-risk (most clinical AI)

Article 6(1) classifies as high-risk any AI system that is itself a regulated product, or a safety component of one, covered by Union harmonisation legislation listed in Annex I. Annex I includes the Medical Device Regulation 2017/745 (MDR) and the In-Vitro Diagnostic Devices Regulation 2017/746 (IVDR). Practically:

AI diagnostic systems (radiology image reading, pathology slide analysis, ECG interpretation). Annex I embedded high-risk via MDR.

AI in laboratory analysers (genetic test result interpretation, blood-marker AI). Annex I embedded high-risk via IVDR.

AI in surgical robots, anaesthesia systems, infusion pumps. Annex I embedded high-risk via MDR.

AI in continuous patient monitoring (wearable arrhythmia detection, sepsis prediction). Annex I embedded high-risk via MDR.

AI clinical decision support that qualifies as a medical device under MDR. Annex I embedded high-risk. The MDR Article 2 definition of medical device is broad; many software-as-medical-device tools qualify.

Route 2: Annex III standalone (some non-medical-device healthcare AI)

Some healthcare AI doesn’t qualify as a medical device but still falls under EU AI Act high-risk via Annex III:

Annex III(5)(a), Access to essential public services. AI used by public authorities (national health services, social-security funds) to determine eligibility for healthcare benefits, prioritisation of care, or access to public-sector medical services. Includes some triage AI in public hospitals.

Annex III(5)(c), Risk assessment + pricing in life and health insurance. AI used by insurers to assess risk for life or health insurance pricing. Standalone high-risk under Annex III, not via MDR. Requires Article 27 FRIA before deployment.

Annex III(5)(c), Emergency dispatch. AI used in ambulance call triage, priority emergency call assessment, dispatch prioritisation by public emergency services. Annex III high-risk standalone.

The classification matters

Annex I embedded high-risk applies from 2 August 2028 (delayed by Omnibus). Annex III standalone high-risk applies from 2 December 2027 (also delayed). Article 4 literacy + Article 5 prohibitions are live today regardless. If your healthcare AI hits both routes (a triage AI inside a medical device used by a public hospital), both timelines apply and the earlier one bites first.

Healthcare AI: which route applies

Annex I vs Annex III, when each route fires

Healthcare AI hits the EU AI Act via two distinct routes. Knowing which one applies determines your regulatory frame and the deadline.

Route 1, Annex I embedded

AI as safety component of medical device

• Via MDR (Regulation 2017/745) or IVDR (2017/746)

• Diagnostic AI, surgical robots, infusion pumps, monitoring

• Lab analyser AI (IVDR route)

• AI clinical decision support that qualifies as medical device

Applies from 2 August 2028 (delayed by Omnibus). Dual conformity with MDR/IVDR.

Route 2, Annex III standalone

Healthcare-context AI, not a medical device

• (5)(a) Public health benefits eligibility

• (5)(c) Life + health insurance pricing

• (5)(c) Emergency call triage + dispatch

• Public-sector triage AI in some hospital workflows

Applies from 2 December 2027 (delayed by Omnibus). FRIA required for (5)(b)/(c).

Outside both routes (lower risk)

Pure R&D (Article 2(8) exception)

Drug-discovery AI, protein-structure prediction, retrospective research AI, pre-clinical analytics. Article 4 literacy still applies to staff using these tools.

Article 5 prohibited (live today)

Banned outright in healthcare contexts

Real-time biometric ID in publicly accessible spaces (most hospital settings). Untargeted facial-image scraping. Article 99 Tier 1 fines apply since 2 Feb 2025.

Methodology. Routes derived from Article 6(1) (Annex I embedded) + Article 6(2) (Annex III standalone) of Regulation (EU) 2024/1689. MDR + IVDR list per Annex I. R&D exception per Article 2(8) + Recital 25. Run your specific healthcare AI through our Risk Classifier for a structured verdict.

The dual conformity assessment route

Healthcare AI providers face two regulatory frameworks for the same product. The Commission has been clear since the AI Act’s adoption that this should not mean duplicate notified-body assessments. Practical mechanics:

One notified body, both regimes. For Annex I embedded high-risk AI in medical devices, the same notified body that handles MDR/IVDR conformity assessment should also assess the AI Act Article 8-15 requirements. This integrated assessment is the supposed cost-saver vs running two parallel assessments. In practice, the integration is still being operationalised; expect some friction in 2026-2027.

Technical documentation overlap. Article 11 + Annex IV technical documentation for AI Act high-risk overlaps significantly with MDR Annex II + III technical files. The same documentation pack typically satisfies both, provided you structure it to do so. Many medtech providers retroactively restructure their MDR technical file to map to Annex IV.

CE marking covers both. A single CE mark with two declarations of conformity (one MDR, one AI Act) is the expected pattern. The MDR CE mark is the existing one; the AI Act adds a declaration on top.

Post-market surveillance + vigilance. MDR Article 83-100 vigilance and AI Act Article 72 post-market monitoring both require ongoing post-market work. The Commission expects providers to integrate the two surveillance loops rather than run parallel ones.

Newsletter

Weekly EU AI Act updates, delivered.

One email per week. Deadlines, enforcement actions, regulatory shifts. Curated by John Ferguson, founder of Agentic Fluxus. Unsubscribe anytime.

Article 14 human oversight in clinical settings

Article 14 requires high-risk AI systems to be designed to be effectively overseen by natural persons. The oversight person must be able to: (a) understand the capacities and limitations of the AI; (b) remain aware of automation bias; (c) interpret the AI’s output correctly; (d) decide not to use the AI’s output in any particular situation; (e) intervene in the operation of the AI; (f) interrupt the AI through a "stop" function.

In clinical practice this has a hard implication: AI cannot fully replace a qualified human reader for diagnostic decisions. Several national medical councils (NL KNMG, DE Bundesärztekammer, FR HAS) have explicitly stated that radiologist-removed AI reporting is currently incompatible with professional medical responsibility standards, irrespective of AI accuracy claims. The Article 14 oversight requirement is the legal anchor for that position.

What Article 14 doesn’t prevent: AI used as a second reader, AI prioritising the radiologist’s worklist by suspected urgency, AI flagging cases for review, AI providing structured summaries the radiologist signs off on. The legal line is meaningful human review of the diagnostic decision, not whether AI does any of the work.

Incident reporting: MDR vigilance + Article 73

Healthcare AI providers face two parallel incident-reporting obligations. Both clocks start at awareness.

MDR vigilance (Articles 87-92 of MDR 2017/745)

Report serious incidents and field safety corrective actions to the national competent authority. Timelines:

2 days. Serious public-health threat (immediate or imminent risk of widespread harm).

10 days. Death or unanticipated serious deterioration in a person’s state of health.

15 days. Any other serious incident.

Twin-clock incident reporting

One incident, two parallel reporting regimes, same deadlines

MDR vigilance

Articles 87-92 · MDR 2017/745

2 days

Serious public-health threat

10 days

Death / serious harm

15 days

Any other serious incident

AI Act Article 73

Regulation (EU) 2024/1689

2 days

Serious public-health threat

10 days

Death / serious harm

15 days

Any other serious incident

Aligned reporting. The Commission has signalled one notification can feed both regimes. Expect coordinated submission to the national medical-device competent authority AND the AI market surveillance authority.

Sources: MDR 2017/745 Articles 87-92; Regulation (EU) 2024/1689 Article 73. Both clocks start at awareness. Hospital deployers also report to the device provider under Article 26(5).

AI Act Article 73 (parallel for the AI provider)

The AI Act adds Article 73 incident reporting with effectively the same 2/10/15 day clocks for serious incidents. The Commission has signalled that aligned reporting (one notification feeding both regimes) will be acceptable; expect coordinated submission to the national medical-device competent authority AND the AI market surveillance authority.

Hospital deployers also have Article 26(5) reporting obligations to the device provider. The chain: clinician detects incident → hospital reports to device provider → device provider files MDR vigilance + AI Act Article 73 → both authorities receive aligned reports.

The research exception

Article 2(8) + Recital 25 of the EU AI Act exclude AI systems and models specifically developed and put into service for the sole purpose of scientific research and development. For healthcare this is significant:

In scope of the exception. AI used in drug-discovery pipelines (predicting protein structures, identifying molecular candidates, analysing screening data). AI used in retrospective research on historical clinical data. AI used in pre-clinical research models.

Out of the exception. AI used in clinical trials where the AI directly participates in patient care (active arm of a trial, not just data analysis). AI deployed in production clinical settings, even if also generating research data. AI sold or deployed beyond pure R&D.

The line moves when the same AI gets deployed clinically. The research exception is a true R&D shield, not a soft launch route for production deployment.

Article 4 AI literacy for medical staff

Article 4 applies to every clinician, technician, or administrator using AI tools in patient care. The hospital or clinic is the deployer and carries the obligation. Three role tiers map well to healthcare:

Clinicians + technicians using AI tools (Tier 1 staff literacy). Understand the AI’s clinical capabilities + limitations. Recognise hallucination, automation bias, and bias-by-training-data patterns. Know when to override. Know how to document oversight. Compatible with existing CME (continuing medical education) systems.

Department heads + medical directors (Tier 2 manager literacy). Article 14 oversight design, Article 26 deployer obligations, vendor evaluation, incident management. The clinical lead signing off on AI-supported pathways needs this depth.

CMO + CHRO + governance (Tier 3 director literacy). Article 4 personal liability, MDR vigilance + Article 73 incident reporting, governance design, board-pack risk reporting, AI Act fines (Article 99 + Article 101) + MDR Article 113 fines.

Documented per-individual training records are the audit evidence. Hospitals typically integrate this with existing CME tracking systems. Generic "intro to AI" training without role-specific content doesn’t satisfy Article 4’s proportionality requirement.

Tools for healthcare AI compliance

Risk Classifier →

Three questions classify each healthcare AI tool. Returns the verdict (Annex I embedded / Annex III standalone / minimal) + the obligations.

Incident Response Runbook →

Article 73 reporting in three questions. For healthcare deployments, runs alongside MDR vigilance Article 87-92.

Compliance Scorecard →

Score 0 to 100 against the 10-step framework. Healthcare-specific weighting on Article 14 human oversight + Article 27 FRIA (public hospital).

Fine Calculator →

Article 99 + Article 101 AI Act fines. Healthcare incidents can also trigger MDR Article 113 + GDPR Article 83 fines simultaneously.

EU AI Act Timeline →

Article 4 + Article 5 live today. Annex I embedded high-risk (most clinical AI) applies from 2 August 2028 post-Omnibus.

Sources

Frequently asked questions

Free template

Healthcare AI Dual Conformity Checklist

Coordinated conformity-assessment checklist for medical AI sitting in both MDR (or IVDR) and EU AI Act Annex I embedded high-risk territory.

Open + print to PDF →

Official sources

Regulation (EU) 2024/1689 (the EU AI Act) on EUR-Lex ↗The full text of the EU AI Act on the EU's official legal portal. The source of every Article and Annex referenced in this post.
Regulation (EU) 2017/745 (Medical Device Regulation) on EUR-Lex ↗The Medical Device Regulation. Annex I embedded high-risk AI inherits MDR conformity assessment + vigilance reporting.
Regulation (EU) 2017/746 (In Vitro Diagnostic Regulation) on EUR-Lex ↗The In Vitro Diagnostic Regulation. Covers diagnostic AI products.
European AI Office ↗The European Commission AI Office, the central enforcement body for GPAI obligations and coordination across national authorities.
Regulation (EU) 2016/679 (GDPR) on EUR-Lex ↗The General Data Protection Regulation. Article 22 (automated decision-making) and Article 33 (breach notification) interact directly with the EU AI Act.

Ask Fluxus

Got a question about this article?

Ask anything about the EU AI Act in this article’s scope. One question per ask. Free, no signup. Powered by Fluxus.

Was this post useful?

John Ferguson

Founder of Agentic Fluxus, Amsterdam. Writes about EU AI Act compliance, AI literacy, and the operational reality of getting AI systems past Article 4 and Annex III.

About John →

Stay in the loop

One email per week. Only the EU AI Act news that matters.

Deadlines, enforcement actions, regulatory shifts, and practical compliance moves. Curated by John. Unsubscribe anytime.

Vertical: Healthcare AI

Knowledge Library/Compliance/Healthcare AI

ComplianceHealthcareAnnex IMDR / IVDRFree

EU AI Act for healthcare AI: medical devices, diagnostics, and clinical decision support

John Ferguson

Founder, Agentic Fluxus · Published 16 May 2026 · 15 min

Healthcare AI compliance in 60 seconds

Most clinical AI is Annex I embedded high-risk via MDR (medical devices) or IVDR (diagnostics)
Some healthcare AI is Annex III(5)(a): public health benefits + emergency dispatch
Dual conformity: AI Act assessment integrated with MDR/IVDR notified-body work to avoid duplication
Article 4 literacy: live today for every clinician using AI tools
Article 5 prohibitions: live since 2 Feb 2025 (real-time biometric ID, untargeted scraping)
Article 14 human oversight: AI cannot fully replace qualified medical readers
Research exception: pure R&D AI out of scope (Article 2(8) + Recital 25)
Annex I embedded high-risk obligations apply from 2 August 2028 (post-Omnibus)
Triple penalty exposure: EU AI Act + MDR + GDPR can stack on a single incident

Find your route

Classify your healthcare AI: Annex I or Annex III?

Walk the classifier and see whether your medical AI is Annex I embedded (MDR / IVDR route) or Annex III(5) standalone. The deadline that applies to you depends on which.

Open the classifier

Two routes into the EU AI Act for healthcare

Healthcare AI hits the EU AI Act through two distinct doors. Knowing which one applies to your specific deployment matters because the obligation stack differs.

Route 1: Annex I embedded high-risk (most clinical AI)

AI diagnostic systems (radiology image reading, pathology slide analysis, ECG interpretation). Annex I embedded high-risk via MDR.

AI in laboratory analysers (genetic test result interpretation, blood-marker AI). Annex I embedded high-risk via IVDR.

AI in surgical robots, anaesthesia systems, infusion pumps. Annex I embedded high-risk via MDR.

AI in continuous patient monitoring (wearable arrhythmia detection, sepsis prediction). Annex I embedded high-risk via MDR.

Route 2: Annex III standalone (some non-medical-device healthcare AI)

Some healthcare AI doesn’t qualify as a medical device but still falls under EU AI Act high-risk via Annex III:

Annex III(5)(c), Emergency dispatch. AI used in ambulance call triage, priority emergency call assessment, dispatch prioritisation by public emergency services. Annex III high-risk standalone.

The classification matters

Healthcare AI: which route applies

Annex I vs Annex III, when each route fires

Healthcare AI hits the EU AI Act via two distinct routes. Knowing which one applies determines your regulatory frame and the deadline.

Route 1, Annex I embedded

AI as safety component of medical device

• Via MDR (Regulation 2017/745) or IVDR (2017/746)

• Diagnostic AI, surgical robots, infusion pumps, monitoring

• Lab analyser AI (IVDR route)

• AI clinical decision support that qualifies as medical device

Applies from 2 August 2028 (delayed by Omnibus). Dual conformity with MDR/IVDR.

Route 2, Annex III standalone

Healthcare-context AI, not a medical device

• (5)(a) Public health benefits eligibility

• (5)(c) Life + health insurance pricing

• (5)(c) Emergency call triage + dispatch

• Public-sector triage AI in some hospital workflows

Applies from 2 December 2027 (delayed by Omnibus). FRIA required for (5)(b)/(c).

Outside both routes (lower risk)

Pure R&D (Article 2(8) exception)

Drug-discovery AI, protein-structure prediction, retrospective research AI, pre-clinical analytics. Article 4 literacy still applies to staff using these tools.

Article 5 prohibited (live today)

Banned outright in healthcare contexts

Real-time biometric ID in publicly accessible spaces (most hospital settings). Untargeted facial-image scraping. Article 99 Tier 1 fines apply since 2 Feb 2025.

The dual conformity assessment route

Newsletter

Weekly EU AI Act updates, delivered.

One email per week. Deadlines, enforcement actions, regulatory shifts. Curated by John Ferguson, founder of Agentic Fluxus. Unsubscribe anytime.

Article 14 human oversight in clinical settings

Incident reporting: MDR vigilance + Article 73

Healthcare AI providers face two parallel incident-reporting obligations. Both clocks start at awareness.

MDR vigilance (Articles 87-92 of MDR 2017/745)

Report serious incidents and field safety corrective actions to the national competent authority. Timelines:

2 days. Serious public-health threat (immediate or imminent risk of widespread harm).

10 days. Death or unanticipated serious deterioration in a person’s state of health.

15 days. Any other serious incident.

Twin-clock incident reporting

One incident, two parallel reporting regimes, same deadlines

MDR vigilance

Articles 87-92 · MDR 2017/745

2 days

Serious public-health threat

10 days

Death / serious harm

15 days

Any other serious incident

AI Act Article 73

Regulation (EU) 2024/1689

2 days

Serious public-health threat

10 days

Death / serious harm

15 days

Any other serious incident

Sources: MDR 2017/745 Articles 87-92; Regulation (EU) 2024/1689 Article 73. Both clocks start at awareness. Hospital deployers also report to the device provider under Article 26(5).

AI Act Article 73 (parallel for the AI provider)

The research exception

The line moves when the same AI gets deployed clinically. The research exception is a true R&D shield, not a soft launch route for production deployment.

Article 4 AI literacy for medical staff

Tools for healthcare AI compliance

Risk Classifier →

Three questions classify each healthcare AI tool. Returns the verdict (Annex I embedded / Annex III standalone / minimal) + the obligations.

Incident Response Runbook →

Article 73 reporting in three questions. For healthcare deployments, runs alongside MDR vigilance Article 87-92.

Compliance Scorecard →

Score 0 to 100 against the 10-step framework. Healthcare-specific weighting on Article 14 human oversight + Article 27 FRIA (public hospital).

Fine Calculator →

Article 99 + Article 101 AI Act fines. Healthcare incidents can also trigger MDR Article 113 + GDPR Article 83 fines simultaneously.

EU AI Act Timeline →

Article 4 + Article 5 live today. Annex I embedded high-risk (most clinical AI) applies from 2 August 2028 post-Omnibus.

Sources

Frequently asked questions

Free template

Healthcare AI Dual Conformity Checklist

Coordinated conformity-assessment checklist for medical AI sitting in both MDR (or IVDR) and EU AI Act Annex I embedded high-risk territory.

Open + print to PDF →

Official sources

Regulation (EU) 2024/1689 (the EU AI Act) on EUR-Lex ↗The full text of the EU AI Act on the EU's official legal portal. The source of every Article and Annex referenced in this post.
Regulation (EU) 2017/745 (Medical Device Regulation) on EUR-Lex ↗The Medical Device Regulation. Annex I embedded high-risk AI inherits MDR conformity assessment + vigilance reporting.
Regulation (EU) 2017/746 (In Vitro Diagnostic Regulation) on EUR-Lex ↗The In Vitro Diagnostic Regulation. Covers diagnostic AI products.
European AI Office ↗The European Commission AI Office, the central enforcement body for GPAI obligations and coordination across national authorities.
Regulation (EU) 2016/679 (GDPR) on EUR-Lex ↗The General Data Protection Regulation. Article 22 (automated decision-making) and Article 33 (breach notification) interact directly with the EU AI Act.

Ask Fluxus

Got a question about this article?

Ask anything about the EU AI Act in this article’s scope. One question per ask. Free, no signup. Powered by Fluxus.

Was this post useful?

John Ferguson

Founder of Agentic Fluxus, Amsterdam. Writes about EU AI Act compliance, AI literacy, and the operational reality of getting AI systems past Article 4 and Annex III.

About John →

Stay in the loop

One email per week. Only the EU AI Act news that matters.

Deadlines, enforcement actions, regulatory shifts, and practical compliance moves. Curated by John. Unsubscribe anytime.

EU AI Act for healthcare AI: medical devices, diagnostics, and clinical decision support

Two routes into the EU AI Act for healthcare

Route 1: Annex I embedded high-risk (most clinical AI)

Route 2: Annex III standalone (some non-medical-device healthcare AI)

The dual conformity assessment route

Article 14 human oversight in clinical settings

Incident reporting: MDR vigilance + Article 73

MDR vigilance (Articles 87-92 of MDR 2017/745)

AI Act Article 73 (parallel for the AI provider)

The research exception

Article 4 AI literacy for medical staff

Tools for healthcare AI compliance

Sources

Frequently asked questions

Continue reading the EU AI Act compliance series

Why Your Business Will Be Left Behind Without AI in 2027

The True Cost of AI Non-Compliance: EU AI Act Penalties Explained

Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act

EU AI Act for healthcare AI: medical devices, diagnostics, and clinical decision support

Two routes into the EU AI Act for healthcare

Route 1: Annex I embedded high-risk (most clinical AI)

Route 2: Annex III standalone (some non-medical-device healthcare AI)

The dual conformity assessment route

Article 14 human oversight in clinical settings

Incident reporting: MDR vigilance + Article 73

MDR vigilance (Articles 87-92 of MDR 2017/745)

AI Act Article 73 (parallel for the AI provider)

The research exception

Article 4 AI literacy for medical staff

Tools for healthcare AI compliance

Sources

Frequently asked questions

Continue reading the EU AI Act compliance series

Why Your Business Will Be Left Behind Without AI in 2027

The True Cost of AI Non-Compliance: EU AI Act Penalties Explained

Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act

Search

EU AI Act for healthcare AI: medical devices, diagnostics, and clinical decision support

Two routes into the EU AI Act for healthcare

Route 1: Annex I embedded high-risk (most clinical AI)

Route 2: Annex III standalone (some non-medical-device healthcare AI)

The dual conformity assessment route

Article 14 human oversight in clinical settings

Incident reporting: MDR vigilance + Article 73

MDR vigilance (Articles 87-92 of MDR 2017/745)

AI Act Article 73 (parallel for the AI provider)

The research exception

Article 4 AI literacy for medical staff

Tools for healthcare AI compliance

Sources

Frequently asked questions

Continue reading the EU AI Act compliance series

Why Your Business Will Be Left Behind Without AI in 2027

The True Cost of AI Non-Compliance: EU AI Act Penalties Explained

Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act

EU AI Act for healthcare AI: medical devices, diagnostics, and clinical decision support

Two routes into the EU AI Act for healthcare

Route 1: Annex I embedded high-risk (most clinical AI)

Route 2: Annex III standalone (some non-medical-device healthcare AI)

The dual conformity assessment route

Article 14 human oversight in clinical settings

Incident reporting: MDR vigilance + Article 73

MDR vigilance (Articles 87-92 of MDR 2017/745)

AI Act Article 73 (parallel for the AI provider)

The research exception

Article 4 AI literacy for medical staff

Tools for healthcare AI compliance

Sources

Frequently asked questions

Continue reading the EU AI Act compliance series

Why Your Business Will Be Left Behind Without AI in 2027

The True Cost of AI Non-Compliance: EU AI Act Penalties Explained

Is Your AI Tool High-Risk? How to Classify AI Under the EU AI Act