AI in healthcare: the AI Act and the Medical Device Regulation (MDR)
Medical AI often falls under two regimes at once: as a medical device under the MDR (CE marking) and as high-risk AI under the AI Act (Annex I). The regulations align the conformity assessment as far as possible. Health data is also special-category personal data under the GDPR.
Short answer: AI in healthcare often falls under two regimes at once. If the AI is a medical device (or part of one), the Medical Device Regulation (MDR) applies with CE marking. At the same time, AI that is a safety component in such a regulated product is high-risk under the AI Act (Art. 6, Annex I). The legislator tries to align the conformity assessment so you don't do the same thing twice. And health data is special-category personal data under the GDPR.
The dual qualification
Much healthcare AI – diagnostic image recognition, triage support, decision support – is a medical device under the MDR (or IVDR for in-vitro diagnostics) and must already undergo a conformity assessment and CE marking. The AI Act adds a layer: if it contains AI as a safety component, the system qualifies as high-risk (Annex I). You then face the requirements of both regulations.
How the two connect
The AI Act is deliberately designed to build on existing product law. Where possible the AI conformity assessment is integrated into the existing MDR route, through the same notified body, to limit duplication. The heaviest high-risk obligations for AI in regulated products (Annex I) also apply in phases – later than stand-alone Annex III systems. See the overview of high-risk obligations and the conformity assessment.
Annex III and the GDPR too
Not all healthcare AI is a medical device. AI that determines access to care or emergency services (for example triage) can fall under Annex III as a stand-alone high-risk system. And all healthcare AI processes health data – special-category personal data under Article 9 GDPR, with a strict protection regime.
What to do
- Determine the qualification: is it a medical device (MDR/IVDR), an Annex III system, or both?
- Combine the conformity routes – let the AI Act requirements run within the MDR assessment where possible.
- Ensure human oversight and clinical validation.
- Arrange the GDPR basis for health data and run a DPIA.
- Track the phased dates for Annex I products.
Healthcare AI may be the sharpest intersection of the AI Act with sectoral law: two regimes, one system. Those who already know the MDR route build the AI Act requirements on top of it most efficiently – not alongside it.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  Regulation (EU) 2024/1689 (AI Act): Art. 6 and Annex I – AI as a safety component of regulated products (incl. medical devices) is high-risk.
- https://eur-lex.europa.eu/eli/reg/2017/745/oj
  Regulation (EU) 2017/745 (MDR): conformity and CE marking for medical devices.