AI as a medical device: the dual conformity (MDR + AI Act)
If your AI is a medical device, it must meet both the MDR (clinical evaluation, CE) and the AI Act (high-risk requirements). The regulations are meant to run together through a single conformity assessment and one notified body — not two separate tracks.
Short answer: If your AI is a medical device (or a safety component of one), it must meet two regulations at once: the MDR (or IVDR) with clinical evaluation and CE marking, and the AI Act with the requirements for high-risk AI (Annex I). The legislator designed this so both can run through a single conformity assessment and one notified body — it is expressly not intended that you run two separate tracks.
Why two regimes
The MDR ensures a medical device is safe and clinically substantiated. The AI Act adds the AI-specific requirements: risk management, data quality and bias examination, technical documentation, logging, transparency, human oversight and requirements on accuracy and robustness. For AI diagnostics or decision support, both apply.
How to combine them
- One CE marking covers conformity; you add the AI Act requirements to your existing MDR technical documentation rather than building a separate dossier.
- The same notified body assesses both where possible, so you don't get audited twice.
- Build on what you have: your clinical evaluation, risk management (ISO 14971) and quality system are the basis; you layer the AI Act requirements (and EN ISO/IEC 42001 for AI management) on top. See the conformity assessment for high-risk AI.
The timeline
The high-risk obligations for AI in regulated products (Annex I, such as medical devices) apply in phases and later than stand-alone Annex III systems. That gives manufacturers time to weave the AI Act requirements into their existing MDR processes — but you can start now.
What to do
- Confirm the qualification: is it a medical device (MDR/IVDR) with AI as a component?
- Map the AI Act requirements and link them to your existing MDR documentation.
- Coordinate with your notified body on a combined assessment.
- Strengthen data governance and human oversight — the two areas where AI adds most to the MDR.
- See the broader framework in AI in healthcare.
Two regimes, one device: those who already master the MDR route build the AI Act on top of it most efficiently, not alongside.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Regulation (EU) 2024/1689 (AI Act): Art. 6 and Annex I; alignment of the conformity assessment with sectoral product law. - https://eur-lex.europa.eu/eli/reg/2017/745/oj
Regulation (EU) 2017/745 (MDR): clinical evaluation and conformity assessment for medical devices.
Read next
AI in healthcare: the AI Act and the Medical Device Regulation (MDR)
Medical AI often falls under two regimes at once: as a medical device under the MDR (CE marking) and as high-risk AI under the AI Act (Annex I). The regulations align the conformity assessment as far as possible. Health data is also special-category personal data under the GDPR.
CE marking and notified bodies for high-risk AI
High-risk AI receives a CE marking after a successful conformity assessment. Sometimes the provider assesses itself; sometimes an independent notified body must be involved. This guide explains when each route applies and what the CE marking means.
Conformity assessment and CE marking for high-risk AI: how does it work?
Before placing a high-risk AI system on the market you run a conformity assessment (Art. 43), draw up technical documentation, issue an EU declaration, affix the CE marking and register in the EU database.