MDR and the AI Act: regulatory overlap for medical software
Adopted 2026-06-29 · ≈ 3 min read · 
edited by Dirk Baaijen
Medical software with AI components falls simultaneously under the MDR and the AI Act; the high-risk classification via the MDR route (Article 6(1) AI Act) does not apply until 2 August 2027.
Short answer: Medical software with an AI component (MDAI) falls simultaneously under both the MDR and the AI Act. The high-risk classification via the MDR route — Article 6(1) in conjunction with Annex I of the AI Act, covering products under EU harmonisation legislation that require a notified body — does not apply until 2 August 2027 (Article 113 AI Act). Manufacturers preparing now should build a single integrated technical file that satisfies both frameworks.
Two routes to high-risk AI
The AI Act provides two routes for classifying an AI system as high-risk (Article 6):
Route 1 — Annex I / MDR route (Article 6(1)): An AI system is high-risk if it is itself a product or serves as a safety component in a product covered by EU harmonisation legislation (Annex I of the AI Act, which includes MDR Regulation 2017/745 and IVDR Regulation 2017/746), and if that product requires a third-party conformity assessment by a notified body. Medical software of Class IIa or higher under the MDR falls here automatically. This route applies from 2 August 2027.
Route 2 — Annex III (Article 6(2)): AI systems in the categories listed in Annex III (biometrics, critical infrastructure, employment, etc.) are classified as high-risk regardless of notified body involvement. Annex III contains no dedicated medical device category; medical software primarily classifies via Route 1. The general AI Act application date is 2 August 2026.
What the MDCG 2025-6 guidance clarifies
In June 2025, the Medical Device Coordination Group (MDCG) and the European Artificial Intelligence Board (AIB) jointly published the FAQ MDCG 2025-6 / AIB 2025-1 — the first combined guidance from both bodies. Key points:
- Classifying an AI system as high-risk under the AI Act does not automatically raise the risk class of the device under the MDR.
- Application of the MDR/IVDR and the AI Act is simultaneous and complementary: manufacturers do not run two separate procedures but work towards a single integrated technical file.
- Class I devices (no notified body) generally fall outside Article 6(1), though certain AI Act transparency obligations may still apply.
- Predetermined Change Control Plans (PCCP) provide a pathway for model updates without full recertification, provided they are agreed in advance with the notified body.
Combined obligations for manufacturers
Manufacturers of MDAI systems must anticipate requirements under both frameworks:
- Risk management: extend to cover AI-specific elements (data poisoning, model robustness, bias).
- Technical documentation: a single integrated file satisfying MDR Annexes II/III and AI Act requirements (Articles 8–15).
- Quality management system: integrate AI governance into the existing ISO 13485 framework.
- Human oversight: transparency and explainability are statutory requirements under the AI Act.
- Post-market surveillance: logging and audit trails must align with MDR post-market surveillance requirements.
Practical timeline
| Date | What takes effect |
|---|---|
| 2 February 2025 | AI Act Chapters I and II (prohibited practices) |
| 2 August 2025 | AI Act GPAI rules, governance, penalties |
| 2 August 2026 | General AI Act application (Annex III systems) |
| 2 August 2027 | Article 6(1): high-risk via MDR/notified body route |
Until August 2027, AI-enabled medical devices are certified exclusively under the MDR/IVDR pathway. Manufacturers would do well to conduct a gap analysis now, so the technical file is ready by 2027 without a complete rebuild.
Sources
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
AI Act (Regulation 2024/1689), Articles 6 and 113 — classification rules and application dates - https://health.ec.europa.eu/document/download/b78a17d7-e3cd-4943-851d-e02a2f22bbb4_en?filename=mdcg_2025-6_en.pdf
MDCG 2025-6 / AIB 2025-1 — official FAQ on the interplay between MDR/IVDR and the AI Act (European Commission, June 2025) - https://health.ec.europa.eu/latest-updates/mdcg-2025-6-faq-interplay-between-medical-devices-regulation-vitro-diagnostic-medical-devices-2025-06-19_en
European Commission — MDCG 2025-6 announcement page - https://artificialintelligenceact.eu/article/113/
AI Act Service Desk — Article 113 application dates (unofficial consolidated version)
Read next
AI as a medical device: the dual conformity (MDR + AI Act)
If your AI is a medical device, it must meet both the MDR (clinical evaluation, CE) and the AI Act (high-risk requirements). The regulations are meant to run together through a single conformity assessment and one notified body — not two separate tracks.
CE marking and notified bodies for high-risk AI
High-risk AI receives a CE marking after a successful conformity assessment. Sometimes the provider assesses itself; sometimes an independent notified body must be involved. This guide explains when each route applies and what the CE marking means.
AI in healthcare: the AI Act and the Medical Device Regulation (MDR)
Medical AI often falls under two regimes at once: as a medical device under the MDR (CE marking) and as high-risk AI under the AI Act (Annex I). The regulations align the conformity assessment as far as possible. Health data is also special-category personal data under the GDPR.