qtec-group

1. Introduction

AI Act (EU Regulation 2024/1689)

The European Union has adopted EU Regulation 2024/1689 on Artificial Intelligence (AI Act) to ensure the safe use of AI.

In this blog post, we provide an overview of the part of the EU AI Act that is relevant for medical device manufacturers. This blog shows how conformity assessment, the quality management system (QMS), technical documentation, adaptive AI systems, entry into force of the AI Act and transitional arrangements are defined.

2. Definitions

The following terms from Article 3 of the EU AI Act are relevant:

  1. Conformity assessment [Article 3, point 20]: Conformity assessment is the process of checking whether a system meets the specified requirements.
  2. Conformity Assessment Body [Article 3, point 21]: A Conformity Assessment Body is responsible for assessing third party compliance. This includes testing, certification and inspections.
  3. Notified body [Article 3, point 22]: A Notified Body is an authorized organization that carries out conformity assessments. It ensures technical assessment, consumer protection and safety in the internal market.

2.1 AI - Classification

AI systems are classified into 4 risk levels:

  • Unacceptable risk: high risk to fundamental rights or security. Their use is prohibited in the EU. Example: AI for covert mass surveillance or to manipulate human behavior.
  • High risk: Use in safety-critical areas. Examples: Healthcare, law enforcement or critical infrastructure management. A conformity assessment must be carried out before placing on the market.
  • Limited risk: Transparency is required when users interact with an AI. Example: Chatbots, which must identify themselves as such.
  • Minimal risk: very low risk. Examples: gaming apps, AI-supported translation programs. No regulatory requirements.

3. Conformity assessment of AI systems

There are two possible conformity assessment procedures for high-risk AI systems:

  • Internal control: not applicable to medical devices (not discussed further here).
  • Assessment by a Notified Body: An assessment by a Notified Body prior to market launch is mandatory.

3.1 QMS and technical documentation

A notified body checks requirements from the MDR/IVDR and the AI Act, such as:

  • Algorithm transparency
  • Risk management
  • Validation

For AI systems, the following also applies:

  • The manufacturer must notify the notified body before changing the QMS
  • Changes to the QMS must be approved (certified) by the Notified Body

3.1.1 Special monitoring of the quality management system (QMS)

The quality management system (QMS) must be certified. The QMS is continuously monitored by the notified body. The QMS includes processes for development, design and verification.

3.1.2 Notification and approval of changes to the QMS

What is new is that the Notified Body must be notified of any intended changes to the QMS. No changes may be made without prior assessment and approval by the Notified Body.

3.1.3 Assessment of the technical documentation: Comprehensive tests by the notified body

Scope of the technical documentation (Annex IV of the AI Act):

  • General description of the AI system (incl. intended areas of application).
  • Risk management (identification of hazards and risk mitigation measures).
  • Lifecycle management plan showing how the safety and performance of the AI system will be ensured throughout its use.

The notified body needs access to the training, validation and test data sets of the AI system to verify the performance of the AI algorithms in terms of reliability and safety.

3.1.4 Conclusion: QMS review

  • Approval of the QMS before delivery and before modification
  • Examination of the technical documentation by the notified body
  • The notified body must have full access to the training, validation and test data.

3.2.1 Simplified technical documentation

Small and medium-sized enterprises (SMEs) have the option of simplifying their technical documentation. Safety requirements or the quality of the AI systems must not suffer as a result.

Background: SMEs often do not have the resources of large companies to create comprehensive technical documentation.

3.2.2 Special treatment by Notified Bodies

Notified Bodies will give SMEs special treatment, which will include:

  • Customized consulting services
  • Faster processing times
  • Reduced fees
  • Simplified technical documentation (see above)

The safety and quality of AI systems must not be compromised.

3.3 Adaptive AI systems

Adaptive AI systems are systems that evolve over time through machine learning or other adaptive technologies. These are subject to special monitoring processes: any planned change to such a system that could affect its safety or performance must be documented and approved.

3.4 Reuse of documentation and certificates

Article 29 (4) of the Regulation also offers the option of reusing documentation and certificates from other designation procedures (approval procedures for other products, e.g. automotive engineering) for the conformity assessment procedure. The aim is to avoid redundancies and shorten processing times.


4. Validity of the regulations from May/June 2025

The regulations for notified bodies will come into force in 2025 and will then be binding for all institutions operating in the EU. From this date, all medical devices placed on the European market must be inspected and certified by these bodies.

5. Transition to the implementation of the EU AI Act

The EU regulation on artificial intelligence (AI Act) is being introduced gradually to give those affected time to prepare for the new regulations. There are already clear recommendations for manufacturers of AI systems on how they can prepare.

5.1 Voluntary compliance during the transition phase

The EU regulation will not apply until August 2026, but companies should use this time to prepare for the regulations and start implementing the relevant requirements. This will allow compliance processes to be established within the company. This could give companies a competitive advantage in the long term.

5.2 Important reporting dates

The regulation becomes fully applicable on August 2, 2026. The following interim deadlines apply:

  • From February 2, 2025, the general provisions and certain prohibitions of the regulation will begin to apply. This includes the restriction or prohibition of the use of certain types of AI systems.
  • From August 2025, the provisions on Notified Bodies and the governance structure will come into effect:
    • Notified bodies must perform their tasks in connection with conformity assessment.
    • The structures for monitoring and enforcing the regulation will be established at European and national level.
  • As of August 2, 2025, member states are required to define their rules on penalties and fines (including administrative penalties such as fines).
  • From August 2025, companies must ensure that their products are tested and certified by a Notified Body.
