
EU AI Act for Healthcare: Which Medical and Clinical AI Systems Are High-Risk

Key takeaways

  • AI used as a medical device or safety component of a medical device is automatically high-risk under Annex III, Section 10 of the EU AI Act.
  • AI that already holds CE marking under the Medical Devices Regulation still needs separate EU AI Act conformity assessment — one does not replace the other.
  • Clinical decision support, diagnostics, triage, and treatment recommendation AI all fall under high-risk classification.

Healthcare is one of the most heavily regulated sectors under the EU AI Act, and for good reason. AI systems that influence clinical decisions, diagnose conditions, or triage patients carry direct safety implications. The Act treats these systems accordingly — most healthcare AI falls squarely into the high-risk category.

But healthcare AI also sits at the intersection of two major EU regulatory frameworks: the EU AI Act and the Medical Devices Regulation (MDR). Understanding how these overlap — and where they don't — is critical for any company building or deploying clinical AI.

Which healthcare AI is in scope

Annex III of the EU AI Act lists specific high-risk use cases. For healthcare, the relevant provisions are:

  • Section 10 — Medical devices. AI systems that are themselves medical devices, or that serve as safety components of medical devices, are automatically classified as high-risk. This covers diagnostic AI, clinical decision support, imaging analysis, and treatment recommendation systems.
  • Section 10 — In vitro diagnostic devices. AI used in laboratory diagnostics, pathology analysis, or genetic testing falls under the same classification.
  • AI in triage and emergency. Systems that prioritise patients for emergency services or influence resource allocation in healthcare settings are high-risk.
  • AI for insurance and access decisions. AI that evaluates health insurance claims, determines coverage, or assesses health risk profiles is high-risk under the essential services provisions.

If your AI system touches any of these areas and serves the EU market, you have high-risk obligations. There is no SMB exemption for safety-critical AI.

How it overlaps with the Medical Devices Regulation

Many healthcare AI products already hold CE marking under the MDR (2017/745) or IVDR (2017/746). A common misconception is that existing CE marking satisfies EU AI Act requirements. It does not.

The two frameworks regulate different things:

  • MDR/IVDR: Regulates safety and performance of medical devices. Focuses on clinical evidence, biocompatibility, labelling, and post-market surveillance.
  • EU AI Act: Regulates the AI-specific aspects — transparency, explainability, data governance, bias testing, human oversight, and continuous risk management.

However, the EU AI Act does streamline things slightly. For AI medical devices that require a third-party conformity assessment under the MDR, the AI Act conformity assessment can be integrated into the existing notified body process. You do not need a separate notified body for each regulation — the same assessment can cover both, provided the notified body has AI Act competence.

Warning

CE marking under the MDR does not satisfy EU AI Act requirements. You need separate compliance for the AI-specific obligations: data governance, bias testing, human oversight controls, and Annex IV technical documentation.

Specific obligations for healthcare AI

High-risk healthcare AI systems must comply with all 11 high-risk obligations. Several are particularly significant in the healthcare context:

  • Data governance (Article 10). Training data must be representative of the patient population the system will serve. Bias across demographic groups — age, sex, ethnicity, comorbidities — must be tested and documented. Healthcare data is also subject to GDPR special category protections.
  • Risk management (Article 9). Continuous risk management covering foreseeable misuse, edge cases, and failure modes. In healthcare, this includes drug interaction risks, rare conditions, and adversarial inputs.
  • Human oversight (Article 14). Clinical AI must have interfaces that allow healthcare professionals to understand the AI's reasoning, review confidence levels, and override decisions. Fully autonomous clinical decisions without human oversight are not permitted for high-risk systems.
  • Accuracy and robustness (Article 15). Performance must be validated across demographic subgroups. A diagnostic AI that performs well overall but poorly for specific populations is not compliant.
  • Transparency (Article 13). Instructions for use must be clear enough for healthcare professionals — the intended users — to understand capabilities, limitations, and appropriate use contexts.
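As an added illustration of the Article 15 point above (example code written for this post, not from any regulator, device maker or the classifier mentioned on this page), the following Python audits sensitivity and specificity per demographic subgroup on a constructed set of predictions and flags groups that fall below a floor, lag the overall figure, or have too few cases to judge. The group labels, thresholds and sample outcomes are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample rows: (subgroup label, true diagnosis, model prediction).
# Hypothetical values for illustration, not from any real device or dataset.
SAMPLE: List[Tuple[str, int, int]] = (
    [("A", 1, 1)] * 5 + [("A", 0, 1)] * 1 + [("A", 0, 0)] * 4   # strong group
    + [("B", 1, 1)] * 2 + [("B", 1, 0)] * 2 + [("B", 0, 0)] * 6  # misses half of positives
    + [("C", 1, 1)] * 1 + [("C", 0, 0)] * 2                      # too few cases to judge
)


def confusion(records) -> Dict[str, Dict[str, int]]:
    """Per-group confusion counts, plus an 'ALL' entry for the whole set."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for group, y_true, y_pred in records:
        key = ("tp" if y_pred else "fn") if y_true else ("fp" if y_pred else "tn")
        counts[group][key] += 1
        counts["ALL"][key] += 1
    return dict(counts)


def rate(num: int, den: int):
    """Safe ratio: None when there is no support instead of a division error."""
    return num / den if den else None


def subgroup_metrics(records) -> Dict[str, dict]:
    out = {}
    for group, c in confusion(records).items():
        out[group] = {
            "n_pos": c["tp"] + c["fn"], "n_neg": c["fp"] + c["tn"],
            "sensitivity": rate(c["tp"], c["tp"] + c["fn"]),
            "specificity": rate(c["tn"], c["tn"] + c["fp"]),
        }
    return out


def audit(records, min_rate=0.8, max_gap=0.15, min_support=3) -> Dict[str, List[str]]:
    """Return {group: [reasons]} for every subgroup that fails the check.
    Groups with fewer than min_support positives or negatives are reported as
    'insufficient_support' rather than judged on an unreliable estimate."""
    metrics = subgroup_metrics(records)
    overall, findings = metrics["ALL"], {}
    for group, s in metrics.items():
        if group == "ALL":
            continue
        if s["n_pos"] < min_support or s["n_neg"] < min_support:
            findings[group] = ["insufficient_support"]
            continue
        for m in ("sensitivity", "specificity"):
            value, ref = s[m], overall[m]
            if value is None:
                continue
            if value < min_rate:
                findings.setdefault(group, []).append(f"{m} {value:.2f} below floor {min_rate:.2f}")
            if ref is not None and ref - value > max_gap:
                findings.setdefault(group, []).append(f"{m} {value:.2f} lags overall {ref:.2f}")
    return findings
```

A non-empty result is the evidence a notified body would expect to see addressed before the system is declared to perform acceptably across its intended population.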

Clinical decision support systems

Clinical decision support (CDS) systems present a classification challenge. Not all CDS is classified as a medical device under the MDR. Some CDS — particularly systems that provide general clinical knowledge without patient-specific recommendations — may fall outside MDR scope.

Under the EU AI Act, the analysis is different. Even CDS that is not an MDR medical device may still be high-risk if it materially influences clinical decisions. The test is functional: does the AI system's output influence a decision that affects a patient's health? If yes, it is likely high-risk regardless of MDR classification.

This creates a category of AI systems that are high-risk under the EU AI Act but not regulated as medical devices under the MDR. These systems need full EU AI Act compliance without the benefit of an existing MDR conformity assessment process.

What to do now

  • Inventory all AI systems in your clinical workflow. Include third-party AI tools your organisation deploys, not just systems you build. Deployer obligations apply.
  • Classify each system. Determine whether each is a medical device (MDR/IVDR scope), a non-device high-risk AI system (EU AI Act only), or a minimal-risk system. Use the free classifier as a starting point.
  • Map the regulatory overlap. For AI medical devices, identify which MDR compliance evidence can support EU AI Act requirements and where gaps exist. Key gap areas: bias testing, human oversight product features, and Annex IV documentation.
  • Prioritise data governance. Healthcare AI training data documentation is one of the most demanding requirements. Start cataloguing data sources, demographic representation, and data quality measures now.
  • Build oversight controls. Clinical AI must surface confidence scores, flag uncertain cases, and provide override mechanisms. If your product does not currently have these features, they need to be on your roadmap.

The transparency deadline is 74 days away. High-risk obligations land in 561 days. Healthcare AI companies that are already CE-marked have a head start on regulatory processes, but the AI-specific obligations are substantively new work.
