High-Risk under Annex III

Healthcare AI is high-risk under the EU AI Act

Clinical decision support, diagnostic imaging AI, and triage systems fall under Annex III as safety components of medical devices or standalone high-risk systems. If your AI influences patient care decisions, you have until December 2, 2027 — 561 days — to comply.

Which healthcare AI is high-risk?

AI systems used as safety components of medical devices — or AI that is itself a medical device — are automatically high-risk under Annex I. Clinical decision tools also fall under Annex III, point 5.

Clinical decision support systems

AI that assists clinicians in diagnosing conditions, recommending treatments, or prioritising patients based on clinical data

Diagnostic & imaging AI

Systems that analyse medical images, lab results, or patient records to detect diseases, flag abnormalities, or suggest diagnoses

Triage & risk stratification

AI that determines urgency of care, allocates hospital resources, or scores patient risk levels for emergency or surgical settings

Mental health & behavioural AI

Systems that assess mental health conditions, predict patient deterioration, or recommend psychiatric interventions based on behavioural patterns

What's not high-risk in healthcare?

Administrative and operational AI in healthcare settings generally won't trigger Annex III — unless it directly influences clinical outcomes for individual patients.

Hospital scheduling and bed-management optimisation without clinical decisions
Administrative chatbots for appointment booking (transparency obligations only)
Supply chain AI for pharmaceutical logistics (no patient impact)
Research-only models not deployed in clinical settings

Even if your system is not high-risk, transparency obligations under Article 50 may still apply. Run the free classifier to find out.

Medical Device Regulation overlap

MDR / IVDR + EU AI Act

If your AI qualifies as a medical device under the MDR or IVDR, the EU AI Act conformity assessment integrates with your existing CE marking process. The notified body handling your MDR/IVDR assessment will also evaluate AI Act compliance. This means you won't need a separate conformity assessment — but you do need the additional AI-specific documentation: bias testing, model accuracy records, and continuous post-market monitoring plans.

See the full regulatory overlap mapping →

10 mandatory obligations for high-risk healthcare AI

Each must be in place before December 2, 2027. Non-compliance risks fines up to €15 million or 3% of global turnover.

1. Risk management system (Article 9)
2. Data governance & bias documentation (Article 10)
3. Full Annex IV technical documentation
4. Automatic event logging (Article 12)
5. Transparency & instructions for deployers (Article 13)
6. Human oversight measures (Article 14)
7. Accuracy, robustness & cybersecurity (Article 15)
8. Conformity assessment (Article 43)
9. EU database registration (Article 49)
10. Post-market monitoring (Article 72)

Already GDPR compliant?

Some work carries over

Healthcare organisations handling patient data under GDPR already have data protection impact assessments and processing records. These partially cover Article 10 (data governance) and Article 9 (risk management) of the AI Act. But you'll still need AI-specific documentation: model accuracy and bias testing, conformity assessment, and continuous post-market monitoring.

See the full GDPR overlap mapping →

561 days until enforcement

Healthcare AI will face intensive regulatory scrutiny from day one. Classify your system now and start generating the compliance documentation you need.