More than 3 years after the draft was presented, the European Artificial Intelligence Act (AIA) was published in the Official Journal of the European Union on July 12, 2024 as Regulation (EU) 2024/1689. In this blog post, we answer questions that arise for medical technology manufacturers as a result of the AIA.
kras99 / stock.adobe.com
Challenges for AI-based medical devices due to the EU Artificial Intelligence Act (AIA)
Which risk category can medical devices be assigned to in the AIA?
According to Art. 6 (1) AIA, AI systems are classified as high-risk AI systems as stand-alone products or safety components of products that are subject to Regulation (EU) 2017/745 on medical devices (Medical Device Regulation, MDR) or Regulation (EU) 2017/746 on in-vitro diagnostics (In-vitro Diagnostics Regulation, IVDR), as well as conformity assessment by third parties. Put simply, these are all AI-based medical devices in risk classes IIa-III and in vitro diagnostics in risk classes B-D.
What are the specific requirements in relation to medical devices?
In contrast to the MDR and IVDR, the AIA does not contain the product requirements in an annex, but describes them in detail in the legal text. Providers of high-risk AI systems are generally subject to the provisions of Art. 16 AIA. The following table lists the requirements that apply to medical devices as high-risk devices within the meaning of the AIA and - if available - the respective equivalents in the MDR:
Requirements | Reference AIA | Reference MDR | Degree of consistency between AIA and MDR |
Risk management system | Art. 9 | Art. 10 (2) | mainly |
Data and data governance | Art. 10 | -- | No |
Technical documentation | Art. 11 | Art. 10 (4), Annex II/III | Partially |
Mandatory automatic recording during operation | Art. 12 | -- | No |
Transparency and provision of information to deployers | Art. 13 | Art. 10 (11) | Partially in relation to instructions for use |
Mandatory human oversight (human-machine interface) | Art. 14 | -- | Partially |
Accuracy, robustness and cybersecurity | Art. 15 | Annex II/III | Partially |
Labeling provisions | --- | Annex I | No |
Quality management system | Art. 17 | Art. 10 (9) | Partially |
Documentation keeping | --- | Art. 10 (8) | Partially |
Automatic generation of logs | Art. 19 | -- | No |
Conformity assessment | Art. 43 | Art. 10 (6) | Partially |
EU declaration of conformity | Art. 47 | Art. 10 (6) | Partially |
CE marking | Art. 48 | Art. 10 (6) | Mainly |
Registration obligations | Art. 49 (1) | Art. 10 (7) | Partially |
Necessary corrective actions and resp. information | Art. 20 | Art. 10 (12) | Mainly |
Demonstration of conformity towards national competent authority | --- | Art. 10 (14) | Partially |
Additional obligations are existing for deployers | Art. 26 | --- | No |
Additional obligations are existing for surveillance authorities | Art. 74 | Art. 93 | partly with the exception of the extensive powers under the AIA |
Post-market surveillance and vigilance (suppliers) | Art. 72, 73 | Art. 10 (10, 12, 13) | Mainly |
For AI-based medical devices, the technical documentation to demonstrate compliance with the legal requirements must comply with both Annex IV AIA and Annexes II and III MDR and must be kept available by the provider for a certain period of time (Art. 11, 18). For SMEs and start-ups, a simplified provision of technical documentation in accordance with Annex IV AIA is provided for (Art. 11 (1)). However, a form must be used for this, which has yet to be provided by the European Commission. Providers of AI-based medical devices have the option of integrating the implementation of the provision of the AIA into their respective MDR processes and documentation (Art. 8 (2) AIA). For medical devices and IVDs, a standardized technical documentation is to be created that simultaneously meets the requirements of the sector-specific legal acts and the AIA (Art. 11 (2)).
Articles 10 and 15 of the AIA in particular contain AI-specific requirements that medical device manufacturers are not familiar with from the MDR. These requirements largely overlap with those from the joint IG-NB and Team-NB questionnaire “Artificial Intelligence (AI) in Medical Devices”. It is therefore all the more important for providers (manufacturers) to consistently implement the requirements of the questionnaire in order to be prepared for the AIA (AIA-Ready). In some cases, the requirements of the questionnaire go beyond the relevant legal requirements.
A quality management system in accordance with Art. 17 AIA is not a new requirement for medical device manufacturers. ISO 13485 is generally applied in this context, although this does not meet all the requirements of the EU Medical Device Regulation (MDR). According to TÜV AI.LAB, many requirements from Article 17 of the AIA are already comprehensively addressed by ISO 13485. This applies to development, quality assurance and communication, for example. AI-specific aspects such as data management or AI-specific risk management are not covered.
You can find a more in-depth analysis of the AIA in our blog post "AI systems under the EU Artificial Intelligence Act (AIA): Challenges and solutions".
What are the requirements for continuous-learning AI systems?
The handling of changes to high-risk AI systems that have already undergone a conformity assessment procedure is regulated in Art. 43 (4) AIA. In the event of a significant change, these “shall be subject to a new conformity assessment procedure, irrespective of whether the modified system is to be placed on the market or continued to be used by the current operator”. It also states: “For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that were pre-determined by the provider at the time of the initial conformity assessment and are included in the information in the technical documentation referred to in point 2(f) of Annex IV shall not be considered a substantial change”. The determination of changes to the high-risk AI system and its performance at the time of the initial conformity assessment, as well as the identification of associated risks, could be similar to the FDA's Pre-determined Change Control Plan (PCCP), which was recently presented in a VDE-DGBMT recommendation.
How do MDR/IVDR and the AIA interact?
The MDCG has published Guideline 2025-6 with FAQs on the interaction between MDR/IVDR and AIA. A selection of important points is listed below:
- Medical devices as high-risk AI systems (MDAI) are subject to both MDR/IVDR and AIA.
- The AIA introduces strict requirements for MPCI on data quality, transparency and traceability of AI systems and requires proof of accuracy, robustness and cybersecurity. Both lead to the expansion of existing technical documentation and quality management.
- The identified and assessed risks are to be reduced as part of the risk management system. This relates not only to organizational measures, but also to specific measures that are taken during development (compliance by design).
- AIA-specific content must also be integrated into post-market surveillance (post-market monitoring).
- Similar to the “responsible person” under the MDR, providers of AI systems must also regulate the responsibilities within the organization for the AIA.
- The International Medical Device Regulators Forum (IMDRF) is developing a guideline on the PCCP, which is expected to serve as the basis for future guidelines on this topic under the AIA.
- The safety, performance and, where applicable, clinical benefit of MPAIs must be supported by clinical data. When an MPAI is subject to a clinical trial, it is a real-world trial in accordance with the AIA.
- Human oversight can be considered a measure to prevent or minimize risks to health, safety or fundamental rights when a high-risk AI system is used as intended or under conditions of reasonably foreseeable misuse.
- Longer development cycles cannot be ruled out due to the additional regulations.
Summary and recommendations
Manufacturers of AI-based medical devices must quickly take into account the increased effort in the technical documentation and the extended conformity assessment in terms of both organizational and financial resources. In this regard, we recommend participating in our hands-on training course “Artificial Intelligence (AI) in Medical Devices”, as well as the VDE recommendation “MD CoDe - Compliance by Design as a key concept for meeting the European regulatory requirements for medical devices”. Furthermore, relevant guidelines for the AIA and the MDR that will be published in the future should be observed.
