Artificial intelligence is becoming increasingly important in medical technology. From diagnostic support tools to software that interprets clinical data, AI-based medical devices promise faster workflows, more personalized care, and better decision-making.
But these opportunities also create a new regulatory challenge. In Europe, an AI-based medical device may fall under both the Medical Device Regulation (MDR) and the EU AI Act, and the roadmap discussed here shows how these two frameworks interact when an MDR-regulated medical device also qualifies as a high-risk AI system.
Why AI-Based Medical Devices Are a Special Case
The MDR already sets high standards for medical devices. Manufacturers must demonstrate safety, performance, clinical benefit, risk control, technical documentation, post-market surveillance, and quality management.
The AI Act does not replace those requirements. It adds AI-specific obligations on top of them, including requirements for risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, and AI competence.
That is especially relevant because AI systems introduce risks that are not fully captured by traditional medical device regulation. So manufacturers must ask not only whether the medical device is safe and clinically useful, but also whether the AI system is transparent, robust, appropriately supervised, and reliable in its intended use context.
Build on MDR Processes
A central message of the roadmap is that many AI Act requirements can be integrated into existing MDR processes. Manufacturers do not necessarily need separate compliance structures for AI if their existing systems can be extended in a structured way.
That applies in particular to:
- risk management.
- technical documentation.
- quality management.
- instructions for use.
- post-market surveillance.
- corrective actions.
- documentation retention.
- communication with authorities.
At the same time, MDR compliance alone is not enough. The AI Act adds requirements that are specific to how the AI system is developed, trained, validated, logged, monitored, and supervised throughout its lifecycle.
Risk Management
Risk management is already central under the MDR, and the AI Act reinforces that approach while expanding it to cover AI-specific risks throughout the lifecycle of the system. For AI-based medical devices, this means manufacturers should consider risks such as biased outputs, poor performance in subgroups, dataset drift, automation bias, unexpected model behavior, adversarial attacks, overreliance by users, and risks arising from updates or changes in use context.
The roadmap emphasizes that risk management must be continuous and iterative. It should not end at market launch, because AI systems can behave differently in real-world settings, with new data, new workflows, or changing user behavior.
Data Governance
One of the most important additions in the AI Act is its focus on data governance. For AI-based medical devices, the quality of the model depends heavily on the quality of the data used for training, validation, testing, and monitoring.
The roadmap highlights that datasets should be relevant, representative, sufficiently complete, appropriately annotated, and free from avoidable bias. This is particularly important in healthcare, where poor data quality can lead to unequal performance across patient groups.
Where personal data is involved, GDPR obligations also apply. In practice, this means manufacturers need clear procedures for data collection, data cleaning, annotation, dataset selection, bias detection, data quality control, and documentation.
Technical Documentation
The MDR already requires detailed technical documentation. The AI Act adds documentation requirements that are specific to the AI system itself. For manufacturers, this means the technical file should not only describe the medical device, software architecture, intended purpose, clinical evaluation, and risk management strategy, but also explain how the AI system was developed, trained, validated, tested, and controlled.
Important elements include:
- AI system design and model architecture.
- data governance procedures.
- training, validation, and test datasets.
- performance testing.
- risk assessments.
- limitations of the system.
- human oversight measures.
- logging mechanisms.
- cybersecurity controls.
- post-market monitoring plans.
The roadmap’s key point is that the AI Act documentation should be integrated into the MDR technical documentation, not managed as a disconnected parallel system.
Logging and Traceability
AI systems must automatically record relevant events during their lifecycle. This is one of the clearest AI-specific requirements in the roadmap and goes beyond traditional MDR expectations.
Logging supports post-market monitoring, investigation of incidents, detection of unexpected behavior, identification of significant changes, and oversight of how the system is used. For medical AI, logging can also help determine whether a system produced an output in a valid context and whether performance issues emerged over time.
If logs contain personal data, they must also be handled in line with data protection requirements.
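To make the logging requirement concrete, the following is an added example (not code from the roadmap or from any regulator) of an append-only inference audit log for a hypothetical decision-support model. Each record captures what the text asks for: when the output was produced, which model version produced it, whether the input lay inside the domain the model was validated on, the output and its confidence, and any later human review. Patient identifiers are stored only as a keyed hash and raw inputs only as a digest, so the log itself carries no directly identifying data; each record also commits to the previous one, so later tampering is detectable. The model name, the validated input ranges and the demo key are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders: model identifier and validated input domain.
MODEL_VERSION = "example-model-1.2.0"
VALIDATED_DOMAIN = {"age": (18, 100), "systolic_bp": (70, 250)}


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Keyed hash: a stable reference for linking events without the identifier itself."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def check_domain(features: dict) -> list:
    """Names of inputs missing or outside the range the model was validated on."""
    out = []
    for name, (lo, hi) in VALIDATED_DOMAIN.items():
        value = features.get(name)
        if value is None or not lo <= value <= hi:
            out.append(name)
    return out


class AuditLog:
    """Append-only event log in which every record commits to its predecessor."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, kind: str, payload: dict, now) -> dict:
        now = now or datetime.now(timezone.utc)
        record = {"ts": now.isoformat(), "kind": kind, "model_version": MODEL_VERSION}
        record.update(payload)
        record["prev_hash"] = self.records[-1]["hash"] if self.records else "0" * 64
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def log_inference(self, patient_id, features, output, confidence, key, now=None):
        out_of_range = check_domain(features)
        payload = {
            "subject_ref": pseudonymize(patient_id, key),
            # Digest of the canonical input lets an investigator match a stored case
            # to this event without keeping clinical data in the log.
            "input_digest": hashlib.sha256(
                json.dumps(features, sort_keys=True).encode()).hexdigest(),
            "in_validated_domain": not out_of_range,
            "out_of_range": out_of_range,
            "output": output,
            "confidence": round(confidence, 3),
        }
        return self._append("inference", payload, now)

    def log_review(self, inference_hash: str, action: str, now=None):
        """Human oversight is recorded as its own event, never by editing the inference."""
        return self._append("human_review", {"inference": inference_hash, "action": action}, now)

    def verify(self) -> bool:
        """True if no record was altered, removed or reordered since it was written."""
        prev = "0" * 64
        for r in self.records:
            if r["prev_hash"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def contains_identifier(log: AuditLog, patient_id: str) -> bool:
    """Check used before export: the raw identifier must not appear anywhere in the log."""
    return any(patient_id in json.dumps(r) for r in log.records)


def demo() -> AuditLog:
    """Constructed session: one in-domain inference, its review, one out-of-domain inference."""
    key = b"constructed-demo-key-not-for-real-use"
    t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AuditLog()
    first = log.log_inference("patient-0042", {"age": 64, "systolic_bp": 150},
                              "elevated risk", 0.87, key, now=t)
    log.log_review(first["hash"], "accepted", now=t)
    log.log_inference("patient-0042", {"age": 64, "systolic_bp": 310},
                      "elevated risk", 0.91, key, now=t)
    return log
```

The second inference in the demo is flagged as outside the validated domain while still being recorded; that flag is what later lets a post-market reviewer separate "the model was wrong" from "the model was used outside its intended context".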
Transparency and Human Oversight
Transparency under the AI Act goes beyond ordinary labeling or instructions for use. Users must receive information that enables them to understand and interpret the system’s outputs appropriately.
The roadmap makes clear that this does not necessarily require full technical explainability of the model. It does require meaningful information about intended purpose, capabilities and limitations, expected input data, output interpretation, known risks, required human oversight, maintenance and updates, and logging mechanisms.
Human oversight is similarly more than a formal statement that a human remains responsible. The system must be designed so that human supervision is actually possible in practice. That includes suitable interfaces, warnings, uncertainty communication, and the ability to intervene or stop use when necessary.
Accuracy, Robustness, and Cybersecurity
The AI Act requires high-risk AI systems to achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle. For medical AI, this is especially important because failures can directly affect patient safety and clinical decision-making.
Accuracy must be defined, measured, documented, and communicated. Robustness means the system should remain reliable under foreseeable disturbances, unusual inputs, or environmental changes. Cybersecurity must also cover AI-specific threats such as data poisoning, model poisoning, adversarial examples, and model evasion.
The roadmap treats these topics as partly connected to MDR requirements, but clearly adds an AI-specific layer. In other words, classical software security remains necessary, but it is not sufficient on its own.
Quality Management and Monitoring
The AI Act requires a quality management system that ensures continuous compliance across the AI lifecycle. The roadmap’s main point is that this can usually be integrated into the existing MDR QMS, provided it is expanded to cover AI-specific activities.
That includes AI design and development controls, data management, model validation, performance monitoring, change management, incident handling, logging, supplier responsibilities, and communication with authorities.
Post-market monitoring is also central. For AI-based medical devices, it should be able to detect performance degradation, subgroup effects, drift, misuse patterns, and changes caused by updates or real-world use.
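As an added example of what such monitoring can look like in code (this is not from the roadmap and not any manufacturer's implementation), the block below computes per-subgroup sensitivity from labelled post-market cases, flags subgroups whose sensitivity has dropped more than an acceptance margin below the release baseline, and measures input drift with the population stability index (PSI) over a binned input feature. The baseline values, the acceptance margin, the PSI alert threshold and all case data are constructed for the demonstration; the PSI threshold of 0.2 is a common rule of thumb, not a regulatory figure.

```python
import math
from collections import defaultdict

# Constructed baselines from a hypothetical release validation.
BASELINE_SENSITIVITY = {"female": 0.90, "male": 0.90}
MAX_DROP = 0.05    # hypothetical acceptance margin below baseline
PSI_ALERT = 0.2    # rule-of-thumb PSI threshold for "meaningful shift"


def subgroup_sensitivity(cases):
    """cases: iterable of (subgroup, predicted_positive, truly_positive).
    Returns sensitivity (true positives / actual positives) per subgroup."""
    tp, positives = defaultdict(int), defaultdict(int)
    for group, predicted, truth in cases:
        if truth:
            positives[group] += 1
            if predicted:
                tp[group] += 1
    return {g: tp[g] / n for g, n in positives.items() if n}


def degraded_subgroups(cases, baseline=BASELINE_SENSITIVITY, max_drop=MAX_DROP):
    """Subgroups whose current sensitivity fell more than max_drop below baseline."""
    current = subgroup_sensitivity(cases)
    return sorted(g for g, s in current.items()
                  if g in baseline and baseline[g] - s > max_drop)


def psi(reference, current, bins):
    """Population stability index between two samples of one input feature.
    bins: list of (lo, hi) half-open intervals covering the expected range."""
    def histogram(values):
        counts = [0] * len(bins)
        for v in values:
            for i, (lo, hi) in enumerate(bins):
                if lo <= v < hi:
                    counts[i] += 1
                    break
        n = len(values)
        # Small additive smoothing so an empty bin never produces log(0).
        return [(c + 0.5) / (n + 0.5 * len(bins)) for c in counts]
    ref, cur = histogram(reference), histogram(current)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))


def monitoring_report(cases, reference_feature, current_feature, bins):
    """One monitoring cycle: subgroup performance plus input drift."""
    shift = psi(reference_feature, current_feature, bins)
    return {
        "subgroup_sensitivity": subgroup_sensitivity(cases),
        "degraded_subgroups": degraded_subgroups(cases),
        "input_psi": round(shift, 3),
        "drift_alert": shift > PSI_ALERT,
    }


def build_cases(group, positives, detected, negatives=0):
    """Constructed data: `positives` true cases of which `detected` were flagged."""
    cases = [(group, i < detected, True) for i in range(positives)]
    cases += [(group, False, False) for _ in range(negatives)]
    return cases


# Constructed feature samples: reference spread evenly, current skewed to high values.
BINS = [(0, 50), (50, 100), (100, 150), (150, 200)]
REFERENCE_LAB_VALUE = [25] * 25 + [75] * 25 + [125] * 25 + [175] * 25
CURRENT_LAB_VALUE = [25] * 5 + [75] * 5 + [125] * 30 + [175] * 60


def demo():
    """Female subgroup holds at 18/20, male subgroup drops to 15/20."""
    cases = build_cases("female", 20, 18, negatives=30) + build_cases("male", 20, 15, negatives=30)
    return monitoring_report(cases, REFERENCE_LAB_VALUE, CURRENT_LAB_VALUE, BINS)
```

In the demo the overall sensitivity is still 33/40, so an aggregate metric alone would hide the problem; the subgroup view is what surfaces it, and the PSI alert on the input feature gives a reason to investigate whether the deployment population differs from the validation population.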
Value Chain and Roles
AI-based medical devices often involve multiple actors: manufacturers, AI developers, software providers, data providers, cloud providers, distributors, deployers, and clinical users. The roadmap stresses that responsibilities along the value chain must be clear.
This matters because a party that substantially modifies an AI system or changes its intended purpose may become the provider under the AI Act. For manufacturers and partners, that makes contracts, technical agreements, supplier qualification, and responsibility matrices more important than before.
AI Literacy
A particularly important concept is AI literacy. The AI Act requires providers and deployers to ensure that people involved with AI systems have an appropriate level of competence.
In clinical settings, this means healthcare professionals do not need to become data scientists, but they do need enough understanding to use the system responsibly. They should know that AI outputs are probabilistic, limited by training data, and dependent on correct inputs and context.
That makes AI literacy part of safe use, quality management, and patient safety.
What This Means
The overall message of the roadmap is clear: AI-based medical devices require integrated regulatory thinking. Manufacturers should not treat the AI Act as a separate checklist added at the end of development.
Instead, AI Act requirements should be built into the product lifecycle from the beginning. That means integrating AI risks into MDR risk management, embedding AI documentation into the technical file, strengthening data governance, designing for transparency and human oversight, validating accuracy and robustness with suitable datasets, expanding cybersecurity to AI-specific threats, and connecting AI monitoring with MDR post-market surveillance.
The goal is not only to satisfy regulation, but to make AI-based medical devices safer, more understandable, more reliable, and more trustworthy.