Is your AI product “high-risk”? A simple guide for medical device SMEs

The high-risk classification of medical devices is one of the most misunderstood parts of the EU AI Act. If you build AI into a medical device, this guide explains how to determine whether your product falls into that category.

Part 2 of 3 in our plain-English EU AI Act series. Part 1 explains the Act and what August 2nd really means. Part 3 covers the part most teams underestimate: staying compliant as your AI keeps changing.

A quick note on terms before we start. MDR is the EU Medical Device Regulation. IVDR is the In Vitro Diagnostic Regulation (the rules for lab and diagnostic tests). SaMD means Software as a Medical Device (software that is itself the medical product). A notified body is an independent organisation that checks and signs off your device so it can carry a CE mark, the marking that lets you sell it in Europe. Those are all the acronyms you need here.

AI Act High-Risk Medical Devices: The Simple Test

The good news is that the test is short. Under the AI Act, your AI medical product is high-risk when both of these are true:

  1. The AI is itself a medical device, or a safety part of one. Not just software near a device, but software that does a medical job.
  2. A notified body has to sign it off. In other words, you cannot self-certify it. An independent body has to assess it before it gets its CE mark.

That second point is usually the deciding factor, and it is easy to check, because it follows your device class:

  • MDR Class IIa, IIb, or III devices need a notified body.
  • IVDR Class B, C, or D devices need a notified body.

So if your product is, say, a Class IIb AI tool that supports diagnosis, or a Class C AI companion diagnostic, both boxes are ticked and you are high-risk under the AI Act.

The one common exception is a genuine Class I device that you self-certify with no notified body. That usually does not meet condition 2, so it usually sits outside this high-risk door.

But here is the catch for software specifically. An MDR classification rule called Rule 11 pushes most decision-driving medical software up to Class IIa or higher. Very little real SaMD stays in Class I. The practical result: most AI SaMD ends up high-risk. (Rule 11 is itself under review, so this baseline could shift. Worth watching, not worth waiting for.)

[Figure: decision tree for determining whether an AI medical device is classified as high-risk under the EU AI Act. AI medical devices requiring notified body assessment under MDR Class IIa, IIb, III or IVDR Class B, C, D are considered high-risk AI systems.]

One thing that confuses everyone

Being “high-risk” under the AI Act does not raise your MDR or IVDR risk class.

A Class IIa device stays Class IIa. The AI Act calling it “high-risk” is a separate label, on a separate track, answering a different question. You are not being bumped up a class. You are just being told the AI Act’s substantive rules apply to you. Keep these two ideas in different mental boxes and a lot of confusion disappears.

[Figure: comparison showing that MDR and IVDR device classifications (Class I, IIa, IIb, III) are separate from EU AI Act risk classifications (Minimal, Limited, and High-Risk).]

What are the real deadlines for you?

This is where you can relax a little, because your category got the longest runway.

  • 2 August 2026, the transparency rules (Article 50): live now. This is the date in all the headlines. If your product interacts with people or generates content, the “be open that it is AI” rules apply from here. This part was not delayed.
  • Your category, AI built into a regulated medical device, has a provisional deadline of 2 August 2028. After the Digital Omnibus on AI (published 19 November 2025, with a provisional agreement on 6 May 2026, confirmed by the Council on 13 May 2026), the heavy high-risk obligations for AI embedded in regulated products like medical devices and IVDs were moved to 2 August 2028.

Two honest caveats. First, that 2028 date is provisional. As of June 2026 it still has to be formally published in the EU’s Official Journal, and these timelines have already moved more than once. Plan for the substance, do not bank on the exact day. Second, a longer runway is not less work. It is the same work spread across more model updates, more data changes, and more software releases. Part 3 is all about that.

“Wait, weren’t medical devices almost let off the hook?”

You may have seen news that medical devices were going to be carved out of the AI Act. It nearly happened, and then it did not.

There was a proposal to move the MDR and IVDR into a different section of the law (from Annex I Section A to Section B), which would have largely exempted AI medical devices from the heavy obligations. That proposal was rejected. Medical devices and IVDs stay fully in scope.

The only softer tool left is this: the Commission may later use implementing acts to narrow how the AI Act applies, but only where the MDR or IVDR already give an “equivalent level of protection.” That is a future, case-by-case mechanism, not a blanket exemption. So the safe planning assumption today is simple: assume the AI Act applies to you in full.

The reassuring part: it rides on what you already do

Here is the message to take to your team. The AI Act was deliberately built on the same European framework as the MDR and IVDR. It does not create a second CE mark or a separate AI auditor.

Instead, the AI Act requirements get folded into the conformity assessment you already run through your existing notified body. And the systems you already have become the foundation:

  • Your ISO 13485 quality system,
  • your ISO 14971 risk management,
  • your IEC 62304 software lifecycle process,
  • and your MDR/IVDR technical documentation.

So the question is not “do I start over?” It is “where do I extend what I already have?” Most of the AI Act overlaps with your existing work. The genuinely new effort is concentrated in three areas: data governance (documenting your training, validation, and test data), human oversight (a person must be able to supervise and step in), and automatic logging (the system keeps records of how it operated). On top of that, you broaden your existing risk work and post-market monitoring to cover AI-specific failure modes.

The takeaway from Part 2: if a notified body signs off your AI device, assume you are high-risk. Your real deadline is the provisional 2 August 2028 for the heavy rules, with transparency already live from 2 August 2026. And most of it builds on the ISO 13485 and FDA compliance work and the ISO 14971 risk management work you already do.

How qmsWrapper fits in

Once you confirm you are high-risk, the AI Act asks you to keep a connected set of evidence: your model version, your data, your risk file, your testing, your monitoring, and your Technical File, all consistent with each other. qmsWrapper is a connected Medical Device Compliance QMS that links those records and extends your existing ISO 13485 and ISO 14971 work instead of duplicating it. That way the new AI Act pieces (data governance, oversight, logging) plug into the system you already run. Book a qmsWrapper demo to see it for an AI device.

Common Questions About High-Risk AI Medical Devices

Is my AI medical device high-risk under the EU AI Act?

It is high-risk if two things are true: the AI is itself a medical device (or a safety part of one), and a notified body has to sign it off. In practice that means MDR Class IIa, IIb, or III, or IVDR Class B, C, or D. Because Rule 11 pushes most software above Class I, most AI SaMD ends up high-risk.

Does the AI Act raise my MDR or IVDR risk class?

No. The “high-risk” label under the AI Act is separate from your device class. A Class IIa device stays Class IIa. The two run on parallel tracks and answer different questions.

What is my actual deadline?

For AI built into a regulated medical device, the provisional deadline for the heavy high-risk obligations is 2 August 2028. The transparency rules (Article 50) are already live from 2 August 2026. The 2028 date is provisional as of June 2026 and still needs formal publication.

Were medical devices exempted from the AI Act?

No. A proposal that would have largely exempted them was rejected. Medical devices and IVDs remain fully in scope. The Commission may later narrow how the Act applies in specific cases where the MDR or IVDR already give equivalent protection, but that is not a blanket carve-out.

What is genuinely new compared with MDR?

Three things stand out: data governance (documenting your training, validation, and test data), human oversight (a person must be able to supervise and intervene), and automatic logging. You also broaden your existing risk management and post-market monitoring to cover AI-specific failure modes.

Do I need a separate AI auditor or a second CE mark?

No. The AI Act requirements are folded into the conformity assessment you already run through your existing notified body. Your ISO 13485, ISO 14971, and IEC 62304 work becomes the foundation you extend.