§01
How the AI Act classifies medical AI
Article 6 designates AI systems as high-risk where they are safety components of products covered by the EU harmonisation legislation listed in Annex I, which includes the MDR and IVDR. In practice, almost any AI-enabled medical device with a notified-body route under the MDR is high-risk under the AI Act, and high-risk status carries the Act's core obligations:
- Risk management system covering AI-specific harms across the lifecycle.
- Data and data governance with documented quality, bias, and representativeness measures.
- Technical documentation per Annex IV, additive to the MDR technical file.
- Logging, transparency, human oversight, accuracy, robustness, and cybersecurity by design.
§02
Conformity assessment, twice
For high-risk medical AI, the AI Act conformity assessment is integrated into the MDR notified-body route, but it is not absorbed by it. Manufacturers still need an AI-specific quality management system, an AI-specific risk management process, and AI-specific post-market monitoring.
§03
General-purpose AI and foundation models
If your SaMD is built on top of a general-purpose AI model (GPAI), including most LLMs and large vision models, you inherit obligations that flow from the GPAI provider, plus your own as a downstream deployer or provider. Contractually pinning the model and its documentation is no longer optional.
- Provider documentation, training data summaries, and copyright disclosures must flow to you.
- GPAI models with systemic risk trigger additional model-evaluation and incident-reporting duties.
- Substantial modification of a GPAI for medical use can make you the provider in the eyes of the Act.
§04
Cybersecurity & the CRA overlap
Cybersecurity expectations come from MDR Annex I (security by design), the AI Act (robustness against adversarial inputs, model integrity), and, for products with digital elements, the Cyber Resilience Act from 2027. Build the control set once and map it across all three.