EU AI Act for Healthcare: High-Risk Rules for Clinical AI

Healthcare AI carries real risk to patient safety, and the EU AI Act (Regulation (EU) 2024/1689) regulates it accordingly. Clinical decision support, diagnostic and triage tools are frequently high-risk — either as a safety component of a regulated medical device under Art. 6, or via the essential-services route in Annex III. The Act applies to any system whose output is used in the EU, wherever the developer sits.

Is it in scope?

There are two routes into high-risk here. Under Art. 6, an AI system is high-risk if it is a safety component of a product covered by EU harmonisation law that requires third-party conformity assessment — which captures most software qualifying as a medical device under the MDR/IVDR. Separately, Annex III covers AI used in access to essential public services, which can reach triage and eligibility tools. Many clinical products meet both tests, so the medical-device conformity assessment and the AI Act obligations must be aligned rather than run in isolation.

Typical AI use cases

  • AI-assisted diagnostic imaging (radiology, pathology)
  • Clinical decision-support and treatment recommendation
  • Emergency triage and patient prioritisation
  • Early-warning and patient-deterioration prediction
  • Automated interpretation of lab and diagnostic results
  • AI-driven remote patient monitoring

Risk classification

Most clinical software will be high-risk through the Art. 6 medical-device route. The manufacturer placing the device on the market is the provider and must satisfy Art. 9–15 alongside its MDR/IVDR conformity assessment; the AI Act requirements can often be integrated into the existing device documentation. The hospital or clinician deploying the tool is a deployer under Art. 26, responsible for human oversight, use per the instructions, and monitoring in real-world clinical practice.

Obligations to prepare for

Risk management system (Art. 9)
Data governance & quality (Art. 10)
Technical documentation, Annex IV (Art. 11)
Logging & traceability (Art. 12)
Human oversight (Art. 14)
Accuracy, robustness & cybersecurity (Art. 15)

FAQ

Our software is already CE-marked as a medical device — does the AI Act add more?

Yes. Being a medical-device safety component makes it high-risk under Art. 6, so AI Act duties (risk management, data governance, oversight) apply on top of MDR/IVDR. The two conformity assessments can and should be integrated.

Is a symptom-checker or triage chatbot high-risk?

It depends on function. If it qualifies as a medical device or determines access to essential care, it is likely high-risk. Purely informational tools may instead fall under Art. 50 transparency duties.

Who is responsible — the AI vendor or the hospital?

The manufacturer/provider handles the design-time obligations under Art. 9–15. The deploying hospital is responsible under Art. 26 for oversight, correct use and monitoring in clinical practice.

See exactly what applies to your system

Run the free 2-minute risk checker — no sign-up.

Run the free check