EU AI ActHealthcareMedical devicesHigh-risk

The EU AI Act for healthcare and medical AI: the two high-risk routes

Published July 18, 2026 · 6 min read

AI is moving fast into diagnosis, triage and clinical decision support. Under the EU AI Act, health AI is often high-risk, but by one of two distinct routes, with different assessment paths. Knowing which one applies is the first step for any medtech, clinic or health startup.

Route 1: your AI is (part of) a medical device

If your AI is a safety component of, or is itself, a medical device or in-vitro diagnostic, it is high-risk under Article 6(1). The hook is Annex I, which lists the Medical Devices Regulation (EU) 2017/745 and the IVDR (EU) 2017/746 (items 11 and 12). Two conditions must both be met: the AI is or is part of such a product, and that product already requires third-party conformity assessment. Most Class IIa and higher devices do.

Route 2: your AI is a listed health use case

Even outside the medical-device rules, Annex III (Article 6(2)) lists health-related uses that are high-risk on their own:

  • Eligibility for healthcare services (point 5(a)). AI used by or for public authorities to decide who gets essential benefits and services, expressly including healthcare, or to grant, reduce or revoke them.
  • Emergency triage (point 5(d)). AI that triages emergency calls or dispatches first response, including medical aid and emergency patient-triage systems.
  • Life and health insurance pricing (point 5(c)). AI for risk assessment and pricing of natural persons, covered in our insurance guide.

It stacks on the MDR, it does not replace it

The AI Act does not merge into the medical-device rules; its requirements are additional. Where a product falls under both, you must comply with all of them (Article 8(2)). The one relief: you may integrate the AI Act's testing, documentation and reporting into the MDR or IVDR procedures you already run, to avoid duplication (Recital 64). And note: being classified high-risk does not by itself make a use lawful under other law (Recital 63) — data-protection and device rules still apply in full.

What you have to do

Once high-risk, the Chapter III obligations apply:

  • Risk management (Article 9) and data governance (Article 10) — quality, representativeness and bias-checking of clinical data.
  • Technical documentation (Article 11, Annex IV) and logging (Article 12).
  • Human oversight (Article 14) — a clinician must be able to review and override.
  • Accuracy, robustness and cybersecurity (Article 15).

Deadlines

The Annex III health use cases apply from 2 December 2027; the medical-device (Annex I) route from 2 August 2028, both rescheduled by the Digital Omnibus (adopted, pending Official Journal publication). Given device validation cycles, start now. Our deadlines guide has the full table.

Where to start

Map which route your systems fall under with the free EU AI Act Snapshot, two minutes, no signup, then work the 9-step checklist and prepare the conformity assessment. Plans start at EUR 0.

Related guides