AI Act Healthcare Compliance: Annex III, MDR, and the Double Obligation
Why most clinical AI systems must satisfy two separate regulatory regimes at once — and what that means for hospitals, labs, and vendors
Healthcare AI does not choose between the EU AI Act and the Medical Device Regulation. It must comply with both simultaneously.
The Annex III classification under the AI Act does not subtract from MDR or IVDR obligations — it adds to them. Every requirement from both frameworks applies in full. Most AI Act implementation guides and MDR compliance programmes still treat this in isolation, which is where the compliance gap opens.
This guide covers where the two regimes intersect, what Articles 9, 10, 14, and 26 require in a clinical context, how ISO 14971 and ISO/IEC 42001 relate to each other, and what hospitals and clinical labs must do as deployers even when they did not develop the AI system.
Annex III, Point 5: Healthcare AI Is High-Risk by Default
Annex III of the EU AI Act enumerates high-risk application domains. The health sector classification sits under Article 6(2) as read with Annex III, and it captures AI systems that are intended as safety components of regulated products, or that themselves constitute regulated products under the EU harmonised legislation listed in Annex I — which includes MDR and IVDR.
In practice that means: AI medical devices under Regulation (EU) 2017/745 (MDR), in-vitro diagnostic AI under Regulation (EU) 2017/746 (IVDR), AI safety components integrated in medical devices, and clinical AI that informs or replaces clinical judgement in diagnosis, prognosis, or treatment selection.
The vast majority of clinical AI software — standalone Software as a Medical Device (SaMD) or embedded in imaging platforms, laboratory information systems, or decision support suites — is both high-risk under the AI Act and regulated under MDR or IVDR. There is no carve-out.
For the full Annex III taxonomy, see the AI Act high-risk systems guide.
The Double Obligation: Why Subtraction Does Not Work
A common planning error in healthcare AI compliance is to treat MDR/IVDR conformity as a proxy for AI Act compliance, or to assume that meeting one framework's requirements on data governance or risk management automatically closes the gap under the other. It does not.
The two frameworks were developed independently, use different concepts, and do not map cleanly onto each other.
MDR/IVDR governs device lifecycle: design and manufacturing controls, clinical evaluation, conformity assessment, CE marking, post-market clinical follow-up, and post-market surveillance. Its risk framework references ISO 14971 — harm-probability analysis anchored in clinical patient outcomes.
The EU AI Act governs AI systems as a technology category: risk management across the AI lifecycle, training data governance, logging, human oversight, and transparency to deployers. Its risk concepts draw from ISO/IEC 42001 (AI management systems) and the NIST AI RMF.
The overlap is real — both require risk management documentation and post-market obligations — but they are not identical and cannot be merged into a single document. A clinical evaluation report under MDR is not an AI risk management system under Article 9. A bias assessment of training data under Article 10 is not a clinical performance study under IVDR.
Organizations that treat MDR/IVDR conformity as a proxy for AI Act compliance will have documented gaps when an audit or incident investigation arrives.
Article 9: Clinical Risk Management Meets AI Risk Management
Article 9 of the EU AI Act requires a documented, iterative risk management system covering the full lifecycle of every high-risk AI system. For clinical AI, this creates a two-layer requirement that must be explicitly designed, not improvised.
Layer 1 — ISO 14971 clinical risk management. MDR mandates ISO 14971-aligned risk management: identifying patient safety hazards, estimating and evaluating clinical risk, implementing controls, and evaluating residual risk against clinical benefit. Risk objects are harms to patients or operators.
Layer 2 — AI Act risk management. Article 9 requires a system addressing AI-specific risks: model degradation, distributional shift (deployment population differs from training data), adversarial inputs, feedback loops, and output opacity. Risk objects extend beyond patient harm to systemic bias and erosion of clinical oversight.
These layers must be explicitly linked. ISO 14971 documentation that ignores AI-specific risks does not satisfy Article 9. An AI risk log disconnected from patient safety outcomes does not satisfy MDR. ISO/IEC 42001 provides the management system framework that maps most directly onto Article 9 — for clinical AI, ISO 14971 risk objects should be cross-referenced within the ISO/IEC 42001 AI impact assessment.
The AI compliance checklist 2026 covers Article 9 documentation requirements in full.
Article 10: Clinical Training Data Under Two Regimes
Article 10 of the AI Act governs the data used to train, validate, and test high-risk AI systems. For clinical AI, training data governance sits at the intersection of Article 10, GDPR Article 9 (special category data), and the clinical validation requirements under MDR/IVDR.
Clinical training data is Article 9 GDPR special category data. Health data — patient records, medical imaging, laboratory results — requires a legal basis under Article 9(2)(h) (healthcare purposes) or Member State law with appropriate safeguards. Legal basis decisions must be documented per data category, per jurisdiction.
Article 10 AI Act requires documented data quality. Training and test datasets must be relevant, representative of the intended patient population, and free from known bias. Representativeness failures are clinically consequential: a diagnostic model trained on one demographic cohort may perform less accurately on underrepresented groups. Explicit bias assessment is a documented obligation, not a technical nicety.
MDR/IVDR clinical validation additionally requires clinical evidence of performance and benefit in the intended use population. Where accuracy varies across patient subgroups, those variations are relevant to both the clinical evaluation under MDR and the Article 10 bias documentation.
A DPIA is mandatory under GDPR Article 35 for large-scale health data processing. The DPIA for AI systems template provides a structured starting point covering training data categories, retention, data minimisation, and data subject rights.
Article 14: Human Oversight in Clinical Practice
Article 14 of the AI Act requires that high-risk AI systems be designed and operated to allow designated human overseers to understand, monitor, and intervene in AI output. In a clinical setting, this obligation intersects directly with existing medical liability frameworks and clinical governance structures.
Clinical AI must support, not replace, clinical judgement. Article 14 is structurally consistent with how regulators and clinical bodies have long framed clinical decision support AI: the clinician retains accountability for the clinical decision, and the AI system is a tool that informs rather than determines. What Article 14 adds is a technical and procedural requirement: the AI system must produce output that a competent clinician can interrogate, and the process of human review must be documented and not ceremonial.
What this means in practice:
- AI outputs must include confidence measures or reasoning information sufficient for a clinician to exercise genuine discretion, rather than merely accept or reject a black-box result
- Override and halt mechanisms must be technically implemented and tested, not policy-stated
- Named oversight roles must be documented with competency requirements per clinical workflow
- Each human review — including overrides — must be logged as part of the audit trail
A properly implemented Article 14 oversight log also provides the documentation that protects clinical institutions under professional liability frameworks when an AI-assisted decision is later scrutinised.
Article 26: Deployer Obligations for Hospitals and Clinical Labs
Most hospitals, clinical laboratories, and healthcare networks that deploy AI diagnostic or decision-support tools are deployers, not providers. They procured the AI system from a vendor; they did not develop it. Article 26 of the AI Act creates a distinct layer of obligations that attach to deployers regardless of whether the system has a CE mark under the AI Act.
The deployer cannot outsource accountability. Receiving a vendor AI system with documentation does not transfer compliance responsibility. The deploying institution must:
- Use the system only within its declared intended purpose. Deploying outside validated parameters creates a regulatory breach and a clinical risk the institution owns.
- Assign qualified human overseers — named individuals per deployment context with documented competency to critically interpret AI outputs.
- Conduct a Fundamental Rights Impact Assessment (FRIA) where required. For public healthcare deployments processing patient data at scale, a FRIA under Article 27 applies alongside the GDPR DPIA — overlapping but distinct.
- Maintain post-market surveillance contributions. Article 26(5) requires deployers to monitor system performance in their environment and report anomalies to the provider. Deployer observation data is a required input into the provider's MDR post-market surveillance, not optional feedback.
- Register as deployer in the EU AI database where applicable.
AI procurement due diligence becomes a compliance function. Every clinical AI procurement now requires compliance review alongside clinical evaluation: confirming high-risk classification, reviewing provider documentation against Articles 11–13, verifying CE marking under both MDR and AI Act pathways, and ensuring contractual obligations for provider support and incident notification are in place.
CE Marking: Concurrent Conformity Assessment
MDR/IVDR conformity assessment for AI-based medical devices is already required for Class IIa, IIb, and III devices, involving notified body review and clinical evaluation. The AI Act adds a separate high-risk conformity assessment pathway. Article 6(1) allows the sectoral conformity assessment to incorporate AI Act requirements where the sectoral legislation permits — but this requires explicit agreement with the notified body, not an assumption.
As of 2026 the "single assessment" pathway for healthcare AI is still maturing. Running both assessments in parallel with explicit cross-referencing is the operationally safe approach. A CE mark covering MDR does not automatically extend to the AI Act — both must be addressed before market placement.
4Legals: Where Compliance Meets Contract Intelligence
For healthcare organisations procuring AI software from vendors, the compliance obligations under Article 26 create a documentation burden that cannot be managed manually at scale. Every AI system procurement requires review of provider technical documentation, conformity assessment evidence, instructions for use, and contractual obligations for incident reporting, system updates, and ongoing support.
Knowlee's 4Legals capability addresses this through:
Audit-trail-by-default. Every AI-assisted workflow interaction — oversight events, overrides, anomaly flags, incident reports — is captured in an immutable, timestamped log. This satisfies Article 14 oversight logging and Article 12 automatic logging for providers, and it creates the post-market surveillance record that Article 26(5) requires.
DPIA template and cross-functional review workflow. Structured DPIA completion with cross-functional assignment (legal, clinical informatics, DPO) and version-controlled output, designed to satisfy GDPR Article 35 and AI Act Article 9 simultaneously.
Contract intelligence for AI procurement. Automated review of vendor agreements against the Article 26 deployer checklist: intended purpose boundaries, incident reporting commitments, CE marking status, and post-market surveillance data-sharing obligations.
See how 4Legals applies to your deployment context.
Frequently Asked Questions
Q: What is the timeline for healthcare AI to comply with both the AI Act and MDR simultaneously?
The AI Act's Chapter III high-risk obligations became applicable in August 2026 for new systems, with transition periods for systems already on the market. MDR has been fully applicable since May 2021 for new devices. For new or substantially modified clinical AI, both regimes apply concurrently — there is no sequencing. Verify whether AI Act transition provisions cover your existing deployment, and plan for the first substantial modification to trigger full AI Act obligations.
Q: If an AI system has MDR CE marking, does it automatically satisfy the AI Act high-risk requirements?
No. MDR CE marking covers the Medical Device Regulation requirements — clinical evaluation, quality management, and device-specific technical obligations. It does not cover the AI Act's Article 9 risk management system, Article 10 training data governance, Article 12 logging, Article 14 human oversight design, or Article 13 instructions for use. Where the AI Act permits the sectoral conformity assessment to incorporate AI Act requirements, this requires explicit agreement with the notified body — it is not automatic.
Q: Our hospital uses an AI diagnostic tool that the vendor describes as clinical decision support rather than a medical device. Are we still subject to these obligations?
Classification as a medical device is determined by the software's intended purpose under MDR Article 2 and MDCG guidance, not by the vendor's marketing description. If the software is intended to diagnose, prevent, monitor, or treat disease and produces clinical recommendations, it is likely a medical device regardless of how the vendor frames it. That same intended-purpose analysis determines Annex III classification. The deployer cannot rely on the vendor's self-description — a formal classification assessment is the first required step.
Q: What counts as post-market surveillance for a hospital deploying clinical AI under Article 26?
Article 26 post-market surveillance means actively monitoring AI performance in your deployment environment: tracking recommendation accuracy against clinical outcomes, logging clinician overrides and the outcomes that followed, escalating anomalous behaviour to the provider under the incident notification terms in your contract, and feeding observational data into your clinical governance cycle. This data-sharing is a regulatory obligation. The provider's PMCF (post-market clinical follow-up) under MDR depends in part on deployer observations — Article 26 formalises what was previously left to goodwill.
Q: What happens if a hospital uses a clinical AI system outside the vendor's declared intended use?
Off-label AI use removes the deploying institution from the compliance envelope of the provider's conformity assessment. The deployer effectively operates an unassessed high-risk AI system and assumes the full compliance burden of a provider for that use. Under MDR, off-label device use triggers separate clinical liability and, in some jurisdictions, regulatory obligations around compassionate use or clinical investigation. Off-label clinical AI use is a significant compliance event requiring legal and clinical governance review — not a routine practice decision.
What to Do Now
If your organisation develops, deploys, or procures clinical AI, the question is not whether these obligations apply — it is whether your current compliance programme is structured to satisfy both regimes simultaneously.
The starting point is a structured readiness assessment that covers AI Act Article 6 classification, MDR/IVDR conformity status, and the deployer obligation gaps under Article 26. The AI Act Readiness Assessment provides a structured output across all three dimensions.
For organisations managing AI software procurement contracts, the 4Legals cross-functional review workflow reduces the compliance overhead of each new vendor assessment without reducing its rigour. Talk to the team about how 4Legals fits your current procurement process.
For the broader regulatory framework across all high-risk AI sectors, the AI compliance checklist 2026 covers EU AI Act, GDPR, ISO 42001, and sector-specific controls in a single reference format.
For the intersecting Annex III sectoral compliance obligations in a different domain, see the AI Act Annex III HR & Employment guide.