November 10, 2025
by Ferdous Al-Faruque

Expert: AI compliance in EU requires proactive lifecycle management approach

ROTTERDAM, NETHERLANDS – As medtech companies look to incorporate artificial intelligence (AI) into their products, Fernanda Ferraroli Paro, a regulatory compliance specialist at Compliance & Risk, said that EU law expects them to be more proactive and adopt a lifecycle management approach to their products.
 
"The most important thing organizations should bear in mind is to change from reactive to proactive compliance, where risk management, postmarket vigilance, and continuous improvements are built into the entire lifecycle," she told attendees at the RAPS European Digital Technology and Software Conference.
 
Ferraroli Paro spoke about the current legal landscape that companies must consider when embracing AI, outlining legal requirements under the relevant legislation. She noted, for instance, that the recently passed EU AI Act uses a risk-based regulatory approach that companies should familiarize themselves with.
 
“It categorizes AI systems into four levels of risk: minimal, limited, high, and unacceptable risk,” said Ferraroli Paro. “In healthcare, most AI systems will fall under the high-risk category because they impact patient diagnosis, treatment, or monitoring.
 
“Under... the AI act, any AI system is a safety component of a product regulated under [the Medical Device Regulation (MDR)] and [In Vitro Diagnostic Regulation (IVDR)], or itself a medical device,” she added. “So, it is automatically classified as a high-risk.”
 
Ferraroli Paro said that the compliance pathway for an AI system considered a high-risk medical device will depend on its conformance assessment under the MDR and IVDR. She noted that the AI Act builds on that conformance by adding specific requirements related to data governance, equality, bias prevention, representativeness, algorithm transparency, human oversight, technical robustness, and accuracy over time.
 
However, she stressed that the EU wants to avoid administrative duplication by allowing a single integrated conformance assessment.
 
“It means that notified bodies can verify compliance with both sets of requirements and in a single assessment process,” said Ferraroli Paro. “The conformance assessments are no longer one-time certifications; they require ongoing postmarket monitoring.
 
“It's the entire lifecycle; not only [about] how you manufacture, how you design it, or how you put it into the market,” she added. “You have to pay attention also afterward.”
 
Ferraroli Paro said that EU regulations prioritize explainability, accountability, and traceability. She said that manufacturers need to ensure that regulators, clinicians, and patients can trust how their AI systems work.
 
Furthermore, Ferraroli Paro emphasized that manufacturers must maintain comprehensive documentation, including documentation on the intended purpose, risk classification, justification, training and testing, data specifications, human oversight, and risk mitigation strategies. She also noted that the documents must be kept up to date and available to notified bodies and regulators.
 
“In terms of transparency, for example, the AI Act requires clear labeling and user information about system purpose, limitations and levels of automation,” said Ferraroli Paro. “MDR and IVDR, for example, require inclusion of key safety and performance data.”
 
She added that the European Database on Medical Devices (EUDAMED), which is being implemented in phases, is also another consideration for manufacturers in terms of transparency.
 
Ferraroli Paro stated that the MDR, IVDR, and AI Act all require traceability throughout the product lifecycle. This includes requirements for unique device identification (UDI) systems and audit trails that ensure accountability for software updates and algorithm modifications. Additionally, she noted that manufacturers should factor in the AI Act's requirement for an AI system log, which ensures that regulators can conduct post-market evaluations and maintain an audit trail.
 
Another key factor to consider is cybersecurity, according to Ferraroli Paro. She noted that manufacturers now have to pay attention to three regulations that address cybersecurity. More specifically, she stated that manufacturers are required to demonstrate that they are managing cybersecurity as part of their risk management process under the MDR and IVDR. Furthermore, she noted that in October 2024 the Network and Information Security Directive 2 (NIS 2) expanded the EU cybersecurity framework to include healthcare and medical device manufacturers as essential or important entities that must take additional measures to ensure cybersecurity.
 
“Cybersecurity is no longer optional or reactive, so it is a core regulatory and safety requirement,” said Ferraroli Paro. “Cybersecurity by design ensures protection against cyber risks embedded throughout the entire product lifecycle; so from design and development to deployment, maintenance and the commission.
 
“It means integrating security principles and controls at every stage of a product's lifecycle, not as a final add-on,” she added. “This proactive approach is central to the EU NIS 2, and also the MDR, IVDR, and Cyber Resilience Act (CRA).”
 
Ferraroli Paro added that manufacturers are required to implement risk management policies covering supply chain security, incident detection and response capabilities, business continuity, and crisis management plans. They are also required to provide staff with cybersecurity training. Another crucial requirement is proper vulnerability management: incident reporting and vulnerability handling processes for identifying, assessing, and remedying cybersecurity problems. While coordinated vulnerability disclosure is not mandatory, she said it is recommended.
 
Finally, Ferraroli Paro noted that data protection is a cornerstone of EU digital health compliance, highlighting that the General Data Protection Regulation (GDPR), the European Health Data Space (EHDS) regulation, and the AI Act all incorporate data protection considerations.
 