Navigating convergence and divergence between the EU MDR and EU AI Act

Introduction

• To analyze the convergence and divergence between the EU MDR and AI Act; and
• To explain the evolving concept of risk under both frameworks, using practical examples.

The EU AI Act: An introduction

• Providers, who develop or place an AI system on the market (e.g., manufacturers, software developers, and even some distributors);
• Deployers, who use AI systems under their authority (e.g., hospitals, clinics, insurance companies, labs, and sometimes healthcare professionals). It is important to note that deployers under the EU AI Act are not synonymous with users under the EU MDR. While the term users refers to the individuals who operate a medical device per EU MDR, deployers, as stated above, can represent entire organizations or entities that control and oversee the system’s use, extending beyond the scope of a single end user;¹³ and
• Importers and distributors, who ensure compliance and traceability across the supply chain.

Definition of an AI system

General structure of the EU AI Act

Key structural highlights: Chapters 3, 4, 7, 8, and 9

Risk classification as per EU AI Act

The picture changes when the same type of system is designed to extract clinically relevant information, generate structured notes, or feed data into electronic health records in ways that shape diagnosis, treatment, or triage. In these scenarios, the ambient scribe contributes directly to how clinical information is interpreted and prioritized and may influence when and how patients receive care. Such functionality corresponds to the high‑risk category in Annex III, Point 5(d) related to essential private and public services – specifically the provision covering AI systems that analyze or categorize emergency calls, support dispatch decisions, or set the priority for sending emergency responders such as police, fire, or medical services, including systems used for emergency‑care triage.¹⁶

In these cases, the system would be treated as a high‑risk AI system and would need to meet the corresponding obligations under the EU AI Act, including robust risk management, transparency, and oversight. This example highlights how subtle shifts in intended use can alter a product’s classification entirely, underscoring the importance of documenting intended purpose clearly and aligning it with the AI system’s actual functionality.

Risk classification in this article has so far focused on AI systems embedded in medical devices. However, the AI Act is a horizontal legislation that applies across sectors and products, not only to healthcare. This broader scope means organizations must look beyond clinical applications when assessing where the act applies.

For example, AI is used in human resources for tasks such as screening job candidates or supporting hiring decisions. These systems fall under the EU AI Act and are explicitly listed as high‑risk in Annex III because they can significantly affect access to employment and career progression (Annex III, Section 4(f), supported by Recital 57).¹⁶ This category includes AI tools used to target job advertisements, filter or rank applications, assess candidates, or monitor employee performance and behavior, all of which are subject to heightened safeguards under the EU AI Act’s high‑risk regime.

Therefore, organizations should not limit their focus to medical devices; they must also consider AI systems used in other processes, such as human resources. These systems carry substantial compliance obligations under the EU AI Act, including risk management, transparency, human oversight, and incident reporting. Adopting this broader perspective ensures comprehensive governance of AI systems across all organizational functions.

Mapping high-risk classification between the EU MDR and the EU AI Act

The relationship between EU MDR risk classes and the EU AI Act’s high‑risk definition is more nuanced than a simple one‑to‑one match. As clarified in Section 1(2) of the MDCG 2025-6 guidance,¹³ a medical device that is classified as high-risk under the EU MDR and also qualifies as an AI system will generally be treated as high-risk according to the EU AI Act, particularly where third-party conformity assessment by a notified body is required. However, as clarified in Section 1(4),¹³ the converse does not automatically hold: being high-risk as per the EU AI Act does not mean the product is high-risk under the EU MDR, and the requirements may differ depending on the intended use and regulatory pathway.

This interplay means regulatory professionals must carefully map obligations across both frameworks. Not all AI-enabled devices classified as high-risk under the EU MDR will be high-risk under the EU AI Act unless they meet specific conditions (such as being listed in Annex I or III of the act and undergoing notified body review), as shown in Figure 4. Conversely, some high-risk AI systems designated by the EU AI Act may not trigger the highest EU MDR classification or may not require the same conformity assessment process. For regulatory professionals, this makes careful mapping essential: each system must be assessed under both frameworks, with obligations aligned but not assumed to be identical merely because the term high‑risk appears in both frameworks.

Convergence and divergence: EU AI Act and EU MDR

It is clear that the EU AI Act and the EU MDR are best understood as complementary rather than contradictory. At a high level, both the EU MDR and the EU AI Act are built on the same foundation: they aim to protect patients and users by ensuring that products and systems are safe, perform as intended, and are controlled throughout their lifecycle. For AI‑enabled medical devices, this means the EU AI Act does not replace the EU MDR but adds an extra regulatory layer that must be integrated into an already familiar framework. The result is a convergent structure with important points of divergence that regulatory professionals must understand and manage in a coordinated way (Figure 5).

Convergence: Shared foundations

Both the EU MDR and the EU AI Act follow a risk‑based approach, rely on CE marking, and require structured conformity assessment, technical documentation, and post‑market surveillance. Article 11(2) of the EU AI Act explicitly recognizes this alignment by allowing manufacturers of products covered by European Union harmonization legislation in Annex I (including the EU MDR) to prepare a single set of technical documentation and, by extension, a single declaration of conformity that demonstrates compliance with both frameworks.​¹⁶ At the level of core obligations, there is substantial overlap. Both frameworks require:

• A documented quality management system, including design and change control, verification and validation, and control of suppliers and data;
• A lifecycle risk management process covering identification, evaluation, reduction, and monitoring of risks, with continuous, iterative review;
• Technical documentation that explains design, intended purpose, performance, risk controls, and benefit-risk rationale in a way that can be assessed by notified bodies and competent authorities; and
• Postmarket surveillance and vigilance procedures to actively collect and assess performance and incident data, triggering corrective and preventive actions when needed.​

Section II of the MDCG 2025‑6¹³ explicitly encourages manufacturers to integrate EU AI Act requirements into their existing EU MDR quality management, risk management, and documentation structures rather than building separate systems. This enables a unified compliance approach, allowing manufacturers to build one coherent regulatory spine rather than two parallel systems.¹³ AI‑specific topics, such as accuracy, robustness, and cybersecurity (Article 15 of the EU AI Act), can be embedded into existing EU MDR processes for design control, validation, and vigilance. Likewise, new obligations on logging, oversight, and data management can be addressed by extending existing quality management systems and postmarket surveillance (PMS) mechanisms, rather than creating entirely new structures.

Divergence: Additional AI‑specific obligations¹⁶

Despite this shared regulatory spine, the EU AI Act introduces additional obligations beyond the traditional medical device paradigm that must be explicitly addressed for high‑risk AI systems.

Data and data governance (Article 10 EU AI Act). The EU MDR focuses on clinical evidence and performance data, but does not prescribe in detail how training, validation, and test data for algorithms must be governed. By contrast, Article 10 of the EU AI Act requires structured data governance and management practices, including documented design choices, data collection methods, bias prevention, dataset representativeness and completeness, and alignment with other EU data laws, such as the GDPR.​

Record‑keeping and automatic logging (Article 12). The EU AI Act requires high‑risk AI systems to implement logging capabilities that automatically record relevant events throughout the system’s lifecycle to support traceability, incident investigation, and postmarket monitoring. The EU MDR requires PMS and vigilance but does not mandate AI‑specific automatic logging at this level of granularity.​

Expanded risk management and fundamental rights (Article 9). Under the EU MDR, risk management focuses on health and safety and on ensuring that residual risks are acceptable when weighed against benefits. Article 9 of the EU AI Act expands this scope to require a risk management system that also considers risks to fundamental rights, including discrimination and undue bias, and obliges providers to eliminate or reduce these risks to the extent technically feasible, not only to the extent possible under traditional medical‑device criteria.​

Transparency and human oversight (Articles 13 and 14). The EU MDR focuses on labeling, instructions for use, and essential performance information for users. The EU AI Act adds explicit obligations to ensure that users (deployers) understand that they are interacting with AI, can understand the system’s intended purpose, limitations, and conditions of use, and are able to exercise meaningful human oversight. MDCG 2025‑6 emphasizes that explainability and human control become central design and documentation elements for medical device AI under this combined framework.​

Accuracy, robustness, and cybersecurity (Article 15). While the EU MDR already requires manufacturers to address performance, reliability, and information security, Article 15 of the EU AI Act introduces AI‑specific expectations for accuracy, robustness, and cybersecurity across the lifecycle. This includes resilience against errors, misuse, data poisoning, adversarial manipulation, and degradation over time, considering both the AI model and datasets as well as the device’s context.​

Registration and databases (Articles 49 and 60s). Under the EU MDR, device registration, certificates, and relevant economic operators are recorded in EUDAMED. The EU AI Act supplements this with an EU AI database for certain high‑risk AI systems (notably those listed in Annex III), increasing transparency on AI providers, system types, and risk classification. For some AI‑enabled technologies, this may result in obligations under both EUDAMED and the AI database, depending on how the system is classified.​

Practical implications for manufacturers

For manufacturers of AI‑enabled medical devices, convergence offers an opportunity to streamline compliance by establishing one integrated system that satisfies both legal acts, using Article 11(2) of the EU AI Act to justify a unified technical documentation set and declaration. However, the divergence means that existing EU MDR systems must be expanded to address new obligations rather than simply reused.

Timeline for enforcement and compliance

Having outlined how AI systems are classified and how regulatory requirements align with those categories, the next consideration is timing. Obligations do not take effect simultaneously. Instead, they surface in stages, with each stage bringing a different set of duties into effect (Figure 6). Under Article 113 of the EU AI Act, the regulation applies from 2 August 2026, with most substantive obligations for high‑risk AI systems beginning on that date. However, the regime enters into force in stages: certain general provisions and prohibitions apply earlier, and the rules for different categories of high‑risk AI systems come into effect at different times.

For manufacturers, a critical distinction lies between systems captured under Annex I (AI in products regulated by European Union harmonization legislation, such as the EU MDR and EU IVDR) and Annex III (stand‑alone high‑risk use cases), as elucidated in Article 113 of the EU AI Act. High‑risk AI systems falling under Annex III must comply from 2 August 2026, whereas high‑risk AI systems that are safety components of, or are themselves, medical devices or IVDs under Annex I must comply from 2 August 2027. Manufacturers that assume the later deadline without verifying whether any of their AI functions fall within Annex III risk entering the compliance period already non‑compliant.¹⁶

Conclusion

As this first article in the series concludes, one message is clear: the EU MDR/IVDR and the EU AI Act are not competing frameworks but complementary layers of a single regulatory system. Together, they reshape how risk, safety, and accountability are understood for AI-enabled medical technologies, extending attention from static devices to adaptive algorithms, data governance, and human oversight across the lifecycle. Rather than signaling a crisis, this evolution reflects the EU’s effort to keep regulatory practice aligned with rapidly changing technological capabilities.​

For regulatory and quality professionals, the focus now shifts from understanding what the EU AI Act means to operationalizing it within existing structures. This article has examined scope, classification, and the conceptual interplay between the EU MDR and the AI Act, using examples to illustrate where boundaries blur and where obligations clearly diverge. The second article in this series will transition from principles to practice, exploring how existing international and European standards, combined with current EU MDR processes, can be leveraged to meet the AI Act's requirements for risk management, data governance, transparency, and postmarket governance.

EU AI Act, EU Artificial Intelligence Act; EU IVDR, EU In Vitro Diagnostic Regulation; EU MDR, EU Medical Devices Regulation; EUDAMED, European Database on Medical Devices; GDPR, General Data Protection Regulation [EU]; MDCG, Medical Device Coordination Group; NLF, New Legislative Framework [EU]; PMS, postmarket surveillance.

Geethapriya (Priya) Setty, MS, MBA, RAC, PMP, is a manager of global regulatory affairs at Hologic, specializing in regulatory strategy, regulatory intelligence, and digital health/AI compliance for high‑risk devices. She has more than eight years of regulatory affairs experience and over twenty years in healthcare, including prior work as a pediatric occupational therapist. Setty holds an MS from the University of Mumbai, India, and an MBA from St. Thomas University, Minnesota. She is a member of RAPS and board member of the Southern California Local Networking Group. She holds the RAC-Devices and can be reached at [email protected]

Attrayee Chakraborty, MS, MSc, CQSP, is a quality systems engineer at Analog Devices. She has experience in quality systems and regulatory affairs in medical devices, with a focus on quality management systems and AI regulation. Chakraborty has a Master of Science degree in Regulatory Affairs from Northeastern University, a Master of Science degree from the University of Calcutta, India, and holds the Certified Quality Systems Professional certification. She is a RAPS member and recipient of the RAPS Rising Star Award (2025). She can be reached at [email protected]

Disclaimer This article represents the views and opinions solely of the authors and does not constitute, nor should it be construed as, legal or professional advice. The authors’ affiliation with any companies does not imply any endorsement, sponsorship, or responsibility by these entities for the content herein.  

Acknowledgment This article was adapted from a presentation by the authors at the 2025 Convergence in Pittsburgh, PA, from 7-9 October. The authors thank John Brandstetter, Cécile van der Heijden, Aleksandr Tiulkanov, Jay Vaishnav, Sean Smith, Rita Ahmed, and Sue Dahlquist for editorial support and feedback during the development stages of the original presentation and this article.

Citation Chakraborty A, Setty G. Navigating convergence and divergence between the EU MDR and EU AI Act. RAPS Journal of Regulatory Affairs. 2026;1(2):4-17. Published online 6 March 2026. https://www.raps.org/resource/navigating-convergence-and-divergence-between-the.html

All references were last checked and verified on 16 February 2026.

1. Xu Y, et al. Artificial intelligence: a powerful paradigm for scientific research. Innovation. Published 28 October 2021. Accessed 15 December 2025. https://doi.org/10.1016/j.xinn.2021.100179
2. Silcox C, et al. The potential for artificial intelligence to transform healthcare: Perspectives from international health leaders. NPJ Digit Med. Published 9 April 2024. Accessed 15 December 2025. https://www.nature.com/articles/s41746-024-01097-6
3. Chustecki M. Benefits and risks of AI in health care: Narrative review. Interact J Med Res. Published 18 November 2024. Accessed 15 December 2025. https://pmc.ncbi.nlm.nih.gov/articles/PMC11612599
4. Rajkomar A, et al. ensuring fairness in machine learning to advance health equityNat Med. Published 8 April 2024. Accessed 15 December 2025. https://pubmed.ncbi.nlm.nih.gov/30508424/
5. Liu J. ChatGPT: Perspectives from human-computer interaction and psychology. Front Artif Intell. Published 18 June 2024. Accessed 15 December 2025. https://pmc.ncbi.nlm.nih.gov/articles/PMC11217544/
6. Aboy M, et al. Navigating the EU AI Act: Implications for regulated digital medical products. NPJ Digit Med. Published 6 September 2024. Accessed 15 December 2025. https://www.nature.com/articles/s41746-024-01232-3
7. European Commission. New legislative framework. Not dated. Accessed 15 December 2025. https://single-market-economy.ec.europa.eu/single-market/goods/new-legislative-framework_en
8. Hacker P. The AI Act between digital and sectoral regulations. Bertelsmann Stiftung. Published December 2024. Accessed 14 December 2025. https://www.bertelsmann-stiftung.de/fileadmin/files/user_upload/The_AI_Act_between_Digital_and_Sectoral_Regulations__2024_en.pdf
9. Craven, J. Convergence: Rebuilding public trust in science with empathy, transparency. Regulatory Focus. Published 6 October 2025. Accessed 15 December 2025. https://www.raps.org/news-and-articles/news-articles/2025/10/2025-convergence-plenary
10. Food and Drug Administration. Factors to consider when making benefit-risk determinations in medical device premarket approval and de novo classifications. Issued 30 August 2019. Accessed 15 December 2025. https://www.fda.gov/media/99769/download
11. Abulibdeh R, et al. The illusion of safety: A report to the FDA on AI healthcare product approvals. PLOS Digit Health. Published 5 June 2025. Accessed 15 December 2025. https://pmc.ncbi.nlm.nih.gov/articles/PMC12140231/
12. European Commission. AI Act. Not dated. Accessed 15 December 2025. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
13. AIB 2025-1 – MDCG 2025-6 – Interplay between the Medical Devices Regulation (MDR) & In vitro Diagnostic Medical Devices Regulation (IVDR) and the Artificial Intelligence Act (AIA) [guidance]. Dated June 2025. Accessed 15 December 2025. https://health.ec.europa.eu/document/download/b78a17d7-e3cd-4943-851d-e02a2f22bbb4_en?filename=mdcg_2025-6_en.pdf
14. Future of Life Institute. Historic timeline. Not dated. Accessed 15 December 2025. https://artificialintelligenceact.eu/developments/
15. European Parliament. EU AI Act: First regulation on artificial intelligence. Published 8 June 2023. Accessed 15 December 2025. https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence
16. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act). Accessed 15 December 2025. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689
17. Renner C, et al. The EU AI Act is here – With extraterritorial reach. Morgan Lewis. Published 26 July 2024. Accessed 15 December 2025. https://www.morganlewis.com/pubs/2024/07/the-eu-artificial-intelligence-act-is-here-with-extraterritorial-reach
18. Moore L, et al. A practical guide to the extraterritorial reach of the AI Act. William Fry. Dated 23 July 2024. Accessed 15 December 2025. https://www.williamfry.com/knowledge/a-practical-guide-to-the-extraterritorial-reach-of-the-ai-act/
19. Data Europa Academy. Next steps to compliance: Preparing for the EU AI Act [webinar slides]. Dated 18 July 2025. Accessed 15 December 2025. https://data.europa.eu/sites/default/files/course/webinar-ai-act-slides.pdf

Related assets