EU AI Act High-Risk Classification Guidelines for Medical Device Manufacturers

Why the High-Risk Classification Guidelines Matter Now

On May 19, 2026, the European Commission published three companion documents forming the long-anticipated Draft Commission Guidelines on the classification of high-risk AI systems under Article 6 of the EU AI Act (Regulation EU 2024/1689). The guidelines address the single most consequential classification question manufacturers face: when does an AI system fall inside the high-risk regime, and when does it stay outside?

For medical device manufacturers, this question is not theoretical. AI-powered diagnostic software, AI-integrated surgical systems, and AI-based IVD interpretation engines are all subject to classification decisions that determine whether they must comply with the AI Act's full high-risk requirements — including data governance, technical documentation, human oversight, and conformity assessment — on top of their existing MDR or IVDR obligations.

The guidelines arrive at a critical moment. The consultation closes on June 23, 2026, giving stakeholders roughly five weeks to submit feedback. The Omnibus amendment reached provisional agreement on May 7, 2026, revising compliance deadlines. And the guidelines themselves contain interpretive positions that will shape how manufacturers document their AI classification decisions for years to come.

The Two Paths to High-Risk Classification

Article 6 of the AI Act establishes two independent routes through which an AI system can be classified as high-risk. The draft guidelines address both, with separate companion documents for each path.

Path 1: Article 6(1) — The Product Safety Route (Annex I)

An AI system is classified as high-risk under Article 6(1) when two conditions are both met:

1. The AI system is intended to be used as a safety component of a product, or the AI system itself is a product, covered by EU harmonisation legislation listed in Annex I of the AI Act. The MDR (Regulation 2017/745) and IVDR (Regulation 2017/746) are both listed in Annex I.
2. The product (or the AI system as a product) is required to undergo third-party conformity assessment — meaning Notified Body involvement — before being placed on the market.

For medical devices, this means:

• Class IIa, IIb, and III medical devices under MDR that incorporate AI are automatically high-risk under Article 6(1), because they require Notified Body conformity assessment
• Class B, C, and D IVDs under IVDR that incorporate AI are similarly captured
• Class I medical devices that are self-certified (no Notified Body) generally fall outside this path — unless they use AI as a safety component in a way that triggers another Annex I regulation

The guidelines provide practical examples to illustrate the boundary. For instance, an AI algorithm that analyzes diagnostic imaging scans and produces clinical interpretations qualifies as a medical device under MDR and, if it requires Notified Body review (Class IIa or above), is automatically high-risk. An AI module that controls dosing in an infusion pump serves as a safety component of a Class II or III device and is likewise captured.

Path 2: Article 6(2) — The Use-Case Route (Annex III)

An AI system is classified as high-risk under Article 6(2) when it falls within one of the eight use-case categories listed in Annex III of the AI Act, regardless of whether it is also a regulated product.

The eight Annex III categories are:

1. Biometrics
2. Critical infrastructure
3. Education and vocational training
4. Employment, workers' management, and access to self-employment
5. Access to and enjoyment of essential private services and essential public services and benefits
6. Law enforcement
7. Migration, asylum, and border control management
8. Access to and enjoyment of essential public services and benefits — including assistance in emergency situations

For medical device manufacturers, Annex III is relevant primarily when AI components serve functions that go beyond the medical device's primary intended use — for example, AI that processes biometric data for patient identification, or AI used in critical infrastructure management.

However, the guidelines clarify that medical devices using AI that also fall within Annex III categories could be subject to obligations under both paths. This dual coverage is a key area where the guidelines provide interpretive guidance.

Key Clarifications in the Draft Guidelines

Not Everything Called "AI" Is an AI System

The guidelines emphasize a fundamental threshold question that many organizations overlook: before determining whether an AI system is high-risk, you must first determine whether it qualifies as an AI system under the Act's definition at all.

The draft guidance is explicit: the high-risk analysis is not triggered simply because a tool is automated, sophisticated, or marketed as AI. The system must meet the AI Act's definition — which requires machine learning, logic-based approaches, statistical methods, or other techniques that can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.

Rule-based software with no learning or adaptive component may fall outside the AI Act's scope entirely. This is particularly relevant for legacy medical device software that uses deterministic algorithms.

The "Complex Systems" Rule

One of the most consequential clarifications in the draft guidelines addresses a workaround that some manufacturers had been considering. The guidelines introduce a "complex systems" rule that prevents manufacturers from decomposing a clearly high-risk AI system into smaller sub-components and arguing that each individual component is not high-risk on its own.

This means that if an AI system, taken as a whole, performs a high-risk function, the classification applies to the system in its entirety — regardless of how its internal architecture is organized.

Article 6(3) — The Opt-Out Path

Article 6(3) allows providers of AI systems that fall under Annex III to argue that their system is not high-risk, despite being listed, if it does not pose a significant risk to health, safety, or fundamental rights. To exercise this opt-out, the provider must document the assessment before placing the system on the market.

The guidelines set a high bar for this documentation. The assessment must be specific, evidence-based, and available to market surveillance authorities upon request. Simply asserting that a system is low-risk without supporting evidence is insufficient.

For medical device manufacturers, this opt-out path is generally not applicable to AI that functions as part of a regulated medical device, because the Article 6(1) product safety route provides an independent (and mandatory) basis for high-risk classification.

Revised Compliance Timelines After the Omnibus Amendment

The May 7, 2026 Omnibus provisional agreement significantly revised the compliance deadlines for high-risk AI obligations. The revised timelines are:

For medical device manufacturers, the key takeaway is:

• AI in medical devices subject to Notified Body review has until August 2, 2028 to comply with high-risk AI obligations
• Standalone AI systems listed in Annex III that are not regulated medical devices must comply by December 2, 2027
• Transparency obligations (Article 50) remain in effect from August 2, 2025 — this includes requirements for AI systems that interact with humans or generate content

Some deadlines are conditional: certain provisions only take effect when harmonized standards are published and the EU AI database is operational. This conditional triggering means the actual compliance window could shift further if supporting infrastructure is not ready.

How This Intersects with MDR and IVDR

The Single Technical File Opportunity

The MDCG published Position Paper MDCG 2025-6 on the interplay between the AI Act and medical device regulations. The key principle is that where AI Act obligations overlap with MDR/IVDR requirements, manufacturers should document compliance through a single integrated technical file rather than maintaining separate documentation sets.

This applies to:

• Risk management: AI Act Article 9 requirements can be integrated into the ISO 14971 risk management file already required by MDR
• Quality management: AI Act Article 17 QMS requirements can be integrated into the ISO 13485 QMS
• Technical documentation: AI Act Article 11 documentation can be appended to the MDR technical file
• Post-market surveillance: AI Act Article 72 post-market monitoring can be integrated into the MDR PMS plan

Dual Registration Requirements

Medical device manufacturers with AI components face a dual registration obligation. Devices must be registered in EUDAMED under MDR. When the AI Act's EU database becomes operational, AI systems classified as high-risk must also be registered there. The draft guidelines note that the details of this dual registration process are still under development.

Notified Body Assessment

For high-risk AI in medical devices, the conformity assessment required under the AI Act will be combined with the conformity assessment already required under MDR/IVDR. This means Notified Bodies will assess both MDR compliance and AI Act compliance in a single assessment process. Notified Bodies are being designated under the AI Act to conduct these combined assessments.

Practical Steps Before the Consultation Deadline

1. Review the Draft Guidelines Against Your AI Portfolio

The guidelines contain worked examples for each classification scenario. Map every AI component in your medical device portfolio against the Article 6(1) and Article 6(2) criteria. Document the classification rationale for each.

2. Submit Feedback by June 23, 2026

The European Commission's targeted consultation is open until June 23, 2026, at 22:00 CET. Feedback can be submitted through the Commission's digital strategy consultation page. The consultation asks specifically about the clarity of the guidelines and the usefulness of the examples.

3. Prepare for August 2028 Compliance

Even though the deadline for medical device AI has been extended to August 2, 2028, the volume of work required — data governance documentation, bias testing, human oversight design, and technical file integration — warrants starting now. Companies that begin classification and gap analysis in 2026 will have a significant advantage over those that wait until 2027.

4. Integrate AI Act Documentation into MDR Processes

Rather than building a separate AI Act compliance program, embed AI-specific requirements into your existing MDR/IVDR quality management system, risk management process, and technical documentation structure. This is the approach recommended by both the MDCG position paper and industry observers.

5. Monitor Harmonized Standards Development

The first harmonized standard relevant to the AI Act — prEN 18286, covering quality management systems — entered public enquiry in October 2025, eight months behind schedule. Additional standards covering risk management, data quality, and technical documentation are still under development. The availability of these standards directly affects the compliance timeline.

Key Takeaways

• The European Commission published draft guidelines on May 19, 2026 clarifying how Article 6 high-risk classification works under the AI Act
• Medical devices that incorporate AI and require Notified Body review (Class IIa/IIb/III under MDR, Class B/C/D under IVDR) are automatically high-risk under Article 6(1)
• The Omnibus amendment extended the compliance deadline for medical device AI to August 2, 2028
• Standalone Annex III high-risk AI systems must comply by December 2, 2027
• The consultation on the guidelines closes June 23, 2026 — this is the window to provide feedback
• The guidelines clarify that not all automated software qualifies as AI under the Act, and rule-based systems may fall outside scope
• A "complex systems" rule prevents decomposing high-risk AI into smaller components to avoid classification
• Manufacturers should integrate AI Act compliance into existing MDR/IVDR processes rather than maintaining separate documentation