EU AI Act for Medical Devices: August 2028 Deadline and MDR Dual Compliance Strategy
EU AI Act Omnibus extends medical device AI compliance to August 2, 2028. Dual MDR strategy, data governance, human oversight, tech doc integration, and preparation timeline.
Medical Device AI Now Has Until August 2028 — But the Clock Is Already Running
On May 7, 2026, EU co-legislators reached a provisional political agreement on the Digital Omnibus on AI, amending the EU AI Act (Regulation 2024/1689) with significant timeline relief for medical device manufacturers. Under the confirmed deal, high-risk AI systems embedded in products regulated under Annex I of the AI Act — including medical devices and IVDs under the MDR and IVDR — now have until August 2, 2028 to comply with the Act's full high-risk obligations.
This is a 12-month extension from the original August 2027 deadline for product-embedded AI. Stand-alone high-risk AI systems under Annex III (biometrics, employment, education, and other use-case-based categories) have a separate deadline of December 2, 2027.
The agreement has been endorsed by Member State representatives in the Council, and formal adoption is expected before August 2, 2026. The European Commission's Digital Strategy portal now lists the revised timeline as the operative planning baseline.
But "breathing room" is not the same as "do nothing." Medical device manufacturers with AI-enabled products face a dual compliance framework: the MDR/IVDR requirements they already know, plus the AI Act's additional obligations on data governance, transparency, human oversight, and algorithmic robustness. Integrating both into a single technical file and quality management system is a substantial engineering and documentation effort.
What Changed: From the Original AI Act to the Omnibus Deal
Original Timeline
When the AI Act entered into force on August 1, 2024, it established phased compliance deadlines:
- February 2, 2025: Prohibitions on unacceptable-risk AI practices and AI literacy obligations became enforceable
- August 2, 2025: Obligations for general-purpose AI (GPAI) models became applicable
- August 2, 2026: High-risk AI obligations were scheduled to apply across the board
- August 2, 2027: Product-embedded high-risk AI (medical devices, machinery, vehicles) was to comply
What the Omnibus Changed
The Digital Omnibus on AI, agreed in trilogue on May 7, 2026, replaced the original fixed deadlines for high-risk AI with later dates:
| AI System Category | Original Deadline | New Deadline |
|---|---|---|
| Stand-alone Annex III high-risk (biometrics, employment, education, law enforcement) | August 2, 2026 | December 2, 2027 |
| Product-embedded Annex I high-risk (medical devices, machinery, lifts, toys) | August 2, 2027 | August 2, 2028 |
| Generative AI transparency (Article 50(2)) for systems placed on market before August 2026 | August 2, 2026 | December 2, 2026 |
The reason for the extension: many of the harmonized standards needed to operationalize the AI Act's high-risk requirements were still under development. The first relevant standard — prEN 18286, covering quality management systems — entered public enquiry in October 2025, eight months behind schedule.
Key Substantive Changes for Medical Devices
Beyond timeline relief, the Omnibus introduced two structural changes relevant to medical device manufacturers:
Delegated acts for redundancy removal: The European Commission gained authority to adopt delegated acts that can exempt specific AI Act high-risk requirements for medical devices if the MDR or IVDR already mandates equivalent standards. This creates a legal pathway to eliminate duplicative compliance obligations.
Tightened "safety component" definition: The agreement clarified that AI systems that only assist users or optimize performance do not automatically face high-risk obligations if their failure does not create health or safety risks. This may reduce the scope of AI features that qualify as high-risk components.
Why Medical Devices Are High-Risk Under the AI Act
The AI Act classifies AI systems using a risk-based approach. AI-enabled medical devices fall into the highest tier of permitted AI: high-risk, under Article 6(1) and Annex I.
The classification is automatic. An AI system is high-risk if it is itself a product, or a safety component of a product, that is subject to EU harmonisation legislation, including the MDR (2017/745) and IVDR (2017/746), and that requires third-party conformity assessment (Notified Body involvement).
In practice, this covers:
- AI diagnostic imaging software that performs clinical analysis (SaMD, typically Class IIa and above)
- AI algorithms embedded in medical devices that influence treatment decisions
- AI-powered IVD analysis software
- Clinical decision support tools that meet the definition of a medical device
- Safety components of medical devices that use AI for monitoring or alerting
AI features that are purely administrative (scheduling, billing, workflow optimization) and do not affect device safety or performance are not high-risk.
Dual Compliance: MDR/IVDR Plus AI Act
Medical device manufacturers with high-risk AI face two regulatory frameworks simultaneously. The MDCG published guidance in 2025 (MDCG 2025-6) addressing the interplay between the AI Act and MDR/IVDR. The key principle: the AI Act complements the MDR/IVDR; it does not replace it.
Where the Frameworks Overlap
The MDCG guidance identifies five areas where MDR/IVDR and AI Act obligations converge:
| Compliance Area | MDR/IVDR Requirements | AI Act Requirements |
|---|---|---|
| Quality Management | ISO 13485 QMS (now aligned with FDA QMSR) | AI-specific QMS (Article 17) covering data governance, bias mitigation, and model monitoring |
| Risk Management | ISO 14971 risk management file | AI-specific risk management system (Article 9) including algorithmic bias, model drift, and adversarial threats |
| Data Governance | Clinical data requirements per MDR Article 61 | Training, validation, and testing data quality and representativeness (Article 10) |
| Technical Documentation | MDR Annex II/III technical file | AI Act Annex IV documentation including training methodology, model validation, and performance characteristics |
| Transparency and Human Oversight | Labeling and IFU requirements per MDR Article 10(10-11) | Human override capability, confidence thresholds, and explicit AI limitations disclosure (Articles 13-14) |
The Integration Strategy
Rather than maintaining separate documentation for each framework, manufacturers should create unified technical files. King & Spalding's analysis of MDCG 2025-6 identifies the approach: risk analyses under ISO 14971 should include AI failure modes, and the clinical evaluation report should address AI data quality and robustness.
Biot-Med, a regulatory consultancy, recommends a practical workflow:
- Build a requirements grid cross-referencing MDR Annex I with AI Act Annex I and Annex IV
- Integrate AI-specific risk management into existing ISO 14971 processes
- Document data governance (training data provenance, bias testing, validation methodology) as an extension of the existing technical file
- Design human oversight features into the product and document them in the IFU
Six Technical Requirements for AI-Enabled Medical Devices
1. Risk Management System (AI Act Article 9)
The AI Act requires a dedicated risk management process that identifies, evaluates, and mitigates risks specific to AI systems. This is documented separately from, but integrated with, ISO 14971.
Key elements:
- Identification of known and foreseeable risks arising from the AI system
- Estimation and evaluation of risks when the system is used as intended
- Risk mitigation through design, development, and post-market monitoring
- Testing to verify that residual risks are acceptable
For medical device manufacturers, this means extending the existing risk management file to include AI-specific failure modes: algorithmic bias, model degradation over time, adversarial inputs, and data distribution shifts.
2. Data Governance (AI Act Article 10)
Data governance is the compliance area most underestimated by medical device teams. The AI Act requires that training, validation, and testing datasets be:
- Relevant, sufficiently representative, and as free of errors as possible
- Assessed against demographic and geographic representativeness criteria
- Documented with provenance, labeling methodology, and data quality controls
This goes beyond MDR's clinical data requirements, which focus on clinical evidence and performance, to address the data engineering practices behind the AI model.
3. Technical Documentation (AI Act Article 11, Annex IV)
The AI Act requires comprehensive technical documentation that includes:
- Description of the AI system's purpose and design
- Training methodology, including data selection and preprocessing
- Model validation approach and performance characteristics
- Known limitations and failure modes
- Post-market monitoring plan
This documentation should be integrated into the existing MDR technical file, not maintained as a separate document.
4. Transparency and IFU Requirements (AI Act Article 13)
The AI Act requires that users be provided with clear information about:
- The AI system's intended purpose and capabilities
- Accuracy metrics and performance characteristics
- Known limitations and circumstances under which human oversight is required
- The level of confidence in the AI system's predictions
For medical device manufacturers, this translates to extended IFU content and in-device transparency features (confidence scores, explanation interfaces, and alert mechanisms).
5. Human Oversight (AI Act Article 14)
High-risk AI systems must be designed so that humans can effectively oversee their operation. Overseers must be able to:
- Override or reverse AI outputs at any time
- Receive alerts when the system detects low confidence or anomalous inputs
- Understand the system's decision logic at a level appropriate to the clinical context
Product requirements should include an override function, confidence threshold displays, and mechanisms to prevent automation bias.
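The product requirements above can be sketched as a small oversight gate. This is an added example, not code from any cited source or device. The threshold, input range, class names and sample case are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

CONFIDENCE_FLOOR = 0.85   # assumed threshold; derive the real one from validation data
INPUT_RANGE = (0.0, 1.0)  # assumed valid range for normalised input features

@dataclass
class Finding:
    case_id: str
    ai_label: str
    confidence: float
    alerts: list = field(default_factory=list)
    final_label: Optional[str] = None   # stays None until a clinician decides
    decided_by: Optional[str] = None

@dataclass
class OversightGate:
    audit_log: list = field(default_factory=list)

    def _log(self, event, f, actor):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "event": event,
            "case": f.case_id, "actor": actor,
            "ai_label": f.ai_label, "final_label": f.final_label,
        })

    def triage(self, case_id, ai_label, confidence, features):
        """Wrap a model output as a suggestion and attach oversight alerts."""
        f = Finding(case_id, ai_label, confidence)
        if confidence < CONFIDENCE_FLOOR:
            f.alerts.append("low_confidence")
        lo, hi = INPUT_RANGE
        # NaN fails both comparisons, so it is flagged as anomalous too.
        if any(not (lo <= x <= hi) for x in features):
            f.alerts.append("anomalous_input")
        self._log("ai_output", f, actor="model")
        return f

    def decide(self, f, clinician, label):
        """Record the clinician's decision; callable again to reverse it."""
        action = "accepted" if label == f.ai_label else "overridden"
        f.final_label, f.decided_by = label, clinician
        self._log(action, f, actor=clinician)
        return action

# Constructed sample case: low confidence plus one out-of-range feature.
gate = OversightGate()
sample = gate.triage("case-001", "malignant", 0.62, [0.20, 1.70])
```

The model output is never finalised on its own, and every accept, override or reversal lands in the audit log, which is the record a reviewer would ask for when assessing automation bias.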
6. Accuracy, Robustness, and Cybersecurity (AI Act Article 15)
AI systems must demonstrate:
- Appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle
- Resilience to errors, faults, and adversarial inputs
- Protection against unauthorized modifications
For connected medical devices, this integrates with existing cybersecurity requirements under FDA Section 524B and the EU Cyber Resilience Act.
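One way to make "protection against unauthorized modifications" checkable is to verify the released model and dataset index against an authenticated manifest before loading them. This is an added example, not taken from the Act or any cited source. The file names, key and byte contents are constructed, and HMAC with a shared key stands in for the asymmetric signature a fielded device would normally verify.

```python
import hashlib
import hmac
import json

def _canonical(digests: dict) -> bytes:
    # Stable byte encoding so the tag does not depend on key order or spacing.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(artifacts: dict, key: bytes) -> dict:
    """artifacts maps name -> bytes; returns SHA-256 digests plus an HMAC tag."""
    digests = {n: hashlib.sha256(b).hexdigest() for n, b in artifacts.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}

def verify(artifacts: dict, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the set matches the release."""
    expected = hmac.new(key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    # Check the manifest itself first: a forged manifest makes digest checks meaningless.
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest tag invalid"]
    problems = []
    for name, digest in sorted(manifest["digests"].items()):
        blob = artifacts.get(name)
        if blob is None:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(blob).hexdigest() != digest:
            problems.append(f"modified: {name}")
    # Files present on the device but absent from the release are also a finding.
    problems += [f"unlisted: {n}" for n in sorted(artifacts) if n not in manifest["digests"]]
    return problems

# Constructed release contents and key (placeholders, not real artifacts).
DEMO_KEY = b"constructed-demo-key"
RELEASED = {
    "model.onnx": b"weights-v1",
    "train_index.csv": b"record_id,site\n1,A\n2,B\n",
}
MANIFEST = build_manifest(RELEASED, DEMO_KEY)
```

Refusing to load when `verify` returns anything, and logging the returned list, gives post-market monitoring a concrete integrity event to track.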
Preparation Timeline: 26 Months to August 2028
With the confirmed August 2, 2028, deadline, manufacturers have approximately 26 months from June 2026. A phased preparation approach:
Months 1–6 (June–December 2026): Scope and Map
- Audit your portfolio to identify all AI-enabled devices and features
- Classify each against the AI Act's high-risk criteria
- Build a requirements grid cross-referencing MDR and AI Act obligations
- Catalogue all training, validation, and testing datasets
Months 7–12 (January–June 2027): Data Governance and QMS
- Document data provenance, labeling methodology, and bias testing
- Integrate AI-specific risk management into ISO 14971 processes
- Expand QMS to cover AI data governance and model monitoring
- Begin technical documentation updates
Months 13–18 (July–December 2027): Technical Documentation
- Complete integrated technical files covering both MDR and AI Act Annex IV
- Design and document human oversight features
- Conduct robustness and adversarial testing
- Draft extended IFU content covering AI transparency requirements
Months 19–24 (January–June 2028): Conformity Assessment Preparation
- Engage Notified Body for dual MDR/AI Act assessment
- Submit updated technical documentation
- Conduct internal readiness review
- Register in the EU AI database (once operational)
Months 25–26 (July–August 2028): Market Compliance
- Complete conformity assessment
- Issue EU Declaration of Conformity covering both MDR and AI Act
- Apply CE marking with AI Act compliance
- Implement post-market monitoring for AI performance and bias drift
Penalties for Non-Compliance
The AI Act imposes significant penalties:
- Up to €35 million or 7% of global annual turnover for prohibited AI violations
- Up to €15 million or 3% of global annual turnover for high-risk AI non-compliance
- Up to €7.5 million or 1% of turnover for supplying incorrect information
For medical device manufacturers, the penalties apply on top of MDR enforcement actions by national competent authorities.
What About MDR Revision?
The European Commission has proposed broader reforms to the MDR and IVDR (sometimes called "MDR 2.0") that could further change the regulatory landscape. Under Article 2(2) of the AI Act, if medical device legislation is moved from the AI Act's Annex I (Section A) to a future revised product legislation category (Section B), the AI Act's substantive high-risk obligations could cease to apply directly to medical AI, with the MDR/IVDR becoming the sole framework.
However, the MDR revision is a separate legislative process with its own timeline. The August 2028 deadline under the current AI Act is the operative compliance date. Manufacturers should prepare for dual compliance while monitoring the MDR revision process.
Sources
- European Commission, Digital Strategy, "AI Act: Regulatory Framework," updated 2026.
- Gibson Dunn, "EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes," May 2026.
- RAPS, "EU Commission Drafts Guidelines on Classifying High-Risk Systems Under the AI Act," June 2026.
- MDCG 2025-6, "Interplay Between the Medical Devices Regulation and the AI Act," 2025.
- MDx CRO, "EU AI Act and Medical Devices: What SaMD Developers Need to Know," March 2026.
- IntuitionLabs, "EU AI Act High-Risk Compliance: Pharma & Medical Devices," 2026.
- DataArt, "EU AI Act for Medical Devices: Translating Rules into Product Requirements," 2026.
- Biot-Med, "EU AI Act + MDR Compliance Guide for AI-Enabled Medical Devices," 2026.
- Tandem Health, "EU AI Act Explained: What Healthcare Organisations Need to Know," 2026.
- Specculo, "AI Act Omnibus: What HRAI Delay Means for Medical Device Manufacturers," 2026.
- MD+DI, "EU AI Act Compliance: What Companies Need to Know About Penalties," June 2026.