Artificial intelligence is becoming an increasingly visible part of healthcare, from diagnostic support and workflow automation to decision-support tools and patient monitoring. As these applications move from pilot projects into routine clinical use, the regulatory implications are becoming more significant for medical device manufacturers and their users.
The central question is no longer whether AI will be used in healthcare, but how to ensure that AI-enabled devices are developed, validated, and monitored in a way that meets the expectations of both regulators and notified bodies. In the EU and the US, that means understanding how AI fits within existing medical device frameworks, while also accounting for new and evolving requirements that reflect the specific risks of AI and machine learning.
In the EU, MDR and IVDR remain the foundation for placing AI-enabled medical devices on the market. That means the usual pillars will apply: intended purpose, classification, clinical evaluation or performance evaluation, risk management, software lifecycle control, cybersecurity, and post-market surveillance. The fact that the device includes AI raises the bar for how convincingly manufacturers demonstrate control over the system’s behaviour, especially when the model depends on data inputs, training datasets, and algorithmic updates.
In the current landscape, the TEAM-NB questionnaire on AI in medical devices is useful as a readiness tool because it forces teams to ask the right questions early. How was the model trained? What data was used? How was bias assessed? What validation supports the intended purpose? How are updates controlled? What is the monitoring plan once the device is in use? These are not theoretical questions. They are the kinds of issues that determine whether the technical documentation tells a coherent story about safety, performance, and control.
The AI Act adds another layer for high-risk AI-systems, which includes all medical devices/IVD’s that requires Notified Body assessment many AI-enabled medical devices. The key question is here how the AI Act’s requirements intersect with existing device obligations (see MDCG 2025-6). This is where implementation discipline matters when mapping AI-specific requirements onto the existing MDR/IVDR quality system, it can often build a more efficient and defensible dossier. In addition to the Team-NB questionnaire, topics like human oversight, ethical considerations and effects on the environment need to be incorporated.
The recent Digital Omnibus agreement gives medical device manufacturers some more room as the entry into force of the AI Act for medical devices is delayed by one year till 2 August 2028. Attempts to remove direct applicability of the AI Act for already regulated products (List A of Annex I) failed with the exception of the Machine Directive, keeping medical devices / IVD’s in full scope (See also the Team-NB post on the digital Omnibus agreement). If your AI medical device is already on the market before 2 August 2028, it does not need to comply with the obligations for Annex I high-risk AI systems as clarified in MDCG 2025-6 Question 31[i], unless significant changes are made to its design (note that the qualification of a significant change is not defined).
The US approach differs in structure but not in its underlying logic. The FDA has made clear that AI-enabled medical device software functions must be evaluated in a lifecycle context. That means regulators will look not only at premarket evidence, but also at how the manufacturer manages updates, performance drift, and ongoing safety and effectiveness.
One of the most important developments in the US is the growing emphasis on predetermined change control planning for AI-enabled functions. This is highly relevant for products that are expected to learn, adapt, or be updated after deployment. The practical message is that the FDA is not asking manufacturers to freeze innovation. It is asking them to define, in advance, the bounds within which innovation will occur. That includes the types of changes expected, the validation approach for those changes, and the controls that preserve safety and effectiveness.
In the United States, AI-enabled medical devices do not enter the market through a separate regulatory universe. They must fit within the FDA’s existing device classification and premarket pathways, which means that intended use, risk profile, and software function remain the starting point for regulatory analysis. The main FDA pathways are 510(k), De Novo, and PMA, with most AI-enabled devices fitting into the first two unless the risk profile is high.
For both regulatory regimes, medical device AI compliance is increasingly about demonstrating good data management, design discipline and change discipline. The submission must explain the intended use, the algorithmic role, the validation framework, the human factors considerations, and the post-market monitoring strategy in a way that makes the product understandable and manageable. The FDA is not necessarily asking the same questions as an EU notified body, but the core themes are familiar: traceability, evidence, risk control, and lifecycle accountability.
For organizations asking where to launch their product, the initial strategy would not differ too greatly. Regardless the path, it starts with defining the intended use and performance claims of the AI with precision. AI creates compliance ambiguity when teams are vague about what the device does, for whom, and under what conditions. A narrow and well-supported intended purpose makes classification, validation, and risk assessment much more manageable.
Secondly, the system architecture needs to be mapped out, and data dependencies identified. It is crucial to understand where the data comes from, how it is curated, whether it is used for training or inference, and how changes to inputs may affect outputs. This is foundational for both EU and US submissions. Thirdly, the lifecycle controls need to be built in. This includes design controls, verification and validation, cybersecurity, model monitoring, update management, and post-market surveillance. If these controls are not documented early, they tend to become expensive retrofit work later.
It is only at the fourth level where geographical differences come into play as evidence package across jurisdictions need to be identified and aligned if multiple markets are targeted. A good dual-market strategy does not mean writing two completely different technical files or submissions. It means developing one core evidence architecture and then tailoring it to the specific regulatory expectations of each region.
When looking at effort, timelines and costs, choosing a market to launch first could favour the US when there is a suitable predicate device. If no predicate is available, the differences between the EU and the US are much smaller and could even favour the EU as the US is stricter on using US data where the EU is more flexible as long as use of data from outside of the EU can be rationalized.
Once the CE mark or FDA approval is achieved, the door to the rest of the world will open as many countries have a quick market access for products carrying the CE mark or FDA approval. If you want to know more about registration of your AI medical device in the rest of the world, join our webinar on June 25.
[i] Corrected for the Digital Omnibus agreement.