PowerQuantEUSend your AI questionnaire

AI is used in healthcare for diagnostics, triage, decision support and image analysis. The EU AI Act (Regulation (EU) 2024/1689) has a particular interplay here with sector-specific product legislation for medical devices. The Regulation applies directly; no separate national implementing law is required for the AI Act itself.

Interplay with Annex I product legislation

Annex I to the AI Act covers sector-specific product legislation. Many medical devices already fall under such harmonised product legislation with their own conformity assessment procedures. When an AI system constitutes or is a component of such a product, the interplay arises between the AI Act's high-risk requirements and the existing sectoral legislation.

This means that medical AI is not assessed in isolation against the AI Act, but in conjunction with the product legislation that already regulates the product.

The sectoral procedure in Article 43(3)

Conformity assessment is governed by Article 43. For high-risk systems covered by certain sectoral legislation in Annex I, Article 43(3) means that the conformity assessment is integrated into the procedure that already applies under the sectoral legislation. The aim is to avoid duplicated procedures and instead have the AI requirements examined within the existing product procedure.

For healthcare and medical technology actors it is therefore central to understand how their own system positions itself in relation to Annex I.

Roles: provider and deployer

The Regulation distinguishes between provider and deployer. A manufacturer of medical AI is typically a provider, while a healthcare provider using a purchased system is a deployer. Article 25 can, however, reclassify a deployer as a provider, for example in the case of a substantial modification or applying its own name.

The obligations for deployers are set out in Article 26 and include, among other things, following the provider's instructions for use, ensuring human oversight and monitoring operation.

Human oversight under Article 14

Article 14 requires that high-risk systems be designed so that they can be subject to effective human oversight during use. Within diagnostics and triage this is particularly relevant: the system must be capable of being monitored and, where necessary, overridden by competent personnel, and the oversight person must be able to understand the system's capacity and limitations, interpret the output correctly and decline, override or interrupt its use.

For deployers in healthcare this means that procedures, competence and staffing for oversight need to be in place, not just technical functionality.

Timeline

  • 2 February 2025: Article 4 (AI literacy) and Article 5 (prohibited practices) in force.
  • 2 August 2026: Article 50 (transparency) applies. The Annex III obligations for deployers apply from this date under the original timeline.
  • 2 December 2027: Proposed deferral of the Annex III obligations via the Digital Omnibus (approved by the European Parliament on 16 June 2026; the Council awaits OJ publication). This is a Digital Omnibus proposal and is not yet in force.

Penalties

Under Article 99, prohibited practices under Article 5 can result in fines of up to EUR 35 million or 7 % of global annual turnover. Infringements of, among other things, high-risk obligations and Article 50 can result in up to EUR 15 million or 3 %. Incorrect information can result in up to EUR 7.5 million or 1 %.

Before procurement

  • Clarify whether the AI system falls under sectoral legislation in Annex I.
  • Investigate how Article 43(3) affects the conformity assessment procedure.
  • Establish your role: deployer or provider - and monitor Article 25.
  • Ensure procedures and competence for human oversight under Article 14.
  • Request the provider's documentation ahead of Article 26 compliance.

This page is general information about the AI Act and does not constitute legal advice.