Annex I & Annex III

EU AI Act Compliance for Healthcare AI

Healthcare AI sits across two different EU AI Act regimes with different deadlines. AI that is a safety component of a regulated medical device falls under Annex I with a 2027 compliance date. Administrative healthcare AI that affects patient access to services falls under Annex III with a 2026 date. Many healthcare AI teams are focused on only one of these — most commonly the medical device track — and miss obligations that apply to their administrative AI products.

Two tracks, two deadlines: Annex I (medical device AI) — 2 August 2027. Annex III (administrative health AI) — 2 August 2026. Both require the same Articles 9–15 compliance obligations, just on different timelines.

The Two Compliance Regimes for Healthcare

Annex I — Medical Device AI

Deadline: 2 August 2027

AI systems that are safety components of medical devices regulated under MDR (Regulation 2017/745) or in vitro diagnostic medical devices under IVDR (Regulation 2017/746).

  • AI-powered diagnostic imaging (radiology, pathology)
  • Continuous glucose monitors with AI interpretation
  • AI-assisted surgical systems
  • AI ECG analysis as a medical device feature

Note: The 2027 deadline provides an extra year, but the obligations are the same as Annex III. MDR already imposes significant quality system and documentation requirements — align AI Act documentation with your existing technical file.

Annex III — Administrative and Access AI

Deadline: 2 August 2026

AI systems used to determine patient access to care, prioritise limited healthcare resources, or make decisions about treatment pathways that are not safety components of medical devices.

  • Patient triage and appointment prioritisation
  • Hospital bed allocation systems
  • Clinical pathway recommendation tools (non-MDR)
  • Care eligibility and resource allocation AI

Note: This category is less well understood in the healthcare sector. Many healthcare AI teams assume the AI Act only applies to medical devices. Administrative AI that gates patient access to healthcare resources is within scope.

Core Obligations (Articles 9–15)

Both Annex I and Annex III healthcare AI must comply with Articles 9–15. Two articles are particularly demanding in the clinical context.

Art. 9: Risk management

Must be conducted and documented throughout the system's lifecycle. For clinical AI, this intersects with ISO 14971 (medical device risk management) but is not replaced by it. Document the relationship explicitly.

Art. 10: Data governance

Training data must be documented for representativeness across patient populations — including age, sex, ethnicity, comorbidity profiles, and healthcare setting. Clinical AI trained on data from specific healthcare systems may perform poorly for underrepresented populations.

Art. 11: Technical documentation

Full Annex IV documentation required. For medical device AI, align this with the Technical File or Design Dossier required under MDR to reduce duplication. The AI Act technical documentation is a separate legal document but can cross-reference MDR documents.

Art. 14: Human oversight

Clinicians using AI diagnostic or triage tools must be able to meaningfully review and override AI outputs. This has design implications: the system must present uncertainty estimates, flag low-confidence outputs, and provide the information clinicians need to exercise independent judgment.

Common Compliance Gaps in Healthcare AI

Assuming MDR compliance is sufficient for AI Act compliance

MDR requires extensive technical documentation and clinical evaluation for medical devices. However, the AI Act adds specific requirements that MDR does not cover: the Article 9 continuous risk management system (distinct from MDR risk management under ISO 14971), the Article 10 training data documentation, and the Article 14 human oversight design requirements. Both frameworks must be satisfied independently.

Not classifying administrative health AI as high-risk

Many healthcare AI teams focus their compliance effort on diagnostic AI (which is clearly within scope) and miss administrative AI that also affects patients. A triage algorithm that determines which patients are seen first, or a scheduling system that affects appointment availability for high-risk conditions, may be high-risk AI under Annex III Category 5 regardless of medical device status.

Insufficient documentation of training data provenance for clinical AI

Clinical AI models are frequently trained on datasets from specific hospital systems, patient populations, or geographic regions. Article 10 requires documentation of training data composition and examination for representativeness — including across age, sex, ethnicity, and comorbidity profiles. A model trained on data from a single tertiary care centre may perform poorly on community hospital populations, and this risk must be documented.

Start your healthcare AI documentation

Nytivo generates the full Annex IV technical documentation for your healthcare AI system — structured to align with both EU AI Act requirements and MDR technical file conventions where applicable.


Healthcare AI — FAQs

Our AI is a clinical decision support tool but not classified as a medical device. Does the AI Act apply?

Possibly under Annex III Category 5. If your clinical decision support tool contributes to decisions about patient access to care, treatment pathways, or prioritisation of limited healthcare resources — and those decisions materially affect individual patients — you may be within Category 5 (essential services). The medical device classification is a separate regulatory question from the AI Act classification. A tool can be non-MDR and still be high-risk AI under the Act.

We are building an AI medical device regulated under MDR. Does the EU AI Act add obligations?

Yes, for most AI medical devices. If your AI is used as a safety component of a medical device product covered by the Medical Devices Regulation (MDR), it falls under Annex I of the EU AI Act — with the compliance deadline of 2 August 2027, one year later than Annex III systems. You will need to satisfy both the MDR conformity assessment and the AI Act conformity assessment. The AI Act does not replace MDR — it adds to it for AI-enabled devices.

Does emotion recognition AI used in mental health apps require EU AI Act compliance?

Emotion recognition systems are explicitly named in Annex III Category 1 (biometrics), which covers AI systems that categorise natural persons based on their biometric data. If your mental health app infers emotional states from voice, facial expressions, or physiological signals, it may be high-risk under Category 1 regardless of whether it is a medical device. Article 50(3) transparency obligations also apply independently of the risk classification — users must be informed the system is operating.

How does the AI Act interact with the General Data Protection Regulation for patient data?

GDPR and the AI Act impose overlapping but distinct obligations. GDPR governs data collection, processing, retention, and patient rights (including Article 22 rights for automated decisions). The AI Act governs the design and documentation of the AI system itself. Article 10 of the AI Act requires documentation of training data governance — which will reference GDPR compliance for data collection legality. In practice, healthcare AI teams need integrated compliance programmes covering both regulations, with shared documentation where possible.

What is the compliance deadline for healthcare AI?

It depends on the category. If your AI system is a safety component of a medical device or other regulated product under Annex I of the AI Act, the deadline is 2 August 2027. If your healthcare AI is an Annex III system (administrative decisions, patient triage, access to services), the deadline is 2 August 2026. Systems that involve prohibited AI practices (biometric surveillance, subliminal manipulation) were subject to the ban from 2 February 2025.