Healthcare AI compliance under the EU AI Act
Healthcare AI compliance under the EU AI Act
If your startup builds AI for clinical decision support, diagnostic imaging, patient triage, or any system that influences medical outcomes, the EU AI Act classifies your product as high-risk under Annex III. That classification triggers a comprehensive set of obligations that go well beyond standard software quality requirements. CTOs and Heads of Product at healthcare AI companies need to understand these rules now, because the compliance timeline is tighter than many teams realise.
What the EU AI Act requires
Healthcare AI systems that fall under Annex III, Category 5 (AI intended to be used as a safety component of a medical device, or as a medical device itself, governed by EU Regulation 2017/745 or 2017/746) are classified as high-risk. Under Articles 9 through 17, high-risk AI providers must establish a documented risk management system (Article 9), implement data governance and management practices for training, validation, and testing data (Article 10), produce technical documentation before placing the system on the market (Article 11), ensure systems generate logs for traceability (Article 13), provide clear instructions for use and transparency to deployers (Article 13), implement human oversight mechanisms so that clinical staff can intervene or override outputs (Article 14), and maintain a quality management system covering the full product lifecycle (Article 17). Registration in the EU database under Article 49 is also mandatory. The compliance deadline for Annex III high-risk systems is December 2, 2027, following the extension introduced by the Digital Omnibus Act in May 2026.
What this means for your business
In practice, a diagnostic AI that flags potential tumours in radiology scans must be able to demonstrate that its training data was curated to avoid bias across demographic groups, that radiologists can see confidence scores and override the system, and that every prediction is logged with enough detail to reconstruct what happened in the event of an adverse outcome. A clinical triage chatbot that routes patients to emergency care must have documented procedures for what happens when the model is uncertain. These are not theoretical requirements. Notified Bodies are already gearing up for conformity assessments, and CE marking under the EU AI Act will become a market access requirement. Hospitals and healthcare networks procuring AI tools will increasingly demand evidence of compliance before signing contracts, meaning non-compliant products face commercial as well as regulatory risk before the 2027 deadline arrives.
Steps to get compliant
1. Classify your system precisely. Map each AI component in your product against Annex III categories and confirm whether exemptions apply. Not all AI used in healthcare is automatically high-risk under the Act.
2. Build your risk management file. Establish a living document covering risk identification, estimation, evaluation, and control measures as required by Article 9. Align this with your existing MDR/IVDR technical file if applicable.
3. Implement data governance. Document your training and validation datasets, including data sources, labelling methodology, known limitations, and bias mitigation steps, as required by Article 10.
4. Establish human oversight controls. Design your UI and workflows so that clinical users can review, question, and override AI outputs. Document these controls and include them in your instructions for use under Article 13.
Free EU AI Act risk assessment
Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.